Merge branch 'master' of git.psi.ch:linux-infra/documentation

admin-guide/deployment/_static/legacy_boot.puml

@@ -21,9 +21,9 @@ hnote over bootnode
 endhnote
 bootnode -> pxeserver : load PXE config tftp:/tftpboot/pxelinux.cfg/01-$MAC
 note right
-    By manually setting a MAC or IP config the 
-    boot menu can be customised or shortcut. 
-    Most is managed by symlinks. There is the 
+    By manually setting a MAC or IP config the
+    boot menu can be customised or shortcut.
+    Most is managed by symlinks. There is the
     undocumented "link-to-lxprod.py" script for
     manually linking MAC to hostname and hostname
     to "lxprod". At some places this is done the
@@ -57,11 +57,14 @@ bootnode -> dhcp : DHCP request
 dhcp -> bootnode : IP
 bootnode -> sysdb : load iPXE menu http:/ipxe/v1/config?mac=$MAC
 note right
-    Default selection by sydb boot 
+    Default selection by sydb boot
     property "local" or "netboot",
-    later installs Red Hat 7.9.
-    manually selectable are all 
-    Red Hat 7 versions to install,
+    later automatically starts the
+    installer configured in sysdb
+    attribute "ipxe_installer".
+    Manually selectable are all
+    Red Hat 7 versions and Red Hat 8
+    alpha test version to install,
     Windows, a selection of tools
     and "HP SPP".
 endnote

admin-guide/deployment/_static/uefi_boot.puml

@@ -0,0 +1,88 @@
+@startuml
+
+actor admin
+participant "UEFI Node" as bootnode
+participant "QIP DHCP" as dhcp
+participant "pxeserv01.psi.ch" as pxeserver
+participant "boot00.psi.ch" as sysdb
+participant "repo01.psi.ch" as reposerver
+
+admin -> bootnode : boots up
+
+hnote over bootnode
+    EFI
+endhnote
+bootnode -> dhcp : DHCP request
+dhcp -> bootnode : IP + PXE boot location
+bootnode -> pxeserver : load PXE kernel tftp:/tftpboot/shimx64.efi
+bootnode -> pxeserver : load PXE kernel tftp:/tftpboot/grubx64.efi
+
+
+hnote over bootnode
+    GRUB
+endhnote
+bootnode -> pxeserver : load PXE config tftp:/tftpboot/grub.cfg-01-$MAC
+note right
+    By manually setting a MAC or IP config the
+    boot menu can be customised or shortcut.
+end note
+bootnode -> pxeserver : load PXE config tftp:/tftpboot/grub.cfg-$HEX-IP
+bootnode -> pxeserver : load PXE config tftp:/tftpboot/grub.cfg
+bootnode -> sysdb : load GRUB menu http:/grub/v1/config?mac=$MAC
+note right
+    Default selection by sydb boot
+    property "local" or "netboot",
+    later automatically starts the
+    installer configured in sysdb
+    attribute "ipxe_installer".
+    Manually selectable are other
+    version of RHEL 7 and
+    "Windows and Tools Menus".
+endnote
+
+admin -> bootnode :  selects "Windows and Tools Menus"
+note left
+    Now the automatic installation kicks in,
+    but here we show the manual detour over iPXE.
+end note
+
+bootnode -> pxeserver : load iPXE kernel tftp:/tftpboot/ipxe.efi
+note right
+    https://git.psi.ch/linux-infra/ipxe-build
+    The following steps are by embed/pxe.ipxe
+end note
+
+hnote over bootnode
+    iPXE
+endhnote
+bootnode -> dhcp : DHCP request
+dhcp -> bootnode : IP
+bootnode -> sysdb : load iPXE menu http:/ipxe/v1/config?mac=$MAC
+note right
+    Default selection by sydb boot
+    property "local" or "netboot",
+    later automatically starts the
+    installer configured in sysdb
+    attribute "ipxe_installer".
+    Manually selectable are all
+    Red Hat 7 versions and Red Hat 8
+    alpha test version to install,
+    Windows, a selection of tools
+    and "HP SPP".
+endnote
+bootnode -> reposerver : load initrd http:/iso/rhel-server-7.9-x86_64-dvd/images/pxeboot/initrd.img
+note left
+    Automatic installation in GRUB
+    directly jumps here without iPXE
+end note
+bootnode -> reposerver : load kernel http:/iso/rhel-server-7.9-x86_64-dvd/images/pxeboot/vmlinuz
+
+hnote over bootnode
+    Linux kernel
+endhnote
+bootnode -> reposerver : installation media http:/iso/rhel-server-7.9-x86_64-dvd/
+bootnode -> sysdb : kickstart file http:/kickstart/v1/config?fqdn=$HOSTNAME&instrepo=rhel-server-7.9-x86_64-dvd
+
+@enduml
+
+

