Commit Graph

1141 Commits

Author SHA1 Message Date
Shivanand Tendulker
f0315b4ed4 Fix to load only signed kernel in UEFI secure boot
This fix prevents loading of unsigned ubuntu kernel in UEFI secure
boot environment when image is created using 'iso' element.

'iso' element uses 'linux' and 'initrd' modules of grub2 to load
kernel and initrd respectively. The grub2 implementation of Ubuntu
can load unsigned kernel when these modules are used.

Ubuntu has Grub2 modules 'linuxefi' and 'initrdefi' which exit
boot process if unsigned kernel is used in UEFI secure boot mode.
The 'iso' element should use these modules in grub.cfg to prevent
loading of unsigned kernel when node is booted in the UEFI secure
boot environment.

'linuxefi' and 'initrdefi' work seamlessly when node is booted in
normal UEFI boot mode (non-secure).

Fedora does not have this issue. This fix has been tested in Fedora
environment. It works fine.

Closes-Bug: 1443114
Change-Id: If256ba1f7d7c149482d0f37fabcdfa8ed22e3f91
2015-04-13 13:20:12 +00:00
Shivanand Tendulker
06e3d7c767 Add element ubuntu-signed to provide signed kernel
ubuntu-signed element would install 'linux-signed-image-generic' that
provides signed kernel that can be used for deploy in UEFI secure boot mode.

Package 'linux-signed-image-generic' ships signed kernel with extension
'.efi.signed' (Ex. '/boot/vmlinuz-3.13.0-49-generic.efi.signed').

The kernel modules directory for signed kernel and unsigned kernel is the same.
It is without 'efi.signed' extension to its name. This is different from normal
practice of directory naming in '/lib/modules' (Ex. For signed kernel
'vmlinuz-3.13.0-49-generic.efi.signed', modules directory is
'/lib/modules/3.13.0-49-generic').
This needed some changes in '/lib/ramdisk-functions' and 'ramdisk' element to
copy kernel modules.

The signed kernel package contains both signed and unsigned kernel. The
unsigned kernel is without extension '.efi.signed' (Ex.
'/boot/vmlinuz-3.13.0-49-generic'). This required change into
'/lib/img-functions' and 'baremetal' element to pick up signed kernel version
when this element is used.

Closes-Bug: 1443076
Change-Id: I60061cbea847b47fa752b9463cfd387e8e7f0635
2015-04-12 11:36:17 -07:00
Jenkins
65ad6377a6 Merge "No markdown docs for elements" 2015-04-09 13:59:32 +00:00
Gregory Haynes
8111fc40aa Improved apt-sources README
Cleaning up the apt-sources README to be easier to consume. Also
removing some tripleo references from the README.

Change-Id: I6937fd5cd51288b36890dde214701bcef1d61381
2015-04-07 23:05:38 +00:00
Gregory Haynes
cc308464c6 No markdown docs for elements
Sphinx does not support markdown, therefore all our element docs should
not be in this format.

Change-Id: I6fceb5c2c218e94a463f13d6d9050aea485e6c31
2015-04-02 23:55:19 +00:00
Jenkins
2888318eab Merge "Report status of boot loader installation to Ironic" 2015-04-02 13:07:40 +00:00
Jenkins
5f0f296f58 Merge "Refactor deploy ramdisk to allow use of targetcli" 2015-04-01 21:20:59 +00:00
Jenkins
6446b2eebf Merge "Split dib-init-system into its own element" 2015-04-01 20:35:04 +00:00
Jenkins
88309de96b Merge "Handle non-cloud-init installs" 2015-04-01 04:01:39 +00:00
Jenkins
de0c663a1c Merge "Use find instead of ls" 2015-03-31 20:18:15 +00:00
Jenkins
64d2b3647e Merge "Run udevadm settle after kpartx -l" 2015-03-31 20:17:03 +00:00
Jenkins
60bafe6d93 Merge "Fedora: install redhat-rpm-config" 2015-03-31 19:55:41 +00:00
Ramakrishnan G
9fb2d14cf1 Report status of boot loader installation to Ironic
This commit changes the 80-deploy-ironic script of
deploy-ironic element to report back the status of
boot loader install (when boot_option == "local")
using a newly introduced vendorpassthru.

