Bug 1809125

Summary: [Doc RFE] Document LUKS/Clevis/Tang implementation
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: Anjana Suparna Sriram <asriram>
Component: doc-Deploying_RHHIAssignee: Laura Bailey <lbailey>
Status: CLOSED ERRATA QA Contact: SATHEESARAN <sasundar>
Severity: high Docs Contact:
Priority: high    
Version: rhhiv-1.8CC: asriram, godas, lbailey, rhs-bugs, sasundar, storage-doc, storage-qa-internal
Target Milestone: ---   
Target Release: RHHI-V 1.8   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-11 13:15:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1785074    

Comment 4 Gobinda Das 2020-03-06 05:43:55 UTC 
Laura,
 The clevis packages(clevis,clevis-dracut) required from hypervisor side will be included with RHVH ISO, but for Tang server user has to configure manually like:

# sudo yum install tang
# sudo firewall-cmd --add-service http --permanent && sudo firewall-cmd --reload
# sudo systemctl enable tangd.socket --now


For RHEl based installation clevis,clevis-dracut pkgs also need to be install manually by user in RHHI nodes.
Comment 16 SATHEESARAN 2020-06-09 01:45:47 UTC 
Laura,

As I read through the doc, I found few issues and recording it here for correction:

1. Deployment flow include 'Modifying firewall rules for additional software'
This is not required on the RHVH side.
This firewall configuration to be done only on the NBDE Key server side.

So it shouldn't be the part of deployment flow
Comment 17 SATHEESARAN 2020-06-09 02:06:02 UTC 
Laura,

Section 6.2 elaborately describes about how to install RHEL 7 or RHEL 8 on the machines,
but I suggest to include, how to install 'tang' package on these server too.

1. subscribe to particular repo
2. Install tang package - # yum install tang
3. Open the required port 80 ( default port )
4. start the service - # systemctl start tangd.socket

Also point to RHEL 8 doc on configuring tang with custom port, if required
Comment 31 SATHEESARAN 2020-07-20 17:53:24 UTC 
@Laura,

The step to include installation of tang is missing in RHHI-V 3 node deployment with RHVH docs.
Can you add that step, before starting tangd in chapter-10
Comment 34 SATHEESARAN 2020-07-21 06:54:49 UTC 
Few changes required for Appendix section B.1 that explains the inventory file contents

Under the section - ip_config_method (required) corresponding to 'static' method.
Content goes like:

<snip>
 The other valid value for this option is static, which requires the following additional parameters:

hc_nodes:
  vars:
    ip_config_method: static
    host_ip_addr: 192.168.1.101
    host_ip_prefix: 24
    host_net_gateway: 192.168.1.100
</snip>

This content should be added per host, not in common vars.
So the expected content should be:
<expected>
 The other valid value for this option is static, which requires the following additional parameters per host:

hc_nodes:
  host1:
    ip_config_method: static
    host_ip_addr: 192.168.1.101
    host_ip_prefix: 24
    host_net_gateway: 192.168.1.100

  host2:
    ip_config_method: static
    host_ip_addr: 192.168.1.102
    host_ip_prefix: 24
    host_net_gateway: 192.168.1.100

  host3:
    ip_config_method: static
    host_ip_addr: 192.168.1.103
    host_ip_prefix: 24
    host_net_gateway: 192.168.1.100
</expected>


Example in B.2 has 3 issues

1. Blacklist devices are empty
2. explains the usage of 'static' network configuration
3. Last (third) host interface is mentioned as 'enp0s31f6', but
for other hosts, the interface uses the template term - 'if-to-bind-tang-server-on'
4. The common vars uses 'dhcp' and so it would better to remove static host values per hosts

For example:
hc_nodes:
  hosts:
    host1-backend.example.com:
      blacklist_mpath_devices:
        - sda
        - sdb
        - sdc
      gluster_infra_luks_devices:
        - devicename: /dev/sdb
          passphrase: dev-sdb-encrypt-passphrase
        - devicename: /dev/sdc
          passphrase: dev-sdc-encrypt-passphrase
      rootpassphrase: host1-root-passphrase
      rootdevice: /dev/sda2
      networkinterface: eth0                 <-----------interface used
    host2-backend.example.com:
      blacklist_mpath_devices:
        - sda
        - sdb
        - sdc
      gluster_infra_luks_devices:
        - devicename: /dev/sdb
          passphrase: dev-sdb-encrypt-passphrase
        - devicename: /dev/sdc
          passphrase: dev-sdc-encrypt-passphrase
      rootpassphrase: host2-root-passphrase
      rootdevice: /dev/sda2
      networkinterface: eth0
    host3-backend.example.com:
      blacklist_mpath_devices:
        - sda
        - sdb
        - sdc
      gluster_infra_luks_devices:
        - devicename: /dev/sdb
          passphrase: dev-sdb-encrypt-passphrase
        - devicename: /dev/sdc
          passphrase: dev-sdc-encrypt-passphrase
      rootpassphrase: host3-root-passphrase
      rootdevice: /dev/sda2
      networkinterface: eth0
  vars:
    ip_version: IPv4
    ip_config_method: dhcp
    gluster_infra_tangservers:
      - url: http://key-server1.example.com:80
      - url: http://key-server2.example.com:80
Comment 36 SATHEESARAN 2020-07-29 01:47:53 UTC 
Verified the documentation guides with the provided internal link.
Content has adequate information on
1. How to install NBDE server ?
2. Installing tang 
3. Configuring firewall on NBDE server
4. Creating ansible inventory file and helpful suggestions
5. How to execute the playbook ?
6. How to verify NBDE post deployment
7. Debugging info in the case of errors

All the above said topics are well covered