add NBDE encryption for IBM Z
SNiemann15 committed Apr 12, 2023
1 parent cb26a3c commit a0b2d75
Showing 5 changed files with 167 additions and 0 deletions.
8 changes: 8 additions & 0 deletions installing/installing_ibm_z/installing-ibm-z-kvm.adoc
Expand Up @@ -99,6 +99,14 @@ include::modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset

include::modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2]

include::modules/ibmz-configure-nbde-with-static-ip.adoc[leveloffset=+2]

[role="_additional-resources"]
[id="additional-resources_configure-nbde-ibm-z-kvm"]
.Additional resources

* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane].

include::modules/installation-user-infra-machines-static-network.adoc[leveloffset=+2]

include::modules/installation-installing-bare-metal.adoc[leveloffset=+1]
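Review bot: the `.Additional resources` block added after the new include is repeated verbatim in every assembly that includes `ibmz-configure-nbde-with-static-ip.adoc`, differing only in the `[id=...]` suffix; since the module already derives its own section id from `{context}`, the single xref to `installing-customizing.adoc#installing-customizing` could live once inside the module (for example under `additional-resources_configure-nbde_{context}`) so the four copies cannot drift apart when the link or its text changes.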
8 changes: 8 additions & 0 deletions installing/installing_ibm_z/installing-ibm-z.adoc
Expand Up @@ -100,6 +100,14 @@ include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[lev

include::modules/installation-ibm-z-user-infra-machines-iso.adoc[leveloffset=+1]

include::modules/ibmz-configure-nbde-with-static-ip.adoc[leveloffset=+2]

[role="_additional-resources"]
[id="additional-resources_configure-nbde-ibm-z"]
.Additional resources

* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane].

include::modules/installation-user-infra-machines-static-network.adoc[leveloffset=+2]

include::modules/installation-installing-bare-metal.adoc[leveloffset=+1]
Expand Up @@ -106,6 +106,14 @@ include::modules/installation-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset

include::modules/installation-full-ibm-z-kvm-user-infra-machines-iso.adoc[leveloffset=+2]

include::modules/ibmz-configure-nbde-with-static-ip.adoc[leveloffset=+2]

[role="_additional-resources"]
[id="additional-resources_configure-nbde-ibm-z-kvm-restricted"]
.Additional resources

* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane].

include::modules/installation-user-infra-machines-static-network.adoc[leveloffset=+2]

include::modules/installation-installing-bare-metal.adoc[leveloffset=+1]
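Review bot: this assembly is the restricted-network variant, but the included module only states "You set up the External Tang Server" as a prerequisite and then adds `rd.neednet=1` so the node brings up networking before the root volume is unlocked; the restricted-network context should say explicitly that the Tang server must be reachable from the node's static IP at first boot (before any cluster service exists), otherwise the LUKS volume cannot be unlocked and the install stalls. A one-line note next to this include, or in the module under `ifeval` for the restricted contexts, would cover it.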
Expand Up @@ -106,6 +106,14 @@ include::modules/installation-user-infra-generate-k8s-manifest-ignition.adoc[lev

include::modules/installation-ibm-z-user-infra-machines-iso.adoc[leveloffset=+1]

include::modules/ibmz-configure-nbde-with-static-ip.adoc[leveloffset=+2]

[role="_additional-resources"]
[id="additional-resources_Configure-nbde-ibm-z-restricted"]
.Additional resources

* xref:../../installing/install_config/installing-customizing.adoc#installing-customizing[Creating machine configs with Butane].

include::modules/installation-user-infra-machines-static-network.adoc[leveloffset=+2]

include::modules/installation-installing-bare-metal.adoc[leveloffset=+1]
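Review bot: the anchor `[id="additional-resources_Configure-nbde-ibm-z-restricted"]` uses a capital `C` in `Configure`, unlike the three sibling ids (`additional-resources_configure-nbde-ibm-z`, `..._configure-nbde-ibm-z-kvm`, `..._configure-nbde-ibm-z-kvm-restricted`); anchor ids are case-sensitive, so make it `additional-resources_configure-nbde-ibm-z-restricted` to keep the naming pattern consistent and avoid a broken xref later.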
135 changes: 135 additions & 0 deletions modules/ibmz-configure-nbde-with-static-ip.adoc
@@ -0,0 +1,135 @@
// Module included in the following assemblies:
//
// * installing/installing_ibm_z/installing-ibm-z.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc

ifeval::["{context}" == "installing-ibm-z"]
:ibm-z:
endif::[]
ifeval::["{context}" == "installing-ibm-z-kvm"]
:ibm-z-kvm:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
:ibm-z:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
:ibm-z-kvm:
endif::[]

:_content-type: PROCEDURE
[id="configuring-nbde-static-ip-ibmz-linuxone-environment_{context}"]
= Configuring NBDE with static IP in an {ibmzProductName} or {linuxoneProductName} environment

Enabling NBDE disk encryption in an {ibmzProductName} or {linuxoneProductName} environment requires additional steps, which are described in detail in this section.

.Prerequisites

* You set up the External Tang Server. See link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#network-bound-disk-encryption_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption[Network-bound disk encryption] for instructions.
* You have installed the `butane` utility.
* You have reviewed the instructions for how to create machine configs with Butane.
.Procedure

. Create Butane config files for the control plane and compute nodes.
+
The following example Butane configuration for a control plane node creates a file named `master-storage.bu` for disk encryption:
+
[source,yaml]
----
variant: openshift
version: 4.13.0
metadata:
name: master-storage
labels:
machineconfiguration.openshift.io/role: master
boot_device:
luks:
tang:
- url: http://12.23.21.58:7500
thumbprint: QcPr_NHFJammnRCA3fFMVdNBwjs
threshold: 1
openshift:
fips: true
----
ifndef::ibm-z-kvm[]
+
[NOTE]
====
To encrypt DASD disks you must add `device: /dev/disk/by-label/root` to the Ignition file that is generated by Butane.
====
endif::ibm-z-kvm[]

. Create a customized initramfs file, by running the following command:
+
[source,terminal]
----
$ coreos-installer pxe customize \
/root/rhcos-bootfiles/rhcos-<release>-live-initramfs.s390x.img \
--dest-device /dev/sda --dest-karg-append \
ip=<ip-address>::<gateway-ip>:<subnet-mask>::<network-device>:none \
--dest-karg-append nameserver=<nameserver-ip> \
--dest-karg-append rd.neednet=1 -o \
/root/rhcos-bootfiles/<Node-name>-initramfs.s390x.img
----
ifndef::ibm-z-kvm[]
+
[NOTE]
====
Before first boot, you must customize the initramfs for each node in the cluster and add PXE kernel parameters.
====
endif::ibm-z-kvm[]

. Create a parameter file that includes `ignition.platform.id=metal` and `ignition.firstboot`.
+
Example kernel parameter file for the control plane machine:
+
ifndef::ibm-z-kvm[]
[source,terminal]
----
rd.neednet=1 \
console=ttysclp0 \
coreos.inst.install_dev=dasda \ <1>
ignition.firstboot=true ignition.platform.id=metal \
coreos.live.rootfs_url=http://10.19.17.25/redhat/ocp/rhcos-413.86.202302201445-0/rhcos-413.86.202302201445-0-live-rootfs.s390x.img \ coreos.inst.ignition_url=http://bastion.ocp-cluster1.example.com:8080/ignition/master.ign \
ip=10.19.17.2::10.19.17.1:255.255.255.0::enbdd0:none nameserver=10.19.17.1 \
zfcp.allow_lun_scan=0 \ <2>
rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000 \ <3>
zfcp.allow_lun_scan=0 \
rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000
----
<1> For installations on DASD-type disks, add `coreos.inst.install_dev=dasda`. Omit this value for FCP-type disks.
<2> For installations on FCP-type disks, add `zfcp.allow_lun_scan=0`. Omit this value for DASD-type disks.
<3> For installations on DASD-type disks, replace with `rd.dasd=0.0.3490` to specify the DASD device.
endif::ibm-z-kvm[]
ifdef::ibm-z-kvm[]
[source,terminal]
----
rd.neednet=1 \
console=ttysclp0 \
ignition.firstboot=true ignition.platform.id=metal \
coreos.live.rootfs_url=http://10.19.17.25/redhat/ocp/rhcos-413.86.202302201445-0/rhcos-413.86.202302201445-0-live-rootfs.s390x.img \ coreos.inst.ignition_url=http://bastion.ocp-cluster1.example.com:8080/ignition/master.ign \
ip=10.19.17.2::10.19.17.1:255.255.255.0::enbdd0:none nameserver=10.19.17.1 \
zfcp.allow_lun_scan=0 \
rd.znet=qeth,0.0.bdd0,0.0.bdd1,0.0.bdd2,layer2=1 \
rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000
----
endif::ibm-z-kvm[]
+
Write all options in the parameter file as a single line and make sure you have no newline characters.

ifeval::["{context}" == "installing-ibm-z"]
:!ibm-z:
endif::[]
ifeval::["{context}" == "installing-ibm-z-kvm"]
:!ibm-z-kvm:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
:!ibm-z:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
:!ibm-z-kvm:
endif::[]
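Review bot: the FCP sample `rd.zfcp=0.0.5677,0x600606680g7f0056,0x034F000000000000`, used in both the non-KVM and the KVM parameter files, contains a `g` in the WWPN, which is not a hexadecimal digit, so the line is invalid before a reader even substitutes their own values; use an obvious placeholder such as `0x<wwpn>` or a valid hex value. In the non-KVM parameter file the three lines `zfcp.allow_lun_scan=0 \`, `rd.znet=qeth,...` and `rd.zfcp=...` appear twice (once with callouts `<2>`/`<3>`, then again at the end), and the `coreos.live.rootfs_url=... \ coreos.inst.ignition_url=...` entry carries its continuation backslash in the middle of the line, so the example should be cut to one copy of each option with one option per line. That same example also mixes `coreos.inst.install_dev=dasda` (callout `<1>`, DASD only) with `zfcp.allow_lun_scan=0` and `rd.zfcp=` (FCP only); a separate DASD example and FCP example would be clearer than callouts telling the reader which lines to omit. The `coreos-installer pxe customize` command hardcodes `--dest-device /dev/sda`, which does not match the `dasda` or zFCP targets described in step 3; use a placeholder and say it must agree with `coreos.inst.install_dev`. Smaller points: `.Procedure` directly follows the last prerequisite bullet without the blank line that precedes `.Prerequisites`, which risks the title being read as part of the bullet; step 3 should name the parameter as `ignition.firstboot=true`, as the example does; the Tang `url: http://12.23.21.58:7500` and `thumbprint:` values look like a real server rather than placeholders, so `<tang_server_url>`-style placeholders would avoid copy-paste of someone else's endpoint; `<Node-name>` is inconsistent with the lowercase placeholders elsewhere; and the DASD note should state where `device: /dev/disk/by-label/root` goes (the Butane `luks` entry or a hand edit of the generated Ignition JSON), since "add to the Ignition file that is generated by Butane" is ambiguous.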