Closes-Bug: 1422723
Change-Id: I9c1d8643be7cb9e273d65ddd791715a5c271fd93
2015-03-31 16:41:24 +00:00
Pino Toscano
516e3ae7d6 Use find instead of ls
The listing of *-$INSTALL_TYPE-install files currently uses ls, which
errors out when the glob matches no files, thus using true to not fail
it.
Instead, use find to collect the file list, so there is no need to
ignore the command errors.

Change-Id: Ic6888106858df320a1c90a84f1b9ec74d436b9e6
2015-03-31 13:24:29 +02:00
Gregory Haynes
89dd01e4a0 Run svc-map tests
We currently do not run these tests and they also fail.

Change-Id: I60c8cbd9495b52fb8b4c848549822a05f921664f
2015-03-29 04:11:41 +00:00
Monty Taylor
12165f7b25 Split dib-init-system into its own element
Other elements need this and don't necessarily need base.

Change-Id: I3a12611d7d891a1fb0476f4095be522210b60cba
2015-03-25 13:28:38 -04:00
Monty Taylor
05356cbc09 Handle non-cloud-init installs
Not all operating-system elements install cloud-init, but the base
element assumes its existence. Create the directory if it does not
exist.

Change-Id: I4bda8dc5d200825ea0c8163a4e5c44050a45083f
2015-03-25 13:28:12 -04:00
Pino Toscano
626ca9ad47 Run udevadm settle after kpartx -l
It may happen that if the system where disk-image-create runs is busy,
then the kpartx -l run may leave a stale autodelete loop device.

This is because kpartx -l first adds a new loop device, then does the
listing and removes the loop device. The latter may not end before the
end of the kpartx run, leaving a loop device marked as autodelete.
Such kind of loop device will automatically delete itself, so the
 rm -r $WORKING
after
 sudo umount -f $WORKING/mnt
in the EXIT trap will fail because $WORKING does not exist anymore.

To prevent this situation, just ask udev to finish its operations,
properly removing the (temporary) loop device.

Change-Id: I12246f3dbe6b5669e698767682a5a142f803823b
2015-03-23 10:38:21 +01:00
Jenkins
100959de8d Merge "Add no_timer_check to vm grub cmdline" 2015-03-20 13:05:03 +00:00
Jenkins
b30513f0a2 Merge "openSUSE update" 2015-03-20 09:34:15 +00:00
Jenkins
0a82b3ebcc Merge "Flagging ubuntu-minimal as untested" 2015-03-20 09:00:16 +00:00
Jenkins
e0e0159ef7 Merge "CentOS 6 Element" 2015-03-19 19:42:40 +00:00
Ben Nemec
c98a17222f Refactor deploy ramdisk to allow use of targetcli
RHEL 7 does not ship tgtadm or tgtd so they cannot be used in the
deploy ramdisk.  This change separates the tgt-specific parts of
the ramdisk into their own element, and adds a new one that supports
targetcli instead.

For now, the tgt implementation can only be used with traditional
busybox ramdisks and the targetcli one can only be used with dracut.
This is because dracut is primarily used for RHEL right now so it
makes sense to keep the dependencies simple.  If there is a future
desire to mix and match the implementations that could be done, but
it would require users to explicitly select between tgt and
targetcli.

Change-Id: I4f99c91016287e08d836095c2f2261de8b45abdc
Co-Authored-By: James Slagle <jslagle@redhat.com>
2015-03-18 11:42:00 -05:00
Ben Nemec
6377c723aa Allow elements to add drivers to dracut
It is reasonable that elements may need to include additional
kernel modules in a dracut ramdisk.  This is done with the
--add-drivers option to dracut, but previously the value passed
was hard-coded.

