mirror of https://github.com/xcat2/confluent.git synced 2024-11-22 17:43:14 +00:00
Commit Graph

5175 Commits

Author SHA1 Message Date
Jarrod Johnson
e6dc383d25 Fix mistake in EL8/EL9 LUKS 2024-07-29 11:22:07 -04:00
Jarrod Johnson
329f2b4485 Amend cryptboot implementation for Ubuntu 22/24, EL8/EL9
Provide mechanism for administrator to place a custom
key for potential interactive recovery into
/var/lib/confluent/private/os/<profile>/pending/luks.key

If not provided, generate a unique one for each install.

Either way, persist the key in /etc/confluent/luks.key, to
facilitate later resealing if the user wants (neither clevis nor systemd
prior to 256 supports unlock via TPM2, so a keyfile is required
for now).

Migrating to otherwise escrowed passphrases and/or sealing to
specific TPMs will be left to operators and/or third parties.
2024-07-29 10:17:14 -04:00
Jarrod Johnson
bee9f18197 Tolerate / in the apikey for LUKS setup
The apikey is highly likely to have a /, and so we need to use something
not in the base64 alphabet as a delimiter.
2024-07-26 17:59:42 -04:00
Jarrod Johnson
1af898dcb8 Fix encryptboot on EL8/EL9 2024-07-26 17:43:51 -04:00
Jarrod Johnson
332068074d Extend systemdecrypt hook to support Ubuntu 24.04
Ubuntu 24.04 systemd-cryptsetup now has an external dependency.
2024-07-26 16:54:58 -04:00
Jarrod Johnson
2df902e80e Remove luks password from argv
Pass the luks password by environment variable instead.
2024-07-26 14:07:54 -04:00
Jarrod Johnson
7a602f58b2 Fixes for ubuntu profile tpm support 2024-07-26 13:47:13 -04:00
Jarrod Johnson
c563f48c71 Fix assignment of lukspass variable. 2024-07-26 12:30:41 -04:00
Jarrod Johnson
c1747ad24c Correct spelling of key for luks check 2024-07-26 11:54:10 -04:00
Jarrod Johnson
1ddf735590 Fix omitted argument to addcrypt 2024-07-26 11:50:53 -04:00
Jarrod Johnson
f482d2ead9 Amend crypt hook check
The comment was changed, check for password instead.
2024-07-26 11:35:49 -04:00
Jarrod Johnson
58ee85f39e Rework Ubuntu addcrypt support
The comment based hook is destroyed during early install process.

Use python to manipulate the autoinstall file in a more sophisticated way.

Also refactor the initramfs hook material to be standalone files.
2024-07-26 11:33:01 -04:00
Jarrod Johnson
1d6009a2f2 Switch to using systemd-cryptenroll
The design more cleanly uses a luks slot, but
requires providing initramfs hooks.

Those hooks are provided now.
2024-07-26 10:33:38 -04:00
Jarrod Johnson
6d15633a95 Merge branch 'master' into ubuntucryptboot 2024-07-25 15:57:00 -04:00
Jarrod Johnson
dc7c9f4a3d Have SSDP fallback to unverified noderanges when looking at candidates 2024-07-25 15:26:23 -04:00
Jarrod Johnson
956e473fa6 Have SSDP fallback to unverified noderanges when looking at candidates 2024-07-25 15:25:09 -04:00
Jarrod Johnson
626f16cb6f Ignore duplicate specifications of same key
Particularly if traversing a lot of linked configuration, the same key/cert
path may come up multiple times; check for equality
and if equal, just keep going.
2024-07-25 14:55:06 -04:00
Jarrod Johnson
30aa6f382c Ignore duplicate specifications of same key
Particularly if traversing a lot of linked configuration, the same key/cert
path may come up multiple times; check for equality
and if equal, just keep going.
2024-07-25 14:54:15 -04:00
Jarrod Johnson
fe6d44a4bb
Merge pull request #153 from Obihoernchen/json-dump-sort
Use natural sort for lists in json dumps
2024-07-25 14:15:15 -04:00
Jarrod Johnson
298be3b30a Point to the C context object rather than python class
The OpenSSL variant of Context is a python class, but it does have
a C context in it.
2024-07-25 14:05:59 -04:00
Jarrod Johnson
80296b6cbc Point to the C context object rather than python class
The OpenSSL variant of Context is a python class, but it does have
a C context in it.
2024-07-25 14:05:10 -04:00
Markus Hilger
41b722c3f7 Use natural sort for lists in json dumps
Previously, items were randomly arranged in lists in the json dump. This meant that the JSON files were different after each export.
Now they are naturally sorted and identical.
This should make it easier to save and compare the JSON dumps in version control systems.
2024-07-25 18:38:23 +02:00
Jarrod Johnson
0f955cd068 Begin work on a cryptboot support for ubuntu
Start implementing a tpm2-initramfs-tool based approach.

