mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
6670d19872
modules/ibm-z-cex: Use Butane's boot_device layouts Use Butane's boot_device layouts to setup the LUKS encryption with CEX to properly account for all cases (zVM, LPAR, KVM and DASD or FCP disks). Remove the NVMe case as it is currently not tested and we don't have Butane sugar for it. Do not use the sugar for the zFCP case as there is currently an issue with mulitpath support with it. Also comment AsciiDoc callouts in yaml. See: https://coreos.github.io/butane/upgrading-openshift/#luks-cex-support See: https://coreos.github.io/butane/upgrading-openshift/#boot_device-layouts-s390x-support
186 lines
7.3 KiB
Plaintext
186 lines
7.3 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * installing/installing_ibm_z/installing-ibm-z.adoc
|
|
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
|
|
// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
|
|
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
|
|
// * installing/installing_ibm_z/installing-ibm-z-lpar.adoc
|
|
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-lpar.adoc
|
|
|
|
ifeval::["{context}" == "installing-ibm-z"]
|
|
:ibm-z:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-z-kvm"]
|
|
:ibm-z-kvm:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-z-lpar"]
|
|
:ibm-z-lpar:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
|
|
:ibm-z:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
|
|
:ibm-z-kvm:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-restricted-networks-ibm-z-lpar"]
|
|
:ibm-z-lpar:
|
|
endif::[]
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="configuring-luks-encryption-via-cex-ibm-z-linuxone-environment_{context}"]
|
|
= LUKS encryption via CEX in an {ibm-z-title} or {ibm-linuxone-title} environment
|
|
|
|
Enabling hardware-based Linux Unified Key Setup (LUKS) encryption via {ibm-name} Crypto Express (CEX) in an {ibm-z-name} or {ibm-linuxone-name} environment requires additional steps, which are described in detail in this section.
|
|
|
|
.Prerequisites
|
|
|
|
* You have installed the `butane` utility.
|
|
* You have reviewed the instructions for how to create machine configs with Butane.
|
|
|
|
.Procedure
|
|
|
|
ifdef::ibm-z-kvm[]
|
|
. Create Butane configuration files for the control plane and compute nodes:
|
|
** Create a file named `main-storage.bu` by using the following Butane configuration for a control plane node with disk encryption, for example:
|
|
+
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
variant: openshift
|
|
version: {product-version}.0
|
|
metadata:
|
|
name: main-storage
|
|
labels:
|
|
machineconfiguration.openshift.io/role: master
|
|
boot_device:
|
|
layout: s390x-virt
|
|
luks:
|
|
cex:
|
|
enabled: true
|
|
openshift:
|
|
fips: true # <1>
|
|
kernel_arguments:
|
|
- rd.luks.key=/etc/luks/cex.key # <2>
|
|
----
|
|
<1> Specifies whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
|
|
<2> Specifies the location of the key that is required to decrypt the device. You can not change this value.
|
|
endif::ibm-z-kvm[]
|
|
ifndef::ibm-z-kvm[]
|
|
. Choose the appropriate method to create Butane configuration files for the control plane and compute nodes:
|
|
** For installations on DASD-type disks, create a file named `main-storage.bu` by using the following Butane configuration for a control plane node with disk encryption, for example:
|
|
+
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
variant: openshift
|
|
version: {product-version}.0
|
|
metadata:
|
|
name: main-storage
|
|
labels:
|
|
machineconfiguration.openshift.io/role: master
|
|
boot_device:
|
|
layout: s390x-eckd
|
|
luks:
|
|
device: /dev/dasda
|
|
cex:
|
|
enabled: true
|
|
openshift:
|
|
fips: true # <1>
|
|
kernel_arguments:
|
|
- rd.luks.key=/etc/luks/cex.key # <2>
|
|
----
|
|
<1> Specifies whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
|
|
<2> Specifies the location of the key that is required to decrypt the device. You can not change this value.