This change allows an element to put a file containing its desired
drivers in a dracut-drivers.d directory, and the list there will
be added to the list of drivers added.  This functions in
essentially the same way as the binary-deps.d directory that
already exists for including additional executables in a ramdisk.

Change-Id: Ie892b908d36c175a469f7cde7dd803ad4b1942b6
2015-03-18 11:40:20 -05:00
Dan Prince
ec0123554f Fedora: install redhat-rpm-config
This is required on Fedora 21 in order to build some
packages via source. Includes files like:

 /usr/lib/rpm/redhat/redhat-hardened-cc1

Specifically this fixed MySQL driver compilation issues on Fedora 21
for source builds.

Change-Id: I459f2203fa145049dda185da952813118193d573
2015-03-18 08:25:18 -04:00
Jenkins
a341ca84e7 Merge "redhat-common: Fix MariaDB-Galera-server case" 2015-03-18 02:32:34 +00:00
Jenkins
dd5a917571 Merge "Allow disabling apt-get clean" 2015-03-17 18:20:11 +00:00
Jenkins
a1c1470017 Merge "Convert leftover unconditional set -x to DIB_DEBUG_TRACE" 2015-03-17 16:58:34 +00:00
Jenkins
b2fc2cc358 Merge "Ironic: Deploy ramdisk to find the right root device" 2015-03-17 15:44:30 +00:00
Yanis Guenane
6b8421e0f9 redhat-common: Fix MariaDB-Galera-server case
Official MariaDB repositories offer the package : MariaDB-Galera-server.
This package has been now ported within Fedora (and also RDO), the
package is now called mariadb-galera-server. Yum install being case
sensitive hence this change.

Change-Id: Icd03877f17d01708b3916578991e42eef30a69e4
2015-03-17 10:56:01 +01:00
Jenkins
85a4d42879 Merge "Fix incorrect package name dmidecoded to dmidecode" 2015-03-16 16:28:04 +00:00
Spencer Krum
514181ce7f Flagging ubuntu-minimal as untested
Change-Id: I5f4973b9b81d97552d02ab3e64314bce827542f4
2015-03-14 12:52:21 -07:00
Jenkins
e94b90a2ab Merge "ironic-agent: exclude content of /tmp from initramfs" 2015-03-13 20:17:47 +00:00
Lucas Alvares Gomes
b95cbb14b1 Ironic: Deploy ramdisk to find the right root device
As part of the blueprint root-device-hints Ironic will pass to the
deploy ramdisk some hints about which disk device it should pick to be
root device (the one where the image will be deployed on).

Before the deploy ramdisk would pick the first device it finds, but as the
machine could have more than one SATA, SCSI or IDE disk controllers the
order in which their corresponding device nodes are added is arbitrary
causing devices like /dev/sda and /dev/sdb switching around on each
boot time.

Plus, as people are adding support to build RAID arrays in Ironic we need
a way to tell it to use the just created device to be the root device.

The list of hints that could be passed to the deploy ramdisk so it finds
the right disk is:

* wwn (STRING): unique storage identifier
* serial (STRING): disk serial number
* model (STRING): device identifier
* vendor (STRING): device vendor
* size (INT): The size of the disk in GB

If no hints are passed, the deploy ramdisk will continue to do what it
did before to find the disk.

Change-Id: I8425f593e1a610af5a3697988702603ff218f2de
2015-03-13 14:09:40 +00:00
Jenkins
e70ffdd15e Merge "Ironic: uefi localboot support" 2015-03-13 02:00:30 +00:00
Jenkins
c680bab025 Merge "Fix check for installtype" 2015-03-13 01:55:59 +00:00
Ramakrishnan G
13c906059b Ironic: uefi localboot support
This commit adds support for uefi localboot in
deploy-ironic element. The change is to mount the efi
system partition (created by Ironic) in /boot/efi.

The corresponding Ironic change is
I00ac31da325676ea4ea1ac4185f5ac3a52c5809a

Implements: blueprint local-boot-support-with-partition-images
Change-Id: Idf7ac5987e14e1d31311834196ca7283deec15c6
2015-03-12 10:11:18 +00:00
Jenkins
f8872a48c1 Merge "Install Fedora kernel-modules pkg for iscsi_tcp" 2015-03-11 21:45:34 +00:00
Pino Toscano
6c1d8d28a3 Convert leftover unconditional set -x to DIB_DEBUG_TRACE
Commit 36b59c001c introduces
DIB_DEBUG_TRACE, to be checked in element scripts for enabling tracing.

In the aforementioned conversion, few scripts were left with
unconditional "set -x" calls: remove them, changing the default value
for unset DIB_DEBUG_TRACE from 0 to 1, to retain their older behaviour
(as it was done in 36b59c001c too).

Change-Id: I3d1a9290021bf63de7d4e7752e809852e784ac8b
2015-03-11 14:58:14 +01:00
Jenkins
f53bf5e77e Merge "UEFI secure boot support for iso element." 2015-03-11 06:34:57 +00:00
James Slagle
ba19541d47 Fix check for installtype
Previously, this code was not checking for the proper environment
variable for an element's installtype. There was a line replacing '-'
with '_' as is required, but that value was not actually used when
searching for the environment variable.

Change-Id: I0bbd56969188389db81844d9276269464870f776
2015-03-10 21:59:03 -04:00
YuikoTakada
07924b9761 Fix incorrect package name dmidecoded to dmidecode
When executing
"ramdisk-image-create -o discovery ubuntu ironic-discoverd-ramdisk",
below error occurs.

E: Unable to locate package dmidecoded

The reason why above command fails is incorrect package name.
(F) dmidecoded
(T) dmidecode

This patch set fixes this bug.

Change-Id: I46d3dafce1eef1b017c4ac9121336aa68d749798
Closes-Bug: #1430599
2015-03-11 01:04:37 +00:00
Pino Toscano
92dab2c82a ironic-agent: exclude content of /tmp from initramfs
/tmp does not contain anything useful anyway, and excluding its content
makes the initramfs smaller too.

Change-Id: Ia72867e0cdebacf668ac1a1f551a965da0d69694
2015-03-10 19:03:04 +01:00
Jenkins
5617264aab Merge "Set DIB_RELEASE in ubuntu element" 2015-03-10 09:25:30 +00:00
Shivanand Tendulker
0bbe91af82 UEFI secure boot support for iso element.
This adds support to UEFI secure boot by copying signed shim and
grub bootloaders into ramdisk image.

Closes-Bug: 1419707
Change-Id: I1193cd3a9011855a6804966a31c7c0e28da90ada
2015-03-10 00:39:14 -07:00
Dan Prince
ea4b08cda0 Install Fedora kernel-modules pkg for iscsi_tcp
The newest stable Fedora splits out kernel modules into
a separate package. By default this is not installed in
the Fedora cloud image... and it contains some things we
need for Ironic (iscsi_tcp module) among other things that
might be very useful.

Change-Id: I3374ea278fecfeb6552e4664717ef3646d382c17
Closes-bug: #1429504
2015-03-07 21:45:33 -05:00
Gregory Haynes
d2f4c3b843 Allow disabling apt-get clean
Sometimes users want to maintain the apt cache in their images.

Change-Id: Id49a04896cf3eeaf1557f1d644e4d8ba64716392
2015-03-06 17:07:29 +00:00
Jenkins
c5cbc93693 Merge "Use package-installs on dpkg-based elements" 2015-03-05 01:14:07 +00:00
Jenkins
4074851682 Merge "Fix race in svc-map" 2015-03-05 00:11:19 +00:00
Gregory Haynes
8434e5afbf Set DIB_RELEASE in ubuntu element
The other distro elements set DIB_RELEASE which allows the other
elements to know what distro release is being built during the
extra-data or environment.d phases.

Change-Id: I00bf13410ded5b678ebc66ff191891ed3cc80f4f
2015-03-04 23:11:27 +00:00