diff --git a/installing/installing_ibm_z/installing-ibm-z-kvm.adoc b/installing/installing_ibm_z/installing-ibm-z-kvm.adoc index 56bcea1dc0c6..83e38c7cf82c 100644 --- a/installing/installing_ibm_z/installing-ibm-z-kvm.adoc +++ b/installing/installing_ibm_z/installing-ibm-z-kvm.adoc @@ -95,6 +95,14 @@ include::modules/ibm-z-secure-execution.adoc[leveloffset=+2] * link:https://www.ibm.com/docs/en/linux-on-systems?topic=ibmz-secure-execution[Linux as an IBM Secure Execution host or guest] +include::modules/ibmz-configure-nbde-with-static-ip.adoc[leveloffset=+2] + +[role="_additional-resources"] +[id="additional-resources_configure-nbde-ibm-z-kvm"] +.Additional resources + +* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane]. + include::modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2] include::modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2] diff --git a/installing/installing_ibm_z/installing-ibm-z.adoc b/installing/installing_ibm_z/installing-ibm-z.adoc index 8e14b10e4af0..7a3266f3f796 100644 --- a/installing/installing_ibm_z/installing-ibm-z.adoc +++ b/installing/installing_ibm_z/installing-ibm-z.adoc @@ -98,6 +98,14 @@ include::modules/nw-operator-cr.adoc[leveloffset=+1] include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+1] +include::modules/ibmz-configure-nbde-with-static-ip.adoc[leveloffset=+1] + +[role="_additional-resources"] +[id="additional-resources_configure-nbde-ibm-z"] +.Additional resources + +* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane]. + include::modules/installation-ibm-z-user-infra-machines-iso.adoc[leveloffset=+1] include::modules/installation-user-infra-machines-static-network.adoc[leveloffset=+2] 
diff --git a/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc b/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc index bac8d8713f6e..6a37fcc425a2 100644 --- a/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc +++ b/installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc @@ -102,6 +102,14 @@ include::modules/ibm-z-secure-execution.adoc[leveloffset=+2] * link:https://www.ibm.com/docs/en/linux-on-systems?topic=ibmz-secure-execution[Linux as an IBM Secure Execution host or guest] +include::modules/ibmz-configure-nbde-with-static-ip.adoc[leveloffset=+2] + +[role="_additional-resources"] +[id="additional-resources_configure-nbde-ibm-z-kvm-restricted"] +.Additional resources + +* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane]. + include::modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2] include::modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2] diff --git a/installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc b/installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc index 20c639636af0..a137760411c9 100644 --- a/installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc +++ b/installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc 
@@ -104,6 +104,14 @@ include::modules/nw-operator-cr.adoc[leveloffset=+1] include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[leveloffset=+1] +include::modules/ibmz-configure-nbde-with-static-ip.adoc[leveloffset=+1] + +[role="_additional-resources"] +[id="additional-resources_Configure-nbde-ibm-z-restricted"] +.Additional resources + +* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane]. + include::modules/installation-ibm-z-user-infra-machines-iso.adoc[leveloffset=+1] include::modules/installation-user-infra-machines-static-network.adoc[leveloffset=+2] diff --git a/modules/ibmz-configure-nbde-with-static-ip.adoc b/modules/ibmz-configure-nbde-with-static-ip.adoc new file mode 100644 index 000000000000..ce1722c992f2 --- /dev/null +++ b/modules/ibmz-configure-nbde-with-static-ip.adoc 
@@ -0,0 +1,143 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_ibm_z/installing-ibm-z.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
+// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
+// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
+
+ifeval::["{context}" == "installing-ibm-z"]
+:ibm-z:
+endif::[]
+ifeval::["{context}" == "installing-ibm-z-kvm"]
+:ibm-z-kvm:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
+:ibm-z:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
+:ibm-z-kvm:
+endif::[]
+
+:_content-type: PROCEDURE
+[id="configuring-nbde-static-ip-ibmz-linuxone-environment_{context}"]
+= Configuring NBDE with static IP in an {ibmzProductName} or {linuxoneProductName} environment
+
+Enabling NBDE disk encryption in an {ibmzProductName} or {linuxoneProductName} environment requires additional steps, which are described in detail in this section.