|
|
+
|
|
** For installations on FCP-type disks, create a file named `main-storage.bu` by using the following Butane configuration for a control plane node with disk encryption, for example:
|
|
+
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
variant: openshift
|
|
version: {product-version}.0
|
|
metadata:
|
|
name: main-storage
|
|
labels:
|
|
machineconfiguration.openshift.io/role: master
|
|
storage:
|
|
filesystems:
|
|
- device: /dev/mapper/root
|
|
format: xfs
|
|
label: root
|
|
wipe_filesystem: true
|
|
luks:
|
|
- device: /dev/disk/by-label/root
|
|
label: luks-root
|
|
name: root
|
|
wipe_volume: true
|
|
cex:
|
|
enabled: true
|
|
openshift:
|
|
fips: true # <1>
|
|
kernel_arguments:
|
|
- rd.luks.key=/etc/luks/cex.key # <2>
|
|
----
|
|
<1> Specifies whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
|
|
<2> Specifies the location of the key that is required to decrypt the device. You can not change this value.
|
|
endif::ibm-z-kvm[]
|
|
|
|
. Create a parameter file that includes `ignition.platform.id=metal` and `ignition.firstboot`.
|
|
+
|
|
.Example kernel parameter file for the control plane machine
|
|
+
|
|
ifdef::ibm-z-kvm[]
|
|
[source,terminal]
|
|
----
|
|
cio_ignore=all,!condev rd.neednet=1 \
|
|
console=ttysclp0 \
|
|
ignition.firstboot ignition.platform.id=metal \
|
|
coreos.inst.ignition_url=http://<http_server>/master.ign \// <1>
|
|
coreos.live.rootfs_url=http://<http_server>/rhcos-<version>-live-rootfs.<architecture>.img \// <2>
|
|
ip=<ip_address>::<gateway>:<netmask>:<hostname>::none nameserver=<dns> \
|
|
rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
|
|
rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000
|
|
----
|
|
<1> Specifies the location of the Ignition configuration file. Use `master.ign` or `worker.ign`. You can only use the HTTP and HTTPS protocols.
|
|
<2> Specifies the location of the `rootfs` artifact for the `kernel` and `initramfs` that you want to boot. You can only use the HTTP and HTTPS protocols.
|
|
endif::ibm-z-kvm[]
|
|
ifndef::ibm-z-kvm[]
|
|
[source,terminal]
|
|
----
|
|
cio_ignore=all,!condev rd.neednet=1 \
|
|
console=ttysclp0 \
|
|
coreos.inst.install_dev=/dev/disk/by-id/scsi-<serial_number> \// <1>
|
|
ignition.firstboot ignition.platform.id=metal \
|
|
coreos.inst.ignition_url=http://<http_server>/master.ign \// <2>
|
|
coreos.live.rootfs_url=http://<http_server>/rhcos-<version>-live-rootfs.<architecture>.img \// <3>
|
|
ip=<ip_address>::<gateway>:<netmask>:<hostname>::none nameserver=<dns> \
|
|
rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
|
|
rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000 <4>
|
|
----
|
|
<1> Specifies a unique fully qualified path depending on disk type. This can be DASD-type or FCP-type disks.
|
|
<2> Specifies the location of the Ignition configuration file. Use `master.ign` or `worker.ign`. You can only use the HTTP and HTTPS protocols.
|
|
<3> Specifies the location of the `rootfs` artifact for the `kernel` and `initramfs` that you want to boot. You can only use the HTTP and HTTPS protocols.
|
|
<4> Specifies the root device. For installations on DASD-type disks, replace with `rd.dasd=0.0.xxxx` to specify the DASD device.
|
|
endif::ibm-z-kvm[]
|
|
+
|
|
[NOTE]
|
|
====
|
|
Write all options in the parameter file as a single line and make sure you have no newline characters.
|
|
====
|
|
|
|
ifeval::["{context}" == "installing-ibm-z"]
|
|
:!ibm-z:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-z-kvm"]
|
|
:!ibm-z-kvm:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-ibm-z-lpar"]
|
|
:!ibm-z-lpar:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
|
|
:!ibm-z:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
|
|
:!ibm-z-kvm:
|
|
endif::[]
|
|
ifeval::["{context}" == "installing-restricted-networks-ibm-z-lpar"]
|
|
:!ibm-z-lpar:
|
|
endif::[]
|