Add security hardened images that can boot from uefi

This is a similar image than the hardened one, but it has some differences: - removes the blacklist of vfat module, as we need it - Sets DIB_BLOCK_DEVICE to efi instead of mbr - Uses the overcloud-secure-uefi element, that creates the proper layout Change-Id: I0e1c79462da170fb9dc99e12c05817b9f565c0de Depends-On: If9e0504438632f1a22b45b7c95e7bfb8cb6f41d3
2018-06-19 14:28:59 +02:00 · 2018-06-19 14:28:59 +02:00 · 21b575a575
parent ed5416093c
commit 21b575a575
3 changed files with 65 additions and 0 deletions
--- a/image-yaml/overcloud-hardened-images-uefi-centos7.yaml
+++ b/image-yaml/overcloud-hardened-images-uefi-centos7.yaml
@ -0,0 +1,9 @@
+disk_images:
+  -
+    imagename: overcloud-hardened-uefi-full
+    type: qcow2
+    distro: centos7
+    elements:
+      - selinux-permissive
+    packages:
+      - yum-plugin-priorities
--- a/image-yaml/overcloud-hardened-images-uefi-rhel7.yaml
+++ b/image-yaml/overcloud-hardened-images-uefi-rhel7.yaml
@ -0,0 +1,5 @@
+disk_images:
+  -
+    imagename: overcloud-hardened-uefi-full
+    type: qcow2
+    distro: rhel7
--- a/image-yaml/overcloud-hardened-images-uefi.yaml
+++ b/image-yaml/overcloud-hardened-images-uefi.yaml
@ -0,0 +1,51 @@
+disk_images:
+  -
+    imagename: overcloud-hardened-uefi-full
+    type: qcow2
+    elements:
+      - dhcp-all-interfaces
+      - openvswitch
+      - overcloud-agent
+      - overcloud-full
+      - overcloud-controller
+      - overcloud-compute
+      - overcloud-ceph-storage
+      - puppet-modules
+      - stable-interface-names
+      - bootloader
+      - element-manifest
+      - dynamic-login
+      - iptables
+      - enable-packages-install
+      - pip-and-virtualenv-override
+      - dracut-regenerate
+      - remove-machine-id
+      - remove-resolvconf
+      - modprobe-blacklist
+      - overcloud-secure-uefi
+      - openssh
+    packages:
+      - ntp
+      - python-psutil
+      - python-debtcollector
+      - plotnetcfg
+      - sos
+      - device-mapper-multipath
+      - python-heat-agent-puppet
+      - python-heat-agent-hiera
+      - python-heat-agent-apply-config
+      - python-heat-agent-ansible
+      - python-heat-agent-docker-cmd
+      - python-heat-agent-json-file
+      - screen
+      - os-net-config
+      - jq
+    options:
+      - "--min-tmpfs=7"
+    environment:
+      DIB_PYTHON_VERSION: '2'
+      DIB_MODPROBE_BLACKLIST: 'usb-storage cramfs freevxfs jffs2 hfs hfsplus squashfs udf bluetooth'
+      DIB_BOOTLOADER_DEFAULT_CMDLINE: 'nofb nomodeset vga=normal console=tty0 console=ttyS0,115200 audit=1 nousb'
+      DIB_IMAGE_SIZE: '23'
+      COMPRESS_IMAGE: '1'
+      DIB_BLOCK_DEVICE: 'efi'