From 7f9b2c24cefe78590777083dc7e59628737c5ba0 Mon Sep 17 00:00:00 2001
From: madhu-pillai
Date: Tue, 3 Oct 2023 11:10:59 +0530
Subject: [PATCH] spec/v1.6: Add support for boot_device sugar on s390x

Co-authored-by: Nikita Dubrovski
---
 config/common/errors.go | 2 ++
 config/fcos/v1_6_exp/schema.go | 1 +
 config/fcos/v1_6_exp/translate.go | 16 +++++++++--
 config/fcos/v1_6_exp/validate.go | 17 ++++++++++++
 docs/config-fcos-v1_6-exp.md | 1 +
 docs/config-openshift-v4_15-exp.md | 1 +
 docs/examples.md | 43 ++++++++++++++++++++++++++++++
 docs/release-notes.md | 2 ++
 internal/doc/butane.yaml | 9 +++++++
 9 files changed, 90 insertions(+), 2 deletions(-)

diff --git a/config/common/errors.go b/config/common/errors.go
index a5f8d5b2..2134d2e5 100644
--- a/config/common/errors.go
+++ b/config/common/errors.go
@@ -56,6 +56,8 @@ var (
 // boot device
 ErrUnknownBootDeviceLayout = errors.New("layout must be one of: aarch64, ppc64le, x86_64")
 ErrTooFewMirrorDevices = errors.New("mirroring requires at least two devices")
+ ErrNoLuksBootDevice = errors.New("s390x-device is required if layout: s390x-eckd && s390x-device: /dev/dasd[a-z] or s390x-zfcp && s390x-device: /dev/sd[a-z]")
+ ErrMirrorNotSupport = errors.New("layout: s390x-zfcp or s390x-eckd does not support mirror")

 // partition
 ErrReuseByLabel = errors.New("partitions cannot be reused by label; number must be specified except on boot disk (/dev/disk/by-id/coreos-boot-disk) or when wipe_table is true")
diff --git a/config/fcos/v1_6_exp/schema.go b/config/fcos/v1_6_exp/schema.go
index 140cd31a..799b9540 100644
--- a/config/fcos/v1_6_exp/schema.go
+++ b/config/fcos/v1_6_exp/schema.go
@@ -32,6 +32,7 @@ type BootDevice struct {

 type BootDeviceLuks struct {
 Discard *bool `yaml:"discard"`
+ Device *string `yaml:"s390x-device"`
 Tang []base.Tang `yaml:"tang"`
 Threshold *int `yaml:"threshold"`
 Tpm2 *bool `yaml:"tpm2"`
diff --git a/config/fcos/v1_6_exp/translate.go b/config/fcos/v1_6_exp/translate.go
index 2a45287b..305ba36e 100644
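Review bot: `ErrUnknownBootDeviceLayout` on the first context line of this hunk still tells the user that layout must be one of aarch64, ppc64le, x86_64, yet the validate.go hunk in the same patch now accepts `s390x-eckd`, `s390x-zfcp` and `s390x-virt`, so a typo in one of the new names produces a misleading message (the two spec docs changed by this patch repeat the stale list in their `layout` context line). Update it to `ErrUnknownBootDeviceLayout = errors.New("layout must be one of: aarch64, ppc64le, s390x-eckd, s390x-virt, s390x-zfcp, x86_64")`. The new `ErrNoLuksBootDevice` text reads like a boolean expression rather than a sentence a user can act on; `errors.New("s390x-device must be a whole-disk path: /dev/dasd[a-z] with layout s390x-eckd, /dev/sd[a-z] with layout s390x-zfcp")` conveys the same rule. `ErrMirrorNotSupport` would follow the surrounding naming (`ErrTooFewMirrorDevices`, past-participle style) better as `ErrMirrorNotSupported`.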
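Review bot: The new YAML key `s390x-device` is the only hyphenated key on this page; every other Butane key visible in the patch (`boot_device`, `wipe_table`, `key_file`, `tang`, `tpm2`) is snake_case, and once spec 1.6.0 stabilizes the key can no longer be renamed. Consider `yaml:"s390x_device"` (with the docs and butane.yaml entries of this patch changed to match), and document the field, since its meaning is layout-dependent and the struct has no comment explaining that: `// Device is the whole-disk node whose partition holds the root LUKS container; only consulted for the s390x-eckd and s390x-zfcp layouts.`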
--- a/config/fcos/v1_6_exp/translate.go
+++ b/config/fcos/v1_6_exp/translate.go
@@ -133,6 +133,10 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 wantEFIPart = true
 case *layout == "ppc64le":
 wantPRePPart = true
+ case *layout == "s390x-virt":
+ wantBIOSPart = true
+ wantEFIPart = true
+ case *layout == "s390x-eckd" || *layout == "s390x-zfcp":
 default:
 // should have failed validation
 panic("unknown layout")
@@ -239,9 +243,17 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio

 // encrypted root partition
 if wantLuks {
- luksDevice := "/dev/disk/by-partlabel/root"
- if wantMirror {
+ var luksDevice string
+ switch {
+ //Luks Device for dasd and zFCP-scsi
+ case layout != nil && *layout == "s390x-eckd":
+ luksDevice = *c.BootDevice.Luks.Device + "2"
+ case layout != nil && *layout == "s390x-zfcp":
+ luksDevice = *c.BootDevice.Luks.Device + "4"
+ case wantMirror:
 luksDevice = "/dev/md/md-root"
+ default:
+ luksDevice = "/dev/disk/by-partlabel/root"
 }
 clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options)
 rendered.Storage.Luks = []types.Luks{{
diff --git a/config/fcos/v1_6_exp/validate.go b/config/fcos/v1_6_exp/validate.go
index 4c3ae9de..5b230f95 100644
--- a/config/fcos/v1_6_exp/validate.go
+++ b/config/fcos/v1_6_exp/validate.go
@@ -27,6 +27,8 @@ import (
 const rootDevice = "/dev/disk/by-id/coreos-boot-disk"

 var allowedMountpoints = regexp.MustCompile(`^/(etc|var)(/|$)`)
+var dasdRe = regexp.MustCompile("(/dev/dasd[a-z]$)")
+var sdRe = regexp.MustCompile("(/dev/sd[a-z]$)")

 // We can't define a Validate function directly on Disk because that's defined in base,
 // so we use a Validate function on the top-level Config instead.
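Review bot: The added `case *layout == "s390x-eckd" || *layout == "s390x-zfcp":` has an empty body, which reads like an accidental fallthrough rather than a decision; say what is intended so the next reader does not "fix" it, e.g. `// eckd/zfcp: none of the BIOS/EFI/PReP partitions are generated here; only the root LUKS device is redirected below`, and note that the case exists only to keep these layouts out of the `default` panic. The `s390x-virt` arm also deserves a one-line reason for requesting both a BIOS and an EFI partition. processBootDevice starts before and continues after this hunk.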
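Review bot: The partition suffixes `"2"` and `"4"` appended in the two s390x cases are magic constants whose correctness silently depends on the validate.go regexes admitting only single-letter `/dev/dasd[a-z]` / `/dev/sd[a-z]` names (a `/dev/sdaa` or a `p`-separated NVMe-style name would yield a wrong node), and `*c.BootDevice.Luks.Device` is dereferenced with no nil check, so this code relies on validation having run first just as the `default` branch comment in the previous hunk already assumes. Name the suffixes, move the `//Luks Device for dasd and zFCP-scsi` comment (which also lacks the space after `//`) onto the cases it describes, and state the precondition next to the dereference; with that the original `luksDevice := "/dev/disk/by-partlabel/root"` default can stay and the `default:` arm disappears. Separately, the result is a kernel enumeration name such as `/dev/sdb4` rather than the stable `/dev/md/...` or `/dev/disk/by-partlabel/...` paths used by the other arms; if zFCP enumeration order differs from what the config author assumed, the LUKS container ends up on a different disk than intended, which the examples in this patch should at least caveat. processBootDevice starts before and continues after this hunk.
```go
// package level, next to the other constants (outside this hunk); validate.go admits only
// /dev/dasd[a-z] and /dev/sd[a-z], so a bare digit suffix is the partition node.
const (
	eckdRootPartition = "2" // root LUKS container lives on partition 2 of the DASD
	zfcpRootPartition = "4" // root LUKS container lives on partition 4 of the zFCP SCSI disk
)

	if wantLuks {
		luksDevice := "/dev/disk/by-partlabel/root"
		switch {
		case layout != nil && *layout == "s390x-eckd":
			// Device is non-nil here: validation rejects s390x-eckd without s390x-device
			luksDevice = *c.BootDevice.Luks.Device + eckdRootPartition
		case layout != nil && *layout == "s390x-zfcp":
			luksDevice = *c.BootDevice.Luks.Device + zfcpRootPartition
		case wantMirror:
			luksDevice = "/dev/md/md-root"
		}
		// … unchanged: translateBootDeviceLuks call and rendered.Storage.Luks …
```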
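Review bot: The two new patterns are anchored only at the end, and `regexp.MatchString` matches any substring, so `/tmp/dev/sda`, `x/dev/dasda` or `//dev/sdb` pass validation and the translate.go hunk then emits that string plus a digit as the LUKS device. Anchor both ends and use the raw-string form the sibling `allowedMountpoints` already uses (the capture group serves no purpose): ``var dasdRe = regexp.MustCompile(`^/dev/dasd[a-z]$`)`` and ``var sdRe = regexp.MustCompile(`^/dev/sd[a-z]$`)``. A short comment that the single-letter restriction is deliberate, because translate.go appends a bare partition number to the path, would stop someone from widening it to `[a-z]+` later.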
@@ -52,9 +54,24 @@ func (d BootDevice) Validate(c path.ContextPath) (r report.Report) {
 if d.Layout != nil {
 switch *d.Layout {
 case "aarch64", "ppc64le", "x86_64":
+ case "s390x-eckd":
+ if util.NilOrEmpty(d.Luks.Device) || !dasdRe.MatchString(*d.Luks.Device) {
+ r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
+ }
+ case "s390x-zfcp":
+ if util.NilOrEmpty(d.Luks.Device) || !sdRe.MatchString(*d.Luks.Device) {
+ r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
+ }
+ case "s390x-virt":
 default:
 r.AddOnError(c.Append("layout"), common.ErrUnknownBootDeviceLayout)
 }
+
+ if *d.Layout == "s390x-eckd" || *d.Layout == "s390x-zfcp" {
+ if len(d.Mirror.Devices) > 0 {
+ r.AddOnError(c.Append(*d.Layout), common.ErrMirrorNotSupport)
+ }
+ }
 }
 r.Merge(d.Mirror.Validate(c.Append("mirror")))
 return
diff --git a/docs/config-fcos-v1_6-exp.md b/docs/config-fcos-v1_6-exp.md
index ebc21a5a..3d1d6670 100644
--- a/docs/config-fcos-v1_6-exp.md
+++ b/docs/config-fcos-v1_6-exp.md
@@ -211,6 +211,7 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
 * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
+ * **_s390x-device_** (string): the whole-disk device (not partitions), referenced by their absolute path. One device must be specified with s390x-* layout except s390x-virt.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
 * **thumbprint** (string): thumbprint of a trusted signing key.
diff --git a/docs/config-openshift-v4_15-exp.md b/docs/config-openshift-v4_15-exp.md
index c6fa8f64..f666fdd3 100644
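Review bot: Both new `r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)` calls report the error at a path component made of the layout's value (`boot_device.s390x-eckd`), but the field that is wrong is `luks.s390x-device`, and the mirror error likewise belongs on `mirror`; the existing branch uses the field name, `c.Append("layout")`. Use `r.AddOnError(c.Append("luks", "s390x-device"), common.ErrNoLuksBootDevice)` in both cases and `r.AddOnError(c.Append("mirror"), common.ErrMirrorNotSupport)` for the mirror check, which could also live inside the two s390x cases instead of re-testing `*d.Layout` after the switch. The converse is never validated: an `s390x-device` given with `x86_64`, `s390x-virt` or no `layout` at all is accepted here and silently ignored by the translate.go hunk, so a config that names a DASD but forgets the layout encrypts `/dev/disk/by-partlabel/root` instead; rejecting a set `d.Luks.Device` outside the eckd/zfcp cases would surface that mistake at build time. Validate's signature is only in the hunk header, so the function starts before this hunk.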
--- a/docs/config-openshift-v4_15-exp.md
+++ b/docs/config-openshift-v4_15-exp.md
@@ -160,6 +160,7 @@ The OpenShift configuration is a YAML document conforming to the following speci
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
 * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
+ * **_s390x-device_** (string): the whole-disk device (not partitions), referenced by their absolute path. One device must be specified with s390x-* layout except s390x-virt.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
 * **thumbprint** (string): thumbprint of a trusted signing key.
diff --git a/docs/examples.md b/docs/examples.md
index 6fb1c3e4..bf136fb7 100644
--- a/docs/examples.md
+++ b/docs/examples.md
@@ -296,8 +296,51 @@ storage: format: ext4 ``` +This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x by using device dasda unlocked with a network Tang server. + + +```yaml +variant: fcos +version: 1.6.0-experimental +boot_device: + layout: s390x-eckd + luks: + s390x-device: /dev/dasda + tang: + - url: https://tang.example.com + thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT +``` + +This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x by using device zfcp scsi unlocked with a network Tang server. + + +```yaml +variant: fcos +version: 1.6.0-experimental +boot_device: + layout: s390x-zfcp + luks: + s390x-device: /dev/sdb + tang: + - url: https://tang.example.com + thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT +``` ### Mirrored boot disk +This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x KVM unlocked with a network Tang server. + + +```yaml +variant: fcos +version: 1.6.0-experimental +boot_device: + layout: s390x-virt + luks: + tang: + - url: https://tang.example.com + thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT +``` + This example replicates all default partitions on the boot disk across multiple disks, allowing the system to survive disk failure. diff --git a/docs/release-notes.md b/docs/release-notes.md index f56a2573..91b0fb25 100644 --- a/docs/release-notes.md +++ b/docs/release-notes.md @@ -43,6 +43,7 @@ key](https://getfedora.org/security/). - Stabilize OpenShift spec 4.14.0, targeting Ignition spec 3.4.0 - Add OpenShift spec 4.15.0-experimental, targeting Ignition spec 3.5.0-experimental +- Add support of boot_device sugar for s390x ### Bug fixes 
@@ -63,6 +64,7 @@ key](https://getfedora.org/security/).
 - Document `key_file` `compression` field _(openshift 4.8.0 - 4.9.0)_
 - Document support for special mode bits and `arn` URLs _(r4e 1.1.0+)_
 - Improve rendering of spec docs on docs site
+- Document `luks.s390x-device` spec _(fcos, openshift 4.14.0+)_

 ## Butane 0.18.0 (2023-03-24)

diff --git a/internal/doc/butane.yaml b/internal/doc/butane.yaml
index 13ef285f..33491ecb 100644
--- a/internal/doc/butane.yaml
+++ b/internal/doc/butane.yaml
@@ -326,6 +326,15 @@ root:
 - name: luks
 desc: describes the clevis configuration for encrypting the root filesystem.
 children:
+ - name: s390x-device
+ transforms:
+ - regex: $
+ replacement: the whole-disk device (not partitions), referenced by their absolute path. One device must be specified with s390x-* layout except s390x-virt.
+ if:
+ - variant: fcos
+ min: 1.6.0-experimental
+ - variant: openshift
+ min: 4.15.0-experimental
 - name: tang
 use: tang
 - name: tpm2