Bug 1355903 - [RFE] overcloud images have a single partition. Security requirement request for multiple partition options in the RHEL Cloud image
Summary: [RFE] overcloud images have a single partition. Security requirement request ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: diskimage-builder
Version: 12.0 (Pike)
Hardware: x86_64
OS: Linux
high
urgent
Target Milestone: Upstream M2
: 12.0 (Pike)
Assignee: Yolanda Robla
QA Contact: mlammon
URL:
Whiteboard:
Depends On: 1381508 1381511 1404836 1436635 1459602
Blocks: 1347518 1350250 1389435 1442136
TreeView+ depends on / blocked
 
Reported: 2016-07-12 22:00 UTC by Mark Hooper
Modified: 2020-01-17 15:50 UTC (History)
25 users (show)

Fixed In Version: diskimage-builder-2.6.2-0.20170623054521.b0e0dd9.el7ost openstack-tripleo-image-elements-7.0.0-0.20170607161959.401d861.el7ost openstack-tripleo-common-7.1.1-0.20170623115707.4ba7d56.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-12-13 20:44:49 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 447047 0 None MERGED Add dracut-regenerate elements 2020-11-11 04:38:32 UTC
OpenStack gerrit 448528 0 None MERGED Add creation of security hardened images 2020-11-11 04:38:32 UTC
OpenStack gerrit 449122 0 None MERGED Add overcloud-secure element 2020-11-11 04:38:51 UTC
Red Hat Bugzilla 1467676 0 unspecified CLOSED [DOC] I'd like to include an article about using security hardened images with TripleO 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHEA-2017:3462 0 normal SHIPPED_LIVE Red Hat OpenStack Platform 12.0 Enhancement Advisory 2018-02-16 01:43:25 UTC

Internal Links: 1459602

Description Mark Hooper 2016-07-12 22:00:51 UTC 
An issue came up today regarding the changing the partitioning scheme on the default RedHat Overcloud images.  I’m told that if we change them we will loose support.   These changes are standard hardening practices industry wide and are required as part of standard DoD hardening.

The DoD partitioning requirements:
·         A separate file system must be used for user home directories (such as /home or an equivalent).

·         /home filesystem must be encrypted to protect sensitive files

·         The system must use a separate file system for /var.

·         The system must use a separate file system for the system audit data path.

·         The system must use a separate file system for /tmp (or equivalent).
Comment 2 Mark Hooper 2016-07-14 01:10:39 UTC 
Also need an option to run FIPS-140-2 kernel.
Comment 4 Lucas Alvares Gomes 2016-08-26 10:14:27 UTC 
Hi @Mark,

One thing we have to understand is that Ironic kinda limited to what the Nova flavor can offer to us. But that said, Ironic does deploy two types of images:

1. Partition image: Which is an image of the root filesystem, there's no partition table or bootloader in it. With this type of image, Ironic will create a simple partitioning following Nova's flavor: The root partition, and optionals swap and/or ephemeral partitions.

2. Whole disk image: Instead of partitioning the disk and copying the root filesystem onto the root partition, this images already includes it all (the partition table, bootloader etc...). I believe that would be the way forward to you to deploy images with a custom filesystem layout in Ironic.

(You may want to take a look here too: http://docs.openstack.org/developer/ironic/deploy/install-guide.html#image-requirements)

Would that solves it for you ?

...

Also, having a tool to build those images would be great as well, but that's outside of Ironic's scope. Probably it would be an RFE for diskimage-builder or other similar tools.
Comment 6 Lucas Alvares Gomes 2016-09-01 09:05:37 UTC 
Changing the component from openstack-ironic to diskimage-builder, it was agreed with @Paul and some other folks involved that this work should be done at image building time.

The upstream work in diskimage-builder to handle this request is https://review.openstack.org/#/c/336946/
Comment 9 Yolanda Robla 2016-09-30 12:49:29 UTC 
Currently there is that change proposed on diskimage-builder to support multiple partitions:
https://review.openstack.org/#/c/375261/

Can this be reviewed and see if that matches our needs?
Comment 11 Yolanda Robla 2016-10-01 11:13:53 UTC 
I did some initial test, using full disk images instead of partition images. That means, I provide overcloud-full.qcow2 and not initrd and vmlinuz images. It is possible for ironic to do that, as documented on:http://docs.openstack.org/project-install-guide/baremetal/draft/configure-integration.html#configure-the-image-service ( it is, i use vm element instead of baremetal one).
However, when deploying TripleO i'm hitting a problem with "openstack overcloud image upload" command.
It expects to have vmlinuz and initrd files. If not present, it throws an error "Required file "./overcloud-full.vmlinuz" does not exist".

Can image upload command be customized to don't require that files?
Comment 13 Yolanda Robla 2016-10-04 10:52:31 UTC 
Related BZ for tripleo: https://bugzilla.redhat.com/show_bug.cgi?id=1381508
Comment 14 Yolanda Robla 2016-10-04 10:58:20 UTC 
Related BZ for ironic: https://bugzilla.redhat.com/show_bug.cgi?id=1381511
Comment 15 Frank Zdarsky 2016-11-16 09:12:11 UTC 
A better approach might be to segregate those directories to different (logical) volumes rather than partitions, as this would allow operators to resize later.

Would this also meet DoD requirements?
Comment 16 Yves Brissette 2016-12-05 13:57:54 UTC 
There is two angles to this requirement; the first one is to ensure that disk space usage does not exceed a specified limit (for example ensure logs does not fill the partition), the second one is to be able to encrypt certain filesystem (for example /home).  
Would the proposed solution meet both those requirements?
Comment 17 Dmitry Tantsur 2016-12-06 15:44:09 UTC 
Support for advanced partitioning in Ironic won't arrive before Pike (OSP 12), so I'd recommend using whole disk images for now.
Comment 18 Yolanda Robla 2016-12-07 16:19:18 UTC 
Hi Dmitry. Can you clarify a bit more about advanced partitioning in Ironic? What use cases will it cover? Will it be suitable for our security use case?
Also i'm aware of the separated way of working of ironic: whole disk images vs flat partition one. Will advanced partitioning support creation of extra partitions on whole disk images, or will it be limited for the flat partition use case?
Comment 19 Dmitry Tantsur 2016-12-07 16:21:23 UTC 
> What use cases will it cover?

Hart to tell, we haven't even started planning. I only there is a consistent demand (like this RFE, for example).

> Will it be suitable for our security use case?

Likely yes.

> Will advanced partitioning support creation of extra partitions on whole disk images

We never modify partitions on whole disk images, this is the idea of whole disk images. We will modify the way we deploy partition images.
Comment 21 Yolanda Robla 2016-12-14 18:57:56 UTC 
So I have a working script with libguestfs, to convert a single partition overcloud image to a whole disk image.
That worked when using partitions, but when trying to switch to volumes, I got the problem that we cannot boot from volumes, because lvm modules are not shipped in the ramdisk image.

Console is just stuck on:
[ ***  ] A start job is running for dev-mapp....device (1h 17min 3s / no limit)

It means that is unable to mount the root volume. Also a quick look at the ramdisk image, shows that no lvm modules are loaded.
Comment 22 Yolanda Robla 2016-12-22 10:05:18 UTC 
While the changes for diskimage-builder land, I have created some script that generates a whole disk image from the overcloud flat partition one:

http://teknoarticles.blogspot.com.es/2016/12/start-using-whole-disk-images-with.html
http://teknoarticles.blogspot.com.es/2016/12/how-to-encrypt-your-home-with-guestfs.html

There is a pending article i need to write, about how to expand the filesystem after deployment, to consume the remaining disk space.
Comment 23 Yolanda Robla 2017-01-05 13:15:48 UTC 
Hitting some problems with pre-creating config-drive partition:
https://bugs.launchpad.net/ironic/+bug/1654269
Comment 24 Yolanda Robla 2017-02-27 12:52:50 UTC 
https://blueprints.launchpad.net/tripleo/+spec/build-whole-disk-images
Comment 26 Yolanda Robla 2017-03-21 14:27:45 UTC 
devel_ack+
Comment 30 Yolanda Robla 2017-06-07 14:27:44 UTC 
Code landed for pike-2
Comment 33 mlammon 2017-11-15 14:07:07 UTC 
This can now be marked verified and tested. Whole Disk Image was tested and deployed into the overcloud containing the requirements of separate partition with the security hardened image created and deployed on many nodes.

openstack overcloud image build --image-name overcloud-hardened-full --config-file /usr/share/openstack-tripleo-common/image-yaml/overcloud-hardened-images.yaml --config-file /usr/share/openstack-tripleo-common/image-yaml/overcloud-hardened-images-rhel7.yaml --verbose

cd
mv ~/images/overcloud-full.qcow2 ~/images/overcloud-full-old.qcow2
cp ~/images/overcloud-hardened-full.qcow2 overcloud-full.qcow2
Comment 36 errata-xmlrpc 2017-12-13 20:44:49 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462
Note You need to log in before you can comment on or make changes to this bug.