Merge "Add overcloud-secure-uefi element"

elements/overcloud-secure-uefi/README.rst

@@ -0,0 +1,17 @@
+overcloud-secure-uefi
+=====================
+
+CAUTION: This element is part of the security hardened images feature, that
+is delivered in this release as tech preview. The following element is not
+intended for production usage.
+
+overcloud-secure-uefi is an element to add extra security hardening features to
+the tripleo images: partition creation and unsafe package uninstall. This
+element is the equivalent of overcloud-secure one, but is used when needed to
+build images that are capable of booting from uefi.
+
+It includes the block-device-default definition, that creates independent
+partitions on the overcloud image, allowing those to accomplish the ANSSI
+security requirements. Please note that the sizes of the partitions may not
+be enough for production usage, they will need to be resized properly after
+deployment depending on the available disk size.

elements/overcloud-secure-uefi/block-device-default.yaml

@@ -0,0 +1,103 @@
+- local_loop:
+    name: image0
+- partitioning:
+    base: image0
+    label: gpt
+    partitions:
+      - name: ESP
+        type: 'EF00'
+        size: 8MiB
+        mkfs:
+          type: vfat
+          mount:
+            mount_point: /boot/efi
+            fstab:
+              options: "defaults"
+              fsck-passno: 1
+      - name: BSP
+        type: 'EF02'
+        size: 8MiB
+      - name: root
+        flags: [ boot ]
+        size: 23G
+- lvm:
+    name: lvm
+    base: [ root ]
+    pvs:
+        - name: pv
+          base: root
+          options: [ "--force" ]
+    vgs:
+        - name: vg
+          base: [ "pv" ]
+          options: [ "--force" ]
+    lvs:
+        - name: lv_root
+          base: vg
+          extents: 28%VG
+        - name: lv_tmp
+          base: vg
+          extents: 4%VG
+        - name: lv_var
+          base: vg
+          extents: 40%VG
+        - name: lv_log
+          base: vg
+          extents: 23%VG
+        - name: lv_audit
+          base: vg
+          extents: 4%VG
+        - name: lv_home
+          base: vg
+          extents: 1%VG
+- mkfs:
+    name: fs_root
+    base: lv_root
+    type: xfs
+    label: "img-rootfs"
+    mount:
+        mount_point: /
+        fstab:
+            options: "rw,relatime"
+            fck-passno: 1
+- mkfs:
+    name: fs_tmp
+    base: lv_tmp
+    type: xfs
+    mount:
+        mount_point: /tmp
+        fstab:
+            options: "rw,nosuid,nodev,noexec,relatime"
+- mkfs:
+    name: fs_var
+    base: lv_var
+    type: xfs
+    mount:
+        mount_point: /var
+        fstab:
+            options: "rw,relatime"
+- mkfs:
+    name: fs_log
+    base: lv_log
+    type: xfs
+    mount:
+        mount_point: /var/log
+        fstab:
+            options: "rw,relatime"
+- mkfs:
+    name: fs_audit
+    base: lv_audit
+    type: xfs
+    mount:
+        mount_point: /var/log/audit
+        fstab:
+            options: "rw,relatime"
+- mkfs:
+    name: fs_home
+    base: lv_home
+    type: xfs
+    mount:
+        mount_point: /home
+        fstab:
+            options: "rw,nodev,relatime"
+

elements/overcloud-secure-uefi/element-deps

@@ -0,0 +1,2 @@
+block-device-efi
+package-installs

elements/overcloud-secure-uefi/package-installs.yaml

@@ -0,0 +1,4 @@
+kexec-tools:
+  uninstall: True
+telnet:
+  uninstall: True