+
+.Prerequisites
+
+* You set up the External Tang Server. See link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#network-bound-disk-encryption_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption[Network-bound disk encryption] for instructions.
+* You have installed the `butane` utility.
+* You have reviewed the instructions for how to create machine configs with Butane.
+
+.Procedure
+
+. Create Butane config files for the control plane and compute nodes.
++
+The following example Butane configuration for a control plane node creates a file named `master-storage.bu` for disk encryption:
++
+[source,yaml]
+----
+variant: openshift
+version: 4.13.0
+metadata:
+ name: master-storage
+ labels:
+ machineconfiguration.openshift.io/role: master
+storage:
+ luks:
+ - clevis:
+ tang:
+ - thumbprint: QcPr_NHFJammnRCA3fFMVdNBwjs
+ url: http://clevis.example.com:7500
+ifndef::ibm-z-kvm[]
+ device: /dev/disk/by-partlabel/root <1>
+endif::ibm-z-kvm[]
+ifdef::ibm-z-kvm[]
+ device: /dev/disk/by-partlabel/root
+endif::ibm-z-kvm[]
+ label: luks-root
+ name: root
+ wipe_volume: true
+ filesystems:
+ - device: /dev/mapper/root
+ format: xfs
+ label: root
+ wipe_filesystem: true
+----
+ifndef::ibm-z-kvm[]
+<1> For installations on DASD-type disks, replace with `device: /dev/disk/by-label/root`.
+endif::ibm-z-kvm[]
+
+. Create a customized initramfs file to boot the machine, by running the following command:
++
+[source,terminal]
+----
+$ coreos-installer pxe customize \
+ /root/rhcos-bootfiles/rhcos--live-initramfs.s390x.img \
+ --dest-device /dev/sda --dest-karg-append \
+ ip=::::::none \
+ --dest-karg-append nameserver= \
+ --dest-karg-append rd.neednet=1 -o \
+ /root/rhcos-bootfiles/-initramfs.s390x.img
+----
++
+[NOTE]
+====
+Before first boot, you must customize the initramfs for each node in the cluster and add PXE kernel parameters.
+====
+
+. Create a parameter file that includes `ignition.platform.id=metal` and `ignition.firstboot`.
++
+Example kernel parameter file for the control plane machine:
++
+ifndef::ibm-z-kvm[]
+[source,terminal]
+----
+rd.neednet=1 \
+console=ttysclp0 \
+coreos.inst.install_dev=/dev/dasda \ <1>
+ignition.firstboot ignition.platform.id=metal \
+coreos.live.rootfs_url=http://10.19.17.25/redhat/ocp/rhcos-413.86.202302201445-0/rhcos-413.86.202302201445-0-live-rootfs.s390x.img \
+coreos.inst.ignition_url=http://bastion.ocp-cluster1.example.com:8080/ignition/master.ign \
+ip=10.19.17.2::10.19.17.1:255.255.255.0::enbdd0:none nameserver=10.19.17.1 \
+zfcp.allow_lun_scan=0 \ <2>
+rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
+rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000 \ <3>
+zfcp.allow_lun_scan=0 \
+rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
+rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000
+----
+<1> For installations on DASD-type disks, add `coreos.inst.install_dev=/dev/dasda`. Omit this value for FCP-type disks.
+<2> For installations on FCP-type disks, add `zfcp.allow_lun_scan=0`. Omit this value for DASD-type disks.
+<3> For installations on DASD-type disks, replace with `rd.dasd=0.0.3490` to specify the DASD device.
+endif::ibm-z-kvm[]
+ifdef::ibm-z-kvm[]
+[source,terminal]
+----
+rd.neednet=1 \
+console=ttysclp0 \
+ignition.firstboot ignition.platform.id=metal \
+coreos.live.rootfs_url=http://10.19.17.25/redhat/ocp/rhcos-413.86.202302201445-0/rhcos-413.86.202302201445-0-live-rootfs.s390x.img \
+coreos.inst.ignition_url=http://bastion.ocp-cluster1.example.com:8080/ignition/master.ign \
+ip=10.19.17.2::10.19.17.1:255.255.255.0::enbdd0:none nameserver=10.19.17.1 \
+zfcp.allow_lun_scan=0 \
+rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
+rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000
+----
+endif::ibm-z-kvm[]
++
+Write all options in the parameter file as a single line and make sure you have no newline characters.
