IBM Z install 4.13

2026-02-05 12:46:18 +01:00 · 2023-03-10 15:19:49 +01:00
parent 577d2d5243
commit 324ffbfe09
9 changed files with 61 additions and 28 deletions
--- a/installing/installing_ibm_z/installing-ibm-z-kvm.adoc
+++ b/installing/installing_ibm_z/installing-ibm-z-kvm.adoc
@@ -33,7 +33,7 @@ link:https://access.redhat.com/articles/4207611[guidelines for deploying {produc
 ====
 Be sure to also review this site list if you are configuring a proxy.
 ====
-* You provisioned a {op-system-base} Kernel Virtual Machine (KVM) system that is hosted on the logical partition (LPAR) and based on {op-system-base} 8.4 or later. See link:https://access.redhat.com/support/policy/updates/errata#RHEL8_and_9_Life_Cycle[Red Hat Enterprise Linux 8 and 9 Life Cycle].
+* You provisioned a {op-system-base} Kernel Virtual Machine (KVM) system that is hosted on the logical partition (LPAR) and based on {op-system-base} 8.6 or later. See link:https://access.redhat.com/support/policy/updates/errata#RHEL8_and_9_Life_Cycle[Red Hat Enterprise Linux 8 and 9 Life Cycle].


 include::modules/cluster-entitlements.adoc[leveloffset=+1]
--- a/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
+++ b/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
@@ -39,7 +39,7 @@ Ensure that installation steps are done from a machine with access to the instal
 ====
 Be sure to also review this site list if you are configuring a proxy.
 ====
-* You provisioned a {op-system-base} Kernel Virtual Machine (KVM) system that is hosted on the logical partition (LPAR) and based on {op-system-base} 8.4 or later. See link:https://access.redhat.com/support/policy/updates/errata#RHEL8_and_9_Life_Cycle[Red Hat Enterprise Linux 8 and 9 Life Cycle].
+* You provisioned a {op-system-base} Kernel Virtual Machine (KVM) system that is hosted on the logical partition (LPAR) and based on {op-system-base} 8.6 or later. See link:https://access.redhat.com/support/policy/updates/errata#RHEL8_and_9_Life_Cycle[Red Hat Enterprise Linux 8 and 9 Life Cycle].

 include::modules/installation-about-restricted-network.adoc[leveloffset=+1]

--- a/modules/ibm-z-secure-execution.adoc
+++ b/modules/ibm-z-secure-execution.adoc
@@ -9,9 +9,6 @@

 Before you install {op-system} using IBM Secure Execution, you must prepare the underlying infrastructure.

-:FeatureName: Installing {op-system} using IBM Secure Execution
-include::snippets/technology-preview.adoc[]
-
 .Prerequisites

 * IBM z15 or later, or {linuxoneProductName} III or later.
@@ -101,4 +98,49 @@ base64 <your-hostkey>.crt
 +
 Compared to guests not running IBM Secure Execution, the first boot of the machine is longer because the entire image is encrypted with a randomly generated LUKS passphrase before the Ignition phase.

+. Add Ignition protection
+
+To protect the secrets that are stored in the Ignition config file from being read or even modified, you must encrypt the Ignition config file.
+
+[NOTE]
+====
+To achieve the desired security, Ignition logging and local login are disabled by default when running IBM Secure Execution.
+====
+.. Fetch the public GPG key for the `secex-qemu.qcow2` image and encrypt the Ignition config with the key by running the following command:
+
+[source,terminal]
+----
+gpg --recipient-file /path/to/ignition.gpg.pub --yes --output /path/to/config.ign.gpg --verbose --armor --encrypt /path/to/config.ign
+----
+
+[NOTE]
+====
+Before starting the VM, replace `serial=ignition` with `serial=ignition_crypted` when mounting the Ignition file.
+====
+
+When Ignition runs on the first boot, and the decryption is successful, you will see an output like the following example:
+
+.Example output
+[source,terminal]
+----
+[    2.801433] systemd[1]: Starting coreos-ignition-setup-user.service - CoreOS Ignition User Config Setup...
+
+[    2.803959] coreos-secex-ignition-decrypt[731]: gpg: key <key_name>: public key "Secure Execution (secex) 38.20230323.dev.0" imported
+[    2.808874] coreos-secex-ignition-decrypt[740]: gpg: encrypted with rsa4096 key, ID <key_name>, created <yyyy-mm-dd>
+[  OK  ] Finished coreos-secex-igni…S Secex Ignition Config Decryptor.
+----
+
+If the decryption fails, you will see an output like the following example:
+
+.Example output
+[source,terminal]
+----
+Starting coreos-ignition-s…reOS Ignition User Config Setup...
+[    2.863675] coreos-secex-ignition-decrypt[729]: gpg: key <key_name>: public key "Secure Execution (secex) 38.20230323.dev.0" imported
+[    2.869178] coreos-secex-ignition-decrypt[738]: gpg: encrypted with RSA key, ID <key_name>
+[    2.870347] coreos-secex-ignition-decrypt[738]: gpg: public key decryption failed: No secret key
+[    2.870371] coreos-secex-ignition-decrypt[738]: gpg: decryption failed: No secret key
+----
+
+
 . Follow the fast-track installation procedure to install nodes using the IBM Secure Exection QCOW image.
--- a/modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc
+++ b/modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc
@@ -11,7 +11,7 @@ Complete the following steps to create the machines in a full installation on a