admin-guide/deployment/ipxe.rst

@@ -32,6 +32,11 @@ which distribution it is supposed to use. The menu offers other options as well,
 e.g. an interactive iPXE shell and a memory test.
 
 
+Sequence Diagram of the UEFI Boot Process
+--------------------------------------------------
+.. image:: _static/uefi_boot.png
+
+
 Sequence Diagram of the BIOS (Legacy) Boot Process
 --------------------------------------------------
 .. image:: _static/legacy_boot.png

infrastructure-guide/home.md

@@ -58,11 +58,33 @@ Access to the redhat.com knowledge base:
 
 # SSH Certificates / Signing Public User Keys
 
-Use the ca certificate that is on the "Kai special USB stick" (the certificate permissions needs to be 600 !)
-
-The signing is done like this:
+Use the [user ca certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg), but this is automated by pasting below function into your shell
 ```bash
-ssh-keygen -s user-ca -I <username> -n <username> -V +55w id_ed25519.pub
+function sign-user-ssh-key {
+    (
+        name="$1"
+        pubkey="$2"
+
+        # let the private key flow through a named pipe
+        # so it never ends up on the file system
+
+        umask 077
+        pipe="$(mktemp --dry-run)"
+        echo "mkfifo '$pipe'"
+        mkfifo "$pipe" || return 1
+        [ -p "$pipe" ] || return 1
+        echo "pass ssh-ca/user-ca > '$pipe' &"
+        pass ssh-ca/user-ca > "$pipe" &
+        echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'"
+        ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey"
+        echo "rm '$pipe'"
+        rm "$pipe"
+    )
+}
+```
+and run it with the user name as principal and the public key file
+```
+sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE
 ```
 
 More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/

rhel8/index.md

@@ -19,12 +19,25 @@ It looks like it works already a lot out of the box, but no guarantee can be giv
 
 ### Major Known Issues
 
+- using a package snapshot tag (`yum_client::repo_tag` in hiera) different than `prod` will fail horribly
+
 ### Major Missing Features
 
 - default user home is local unless configured to be on AFS [PSILINUX-97](https://jira.psi.ch/browse/PSILINUX-97)
 - security patches are automatically installed [PSILINUX-98](https://jira.psi.ch/browse/PSILINUX-98)
 - minimal default installation, aka gem, git and postfix is not installed by default [PSILINUX-100](https://jira.psi.ch/browse/PSILINUX-100)
 
+### Caveats
+
+#### Workstation Installation Takes Long and Seams to Hang
+On the very first puppet run the command to install the GUI packages takes up to 10 minutes and it looks like it
+is hanging. Usually it is after the installation of `/etc/sssd/sssd.conf`. Just give it a bit time.
+
+#### Installing a Machine with YFS and an Old Package Snapshot Tag
+After the `pli-firstboot` script it stopps due to errors (installed yfs kernel module version does not fit running kernel). Still it manages to install everything fine.  
+So please restart the machine (so it loads the right kernel) and run `puppet agent` again to finally start and enable the `yfs-service`.
+
+
 ## Documenatation
 
 * [Installation (Alpha)](installation)

rhel8/installation.md

@@ -13,7 +13,7 @@ bob node set-attr $FQDN puppet_env=rhel8_preprod
 Optional you can set `netboot` and RHEL 8.6 installer but that can also be selected manually in be boot menu:
 ```
 bob node netboot $FQDN
-bob node set-attr $FQDN ipxe_installer=rhel85install
+bob node set-attr $FQDN ipxe_installer=rhel86install
 ```
 ### Installation with UEFI
 Start the machine and select network boot (if not already the default), then you get following menu: