Bug 1809125 - [Doc RFE] Document LUKS/Clevis/Tang implementation
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: doc-Deploying_RHHI
Version: rhhiv-1.8
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: RHHI-V 1.8
Assignee: Laura Bailey
QA Contact: SATHEESARAN
Blocks: RHHI-V-1.8-Documentation-RFE-BZs
Reported: 2020-03-02 13:45 UTC by Anjana Suparna Sriram
Modified: 2020-08-11 13:15 UTC (History)
Last Closed: 2020-08-11 13:15:18 UTC

Comment 4 Gobinda Das 2020-03-06 05:43:55 UTC
Laura,
 The clevis packages (clevis, clevis-dracut) required on the hypervisor side will be included with the RHVH ISO, but for the Tang server the user has to configure it manually, like:

# sudo yum install tang
# sudo firewall-cmd --add-service http --permanent && sudo firewall-cmd --reload
# sudo systemctl enable tangd.socket --now


For RHEL-based installation, the clevis and clevis-dracut pkgs also need to be installed manually by the user on RHHI nodes.

Comment 16 SATHEESARAN 2020-06-09 01:45:47 UTC
Laura,

As I read through the doc, I found a few issues and am recording them here for correction:

1. Deployment flow includes 'Modifying firewall rules for additional software'
This is not required on the RHVH side.
This firewall configuration is to be done only on the NBDE Key server side.

So it shouldn't be part of the deployment flow.

Comment 17 SATHEESARAN 2020-06-09 02:06:02 UTC
Laura,

Section 6.2 describes elaborately how to install RHEL 7 or RHEL 8 on the machines,
but I suggest including how to install the 'tang' package on these servers too.

1. subscribe to particular repo
2. Install tang package - # yum install tang
3. Open the required port 80 ( default port )
4. start the service - # systemctl start tangd.socket

Also point to the RHEL 8 doc on configuring tang with a custom port, if required.

Comment 31 SATHEESARAN 2020-07-20 17:53:24 UTC
@Laura,

The step to include installation of tang is missing in the RHHI-V 3 node deployment with RHVH docs.
Can you add that step, before starting tangd, in chapter-10?

Comment 34 SATHEESARAN 2020-07-21 06:54:49 UTC
A few changes are required for Appendix section B.1, which explains the inventory file contents.

Under the section - ip_config_method (required) corresponding to 'static' method.
Content goes like:

<snip>
 The other valid value for this option is static, which requires the following additional parameters:

hc_nodes:
  vars:
    ip_config_method: static
    host_ip_addr: 192.168.1.101
    host_ip_prefix: 24
    host_net_gateway: 192.168.1.100
</snip>

This content should be added per host, not in common vars.
So the expected content should be:
<expected>
 The other valid value for this option is static, which requires the following additional parameters per host:

hc_nodes:
  host1:
    ip_config_method: static
    host_ip_addr: 192.168.1.101
    host_ip_prefix: 24
    host_net_gateway: 192.168.1.100

  host2:
    ip_config_method: static
    host_ip_addr: 192.168.1.102
    host_ip_prefix: 24
    host_net_gateway: 192.168.1.100

  host3:
    ip_config_method: static
    host_ip_addr: 192.168.1.103
    host_ip_prefix: 24
    host_net_gateway: 192.168.1.100
</expected>


Example in B.2 has 3 issues

1. Blacklist devices are empty
2. explains the usage of 'static' network configuration
3. Last (third) host interface is mentioned as 'enp0s31f6', but
for other hosts, the interface uses the template term - 'if-to-bind-tang-server-on'
4. The common vars use 'dhcp', so it would be better to remove the static host values per host

For example:
hc_nodes:
  hosts:
    host1-backend.example.com:
      blacklist_mpath_devices:
        - sda
        - sdb
        - sdc
      gluster_infra_luks_devices:
        - devicename: /dev/sdb
          passphrase: dev-sdb-encrypt-passphrase
        - devicename: /dev/sdc
          passphrase: dev-sdc-encrypt-passphrase
      rootpassphrase: host1-root-passphrase
      rootdevice: /dev/sda2
      networkinterface: eth0                 <-----------interface used
    host2-backend.example.com:
      blacklist_mpath_devices:
        - sda
        - sdb
        - sdc
      gluster_infra_luks_devices:
        - devicename: /dev/sdb
          passphrase: dev-sdb-encrypt-passphrase
        - devicename: /dev/sdc
          passphrase: dev-sdc-encrypt-passphrase
      rootpassphrase: host2-root-passphrase
      rootdevice: /dev/sda2
      networkinterface: eth0
    host3-backend.example.com:
      blacklist_mpath_devices:
        - sda
        - sdb
        - sdc
      gluster_infra_luks_devices:
        - devicename: /dev/sdb
          passphrase: dev-sdb-encrypt-passphrase
        - devicename: /dev/sdc
          passphrase: dev-sdc-encrypt-passphrase
      rootpassphrase: host3-root-passphrase
      rootdevice: /dev/sda2
      networkinterface: eth0
  vars:
    ip_version: IPv4
    ip_config_method: dhcp
    gluster_infra_tangservers:
      - url: http://key-server1.example.com:80
      - url: http://key-server2.example.com:80
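
An added example, not part of the bug comments or of the RHHI-V playbooks: a small linter over the parsed inventory (for instance the result of `yaml.safe_load`) that flags the problems comment 34 lists. The function name, the finding messages and the sample data are constructed for illustration; the key names are the ones shown in the inventory above.

```python
from urllib.parse import urlparse

PLACEHOLDER_IFACE = "if-to-bind-tang-server-on"  # template term quoted in comment 34
STATIC_KEYS = ("host_ip_addr", "host_ip_prefix", "host_net_gateway")


def lint_inventory(inv):
    """Return sorted (scope, message) findings for a parsed hc_nodes inventory."""
    group = inv.get("hc_nodes") or {}
    common, hosts = group.get("vars") or {}, group.get("hosts") or {}
    # Static addressing is host-specific, so it must not sit in the common vars.
    findings = [("vars", f"{k} is per-host, not a common var")
                for k in STATIC_KEYS if k in common]
    servers = common.get("gluster_infra_tangservers") or []
    if not servers:
        findings.append(("vars", "no gluster_infra_tangservers defined"))
    for srv in servers:
        url = urlparse(str(srv.get("url", "")))
        if url.scheme not in ("http", "https") or not url.hostname:
            findings.append(("vars", f"unusable Tang URL {srv.get('url')!r}"))
    for name, hv in hosts.items():
        hv = hv or {}
        # A host-level ip_config_method overrides the common one.
        method = hv.get("ip_config_method", common.get("ip_config_method"))
        present = [k for k in STATIC_KEYS if k in hv]
        if method == "static":
            findings += [(name, f"static method but {k} missing")
                         for k in STATIC_KEYS if k not in hv]
        elif present:
            findings.append((name, f"{method} method but static values set"))
        if not hv.get("blacklist_mpath_devices"):
            findings.append((name, "blacklist_mpath_devices is empty"))
        if hv.get("networkinterface") in (None, "", PLACEHOLDER_IFACE):
            findings.append((name, "networkinterface is unset or still the template term"))
    return sorted(findings)


# Constructed sample reproducing the problems listed for the B.2 example.
SAMPLE = {"hc_nodes": {
    "hosts": {
        "host1-backend.example.com": {
            "blacklist_mpath_devices": [], "networkinterface": PLACEHOLDER_IFACE,
            "host_ip_addr": "192.168.1.101", "host_ip_prefix": 24,
            "host_net_gateway": "192.168.1.100"},
        "host3-backend.example.com": {
            "blacklist_mpath_devices": ["sda", "sdb", "sdc"],
            "networkinterface": "eth0"}},
    "vars": {"ip_config_method": "dhcp", "gluster_infra_tangservers": [
        {"url": "http://key-server1.example.com:80"}]}}}

if __name__ == "__main__":
    for scope, msg in lint_inventory(SAMPLE):
        print(f"{scope}: {msg}")
```

Running it before the playbook catches an inventory that would leave a node bound to a non-existent interface or with no reachable Tang URL.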

Comment 36 SATHEESARAN 2020-07-29 01:47:53 UTC
Verified the documentation guides with the provided internal link.
Content has adequate information on
1. How to install NBDE server?
2. Installing tang
3. Configuring firewall on NBDE server
4. Creating ansible inventory file and helpful suggestions
5. How to execute the playbook?
6. How to verify NBDE post deployment
7. Debugging info in the case of errors

All the above said topics are well covered.