mirror of https://github.com/xcat2/confluent.git synced 2024-11-23 10:02:04 +00:00
Commit Graph

3630 Commits

Author SHA1 Message Date
Jarrod Johnson
e565a1752f Fix LEAP initprofile behavior 2021-07-01 13:43:31 -04:00
Jarrod Johnson
ef1649208e Switch to using separate CA for TLS
This allows regenerating TLS cert
without updating boot images.

For example, if ip address changes need a new cert, no
longer should the nodes need new certs to trust
just due to that.
2021-06-30 14:25:46 -04:00
Jarrod Johnson
35b9635840 Clear armed API if current node token is used
If a node is armed, but instead unseals the prior key from TPM,
implicitly clear the armed state to avoid leaving it armed.
2021-06-28 13:30:09 -04:00
Jarrod Johnson
9c43dbff47 Rework MFA handling
Avoid calling PAM in the parent process, as
this seems to cause problems with some PAM
configurations.
2021-06-28 11:34:11 -04:00
Jarrod Johnson
f830514d10 Implement support for additional pam prompts
For example, if PAM has OTP, then support it.
2021-06-25 17:26:32 -04:00
Jarrod Johnson
f2eba22b9b Fix TLS certs for el8 diskless
Properly place and process
the TLS certs for a site.
2021-06-25 13:06:35 -04:00
Jarrod Johnson
1fcab688dd Fix connection name in networkmanager diskless 2021-06-25 10:56:35 -04:00
Jarrod Johnson
abfa2c4f7c Switch back to default curl output
The terminal size on console is a challenge.
2021-06-24 17:01:35 -04:00
Jarrod Johnson
3be73af07e Change style of download progress in curl
Use a simpler progress bar.
2021-06-24 16:46:10 -04:00
Jarrod Johnson
a2b2c8a995 Remove extraneous '/' output
Suppress output of cd -, as
it's a bit odd during boot.
2021-06-24 15:57:03 -04:00
Jarrod Johnson
42f8056d56 Fix apiclient with TPM managed token
The retry mechanism is amended
to clear out the useless key
and start trying to get a network grant again.
2021-06-24 14:53:54 -04:00
Jarrod Johnson
2ef695324a Migrate genesis to new TPM strategy
Have addons for genesis
implement the same TPM usage
model as the suse/redhat stateless.
2021-06-24 14:35:21 -04:00
Jarrod Johnson
4c6f0843f9 Remove microcode from genesis
Should not be needed for genesis level activity, and consumes a large
amount of storage.
2021-06-24 14:00:19 -04:00
Jarrod Johnson
c19ae8a451 Add tpm2 tools to genesis
Follow the design of the stateless usage of TPM
2021-06-24 13:20:47 -04:00
Jarrod Johnson
a8e152cc4a Switch TPM strategy on RedHat diskless
Switch to the same approach as used in suse:
-Try to unseal any persistent handles
-If that works, try to use it on network
-If it didn't work, clear that handle
-When an api key is retrieved, then seal it to pcr 15
-When it's all done, extend pcr15 to prevent the OS from being able to
unseal
2021-06-24 12:04:10 -04:00
Jarrod Johnson
c92b3aea9d Mitigate error output from extraneous handles
Unrelated handles in use will no longer result in misleading console
output.
2021-06-24 11:41:34 -04:00
Jarrod Johnson
5be4a5ab73 Add missing TPM utilities to suse boot 2021-06-24 11:22:41 -04:00
Jarrod Johnson
3c41c52d77 Rework TPM usage in SUSE diskless
For one, need to detect stale
TPM value and clear them.

For another, seal to PCR 15 and extend after unlock, so that the booted
system is unable to retrieve
the data from the TPM (e.g.
a plain user by default is allowed
to unseal data if there's no
policy, so use a policy and
extend the state away before boot)
2021-06-24 11:09:37 -04:00
Jarrod Johnson
e24a3a7231 Change media_url
Have autoyast file pass validation and adapt
the processing to work with it.
2021-06-24 08:27:55 -04:00
Jarrod Johnson
bffb7a8cac Correct typo in suse install autoconsole message 2021-06-23 17:52:21 -04:00
Jarrod Johnson
feb418ac59 Store TPM unsealed apikey in usual location 2021-06-23 17:22:18 -04:00
Jarrod Johnson
ee5ea4263f Add curl to suse15 pkglist 2021-06-23 17:16:13 -04:00
Jarrod Johnson
b30fabd55d Enable TPM2 on SUSE diskless for apikey
Rather than remote sealed copy, store it in the TPM2

