From a1d4c352a2c77204c25d9ecaceddf16d91085e64 Mon Sep 17 00:00:00 2001
From: Yolanda Robla
Date: Tue, 19 Jun 2018 13:50:19 +0200
Subject: [PATCH] Add overcloud-secure-uefi element

This is the equivalent of the overcloud-secure element, but is defined to generate images that are capable to boot from UEFI.

Change-Id: If9e0504438632f1a22b45b7c95e7bfb8cb6f41d3
Depends-On: I47c96450e10f34b91bcc32888532bd7ab87cf316
Depends-On: Id3dee735e6f8fb221d199c4aba648f3e9a6e4206
---
elements/overcloud-secure-uefi/README.rst | 17 +++
.../block-device-default.yaml | 103 ++++++++++++++++++
elements/overcloud-secure-uefi/element-deps | 2 +
.../package-installs.yaml | 4 +
4 files changed, 126 insertions(+)
create mode 100644 elements/overcloud-secure-uefi/README.rst
create mode 100644 elements/overcloud-secure-uefi/block-device-default.yaml
create mode 100644 elements/overcloud-secure-uefi/element-deps
create mode 100644 elements/overcloud-secure-uefi/package-installs.yaml

diff --git a/elements/overcloud-secure-uefi/README.rst b/elements/overcloud-secure-uefi/README.rst
new file mode 100644
index 000000000..df3f6130a
--- /dev/null
+++ b/elements/overcloud-secure-uefi/README.rst
@@ -0,0 +1,17 @@
+overcloud-secure-uefi
+=====================
+
+CAUTION: This element is part of the security hardened images feature, that
+is delivered in this release as tech preview. The following element is not
+intended for production usage.
+
+overcloud-secure-uefi is an element to add extra security hardening features to
+the tripleo images: partition creation and unsafe package uninstall. This
+element is the equivalent of overcloud-secure one, but is used when needed to
+build images that are capable of booting from uefi.
+
+It includes the block-device-default definition, that creates independent
+partitions on the overcloud image, allowing those to accomplish the ANSSI
+security requirements. Please note that the sizes of the partitions may not
+be enough for production usage, they will need to be resized properly after
+deployment depending on the available disk size.
diff --git a/elements/overcloud-secure-uefi/block-device-default.yaml b/elements/overcloud-secure-uefi/block-device-default.yaml
new file mode 100644
index 000000000..abaa964f2
--- /dev/null
+++ b/elements/overcloud-secure-uefi/block-device-default.yaml
@@ -0,0 +1,103 @@
+- local_loop:
+ name: image0
+- partitioning:
+ base: image0
+ label: gpt
+ partitions:
+ - name: ESP
+ type: 'EF00'
+ size: 8MiB
+ mkfs:
+ type: vfat
+ mount:
+ mount_point: /boot/efi
+ fstab:
+ options: "defaults"
+ fsck-passno: 1
+ - name: BSP
+ type: 'EF02'
+ size: 8MiB
+ - name: root
+ flags: [ boot ]
+ size: 23G
+- lvm:
+ name: lvm
+ base: [ root ]
+ pvs:
+ - name: pv
+ base: root
+ options: [ "--force" ]
+ vgs:
+ - name: vg
+ base: [ "pv" ]
+ options: [ "--force" ]
+ lvs:
+ - name: lv_root
+ base: vg
+ extents: 28%VG
+ - name: lv_tmp
+ base: vg
+ extents: 4%VG
+ - name: lv_var
+ base: vg
+ extents: 40%VG
+ - name: lv_log
+ base: vg
+ extents: 23%VG
+ - name: lv_audit
+ base: vg
+ extents: 4%VG
+ - name: lv_home
+ base: vg
+ extents: 1%VG
+- mkfs:
+ name: fs_root
+ base: lv_root
+ type: xfs
+ label: "img-rootfs"
+ mount:
+ mount_point: /
+ fstab:
+ options: "rw,relatime"
+ fck-passno: 1
+- mkfs:
+ name: fs_tmp
+ base: lv_tmp
+ type: xfs
+ mount:
+ mount_point: /tmp
+ fstab:
+ options: "rw,nosuid,nodev,noexec,relatime"
+- mkfs:
+ name: fs_var
+ base: lv_var
+ type: xfs
+ mount:
+ mount_point: /var
+ fstab:
+ options: "rw,relatime"
+- mkfs:
+ name: fs_log
+ base: lv_log
+ type: xfs
+ mount:
+ mount_point: /var/log
+ fstab:
+ options: "rw,relatime"
+- mkfs:
+ name: fs_audit
+ base: lv_audit
+ type: xfs
+ mount:
+ mount_point: /var/log/audit
+ fstab:
+ options: "rw,relatime"
+- mkfs:
+ name: fs_home
+ base: lv_home
+ type: xfs
+ mount:
+ mount_point: /home
+ fstab:
+ options: "rw,nodev,relatime"
+
diff --git a/elements/overcloud-secure-uefi/element-deps b/elements/overcloud-secure-uefi/element-deps
new file mode 100644
index 000000000..2f1ab12f1
--- /dev/null
+++ b/elements/overcloud-secure-uefi/element-deps
@@ -0,0 +1,2 @@
+block-device-efi
+package-installs
diff --git a/elements/overcloud-secure-uefi/package-installs.yaml b/elements/overcloud-secure-uefi/package-installs.yaml
new file mode 100644
index 000000000..219e4be41
--- /dev/null
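Review bot: The root filesystem's fstab stanza is keyed `fck-passno: 1` while the ESP stanza uses `fsck-passno: 1`; the misspelled key is presumably ignored (or, if the block-device schema is strict, rejected) by diskimage-builder, so `/` would silently get whatever default pass number the mount code applies rather than the intended one — it should read `fsck-passno: 1`. The README presents this layout as satisfying the ANSSI partitioning recommendations, but only `/tmp` and `/home` carry restrictive mount options: ANSSI and CIS also expect `nodev,nosuid,noexec` on `/var/log` and `/var/log/audit`, `nodev,nosuid` on `/var`, and `nosuid` alongside `nodev` on `/home`, and the vfat ESP at `options: "defaults"` could likewise be `"defaults,nodev,nosuid,noexec"`. Separate `/var/tmp` and `/srv` volumes are part of the same recommendation and are absent here; if that is a deliberate trade-off of the tech-preview layout, a `# NOTE:` comment above the `lvs:` list explaining what was left out would save the next reviewer the same question. The two `options: [ "--force" ]` entries on the PV and VG also deserve a one-line comment that they exist to overwrite any stale signature on the freshly created loop partition, so nobody copies them into a layout applied to a real disk.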
+++ b/elements/overcloud-secure-uefi/package-installs.yaml
@@ -0,0 +1,4 @@
+kexec-tools:
+ uninstall: True
+telnet:
+ uninstall: True
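Review bot: Both entries spell the flag as `uninstall: True`, the YAML 1.1 capitalised boolean that yamllint's `truthy` rule rejects; `uninstall: true` on both lines reads the same to a safe loader and keeps the file lint-clean. Removing `kexec-tools` also removes what kdump needs to capture crash dumps on the overcloud node; if that loss is intended for the hardened image, a comment such as `# kexec-tools: disables kdump/crash capture as well as kexec-based reboots` above the entry would make the trade-off explicit. Dropping the `telnet` client closes no listening service, so the README's "unsafe package uninstall" wording slightly oversells it; a comment noting it is a cleartext-tooling hygiene measure would set expectations.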