improve robustness of the initrd sdk #884
3094a0d to 3f0be83
Some nitting.
14e8ec7 to ece938f
/override metal3-ubuntu-e2e-integration-test-main

This test is not relevant.

@Rozzii: Overrode contexts on behalf of Rozzii: metal3-ubuntu-e2e-integration-test-main

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: tuminoid The full list of commands accepted by this bot can be found here. The pull request process is described here
@@ -0,0 +1,20 @@ | |||
#!/bin/bash |
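Review bot: the `#!/bin/bash` on line 1 of this new file does not say whether the file is meant to be executed or sourced. If it is only ever sourced, add a one-line comment under the shebang stating that, or replace it with a `# shellcheck shell=bash` directive, which gives editors and linters the same dialect hint without implying the file is a standalone executable.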
you don't have executable in this file, no need to add a shebang if you're just sourcing it
> you don't have executable in this file, no need to add a shebang if you're just sourcing it
It is not harmful to have it, and it makes $EDITOR's life easier as it also doesn't have extension to detect the source type.
I would like to have it for the reasons mentioned by @tuminoid.
ece938f to 3c1e175
/override metal3-ubuntu-e2e-integration-test-main

This test is not relevant.
@Rozzii: Overrode contexts on behalf of Rozzii: metal3-ubuntu-e2e-integration-test-main In response to this:
3c1e175 to a8c1956
This commit:

- Implements LUKS and TPM2 tool chain checks and enforcement in order to avoid issues originating from uninitialized hardware and driver modules.
- Improves the "testability" of the code
- Changes the configuration workflow of the unlock-mount-luks.sh to rely on a config file instead of positional cmdline arguments in order to make configuration more explicit and easier to debug.
- Adds script used for tpm2.0 persistent secret unsealing
- Adds a config file with value presets intended for testing
- Implements support for disks where only the root partition needs decryption by the unlock-mount-luks.sh
- Implements auto discovery for root partition based on GPT partition label
- Implements auto discovery for config drive partition based on GPT partition label
- Implement support for environments where only the config-drive is encrypted
- Reorganizes and updates comments
- Fixes evaluation bug of the "key_command"
- the key script is now executed once after the preparation stage and the LUKS key file is stored in memory until the root switching happens
- LUKS key file is accessible via a persistent file descriptor instead of an ephemeral file descriptor for stability reasons
- Typo fixes
- Exclude .swp files via .gitignore
- Fix incorrect config drive partition name generation in relation to disk types that don't use partition prefixes
- Introduce config option to skip the preparation "phase" intended for testing
- Add support for use-case where encryption is not present and the tool chain is also missing
- The verify script will mount /sys, /dev, /proc and /run FS before unblocking the root switching in order to make the switching more controlled
- Implements a configurable timeout mechanism for the verify script
- unseal-and-open-luks service has been moved closer to the root switching in the systemd unit "boot" order in order to minimize the possibility of conflicts with other mounts, device operations and services

Signed-off-by: Adam Rozman <adam.rozman@est.tech>
a8c1956 to ffa364b
/override metal3-ubuntu-e2e-integration-test-main
@Rozzii: Overrode contexts on behalf of Rozzii: metal3-ubuntu-e2e-integration-test-main In response to this:
This is definitely a bit over my head, but
/lgtm