Will convert genesis and EL diskless for this to be the new preferred
mechanism.
2021-06-23 17:01:27 -04:00
Jarrod Johnson
b8c9e9c535 Begin work to support complex PAM conversations
For example, TOTP setups need
more prompts, this will pass
the info to the client for the client to adjust.
2021-06-23 16:31:42 -04:00
Jarrod Johnson
d86fc664e9 Handle space delimiting in nameservers
If multiple dns servers, then need to quote to preserve
the list.
2021-06-23 12:35:54 -04:00
Jarrod Johnson
6862d9e580 Correct formatting of nameserver list in suse 2021-06-23 12:26:49 -04:00
Jarrod Johnson
dc8cb1b13f Correct syntax in imageboot for suse 2021-06-23 12:24:36 -04:00
Jarrod Johnson
f10d2af59f Specify netconfig file location 2021-06-23 12:16:08 -04:00
Jarrod Johnson
172bb12885 Modify Suse diskless for suse networking
Suse doesn't use network manager, populate sysconfig
instead.
2021-06-23 12:07:13 -04:00
Jarrod Johnson
4445b8cc78 Fix name resolution for suse hosts/containers
Suse uses a strategy with symlinks, adapt
the resolv.conf target based on findings from
symlink chasing.
2021-06-23 11:49:16 -04:00
Jarrod Johnson
b2fa2d92c5 Correct formatting mistake in os profile label in diskless 2021-06-23 11:32:43 -04:00
Jarrod Johnson
fc19ca4e36 Change to python-dnspython for dependency
Multiple compatible packages exist that provide same name, accept
either.
2021-06-23 08:37:00 -04:00
Jarrod Johnson
23231e2b75 Have Suse15 diskless prep initrd and enable sshd 2021-06-22 16:59:12 -04:00
Jarrod Johnson
9ad5f52eed Package up suse diskless support 2021-06-22 16:37:04 -04:00
Jarrod Johnson
76f3537a79 Further advance SUSE15 diskless support 2021-06-22 16:18:32 -04:00
Jarrod Johnson
b26b46dc41 Create dracut module for suse15 2021-06-22 14:49:15 -04:00
Jarrod Johnson
deec9b111a Initial phase of suse diskless support 2021-06-22 14:29:28 -04:00
Jarrod Johnson
59e6dc80b3 Remove commented, non-working concept code
The code was going to replace XInclude with something more manual
from sed and xml comments, but yast strips the comments.

So we instead manually make hooks for the replacement items.
2021-06-22 12:21:18 -04:00
Jarrod Johnson
e34d76f7eb OpenSUSE 15.3 support
A number of changes in opensuse 15.3 require modifying our
strategy.

No more XInclude. This seems to be unintentional, but it released
and so we will work around it.

Some somewhat incorrect values, as pointed out by new validation.
2021-06-22 12:19:54 -04:00
Jarrod Johnson
f0693f6ee5 Correct typo in imgutil 2021-06-15 13:45:27 -04:00
Jarrod Johnson
84634afc9c Improve imgutil brevity
Allow it to take only the basename and
default to likely /var/lib/confluent locations
Draft work on tab completion for imgutil.

Technically the tab completion should be in the imgutil package,
but for now bundle with server.
2021-06-15 13:30:30 -04:00
Jarrod Johnson
5621d48ffa Fix syntax error with new check 2021-06-15 12:23:45 -04:00
Jarrod Johnson
55a4211e71 Fix imgutil volume mounting 2021-06-15 12:12:27 -04:00
Jarrod Johnson
802ba9c708
Merge pull request #60 from vmaneagit/patch-61
Update collective.ronn
2021-06-15 09:42:48 -04:00
Jarrod Johnson
490827fe3a Allow memory reclamation through deletion
When going to zram, things were solid for space reduction as
data was written, however memory could no longer be reclaimed.

It turns out that zram supports TRIM, and by telling xfs discard,
we have it do trim-on-demand. It is by default off out of performance
concerns, but I don't think that applies to a zram backed filesystem.
2021-06-15 09:36:44 -04:00
vmaneagit
85568091fa
Update collective.ronn
Added correction for:

"collective gencert collective delete" should be on 2 separate lines.

correction should be:

collective gencert
collective delete
2021-06-15 16:25:26 +03:00
Jarrod Johnson
2ecab0432c Fix imageboot.sh issues for diskless boot 2021-06-15 08:58:21 -04:00
Jarrod Johnson
dee03e1359 Attempt to updateboot at end of pack 2021-06-15 08:41:33 -04:00
Jarrod Johnson
3f87696978 Fix typo in imageboot.sh script 2021-06-15 08:38:27 -04:00
Jarrod Johnson
38a4e20b9a Fix issues around imageboot and source in functions 2021-06-15 08:31:45 -04:00