+
+ifeval::["{context}" == "installing-ibm-z"]
+:!ibm-z:
+endif::[]
+ifeval::["{context}" == "installing-ibm-z-kvm"]
+:!ibm-z-kvm:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
+:!ibm-z:
+endif::[]
+ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
+:!ibm-z-kvm:
+endif::[]
\ No newline at end of file
diff --git a/modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc b/modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc
index 705bd5deab9d..3c3a97bb56f8 100644
--- a/modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc
+++ b/modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc
@@ -55,7 +55,7 @@ $ virt-install \
 --network network={virt_network_parm} \
 --boot hd \
 --location {media_location},kernel={rhcos_kernel},initrd={rhcos_initrd} \
- --extra-args "rd.neednet=1 coreos.inst=yes coreos.inst.install_dev=vda coreos.live.rootfs_url={rhcos_liveos} ip={ip}::{default_gateway}:{subnet_mask_length}:{vn_name}:enc1:none:{MTU} nameserver={dns} coreos.inst.ignition_url={rhcos_ign}" \
+ --extra-args "rd.neednet=1 coreos.inst.install_dev=/dev/vda coreos.live.rootfs_url={rhcos_liveos} ip={ip}::{default_gateway}:{subnet_mask_length}:{vn_name}:enc1:none:{MTU} nameserver={dns} coreos.inst.ignition_url={rhcos_ign}" \
 --noautoconsole \
 --wait
 ----
diff --git a/modules/installation-ibm-z-user-infra-machines-iso.adoc b/modules/installation-ibm-z-user-infra-machines-iso.adoc
index 9be28a6895a6..5ef3578456ec 100644
--- a/modules/installation-ibm-z-user-infra-machines-iso.adoc
+++ b/modules/installation-ibm-z-user-infra-machines-iso.adoc
@@ -51,7 +51,7 @@ The rootfs image is the same for FCP and DASD. ** For `coreos.live.rootfs_url=`, specify the matching rootfs artifact for the kernel and initramfs you are booting. Only HTTP and HTTPS protocols are supported. ** For installations on DASD-type disks, complete the following tasks: -... For `coreos.inst.install_dev=`, specify `dasda`. +... For `coreos.inst.install_dev=`, specify `/dev/dasda`. ... Use `rd.dasd=` to specify the DASD where {op-system} is to be installed. ... Leave all other parameters unchanged. + @@ -61,7 +61,7 @@ Example parameter file, `bootstrap-0.parm`, for the bootstrap machine: ---- rd.neednet=1 \ console=ttysclp0 \ -coreos.inst.install_dev=dasda \ +coreos.inst.install_dev=/dev/dasda \ coreos.live.rootfs_url=http://cl1.provide.example.com:8080/assets/rhcos-live-rootfs.s390x.img \ coreos.inst.ignition_url=http://cl1.provide.example.com:8080/ignition/bootstrap.ign \ ip=172.18.78.2::172.18.78.1:255.255.255.0:::none nameserver=172.18.78.1 \ @@ -79,7 +79,7 @@ Write all options in the parameter file as a single line and make sure you have ==== When you install with multiple paths, you must enable multipathing directly after the installation, not at a later point in time, as this can cause problems. ==== -... Set the install device as: `coreos.inst.install_dev=sda`. +... Set the install device as: `coreos.inst.install_dev=/dev/sda`. + [NOTE] ==== @@ -99,7 +99,7 @@ The following is an example parameter file `worker-1.parm` for a worker node wit ---- rd.neednet=1 \ console=ttysclp0 \ -coreos.inst.install_dev=sda \ +coreos.inst.install_dev=/dev/sda \ coreos.live.rootfs_url=http://cl1.provide.example.com:8080/assets/rhcos-live-rootfs.s390x.img \ coreos.inst.ignition_url=http://cl1.provide.example.com:8080/ignition/worker.ign \ ip=172.18.78.2::172.18.78.1:255.255.255.0:::none nameserver=172.18.78.1 \