diff --git a/config/common/errors.go b/config/common/errors.go
index a5f8d5b2..2134d2e5 100644
--- a/config/common/errors.go
+++ b/config/common/errors.go
@@ -56,6 +56,8 @@ var (
 // boot device
 ErrUnknownBootDeviceLayout = errors.New("layout must be one of: aarch64, ppc64le, x86_64")
 ErrTooFewMirrorDevices = errors.New("mirroring requires at least two devices")
+ ErrNoLuksBootDevice = errors.New("s390x-device is required if layout: s390x-eckd && s390x-device: /dev/dasd[a-z] or s390x-zfcp && s390x-device: /dev/sd[a-z]")
+ ErrMirrorNotSupport = errors.New("layout: s390x-zfcp or s390x-eckd does not support mirror")
 // partition
 ErrReuseByLabel = errors.New("partitions cannot be reused by label; number must be specified except on boot disk (/dev/disk/by-id/coreos-boot-disk) or when wipe_table is true")
diff --git a/config/fcos/v1_6_exp/schema.go b/config/fcos/v1_6_exp/schema.go
index 140cd31a..799b9540 100644
--- a/config/fcos/v1_6_exp/schema.go
+++ b/config/fcos/v1_6_exp/schema.go
@@ -32,6 +32,7 @@ type BootDevice struct {
 type BootDeviceLuks struct {
 Discard *bool `yaml:"discard"`
+ Device *string `yaml:"s390x-device"`
 Tang []base.Tang `yaml:"tang"`
 Threshold *int `yaml:"threshold"`
 Tpm2 *bool `yaml:"tpm2"`
diff --git a/config/fcos/v1_6_exp/translate.go b/config/fcos/v1_6_exp/translate.go
index 2a45287b..305ba36e 100644
--- a/config/fcos/v1_6_exp/translate.go
+++ b/config/fcos/v1_6_exp/translate.go
@@ -133,6 +133,10 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 wantEFIPart = true
 case *layout == "ppc64le":
 wantPRePPart = true
+ case *layout == "s390x-virt":
+ wantBIOSPart = true
+ wantEFIPart = true
+ case *layout == "s390x-eckd" || *layout == "s390x-zfcp":
 default:
 // should have failed validation
 panic("unknown layout")
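Review bot: The unchanged `ErrUnknownBootDeviceLayout` message in config/common/errors.go still lists only `aarch64, ppc64le, x86_64`, although this commit makes `s390x-eckd`, `s390x-virt` and `s390x-zfcp` valid, so a user who mistypes a layout is told the wrong set. The new `ErrNoLuksBootDevice` text mixes config notation with `&&` and does not read as one rule; something like `errors.New("s390x-device must be /dev/dasd[a-z] for layout s390x-eckd, or /dev/sd[a-z] for layout s390x-zfcp")` is easier to act on. `ErrMirrorNotSupport` would read better as `ErrMirrorNotSupported`. The `var (` block starts and ends outside the hunk.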
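Review bot: The new key in config/fcos/v1_6_exp/schema.go is spelled `s390x-device` with a hyphen, while the other multi-word keys visible in this commit's docs use underscores (`boot_device`, `should_not_exist`, `ssh_authorized_keys_local`); `yaml:"s390x_device"` would match them. The field also sits in `BootDeviceLuks` although validation ties it to the layout rather than to the clevis settings, and the bare Go name `Device` gives no hint that it is s390x-only. A field comment saying it is read only for `s390x-eckd` and `s390x-zfcp`, and that it appears to name the whole disk rather than a partition, would help. The struct continues outside the hunk.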
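Review bot: In the first translate.go hunk the `s390x-virt` case sets `wantBIOSPart` and `wantEFIPart`, and the `s390x-eckd`/`s390x-zfcp` case sets nothing, with no comment explaining either choice. Whether the s390x-virt image really carries BIOS-boot and EFI system partitions cannot be told from this hunk; if it does not, whatever later code keys off these flags would act on partitions that are not there, so this is worth confirming against the image layout. For the empty case a comment such as `// no extra boot partitions to handle; mirror is rejected in validation` would make the intent explicit. The switch starts and ends outside the hunk.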
@@ -239,9 +243,17 @@ func (c Config) processBootDevice(config *types.Config, ts *translate.Translatio
 // encrypted root partition
 if wantLuks {
- luksDevice := "/dev/disk/by-partlabel/root"
- if wantMirror {
+ var luksDevice string
+ switch {
+ //Luks Device for dasd and zFCP-scsi
+ case layout != nil && *layout == "s390x-eckd":
+ luksDevice = *c.BootDevice.Luks.Device + "2"
+ case layout != nil && *layout == "s390x-zfcp":
+ luksDevice = *c.BootDevice.Luks.Device + "4"
+ case wantMirror:
 luksDevice = "/dev/md/md-root"
+ default:
+ luksDevice = "/dev/disk/by-partlabel/root"
 }
 clevis, ts2, r2 := translateBootDeviceLuks(c.BootDevice.Luks, options)
 rendered.Storage.Luks = []types.Luks{{
diff --git a/config/fcos/v1_6_exp/validate.go b/config/fcos/v1_6_exp/validate.go
index 4c3ae9de..5b230f95 100644
--- a/config/fcos/v1_6_exp/validate.go
+++ b/config/fcos/v1_6_exp/validate.go
@@ -27,6 +27,8 @@ import (
 const rootDevice = "/dev/disk/by-id/coreos-boot-disk"
 var allowedMountpoints = regexp.MustCompile(`^/(etc|var)(/|$)`)
+var dasdRe = regexp.MustCompile("(/dev/dasd[a-z]$)")
+var sdRe = regexp.MustCompile("(/dev/sd[a-z]$)")
 // We can't define a Validate function directly on Disk because that's defined in base,
 // so we use a Validate function on the top-level Config instead.
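Review bot: `*c.BootDevice.Luks.Device` is dereferenced in both new cases of the second translate.go hunk without a nil check, so the code is only safe if `BootDevice.Validate` has already rejected a missing `s390x-device`; the existing "should have failed validation" comment in this function suggests validation runs first, but that ordering is not visible here. State the precondition next to the dereference, e.g. `// Device is non-nil and shape-checked by BootDevice.Validate`. The suffixes `"2"` and `"4"` are unexplained partition numbers; a comment or named constants saying which partition of the eckd and zfcp images holds root would let a reader check them. Kernel names such as `/dev/sdb` are assigned in discovery order, so the docs should say the value must name the boot disk as the target sees it at first boot. The `if wantLuks` block continues outside the hunk.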
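Review bot: `dasdRe` and `sdRe` in validate.go are anchored only at the end, so any string that merely ends in `/dev/dasda` or `/dev/sdb` (a constructed example: `/tmp/x/dev/sdb`) passes validation and is then used by the translation as the base of the LUKS device path. Anchor both ends and drop the unused capture group, as `allowedMountpoints` on the line above already does with `^`: `regexp.MustCompile("^/dev/dasd[a-z]$")` and `regexp.MustCompile("^/dev/sd[a-z]$")`. The single `[a-z]` also rejects names past the 26th device (`dasdaa`, `sdaa`); if that limit is intended, a comment should say so.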
@@ -52,9 +54,24 @@ func (d BootDevice) Validate(c path.ContextPath) (r report.Report) {
 if d.Layout != nil {
 switch *d.Layout {
 case "aarch64", "ppc64le", "x86_64":
+ case "s390x-eckd":
+ if util.NilOrEmpty(d.Luks.Device) || !dasdRe.MatchString(*d.Luks.Device) {
+ r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
+ }
+ case "s390x-zfcp":
+ if util.NilOrEmpty(d.Luks.Device) || !sdRe.MatchString(*d.Luks.Device) {
+ r.AddOnError(c.Append(*d.Layout), common.ErrNoLuksBootDevice)
+ }
+ case "s390x-virt":
 default:
 r.AddOnError(c.Append("layout"), common.ErrUnknownBootDeviceLayout)
 }
+
+ if *d.Layout == "s390x-eckd" || *d.Layout == "s390x-zfcp" {
+ if len(d.Mirror.Devices) > 0 {
+ r.AddOnError(c.Append(*d.Layout), common.ErrMirrorNotSupport)
+ }
+ }
 }
 r.Merge(d.Mirror.Validate(c.Append("mirror")))
 return
diff --git a/docs/config-fcos-v1_6-exp.md b/docs/config-fcos-v1_6-exp.md
index ebc21a5a..b283d22d 100644
--- a/docs/config-fcos-v1_6-exp.md
+++ b/docs/config-fcos-v1_6-exp.md
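Review bot: The three new `r.AddOnError(c.Append(*d.Layout), …)` calls in BootDevice.Validate append the layout's value (for example `s390x-eckd`) to the context path instead of a field name, so the report points at a path that does not exist in the config; the existing default branch uses `c.Append("layout")`. The device errors belong to the field, `c.Append("luks", "s390x-device")`, and the mirror error to `c.Append("mirror")`. Nothing here rejects `s390x-device` when the layout is unset or is anything other than `s390x-eckd`/`s390x-zfcp`, so the value is silently accepted and ignored in those configs. The mirror check could also move into the two cases instead of re-testing `*d.Layout` after the switch. Validate begins before the hunk and its closing brace is outside it.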
@@ -209,8 +209,9 @@ The Fedora CoreOS configuration is a YAML document conforming to the following s
 * **_should_exist_** (list of strings): the list of kernel arguments that should exist.
 * **_should_not_exist_** (list of strings): the list of kernel arguments that should not exist.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-eckd`, `s390x-virt`, `s390x-zfcp` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
+ * **s390x-device** (string): describes device specific to s390x `dasd[a-z]` or `sd[a-z]`.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
 * **thumbprint** (string): thumbprint of a trusted signing key.
diff --git a/docs/config-openshift-v4_15-exp.md b/docs/config-openshift-v4_15-exp.md
index c6fa8f64..a21c96ee 100644
--- a/docs/config-openshift-v4_15-exp.md
+++ b/docs/config-openshift-v4_15-exp.md
@@ -158,8 +158,9 @@ The OpenShift configuration is a YAML document conforming to the following speci
 * **_ssh_authorized_keys_** (list of strings): a list of SSH keys to be added as an SSH key fragment at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique.
 * **_ssh_authorized_keys_local_** (list of strings): a list of local paths to SSH key files, relative to the directory specified by the `--files-dir` command-line argument, to be added as SSH key fragments at `.ssh/authorized_keys.d/ignition` in the user's home directory. All SSH keys must be unique. Each file may contain multiple SSH keys, one per line.
 * **_boot_device_** (object): describes the desired boot device configuration. At least one of `luks` or `mirror` must be specified.
- * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, and `x86_64`. Defaults to `x86_64`.
+ * **_layout_** (string): the disk layout of the target OS image. Supported values are `aarch64`, `ppc64le`, `s390x-eckd`, `s390x-virt`, `s390x-zfcp` and `x86_64`. Defaults to `x86_64`.
 * **_luks_** (object): describes the clevis configuration for encrypting the root filesystem.
+ * **s390x-device** (string): describes device specific to s390x `dasd[a-z]` or `sd[a-z]`.
 * **_tang_** (list of objects): describes a tang server. Every server must have a unique `url`.
 * **url** (string): url of the tang server.
 * **thumbprint** (string): thumbprint of a trusted signing key.
diff --git a/docs/examples.md b/docs/examples.md
index 6fb1c3e4..d7eb3aaf 100644
--- a/docs/examples.md
+++ b/docs/examples.md
@@ -296,8 +296,51 @@ storage:
 format: ext4
 ```
+This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x by using device dasda unlocked with a network Tang server.
+
+
+```yaml
+variant: fcos
+version: 1.6.0
+boot_device:
+ layout: s390x-eckd
+ luks:
+ s390x-device: /dev/dasda
+ tang:
+ - url: https://tang.example.com
+ thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
+```
+
+This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x by using device zfcp scsi unlocked with a network Tang server.
+
+
+```yaml
+variant: fcos
+version: 1.6.0
+boot_device:
+ layout: s390x-zfcp
+ luks:
+ s390x-device: /dev/sdb
+ tang:
+ - url: https://tang.example.com
+ thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
+```
 ### Mirrored boot disk
+This example uses the shortcut `boot_device` syntax to configure an encrypted root filesystem in s390x KVM unlocked with a network Tang server.
+
+
+```yaml
+variant: fcos
+version: 1.6.0
+boot_device:
+ layout: s390x-virt
+ luks:
+ tang:
+ - url: https://tang.example.com
+ thumbprint: REPLACE-THIS-WITH-YOUR-TANG-THUMBPRINT
+```
+
 This example replicates all default partitions on the boot disk across multiple disks, allowing the system to survive disk failure.