mirror of https://github.com/xcat2/confluent.git synced 2024-11-29 13:00:03 +00:00
Commit Graph

33 Commits

Author SHA1 Message Date
Jarrod Johnson
71ca9ef76c Fix path to ntp servers in user-data mod for ubuntu 2024-07-29 15:57:34 -04:00
Jarrod Johnson
1c4f1ae817 Try to add ntp and timezones to Ubuntu scripted install 2024-07-29 15:21:10 -04:00
Jarrod Johnson
329f2b4485 Amend cryptboot implementation for Ubuntu 22/24, EL8/EL9
Provide mechanism for administrator to place a custom
key for potential interactive recovery into
/var/lib/confluent/private/os/<profile>/pending/luks.key

If not provided, generate a unique one for each install.

Either way, persist the key in /etc/confluent/luks.key, to
facilitate later resealing if the user wants (neither clevis nor systemd
prior to 256 supports unlock via TPM2, so keyfile is required
for now).

Migrating to otherwise escrowed passphrases and/or sealing to
specific TPMs will be left to operators and/or third parties.
2024-07-29 10:17:14 -04:00
Jarrod Johnson
332068074d Extend systemdecrypt hook to support Ubuntu 24.04
Ubuntu 240.4 systemd-cryptsetup now has an external dependency.
2024-07-26 16:54:58 -04:00
Jarrod Johnson
2df902e80e Remove luks password from argv
Pass the luks password by environment variable instead.
2024-07-26 14:07:54 -04:00
Jarrod Johnson
7a602f58b2 Fixes for ubuntu profile tpm support 2024-07-26 13:47:13 -04:00
Jarrod Johnson
c563f48c71 Fix assignment of lukspass variable. 2024-07-26 12:30:41 -04:00
Jarrod Johnson
c1747ad24c Correct spelling of key for luks check 2024-07-26 11:54:10 -04:00
Jarrod Johnson
1ddf735590 Fix omitted argument to addcrypt 2024-07-26 11:50:53 -04:00
Jarrod Johnson
f482d2ead9 Amend crypt hook check
The comment was changed, check for password instead.
2024-07-26 11:35:49 -04:00
Jarrod Johnson
58ee85f39e Rework Ubuntu addcrypt support
The comment based hook is destroyed during early install process.

Use python to manipulate the autoinstall file in a more sophisticated way.

Also refactor the initramfs hook material to be standalone files.
2024-07-26 11:33:01 -04:00
Jarrod Johnson
1d6009a2f2 Switch to using systemd-cryptenroll
The design more cleanly uses luks slot, but
requires providing initramfs hooks.

Those hooks are provided now.
2024-07-26 10:33:38 -04:00
Jarrod Johnson
0f955cd068 Begin work on a cryptboot support for ubuntu
Start implementing a tpm2-initramfs-tool based approach.

This requires a bit of an odd transition as the PCR 7 is likely
to change between the install phase and the boot phase, so
we have to select different PCRs, but that requires
an argument to pass that crypttab does not support.
2024-07-25 11:24:41 -04:00
Jarrod Johnson
8c193fe33f Fix issues with firstboot on Ubuntu 22+ 2024-07-12 15:30:47 -04:00
Jarrod Johnson
1da27083cc Another cleanup of syncfileclient output 2024-04-09 15:08:56 -04:00
Jarrod Johnson
67b3c48dc9 Clean up error output on syncfileclient execution 2024-04-09 14:58:38 -04:00
Jarrod Johnson
02f301b5d0 Fix mistakes in syncfileclient change 2024-04-09 13:41:27 -04:00
Jarrod Johnson
f68f9f4693 Make syncfile step robust or pause
If syncfiles fails, keep it retrying.

Also, slow down sync checking to avoid hammering the system.

Further, randomized delay to spread highly synchronized requestors.

Block attempts to do multiple concurrent syncfile runs.
2024-04-09 11:07:11 -04:00
henglikuang1
ea88ccb0ad Fix efivars handling of unexpected unmount 2024-01-11 14:31:45 +08:00
Jarrod Johnson
68ce3d039d Filter out nvme 'c' devnames, that are used to refer to paths to nvme
Some versions start manifesting nvme devnames with 'c', which
are to be used to interact with multipath to have raw devices
backing a traditional nvme device.
2023-11-27 08:34:34 -05:00
Jarrod Johnson
ee19386d8c Export nodename in ubuntu pre 2023-10-04 09:49:09 -04:00
Jarrod Johnson
a00fd325aa Export variables for ubuntu pre.d run 2023-09-27 13:09:23 -04:00
Jarrod Johnson
0a527f5f39 Add environment to firstboot ubuntu 2023-09-18 11:38:41 -04:00
Jarrod Johnson
a01b7c6503 Revamp and add missing bits to scripted ubuntu install 2023-09-18 10:30:52 -04:00
Jarrod Johnson
83e3627b47 Add pre.d to ubuntu 22 diskful 2023-09-18 10:19:50 -04:00
Jarrod Johnson
f16cf4387f Further Ubuntu enhancements
Add confignet to Ubuntu 20 and 22
Add syncfile to the ubuntu diskless/cloning
2023-09-01 16:40:02 -04:00
Jarrod Johnson
f6e658c341 Add site CA to ubuntu profiles on install 2023-09-01 13:25:20 -04:00
Jarrod Johnson
305a3a06d2 Ensure $HOME is set during firstboot
systemd tends not to set environment variables.  However some firstboot
scripts generally expect $HOME to be correct.
2023-04-12 11:22:27 -04:00
Jarrod Johnson
bb7a72db65 Fix for ipv6 deployment
Need to avoid double-bracketing of the server and also disable globbing
so curl does not mistake the ip address for a glob attempt.
2023-02-13 09:36:42 -05:00
Jarrod Johnson
20e6e1e521 Refresh functions to cope with v6-only usage 2022-11-08 08:52:29 -05:00
Jarrod Johnson
6eb4bf28e5 Another iteration to try to have IP adaptive syncfiles
It is likely that a client connects from fe80::, which
is explicitly omitted from ssh principals.

This time, have the client provide all currently set IP addresses
and the server will make a determination.

There remains the possibility it misconfigures a nic and tries to use that,
inducing failure.  One strategy would be to filter the addresses and
only provide from the 'current' interface.  Another is to just take
the hit as the node is likely going to suffer a lot from such a
misconfiguration anyway.
2022-10-05 12:23:47 -04:00
Jarrod Johnson
b98759698a Sync up getinstalldisk and add another m.2 model 2022-09-01 13:22:50 -04:00
Jarrod Johnson
b2feb62d8a Add ubuntu22.04 profile
Ubuntu 22.04 makes some changes, notably removing the
custom-installation hooks.

Change to injecting our modifications more directly to where the
custom-installation hooks used to be.
2022-05-04 09:25:49 -04:00