diff --git a/admin-guide/deployment/_static/legacy_boot.png b/admin-guide/deployment/_static/legacy_boot.png index 9108c389..a1bded69 100644 Binary files a/admin-guide/deployment/_static/legacy_boot.png and b/admin-guide/deployment/_static/legacy_boot.png differ diff --git a/admin-guide/deployment/_static/legacy_boot.puml b/admin-guide/deployment/_static/legacy_boot.puml index 90170331..9a73b79d 100644 --- a/admin-guide/deployment/_static/legacy_boot.puml +++ b/admin-guide/deployment/_static/legacy_boot.puml @@ -21,9 +21,9 @@ hnote over bootnode endhnote bootnode -> pxeserver : load PXE config tftp:/tftpboot/pxelinux.cfg/01-$MAC note right - By manually setting a MAC or IP config the - boot menu can be customised or shortcut. - Most is managed by symlinks. There is the + By manually setting a MAC or IP config the + boot menu can be customised or shortcut. + Most is managed by symlinks. There is the undocumented "link-to-lxprod.py" script for manually linking MAC to hostname and hostname to "lxprod". At some places this is done the @@ -57,11 +57,14 @@ bootnode -> dhcp : DHCP request dhcp -> bootnode : IP bootnode -> sysdb : load iPXE menu http:/ipxe/v1/config?mac=$MAC note right - Default selection by sydb boot + Default selection by sydb boot property "local" or "netboot", - later installs Red Hat 7.9. - manually selectable are all - Red Hat 7 versions to install, + later automatically starts the + installer configured in sysdb + attribute "ipxe_installer". + Manually selectable are all + Red Hat 7 versions and Red Hat 8 + alpha test version to install, Windows, a selection of tools and "HP SPP". endnote diff --git a/admin-guide/deployment/_static/uefi_boot.png b/admin-guide/deployment/_static/uefi_boot.png new file mode 100644 index 00000000..660821b5 Binary files /dev/null and b/admin-guide/deployment/_static/uefi_boot.png differ 
diff --git a/admin-guide/deployment/_static/uefi_boot.puml b/admin-guide/deployment/_static/uefi_boot.puml new file mode 100644 index 00000000..cc1deb4e --- /dev/null +++ b/admin-guide/deployment/_static/uefi_boot.puml 
@@ -0,0 +1,88 @@ +@startuml + +actor admin +participant "UEFI Node" as bootnode +participant "QIP DHCP" as dhcp +participant "pxeserv01.psi.ch" as pxeserver +participant "boot00.psi.ch" as sysdb +participant "repo01.psi.ch" as reposerver + +admin -> bootnode : boots up + +hnote over bootnode + EFI +endhnote +bootnode -> dhcp : DHCP request +dhcp -> bootnode : IP + PXE boot location +bootnode -> pxeserver : load PXE kernel tftp:/tftpboot/shimx64.efi +bootnode -> pxeserver : load PXE kernel tftp:/tftpboot/grubx64.efi + + +hnote over bootnode + GRUB +endhnote +bootnode -> pxeserver : load PXE config tftp:/tftpboot/grub.cfg-01-$MAC +note right + By manually setting a MAC or IP config the + boot menu can be customised or shortcut. +end note +bootnode -> pxeserver : load PXE config tftp:/tftpboot/grub.cfg-$HEX-IP +bootnode -> pxeserver : load PXE config tftp:/tftpboot/grub.cfg +bootnode -> sysdb : load GRUB menu http:/grub/v1/config?mac=$MAC +note right + Default selection by sydb boot + property "local" or "netboot", + later automatically starts the + installer configured in sysdb + attribute "ipxe_installer". + Manually selectable are other + version of RHEL 7 and + "Windows and Tools Menus". +endnote + +admin -> bootnode : selects "Windows and Tools Menus" +note left + Now the automatic installation kicks in, + but here we show the manual detour over iPXE. +end note + +bootnode -> pxeserver : load iPXE kernel tftp:/tftpboot/ipxe.efi +note right + https://git.psi.ch/linux-infra/ipxe-build + The following steps are by embed/pxe.ipxe +end note + +hnote over bootnode + iPXE +endhnote +bootnode -> dhcp : DHCP request +dhcp -> bootnode : IP +bootnode -> sysdb : load iPXE menu http:/ipxe/v1/config?mac=$MAC +note right + Default selection by sydb boot + property "local" or "netboot", + later automatically starts the + installer configured in sysdb + attribute "ipxe_installer". 
+ Manually selectable are all + Red Hat 7 versions and Red Hat 8 + alpha test version to install, + Windows, a selection of tools + and "HP SPP". +endnote +bootnode -> reposerver : load initrd http:/iso/rhel-server-7.9-x86_64-dvd/images/pxeboot/initrd.img +note left + Automatic installation in GRUB + directly jumps here without iPXE +end note +bootnode -> reposerver : load kernel http:/iso/rhel-server-7.9-x86_64-dvd/images/pxeboot/vmlinuz + +hnote over bootnode + Linux kernel +endhnote +bootnode -> reposerver : installation media http:/iso/rhel-server-7.9-x86_64-dvd/ +bootnode -> sysdb : kickstart file http:/kickstart/v1/config?fqdn=$HOSTNAME&instrepo=rhel-server-7.9-x86_64-dvd + +@enduml + + diff --git a/admin-guide/deployment/ipxe.rst b/admin-guide/deployment/ipxe.rst index 22615053..93075401 100644 --- a/admin-guide/deployment/ipxe.rst +++ b/admin-guide/deployment/ipxe.rst @@ -32,6 +32,11 @@ which distribution it is supposed to use. The menu offers other options as well, e.g. an interactive iPXE shell and a memory test. +Sequence Diagram of the UEFI Boot Process +-------------------------------------------------- +.. image:: _static/uefi_boot.png + + Sequence Diagram of the BIOS (Legacy) Boot Process -------------------------------------------------- .. image:: _static/legacy_boot.png diff --git a/infrastructure-guide/home.md b/infrastructure-guide/home.md index cf415451..4985bc9a 100644 --- a/infrastructure-guide/home.md +++ b/infrastructure-guide/home.md 
@@ -58,11 +58,33 @@ Access to the redhat.com knowledge base: # SSH Certificates / Signing Public User Keys -Use the ca certificate that is on the "Kai special USB stick" (the certificate permissions needs to be 600 !) - -The signing is done like this: +Use the [user ca certificate](https://git.psi.ch/linux-infra/core-linux-secrets/-/blob/main/ssh-ca/user-ca.gpg), but this is automated by pasting below function into your shell ```bash -ssh-keygen -s user-ca -I -n -V +55w id_ed25519.pub +function sign-user-ssh-key { + ( + name="$1" + pubkey="$2" + + # let the private key flow through a named pipe + # so it never ends up on the file system + + umask 077 + pipe="$(mktemp --dry-run)" + echo "mkfifo '$pipe'" + mkfifo "$pipe" || return 1 + [ -p "$pipe" ] || return 1 + echo "pass ssh-ca/user-ca > '$pipe' &" + pass ssh-ca/user-ca > "$pipe" & + echo "ssh-keygen -s '$pipe' -I '$name' -n '$name' -V +55w '$pubkey'" + ssh-keygen -s "$pipe" -I "$name" -n "$name" -V +55w "$pubkey" + echo "rm '$pipe'" + rm "$pipe" + ) +} +``` +and run it with the user name as principal and the public key file +``` +sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE ``` More details on how this works can be found in this article: https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/ diff --git a/rhel8/index.md b/rhel8/index.md index e9f1a766..c1880daf 100644 --- a/rhel8/index.md +++ b/rhel8/index.md 
@@ -19,12 +19,25 @@ It looks like it works already a lot out of the box, but no guarantee can be giv ### Major Known Issues +- using a package snapshot tag (`yum_client::repo_tag` in hiera) different than `prod` will fail horribly + ### Major Missing Features - default user home is local unless configured to be on AFS [PSILINUX-97](https://jira.psi.ch/browse/PSILINUX-97) - security patches are automatically installed [PSILINUX-98](https://jira.psi.ch/browse/PSILINUX-98) - minimal default installation, aka gem, git and postfix is not installed by default [PSILINUX-100](https://jira.psi.ch/browse/PSILINUX-100) +### Caveats + +#### Workstation Installation Takes Long and Seams to Hang +On the very first puppet run the command to install the GUI packages takes up to 10 minutes and it looks like it +is hanging. Usually it is after the installation of `/etc/sssd/sssd.conf`. Just give it a bit time. + +#### Installing a Machine with YFS and an Old Package Snapshot Tag +After the `pli-firstboot` script it stopps due to errors (installed yfs kernel module version does not fit running kernel). Still it manages to install everything fine. +So please restart the machine (so it loads the right kernel) and run `puppet agent` again to finally start and enable the `yfs-service`. + + ## Documenatation * [Installation (Alpha)](installation) diff --git a/rhel8/installation.md b/rhel8/installation.md index 2de8fd30..31ab65cb 100644 --- a/rhel8/installation.md +++ b/rhel8/installation.md @@ -13,7 +13,7 @@ bob node set-attr $FQDN puppet_env=rhel8_preprod Optional you can set `netboot` and RHEL 8.6 installer but that can also be selected manually in be boot menu: ``` bob node netboot $FQDN -bob node set-attr $FQDN ipxe_installer=rhel85install +bob node set-attr $FQDN ipxe_installer=rhel86install ``` ### Installation with UEFI Start the machine and select network boot (if not already the default), then you get following menu:
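Review bot: the first hunk in legacy_boot.puml (`@@ -21,9 +21,9 @@`) changes only the leading whitespace of three note lines ("By manually setting a MAC or IP config the" through "Most is managed by symlinks. There is the") while the rest of the same note is untouched; if the intent is aligning the note text, please re-indent the whole note in one go so it does not end up with two indentation styles, otherwise drop the whitespace-only change from the commit so the diff stays reviewable.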
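Review bot: `+ Default selection by sydb boot` in the second legacy_boot.puml hunk (`@@ -57,11 +57,14 @@`) keeps the "sydb" typo on a line this change rewrites; the same note says "configured in sysdb" two lines later and the participant is called `sysdb` throughout, so change it to "sysdb" here. The note also now lists "Red Hat 8 alpha test version" as manually selectable; since rhel8/index.md in this same change documents RHEL 8 as alpha with known breakages, a short pointer to that page (in the note or in ipxe.rst) would keep an admin from picking it for a production box by accident.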
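Review bot: the new uefi_boot.puml repeats the "sydb" typo in both menu notes (`Default selection by sydb boot`) and reads "other version of RHEL 7" where "other versions of RHEL 7" is meant. More important for anyone reading this diagram as the security baseline of the boot chain: `shimx64.efi`, `grubx64.efi`, the `grub.cfg-*` files and later `ipxe.efi` are all fetched over TFTP from pxeserv01.psi.ch, and nothing in the diagram or in ipxe.rst says whether the nodes boot with Secure Boot enabled, i.e. whether shim actually verifies the GRUB and iPXE binaries it hands control to. One line in the diagram (or a sentence under the new heading in ipxe.rst) stating what is verified and what is taken on trust from the network would tell admins what this chain guarantees.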
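Review bot: in the new `sign-user-ssh-key` function in home.md the writer `pass ssh-ca/user-ca > "$pipe" &` is never reaped: if `ssh-keygen` exits before it opens the FIFO (wrong `$pubkey` path, a cancelled gpg prompt), `pass` blocks forever on the open with the decrypted CA key in its memory, and the following `rm "$pipe"` removes the only visible trace of it. Capture the writer's PID (`$!`), `kill`/`wait` it after the `ssh-keygen` call, and move the `rm "$pipe"` into a `trap ... EXIT` inside the subshell so the FIFO is cleaned up on every exit path. Two smaller points: the certificate is issued without a serial number (`-z`), so revocation through a KRL later has to go by key ID or public key rather than by serial, which the text should say; and the second fence (`sign-user-ssh-key $PRINCIPAL $PUBKEY_FILE`) lacks the `bash` tag the first one carries. The sentence above the function should also state that the `ssh-ca/user-ca` entry from the linked core-linux-secrets store has to be present in the local `pass` store, otherwise the function fails silently at the FIFO step.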
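Review bot: typos in the new rhel8/index.md text: "Seams to Hang" should be "Seems to Hang", "stopps" should be "stops", and "give it a bit time" should be "give it a bit of time". The new known issue "using a package snapshot tag (`yum_client::repo_tag` in hiera) different than `prod` will fail horribly" names neither the symptom nor a ticket; say what fails (the first puppet run, the yfs kernel module mismatch from the Caveats section, or both) and link a PSILINUX ticket the way the Missing Features items do. The surrounding context line "## Documenatation" is misspelled too and could be fixed in the same commit.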
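Review bot: `ipxe_installer=rhel86install` in rhel8/installation.md now matches the sentence above it that names the RHEL 8.6 installer, so the old `rhel85install` value was simply stale; good. That same context sentence still reads "Optional you can set `netboot` and RHEL 8.6 installer but that can also be selected manually in be boot menu", which should become "Optionally you can set `netboot` and the RHEL 8.6 installer, but both can also be selected manually in the boot menu", and the fence around the two `bob` commands could carry a `bash` tag like the home.md example.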