 .Prerequisites

-* At least one LPAR running  on {op-system-base} 8.4 or later with KVM, referred to as {op-system-base} KVM host in this procedure.
+* At least one LPAR running  on {op-system-base} 8.6 or later with KVM, referred to as {op-system-base} KVM host in this procedure.
 * The KVM/QEMU hypervisor is installed on the {op-system-base} KVM host.
 * A domain name server (DNS) that can perform hostname and reverse lookup for the nodes.
 * An HTTP or HTTPS server is set up.
--- a/modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc
+++ b/modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc
@@ -11,7 +11,7 @@ Complete the following steps to create the machines in a fast-track installation

 .Prerequisites

-* At least one LPAR running on {op-system-base} 8.4 or later with KVM, referred to as {op-system-base} KVM host in this procedure.
+* At least one LPAR running on {op-system-base} 8.6 or later with KVM, referred to as {op-system-base} KVM host in this procedure.
 * The KVM/QEMU hypervisor is installed on the {op-system-base} KVM host.
 * A domain name server (DNS) that can perform hostname and reverse lookup for the nodes.
 * A DHCP server that provides IP addresses.
@@ -54,5 +54,6 @@ $ virt-install --noautoconsole \
   --disk {disk} \
   --import \
   --network network={network},mac={mac} \
-   --disk path={ign_file},format=raw,readonly=on,serial=ignition,startup_policy=optional
+   --disk path={ign_file},format=raw,readonly=on,serial=ignition,startup_policy=optional <1>
 ----
+<1> If IBM Secure Execution is enabled, replace `serial=ignition` with `serial=ignition_crypted`.
--- a/modules/installation-machine-requirements.adoc
+++ b/modules/installation-machine-requirements.adoc
@@ -87,14 +87,14 @@ endif::ibm-z[]
 ====

 ifndef::ibm-z,ibm-power[]
-The bootstrap and control plane machines must use {op-system-first} as the operating system. However, the compute machines can choose between {op-system-first}, {op-system-base-full} 8.4, or {op-system-base} 8.5.
+The bootstrap and control plane machines must use {op-system-first} as the operating system. However, the compute machines can choose between {op-system-first}, {op-system-base-full} 8.6, or {op-system-base} 8.7.
 endif::ibm-z,ibm-power[]
 ifdef::ibm-z,ibm-power[]
 The bootstrap, control plane, and compute machines must use {op-system-first} as the operating system.
 endif::ibm-z,ibm-power[]

 ifndef::openshift-origin[]
-Note that {op-system} is based on {op-system-base-full} 8 and inherits all of its hardware certifications and requirements.
+Note that {op-system} is based on {op-system-base-full} 9.2 and inherits all of its hardware certifications and requirements.
 endif::[]
 See link:https://access.redhat.com/articles/rhel-limits[Red Hat Enterprise Linux technology capabilities and limits].

