spec/v1.6: Add support for boot_device sugar on s390x

Co-authored-by: Nikita Dubrovski <[email protected]>

config/common/errors.go

@@ -56,6 +56,8 @@ var (
 	// boot device
 	ErrUnknownBootDeviceLayout = errors.New("layout must be one of: aarch64, ppc64le, x86_64")
 	ErrTooFewMirrorDevices     = errors.New("mirroring requires at least two devices")
+	ErrNoLuksBootDevice        = errors.New("s390x-device is required if layout: s390x-eckd && s390x-device: /dev/dasd[a-z] or s390x-zfcp && s390x-device: /dev/sd[a-z]")
+	ErrMirrorNotSupport        = errors.New("layout: s390x-zfcp or s390x-eckd does not support mirror")
 
 	// partition
 	ErrReuseByLabel         = errors.New("partitions cannot be reused by label; number must be specified except on boot disk (/dev/disk/by-id/coreos-boot-disk) or when wipe_table is true")

config/fcos/v1_6_exp/schema.go

@@ -32,6 +32,7 @@ type BootDevice struct {
 
 type BootDeviceLuks struct {
 	Discard   *bool       `yaml:"discard"`
+	Device    *string     `yaml:"s390x-device"`
 	Tang      []base.Tang `yaml:"tang"`
 	Threshold *int        `yaml:"threshold"`
 	Tpm2      *bool       `yaml:"tpm2"`

config/fcos/v1_6_exp/translate.go

@@ -133,6 +133,10 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 		wantEFIPart = true
 	case *layout == "ppc64le":
 		wantPRePPart = true
+	case *layout == "s390x-virt":
+		wantBIOSPart = true
+		wantEFIPart = true
+	case *layout == "s390x-eckd" || *layout == "s390x-zfcp":
 	default:
 		// should have failed validation
 		panic("unknown layout")
@@ -239,9 +243,17 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 
 	// encrypted root partition
 	if wantLuks {
-		luksDevice := "/dev/disk/by-partlabel/root"
-		if wantMirror {
+		var luksDevice string
+		switch {
+		//Luks Device for dasd and zFCP-scsi
+		case layout != nil && *layout == "s390x-eckd":
+			luksDevice = *c.BootDevice.Luks.Device + "2"
+		case layout != nil && *layout == "s390x-zfcp":
+			luksDevice = *c.BootDevice.Luks.Device + "4"
+		case wantMirror:
 			luksDevice = "/dev/md/md-root"
+		default:
+			luksDevice = "/dev/disk/by-partlabel/root"
 		}
 		clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options)
 		rendered.Storage.Luks = []types.Luks{{

config/fcos/v1_6_exp/validate.go

@@ -27,6 +27,8 @@ import (
 const rootDevice = "/dev/disk/by-id/coreos-boot-disk"
 
 var allowedMountpoints = regexp.MustCompile(`^/(etc|var)(/|$)`)
+var dasdRe = regexp.MustCompile("(/dev/dasd[a-z]$)")
+var sdRe = regexp.MustCompile("(/dev/sd[a-z]$)")
 
 // We can't define a Validate function directly on Disk because that's defined in base,
 // so we use a Validate function on the top-level Config instead.
@@ -52,9 +54,24 @@ func (d BootDevice) Validate(c path.ContextPath) (r report.Report) {
 	if d.Layout != nil {
 		switch *d.Layout {
 		case "aarch64", "ppc64le", "x86_64":
+		case "s390x-eckd":
+			if util.NilOrEmpty(d.Luks.Device) || !dasdRe.MatchString(*d.Luks.Device) {
+				r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
+			}
+		case "s390x-zfcp":
+			if util.NilOrEmpty(d.Luks.Device) || !sdRe.MatchString(*d.Luks.Device) {
+				r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
+			}
+		case "s390x-virt":
 		default:
 			r.AddOnError(c.Append("layout"), common.ErrUnknownBootDeviceLayout)
 		}
+
+		if *d.Layout == "s390x-eckd" || *d.Layout == "s390x-zfcp" {
+			if len(d.Mirror.Devices) > 0 {
+				r.AddOnError(c.Append(*d.Layout), common.ErrMirrorNotSupport)
+			}
+		}
 	}
 	r.Merge(d.Mirror.Validate(c.Append("mirror")))
 	return

docs/config-fcos-v1_6-exp.md

@@ -211,6 +211,7 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
   * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
+    * **_s390x-device_** (string): the whole-disk device (not partitions), referenced by their absolute path. One device must be specified with s390x-* layout except s390x-virt.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.
       * **thumbprint** (string): thumbprint of a trusted signing key.

docs/config-openshift-v4_15-exp.md

@@ -160,6 +160,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
   * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
   * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
+    * **_s390x-device_** (string): the whole-disk device (not partitions), referenced by their absolute path. One device must be specified with s390x-* layout except s390x-virt.
     * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
       * **url** (string): url of the tang server.
       * **thumbprint** (string): thumbprint of a trusted signing key.

docs/examples.md

@@ -296,8 +296,51 @@ storage:
       format: ext4
 ```
 
+This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x by using device dasda unlocked with a network Tang server.
+
+<!-- butane-config -->
+```yaml
+variant: fcos
+version: 1.6.0-experimental
+boot_device:
+  layout: s390x-eckd
+  luks:
+    s390x-device: /dev/dasda
+    tang:
+      - url: https://tang.example.com
+        thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
+```
+
+This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x by using device zfcp scsi unlocked with a network Tang server.
+
+<!-- butane-config -->
+```yaml
+variant: fcos
+version: 1.6.0-experimental
+boot_device:
+  layout: s390x-zfcp
+  luks:
+    s390x-device: /dev/sdb
+    tang:
+      - url: https://tang.example.com
+        thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
+```
 ### Mirrored boot disk
 
+This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x KVM unlocked with a network Tang server.
+
+<!-- butane-config -->
+```yaml
+variant: fcos
+version: 1.6.0-experimental
+boot_device:
+  layout: s390x-virt
+  luks:
+    tang:
+      - url: https://tang.example.com
+        thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
+```
+
 This example replicates all default partitions on the boot disk across multiple disks, allowing the system to survive disk failure.
 
 <!-- butane-config -->

docs/release-notes.md

@@ -43,6 +43,7 @@ key](https://getfedora.org/security/).
 - Stabilize OpenShift spec 4.14.0, targeting Ignition spec 3.4.0
 - Add OpenShift spec 4.15.0-experimental, targeting Ignition spec
   3.5.0-experimental
+- Add support of boot_device sugar for s390x
 
 ### Bug fixes
 
@@ -63,6 +64,7 @@ key](https://getfedora.org/security/).
 - Document `key_file` `compression` field  _(openshift 4.8.0 - 4.9.0)_
 - Document support for special mode bits and `arn` URLs _(r4e 1.1.0+)_
 - Improve rendering of spec docs on docs site
+- Document `luks.s390x-device` spec _(fcos, openshift 4.14.0+)_
 
 
 ## Butane 0.18.0 (2023-03-24)

internal/doc/butane.yaml

@@ -326,6 +326,15 @@ root:
         - name: luks
           desc: describes the clevis configuration for encrypting the root filesystem.
           children:
+            - name: s390x-device
+              transforms:
+                - regex: $
+                  replacement: the whole-disk device (not partitions), referenced by their absolute path. One device must be specified with s390x-* layout except s390x-virt.
+                  if:
+                    - variant: fcos
+                      min: 1.6.0-experimental
+                    - variant: openshift
+                      min: 4.15.0-experimental
             - name: tang
               use: tang
             - name: tpm2