From 324ffbfe09e7a79eb2e35a5f21330769346dfcd3 Mon Sep 17 00:00:00 2001 From: SNiemann15 Date: Fri, 10 Mar 2023 15:19:49 +0100 Subject: [PATCH] IBM Z install 4.13 --- .../installing-ibm-z-kvm.adoc | 2 +- ...talling-restricted-networks-ibm-z-kvm.adoc | 2 +- modules/ibm-z-secure-execution.adoc | 48 +++++++++++++++++-- ...ull-ibm-z-kvm-user-infra-machines-iso.adoc | 2 +- ...ion-ibm-z-kvm-user-infra-machines-iso.adoc | 5 +- .../installation-machine-requirements.adoc | 4 +- ...llation-minimum-resource-requirements.adoc | 2 +- ...ion-requirements-user-infra-ibm-z-kvm.adoc | 15 ++---- .../minimum-ibm-z-system-requirements.adoc | 9 +--- 9 files changed, 61 insertions(+), 28 deletions(-) diff --git a/installing/installing_ibm_z/installing-ibm-z-kvm.adoc b/installing/installing_ibm_z/installing-ibm-z-kvm.adoc index 72bba0d02b..56bcea1dc0 100644 --- a/installing/installing_ibm_z/installing-ibm-z-kvm.adoc +++ b/installing/installing_ibm_z/installing-ibm-z-kvm.adoc @@ -33,7 +33,7 @@ link:https://access.redhat.com/articles/4207611[guidelines for deploying {produc ==== Be sure to also review this site list if you are configuring a proxy. ==== -* You provisioned a {op-system-base} Kernel Virtual Machine (KVM) system that is hosted on the logical partition (LPAR) and based on {op-system-base} 8.4 or later. See link:https://access.redhat.com/support/policy/updates/errata#RHEL8_and_9_Life_Cycle[Red Hat Enterprise Linux 8 and 9 Life Cycle]. +* You provisioned a {op-system-base} Kernel Virtual Machine (KVM) system that is hosted on the logical partition (LPAR) and based on {op-system-base} 8.6 or later. See link:https://access.redhat.com/support/policy/updates/errata#RHEL8_and_9_Life_Cycle[Red Hat Enterprise Linux 8 and 9 Life Cycle]. include::modules/cluster-entitlements.adoc[leveloffset=+1] 
diff --git a/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc b/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc index 4ffd195928..bac8d8713f 100644 --- a/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc +++ b/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc @@ -39,7 +39,7 @@ Ensure that installation steps are done from a machine with access to the instal ==== Be sure to also review this site list if you are configuring a proxy. ==== -* You provisioned a {op-system-base} Kernel Virtual Machine (KVM) system that is hosted on the logical partition (LPAR) and based on {op-system-base} 8.4 or later. See link:https://access.redhat.com/support/policy/updates/errata#RHEL8_and_9_Life_Cycle[Red Hat Enterprise Linux 8 and 9 Life Cycle]. +* You provisioned a {op-system-base} Kernel Virtual Machine (KVM) system that is hosted on the logical partition (LPAR) and based on {op-system-base} 8.6 or later. See link:https://access.redhat.com/support/policy/updates/errata#RHEL8_and_9_Life_Cycle[Red Hat Enterprise Linux 8 and 9 Life Cycle]. include::modules/installation-about-restricted-network.adoc[leveloffset=+1] diff --git a/modules/ibm-z-secure-execution.adoc b/modules/ibm-z-secure-execution.adoc index 540ca075cc..c0c65cdb4e 100644 --- a/modules/ibm-z-secure-execution.adoc +++ b/modules/ibm-z-secure-execution.adoc @@ -9,9 +9,6 @@ Before you install {op-system} using IBM Secure Execution, you must prepare the underlying infrastructure. -:FeatureName: Installing {op-system} using IBM Secure Execution -include::snippets/technology-preview.adoc[] - .Prerequisites * IBM z15 or later, or {linuxoneProductName} III or later. 
@@ -101,4 +98,49 @@ base64 .crt + Compared to guests not running IBM Secure Execution, the first boot of the machine is longer because the entire image is encrypted with a randomly generated LUKS passphrase before the Ignition phase. +. Add Ignition protection ++ +To protect the secrets that are stored in the Ignition config file from being read or even modified, you must encrypt the Ignition config file. ++ +[NOTE] +==== +To achieve the desired security, Ignition logging and local login are disabled by default when running IBM Secure Execution. +==== +.. Fetch the public GPG key for the `secex-qemu.qcow2` image and encrypt the Ignition config with the key by running the following command: ++ +[source,terminal] +---- +gpg --recipient-file /path/to/ignition.gpg.pub --yes --output /path/to/config.ign.gpg --verbose --armor --encrypt /path/to/config.ign +---- ++ +[NOTE] +==== +Before starting the VM, replace `serial=ignition` with `serial=ignition_crypted` when mounting the Ignition file. +==== ++ +When Ignition runs on the first boot, and the decryption is successful, you will see an output like the following example: ++ +.Example output +[source,terminal] +---- +[ 2.801433] systemd[1]: Starting coreos-ignition-setup-user.service - CoreOS Ignition User Config Setup... + +[ 2.803959] coreos-secex-ignition-decrypt[731]: gpg: key : public key "Secure Execution (secex) 38.20230323.dev.0" imported +[ 2.808874] coreos-secex-ignition-decrypt[740]: gpg: encrypted with rsa4096 key, ID , created +[ OK ] Finished coreos-secex-igni…S Secex Ignition Config Decryptor. +---- ++ +If the decryption fails, you will see an output like the following example: ++ +.Example output +[source,terminal] +---- +Starting coreos-ignition-s…reOS Ignition User Config Setup... 
+[ 2.863675] coreos-secex-ignition-decrypt[729]: gpg: key : public key "Secure Execution (secex) 38.20230323.dev.0" imported +[ 2.869178] coreos-secex-ignition-decrypt[738]: gpg: encrypted with RSA key, ID +[ 2.870347] coreos-secex-ignition-decrypt[738]: gpg: public key decryption failed: No secret key +[ 2.870371] coreos-secex-ignition-decrypt[738]: gpg: decryption failed: No secret key +---- ++ + . Follow the fast-track installation procedure to install nodes using the IBM Secure Exection QCOW image. \ No newline at end of file diff --git a/modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc b/modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc index 58f6feb2fe..705bd5deab 100644 --- a/modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc +++ b/modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc @@ -11,7 +11,7 @@ Complete the following steps to create the machines in a full installation on a .Prerequisites -* At least one LPAR running on {op-system-base} 8.4 or later with KVM, referred to as {op-system-base} KVM host in this procedure. +* At least one LPAR running on {op-system-base} 8.6 or later with KVM, referred to as {op-system-base} KVM host in this procedure. * The KVM/QEMU hypervisor is installed on the {op-system-base} KVM host. * A domain name server (DNS) that can perform hostname and reverse lookup for the nodes. * An HTTP or HTTPS server is set up. diff --git a/modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc b/modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc index df8837f0d1..6afe796fd9 100644 --- a/modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc +++ b/modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc 
@@ -11,7 +11,7 @@ Complete the following steps to create the machines in a fast-track installation .Prerequisites -* At least one LPAR running on {op-system-base} 8.4 or later with KVM, referred to as {op-system-base} KVM host in this procedure. +* At least one LPAR running on {op-system-base} 8.6 or later with KVM, referred to as {op-system-base} KVM host in this procedure. * The KVM/QEMU hypervisor is installed on the {op-system-base} KVM host. * A domain name server (DNS) that can perform hostname and reverse lookup for the nodes. * A DHCP server that provides IP addresses. @@ -54,5 +54,6 @@ $ virt-install --noautoconsole \ --disk {disk} \ --import \ --network network={network},mac={mac} \ - --disk path={ign_file},format=raw,readonly=on,serial=ignition,startup_policy=optional + --disk path={ign_file},format=raw,readonly=on,serial=ignition,startup_policy=optional <1> ---- +<1> If IBM Secure Execution is enabled, replace `serial=ignition` with `serial=ignition_crypted`. diff --git a/modules/installation-machine-requirements.adoc b/modules/installation-machine-requirements.adoc index 4f42f7f46d..f51ac7ac46 100644 --- a/modules/installation-machine-requirements.adoc +++ b/modules/installation-machine-requirements.adoc 
@@ -87,14 +87,14 @@ endif::ibm-z[] ==== ifndef::ibm-z,ibm-power[] -The bootstrap and control plane machines must use {op-system-first} as the operating system. However, the compute machines can choose between {op-system-first}, {op-system-base-full} 8.4, or {op-system-base} 8.5. +The bootstrap and control plane machines must use {op-system-first} as the operating system. However, the compute machines can choose between {op-system-first}, {op-system-base-full} 8.6, or {op-system-base} 8.7. endif::ibm-z,ibm-power[] ifdef::ibm-z,ibm-power[] The bootstrap, control plane, and compute machines must use {op-system-first} as the operating system. endif::ibm-z,ibm-power[] ifndef::openshift-origin[] -Note that {op-system} is based on {op-system-base-full} 8 and inherits all of its hardware certifications and requirements. +Note that {op-system} is based on {op-system-base-full} 9.2 and inherits all of its hardware certifications and requirements. endif::[] See link:https://access.redhat.com/articles/rhel-limits[Red Hat Enterprise Linux technology capabilities and limits]. diff --git a/modules/installation-minimum-resource-requirements.adoc b/modules/installation-minimum-resource-requirements.adoc index b089168e55..f91d299149 100644 --- a/modules/installation-minimum-resource-requirements.adoc +++ b/modules/installation-minimum-resource-requirements.adoc @@ -158,7 +158,7 @@ endif::ibm-z[] ifndef::openshift-origin[] |Compute ifdef::ibm-z,ibm-power,ibm-cloud-vpc[|{op-system}] -ifndef::ibm-z,ibm-power,ibm-cloud-vpc[|{op-system}, {op-system-base} 8.4, or {op-system-base} 8.5 ^[3]^] +ifndef::ibm-z,ibm-power,ibm-cloud-vpc[|{op-system}, {op-system-base} 8.6, or {op-system-base} 8.7 ^[3]^] |2 |8 GB |100 GB diff --git a/modules/installation-requirements-user-infra-ibm-z-kvm.adoc b/modules/installation-requirements-user-infra-ibm-z-kvm.adoc index 012f1eaf3f..229b88f6aa 100644 --- a/modules/installation-requirements-user-infra-ibm-z-kvm.adoc 
+++ b/modules/installation-requirements-user-infra-ibm-z-kvm.adoc @@ -10,7 +10,7 @@ For a cluster that contains user-provisioned infrastructure, you must deploy all of the required machines. -One or more KVM host machines based on {op-system-base} 8.4 or later. Each {op-system-base} KVM host machine must have libvirt installed and running. The virtual machines are provisioned under each {op-system-base} KVM host machine. +One or more KVM host machines based on {op-system-base} 8.6 or later. Each {op-system-base} KVM host machine must have libvirt installed and running. The virtual machines are provisioned under each {op-system-base} KVM host machine. [id="machine-requirements_{context}"] @@ -65,13 +65,8 @@ The {op-system-base} KVM host in your environment must meet the following requir You can install {product-title} version {product-version} on the following IBM hardware: -* IBM z16 (all models), IBM z15 (all models), IBM z14 (all models), IBM z13, and IBM z13s -* {linuxoneProductName} Emperor 4, {linuxoneProductName} III (all models), {linuxoneProductName} Emperor II, {linuxoneProductName} Rockhopper II, {linuxoneProductName} Emperor, and {linuxoneProductName} Rockhopper - -[NOTE] -==== -Support for {op-system} functionality for IBM z13 all models, {linuxoneProductName} Emperor, and {linuxoneProductName} Rockhopper is deprecated. These hardware models remain fully supported in {product-title} 4.13. However, Red Hat recommends that you use later hardware models. -==== +* IBM z16 (all models), IBM z15 (all models), IBM z14 (all models) +* {linuxoneProductName} 4 (all models), {linuxoneProductName} III (all models), {linuxoneProductName} Emperor II, {linuxoneProductName} Rockhopper II [id="minimum-ibm-z-system-requirements_{context}"] == Minimum {ibmzProductName} system environment 
@@ -94,7 +89,7 @@ Since the overall performance of the cluster can be impacted, the LPARs that are [discrete] === Operating system requirements -* One LPAR running on {op-system-base} 8.4 or later with KVM, which is managed by libvirt +* One LPAR running on {op-system-base} 8.6 or later with KVM, which is managed by libvirt On your {op-system-base} KVM host, set up: @@ -156,7 +151,7 @@ Each cluster virtual machine must meet the following minimum requirements: [discrete] === Operating system requirements -* For high availability, two or three LPARs running on {op-system-base} 8.4 or later with KVM, which are managed by libvirt. +* For high availability, two or three LPARs running on {op-system-base} 8.6 or later with KVM, which are managed by libvirt. On your {op-system-base} KVM host, set up: diff --git a/modules/minimum-ibm-z-system-requirements.adoc b/modules/minimum-ibm-z-system-requirements.adoc index a28aa9525c..5a2f0744ef 100644 --- a/modules/minimum-ibm-z-system-requirements.adoc +++ b/modules/minimum-ibm-z-system-requirements.adoc 
@@ -9,13 +9,8 @@ You can install {product-title} version {product-version} on the following IBM hardware: -* IBM z16 (all models), IBM z15 (all models), IBM z14 (all models), IBM z13, and IBM z13s -* {linuxoneProductName} Emperor 4, {linuxoneProductName} III (all models), {linuxoneProductName} Emperor II, {linuxoneProductName} Rockhopper II, {linuxoneProductName} Emperor, and {linuxoneProductName} Rockhopper - -[NOTE] -==== -Support for {op-system} functionality for IBM z13 all models, {linuxoneProductName} Emperor, and {linuxoneProductName} Rockhopper is deprecated. These hardware models remain fully supported in {product-title} 4.12. However, Red Hat recommends that you use later hardware models. -==== +* IBM z16 (all models), IBM z15 (all models), IBM z14 (all models) +* {linuxoneProductName} 4 (all models), {linuxoneProductName} III (all models), {linuxoneProductName} Emperor II, {linuxoneProductName} Rockhopper II [discrete] == Hardware requirements
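Review bot: the two edits in the `@@ -87,14 +87,14 @@` hunk of modules/installation-machine-requirements.adoc sit inside `ifndef::ibm-z,ibm-power[]` and `ifndef::openshift-origin[]` blocks, so the RHEL 8.6/8.7 compute-node versions and the new statement that {op-system} is based on {op-system-base-full} 9.2 change the requirements for every platform, not only IBM Z, and the same is true of the `^[3]^` table row changed in modules/installation-minimum-resource-requirements.adoc; the commit subject "IBM Z install 4.13" does not say so. Suggest stating in the PR description that these shared modules were updated for all platforms, or moving those two hunks into a separate commit so the owners of the other platform pages can review them.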
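Review bot: the `@@ -9,9 +9,6 @@` hunk of modules/ibm-z-secure-execution.adoc removes the `:FeatureName:` attribute and the `include::snippets/technology-preview.adoc[]` line, which promotes installing {op-system} with IBM Secure Execution from Technology Preview to a supported feature in the docs, but the commit message records nothing about that. Suggest referencing the release note or feature-tracking item for the 4.13 GA of this feature in the PR, and confirming no other page still carries the Technology Preview snippet for it.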
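Review bot: in the `@@ -101,4 +98,49 @@` hunk of modules/ibm-z-secure-execution.adoc, the step "Fetch the public GPG key for the `secex-qemu.qcow2` image" tells the reader to fetch the key but not where it is published or how to check that it belongs to the image, and the command then simply assumes `/path/to/ignition.gpg.pub`; the "public key decryption failed: No secret key" lines in the failure example are what gpg prints when the config was encrypted to a key the guest does not hold, so this step should name the source of the key and point out that the key ID printed in the successful boot output is what the reader can compare against. Three smaller points in the same hunk: the example outputs contain empty fields ("gpg: key : public key", "ID , created", "encrypted with RSA key, ID ") where key IDs were redacted, so replace them with an explicit placeholder such as `<key_id>` rather than leaving the lines looking broken; the ellipsized systemd lines ("coreos-secex-igni…S Secex Ignition Config Decryptor", "coreos-ignition-s…reOS Ignition User Config Setup...") should either be written out or introduced as truncated console output; and the final step has "Secure Exection" for "Secure Execution" and leaves the file without a trailing newline ("\ No newline at end of file").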
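Review bot: the `@@ -65,13 +65,8 @@` hunk of modules/installation-requirements-user-infra-ibm-z-kvm.adoc and the `@@ -9,13 +9,8 @@` hunk of modules/minimum-ibm-z-system-requirements.adoc make the same edit to two copies of the supported-hardware list, and the removed NOTE blocks had already drifted apart (one said the deprecated models "remain fully supported in {product-title} 4.13", the other "4.12"). Suggest keeping the list and its note in one module and including it from the other so the next update cannot diverge. The removed note also promised that IBM z13, {linuxoneProductName} Emperor and {linuxoneProductName} Rockhopper remain fully supported in 4.13, while the new list drops them entirely; confirm that removal rather than deprecation is intended for 4.13 and that a release note covers it, and check that "{linuxoneProductName} 4 (all models)" is the intended replacement for the former "{linuxoneProductName} Emperor 4".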