--- a/modules/installation-minimum-resource-requirements.adoc
+++ b/modules/installation-minimum-resource-requirements.adoc
@@ -158,7 +158,7 @@ endif::ibm-z[]
 ifndef::openshift-origin[]
 |Compute
 ifdef::ibm-z,ibm-power,ibm-cloud-vpc[|{op-system}]
-ifndef::ibm-z,ibm-power,ibm-cloud-vpc[|{op-system}, {op-system-base} 8.4, or {op-system-base} 8.5 ^[3]^]
+ifndef::ibm-z,ibm-power,ibm-cloud-vpc[|{op-system}, {op-system-base} 8.6, or {op-system-base} 8.7 ^[3]^]
 |2
 |8 GB
 |100 GB
--- a/modules/installation-requirements-user-infra-ibm-z-kvm.adoc
+++ b/modules/installation-requirements-user-infra-ibm-z-kvm.adoc
@@ -10,7 +10,7 @@
 For a cluster that contains user-provisioned infrastructure, you must deploy all
 of the required machines.

-One or more KVM host machines based on {op-system-base} 8.4 or later. Each {op-system-base} KVM host machine must have libvirt installed and running. The virtual machines are provisioned under each {op-system-base} KVM host machine.
+One or more KVM host machines based on {op-system-base} 8.6 or later. Each {op-system-base} KVM host machine must have libvirt installed and running. The virtual machines are provisioned under each {op-system-base} KVM host machine.


 [id="machine-requirements_{context}"]
@@ -65,13 +65,8 @@ The {op-system-base} KVM host in your environment must meet the following requir

 You can install {product-title} version {product-version} on the following IBM hardware:

-* IBM z16 (all models), IBM z15 (all models), IBM z14 (all models), IBM z13, and IBM z13s
-* {linuxoneProductName} Emperor 4, {linuxoneProductName} III (all models), {linuxoneProductName} Emperor II, {linuxoneProductName} Rockhopper II, {linuxoneProductName} Emperor, and {linuxoneProductName} Rockhopper
-
-[NOTE]
-====
-Support for {op-system} functionality for IBM z13 all models, {linuxoneProductName} Emperor, and {linuxoneProductName} Rockhopper is deprecated. These hardware models remain fully supported in {product-title} 4.13. However, Red Hat recommends that you use later hardware models.
-====
+* IBM z16 (all models), IBM z15 (all models), IBM z14 (all models)
+* {linuxoneProductName} 4 (all models), {linuxoneProductName} III (all models), {linuxoneProductName} Emperor II, {linuxoneProductName} Rockhopper II

 [id="minimum-ibm-z-system-requirements_{context}"]
 == Minimum {ibmzProductName} system environment
@@ -94,7 +89,7 @@ Since the overall performance of the cluster can be impacted, the LPARs that are

 [discrete]
 === Operating system requirements
-* One LPAR running on {op-system-base} 8.4 or later with KVM, which is managed by libvirt
+* One LPAR running on {op-system-base} 8.6 or later with KVM, which is managed by libvirt

 On your {op-system-base} KVM host, set up:

@@ -156,7 +151,7 @@ Each cluster virtual machine must meet the following minimum requirements:
 [discrete]
 === Operating system requirements

-* For high availability, two or three LPARs running on {op-system-base} 8.4 or later with KVM, which are managed by libvirt.
+* For high availability, two or three LPARs running on {op-system-base} 8.6 or later with KVM, which are managed by libvirt.

 On your {op-system-base} KVM host, set up:

--- a/modules/minimum-ibm-z-system-requirements.adoc
+++ b/modules/minimum-ibm-z-system-requirements.adoc
@@ -9,13 +9,8 @@

 You can install {product-title} version {product-version} on the following IBM hardware:

-* IBM z16 (all models), IBM z15 (all models), IBM z14 (all models), IBM z13, and IBM z13s
-* {linuxoneProductName} Emperor 4, {linuxoneProductName} III (all models), {linuxoneProductName} Emperor II, {linuxoneProductName} Rockhopper II, {linuxoneProductName} Emperor, and {linuxoneProductName} Rockhopper
-
-[NOTE]
-====
-Support for {op-system} functionality for IBM z13 all models, {linuxoneProductName} Emperor, and {linuxoneProductName} Rockhopper is deprecated. These hardware models remain fully supported in {product-title} 4.12. However, Red Hat recommends that you use later hardware models.
-====
+* IBM z16 (all models), IBM z15 (all models), IBM z14 (all models)
+* {linuxoneProductName} 4 (all models), {linuxoneProductName} III (all models), {linuxoneProductName} Emperor II, {linuxoneProductName} Rockhopper II

 [discrete]
 == Hardware requirements