Add overcloud-secure-uefi element
This is the equivalent of the overcloud-secure element, but is defined to generate images that are capable of booting from UEFI. Change-Id: If9e0504438632f1a22b45b7c95e7bfb8cb6f41d3 Depends-On: I47c96450e10f34b91bcc32888532bd7ab87cf316 Depends-On: Id3dee735e6f8fb221d199c4aba648f3e9a6e4206
parent
2ac38dd68c
commit
a1d4c352a2
|
@ -0,0 +1,17 @@
|
|||
overcloud-secure-uefi
|
||||
=====================
|
||||
|
||||
CAUTION: This element is part of the security hardened images feature, that
|
||||
is delivered in this release as tech preview. The following element is not
|
||||
intended for production usage.
|
||||
|
||||
overcloud-secure-uefi is an element to add extra security hardening features to
|
||||
the tripleo images: partition creation and unsafe package uninstall. This
|
||||
element is the equivalent of overcloud-secure one, but is used when needed to
|
||||
build images that are capable of booting from uefi.
|
||||
|
||||
It includes the block-device-default definition, that creates independent
|
||||
partitions on the overcloud image, allowing those to accomplish the ANSSI
|
||||
security requirements. Please note that the sizes of the partitions may not
|
||||
be enough for production usage, they will need to be resized properly after
|
||||
deployment depending on the available disk size.
|
|
@ -0,0 +1,103 @@
|
|||
- local_loop:
|
||||
name: image0
|
||||
- partitioning:
|
||||
base: image0
|
||||
label: gpt
|
||||
partitions:
|
||||
- name: ESP
|
||||
type: 'EF00'
|
||||
size: 8MiB
|
||||
mkfs:
|
||||
type: vfat
|
||||
mount:
|
||||
mount_point: /boot/efi
|
||||
fstab:
|
||||
options: "defaults"
|
||||
fsck-passno: 1
|
||||
- name: BSP
|
||||
type: 'EF02'
|
||||
size: 8MiB
|
||||
- name: root
|
||||
flags: [ boot ]
|
||||
size: 23G
|
||||
- lvm:
|
||||
name: lvm
|
||||
base: [ root ]
|
||||
pvs:
|
||||
- name: pv
|
||||
base: root
|
||||
options: [ "--force" ]
|
||||
vgs:
|
||||
- name: vg
|
||||
base: [ "pv" ]
|
||||
options: [ "--force" ]
|
||||
lvs:
|
||||
- name: lv_root
|
||||
base: vg
|
||||
extents: 28%VG
|
||||
- name: lv_tmp
|
||||
base: vg
|
||||
extents: 4%VG
|
||||
- name: lv_var
|
||||
base: vg
|
||||
extents: 40%VG
|
||||
- name: lv_log
|
||||
base: vg
|
||||
extents: 23%VG
|
||||
- name: lv_audit
|
||||
base: vg
|
||||
extents: 4%VG
|
||||
- name: lv_home
|
||||
base: vg
|
||||
extents: 1%VG
|
||||
- mkfs:
|
||||
name: fs_root
|
||||
base: lv_root
|
||||
type: xfs
|
||||
label: "img-rootfs"
|
||||
mount:
|
||||
mount_point: /
|
||||
fstab:
|
||||
options: "rw,relatime"
|
||||
fck-passno: 1
|
||||
- mkfs:
|
||||
name: fs_tmp
|
||||
base: lv_tmp
|
||||
type: xfs
|
||||
mount:
|
||||
mount_point: /tmp
|
||||
fstab:
|
||||
options: "rw,nosuid,nodev,noexec,relatime"
|
||||
- mkfs:
|
||||
name: fs_var
|
||||
base: lv_var
|
||||
type: xfs
|
||||
mount:
|
||||
mount_point: /var
|
||||
fstab:
|
||||
options: "rw,relatime"
|
||||
- mkfs:
|
||||
name: fs_log
|
||||
base: lv_log
|
||||
type: xfs
|
||||
mount:
|
||||
mount_point: /var/log
|
||||
fstab:
|
||||
options: "rw,relatime"
|
||||
- mkfs:
|
||||
name: fs_audit
|
||||
base: lv_audit
|
||||
type: xfs
|
||||
mount:
|
||||
mount_point: /var/log/audit
|
||||
fstab:
|
||||
options: "rw,relatime"
|
||||
- mkfs:
|
||||
name: fs_home
|
||||
base: lv_home
|
||||
type: xfs
|
||||
mount:
|
||||
mount_point: /home
|
||||
fstab:
|
||||
options: "rw,nodev,relatime"
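Review bot: The root filesystem's fstab key `fck-passno: 1` under `mount_point: /` is misspelled, so unlike the ESP entry a few lines above (`fsck-passno: 1`) it will not be recognised and root presumably falls back to whatever pass number the block-device layer uses by default; it should read `fsck-passno: 1`. For an element that advertises ANSSI hardening, `/var/log` and `/var/log/audit` are mounted with plain `rw,relatime` while `/tmp` gets `rw,nosuid,nodev,noexec,relatime`; the usual recommendation is the same `nosuid,nodev,noexec` set on both log mounts (and `nosuid` next to `nodev` on `/home`), although whether any TripleO service needs executables under `/var/log` should be confirmed before tightening. Note also that the `extents` percentages sum to exactly 100%VG, which leaves no free extents for the post-deployment resizing the README says is required, so growth will have to come from extending the PV (or adding one) before any `lvextend`.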
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
block-device-efi
|
||||
package-installs
|
|
@ -0,0 +1,4 @@
|
|||
kexec-tools:
|
||||
uninstall: True
|
||||
telnet:
|
||||
uninstall: True
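Review bot: Both `uninstall: True` values use the capitalised YAML 1.1 boolean spelling; yamllint's `truthy` rule and the 1.2 core schema expect `uninstall: true`, so these two lines should be lowercased for consistency with the other YAML in the element. Removing `kexec-tools` also removes the kdump crash-dump path on the resulting nodes, which is a deliberate hardening trade-off but is not mentioned in the README; a one-line note there ("kexec-tools and telnet are removed; kdump is therefore unavailable on these images") would save operators a surprise.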
|