Use volumes for security hardened images

Instead of relying on fixed partitions, start using volumes now that diskimage-builder is supporting it. It will give more flexibility in terms of resizing to use the disk fully. Change-Id: I88049da2179e2ea984e05648abb60c804a521b70
2017-08-31 15:10:18 +02:00 · 2017-08-31 15:10:18 +02:00 · 23de84ffcd
parent ae10ca1dc7
commit 23de84ffcd
1 changed files with 81 additions and 49 deletions
--- a/elements/overcloud-secure/block-device-default.yaml
+++ b/elements/overcloud-secure/block-device-default.yaml
@ -6,53 +6,85 @@
    partitions:
      - name: root
        flags: [ boot,primary ]
-        size: 6G
-        mkfs:
-            type: xfs
-            label: "img-rootfs"
-            mount:
-                mount_point: /
-                fstab:
-                    options: "rw,relatime"
-                    fck-passno: 1
-      - name: tmp
-        size: 1G
-        mkfs:
-            type: xfs
-            mount:
-                mount_point: /tmp
-                fstab:
-                    options: "rw,nosuid,nodev,noexec,relatime"
-      - name: var
-        size: 7G
-        mkfs:
-            type: xfs
-            mount:
-                mount_point: /var
-                fstab:
-                    options: "rw,relatime"
-      - name: log
-        size: 5G
-        mkfs:
-            type: xfs
-            mount:
-                mount_point: /var/log
-                fstab:
-                    options: "rw,relatime"
-      - name: audit
-        size: 900M
-        mkfs:
-            type: xfs
-            mount:
-                mount_point: /var/log/audit
-                fstab:
-                    options: "rw,relatime"
-      - name: home
-        size: 100M
-        mkfs:
-            type: xfs
-            mount:
-                mount_point: /home
-                fstab:
-                    options: "rw,nodev,relatime"
+        size: 20G
+- lvm:
+    name: lvm
+    base: [ root ]
+    pvs:
+        - name: pv
+          base: root
+          options: [ "--force" ]
+    vgs:
+        - name: vg
+          base: [ "pv" ]
+          options: [ "--force" ]
+    lvs:
+        - name: lv_root
+          base: vg
+          extents: 30%VG
+        - name: lv_tmp
+          base: vg
+          extents: 5%VG
+        - name: lv_var
+          base: vg
+          extents: 35%VG
+        - name: lv_log
+          base: vg
+          extents: 25%VG
+        - name: lv_audit
+          base: vg
+          extents: 4%VG
+        - name: lv_home
+          base: vg
+          extents: 1%VG
+- mkfs:
+    name: fs_root
+    base: lv_root
+    type: xfs
+    label: "img-rootfs"
+    mount:
+        mount_point: /
+        fstab:
+            options: "rw,relatime"
+            fck-passno: 1
+- mkfs:
+    name: fs_tmp
+    base: lv_tmp
+    type: xfs
+    mount:
+        mount_point: /tmp
+        fstab:
+            options: "rw,nosuid,nodev,noexec,relatime"
+- mkfs:
+    name: fs_var
+    base: lv_var
+    type: xfs
+    mount:
+        mount_point: /var
+        fstab:
+            options: "rw,relatime"
+- mkfs:
+    name: fs_log
+    base: lv_log
+    type: xfs
+    mount:
+        mount_point: /var/log
+        fstab:
+            options: "rw,relatime"
+- mkfs:
+    name: fs_audit
+    base: lv_audit
+    type: xfs
+    mount:
+        mount_point: /var/log/audit
+        fstab:
+            options: "rw,relatime"
+- mkfs:
+    name: fs_home
+    base: lv_home
+    type: xfs
+    mount:
+        mount_point: /home
+        fstab:
+            options: "rw,nodev,relatime"