This requires a bit of an odd transition as the PCR 7 is likely
to change between the install phase and the boot phase, so
we have to select different PCRs, but that requires
an argument to pass that crypttab does not support.
2024-07-25 11:24:41 -04:00
Jarrod Johnson
c3e918fc5f Fix mistake in untethered support 2024-07-25 09:42:24 -04:00
Jarrod Johnson
8f1a1130a8 Add a selfcheck to check misdone collective manager 2024-07-24 15:55:04 -04:00
Jarrod Johnson
6e8d8dabd1 Fix whitespace issue 2024-07-24 15:28:03 -04:00
Jarrod Johnson
a92edc7924 Apply ownership sanity check even for root
User could accidentally run 'confluent' in a way that makes no sense;
block it the most accessible way.

The pid file should have blocked it, but systemd purges the directory
even on failure.
2024-07-24 15:20:02 -04:00
Jarrod Johnson
714fefe31b Fix untethered boot for ubuntu 2024-07-24 14:41:39 -04:00
Jarrod Johnson
c91af840e5 Robust handling of relative link resolv.conf
resolv.conf may be a relative link, normal file, or absolute link.

Handle all cases.
2024-07-24 11:12:31 -04:00
Jarrod Johnson
2235faa76d Stop using private interface of PyCA
PyCA changes their minds about which bindings to include.

So make the binding ourselves since PyCA removed it in certain versions.

This is a backport of the implementation from the async port effort.
2024-07-24 08:33:20 -04:00
Jarrod Johnson
8f58567a70 Add ssh to default services of a built ubuntu image 2024-07-23 11:05:51 -04:00
Jarrod Johnson
cf4475cfcc Escape the '\W' to avoid stepping on python processing 2024-07-23 10:23:05 -04:00
Jarrod Johnson
a94b9235e8 Tighten umask on confignet to avoid ubuntu warnings 2024-07-23 10:14:32 -04:00
Jarrod Johnson
bb04faed04 Explicitly request bash under ubuntu, which tends to use dash 2024-07-23 10:01:53 -04:00
Jarrod Johnson
33ed1a5e64 Add onboot for ubuntu diskless 2024-07-23 09:32:20 -04:00
Jarrod Johnson
1ade704daa Fix imgutil copy of ubuntu sources 2024-07-22 16:40:44 -04:00
Jarrod Johnson
34b03da494 Update for Ubuntu 24.04 diskless 2024-07-22 16:33:07 -04:00
Jarrod Johnson
4f18294d93 Fix path in debian build for imgutil 2024-07-22 13:57:38 -04:00
Jarrod Johnson
7154a1d60c Add control file for deb build of imgutil 2024-07-22 13:47:36 -04:00
Jarrod Johnson
69fa3f10c0 Add deb packaging of imgutil 2024-07-22 13:47:29 -04:00
Jarrod Johnson
294ef8e88c Fix for IB diskless boot to install clone
The infiniband section must be defined for the OS
to use the IB link. If it is missing then networking
does not come up during firstboot.

Fix this by having an infiniband section, including explicitly
declaring use of datagram mode. This should suffice for all
install use cases, and may be changed after firstboot starts.
2024-07-19 09:28:29 -04:00
Jarrod Johnson
b61e5fb1ff
Merge pull request #151 from Obihoernchen/el-stateful-fix
Fix EL stateful install
2024-07-18 13:06:12 -04:00
Markus Hilger
b4a33b8102 Fix EL stateful install
Sometimes stateful install can fail if vgchange -a n is run after dd.
Use wipefs instead and fix order of both commands.
Furthermore, use the $INSALLDISK variable.
2024-07-18 17:35:39 +02:00
Jarrod Johnson
9d5432f8cd Fix network configuration when middle name ends in 'net' 2024-07-18 08:40:40 -04:00
Jarrod Johnson
abf12f2b96 Reinstate linuxefi/initrdefi for older GRUB
Technically, Grub never had 'linuxefi/initrdefi' commands
officially, so this is a bit weird.

However, if we see signs of GRUB older than 2.03, we will assume
that it requires the linuxefi/initrdefi commands from
the out of tree patch to support EFI the old way.

This corresponds with EL7.  Other variants seem ok with
the more proper linux/initrd command names.
2024-07-15 11:26:58 -04:00
Jarrod Johnson
5d08919769
Merge pull request #150 from tkucherera-lenovo/nodebmcpasswordUpdate
better error handling
2024-07-15 09:30:22 -04:00
tkucherera
8d726bced9 better error handling 2024-07-15 09:22:59 -04:00
Jarrod Johnson
945dff09f3 Change to generic linux/initrd command in Grub
Modern grub has removed these variants, and they should only be required for very old non-EFI stub kernels
2024-07-15 08:19:13 -04:00
Jarrod Johnson
7a3e1dfde3 Fix grub fallback path for more grub 2024-07-12 16:48:46 -04:00
Jarrod Johnson
c0cc673c63 Make directory exist before creating file 2024-07-12 16:31:06 -04:00