[IMAGING: BYOI SLES] root Login, password encryption, Bonding Mode, and Hosting.md

Hosting.md

@@ -0,0 +1,50 @@
+<!-- (C) Copyright 2024 Hewlett Packard Enterprise Development LP -->
+
+# Requirements for Hosting BYOI files
+
+This file will describe some of the requirements enforced for the web server hosting the final BYOI ISO file
+
+## Secure Web Server
+
+HPE Bare Metal requires the ISO file be hosted on an SSL-enabled web server (HTTPS). This web server's SSL
+certificate must be issued by a common, public trusted Certificate Authority.
+
+Starting with Bare Metal v0.24.143, this SSL certificate validation can be skipped for an individual file. This
+can be useful for internal web servers that use either a self-signed, or private CA issued SSL certificate.
+In the `files` section of the yml file, add `skip_ssl_verify: true` so the section looks like:
+```
+files:
+  - path: "sles.iso"
+    file_size: 13026459648
+    display_url: "SLESBYOI"
+    secure_url: "https://www.company.com/dir/SLE-15-SP4-Full-x86_64-GM-Media1-hpe-glm-20241108-11322.iso"
+    skip_ssl_verify: true
+    download_timeout: 5000
+    signature: "5bfea2fd9626463edc68608ee53ce0198db44a422968856e51c1f8c447ff8445"
+    algorithm: sha256sum
+```
+
+## Accessibility
+
+This web server must be accessible from the On-Prem controller. This web server can be internal in the
+customer network or on the public internet (ex: AWS S3, Azure Blob Storage).
+
+## Target webserver specification
+
+This webserver URL prefix should be specified as a command line parameter `-p <image-url-prefix>` while running
+the build so the output yml file will contain the correct `secure_url`.
+If you need to change the location the ISO should be downloaded from, you can modify the `secure_url` line of the
+yml file without needing to rebuild the entire ISO.
+
+## Further reading
+
+Specific webserver configuration is beyond the scope of this document. Please see the vendor webserver
+product documentation on how to create an SSL-enabled webserver to host your ISO file. Below is a
+non-exhaustive list:
+* Public Hosting
+  * https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteHosting.html
+  * https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-portal
+* Private Hosting
+  * https://learn.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis
+  * https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
+  * https://nginx.org/en/docs/http/configuring_https_servers.html

README.md

@@ -1,4 +1,4 @@
-<!-- (C) Copyright 2022 Hewlett Packard Enterprise Development LP -->
+<!-- (C) Copyright 2022,2024 Hewlett Packard Enterprise Development LP -->
 
 # SLES Bring Your Own Image (BYOI) for GreenLake Metal (GLM)
 # Table of contents
@@ -12,15 +12,56 @@ This github repository contains the script/template files and
 documentation for creating a SLES service for HPE GreenLake Metal
 (GLM) from a SLES install .ISO file.
 
-# Building the SLES image
+**Prerequisites:**
+```
+1. You will need a Web Server with HTTPS support for storage of the HPE Base Metal images.
+2. The Web Server is anything that:
+    A. you have the ability to upload large OS image (.iso) to, and
+    B. is on a network that will be reachable from the HPE On-Premises Controller.
+       When an OS image service (.yml) is used to create an HPE Bare Metal Host, the HPE Bare Metal
+       OS image (.iso) will be downloaded via the `secure_url` mentioned in the service file (.yml).
+3. IMPORTANT:
+   The test `glm-test-service-image.sh` script is to verify the HPE Bare Metal OS image (.iso).
+   To run this test, edit the file `./glm-build-image-and-service.sh` to set the required
+   Web Server-related parameters, listed below:
+      +----------------------------------------------------------------------------
+      | +--------------------------------------------------------------------------
+      | | File `./glm-build-image-and-service.sh`
+      | |   <1> WEB_SERVER_IP: IP address of web server to transfer ISO to (via SSH)
+      | |       Example: WEB_SERVER_IP="10.152.3.96"
+      | |   <2> REMOTE_PATH:   Path on web server to copy files to
+      | |       Example: REMOTE_PATH="/var/www/images/"
+      | |   <3> SSH_USER:      Username for SSH transfer
+      | |       Example: SSH_USER_NAME="root"
+      | | Note: Add your Linux test machine's SSH key to the Web Server
+      | +--------------------------------------------------------------------------
+      +----------------------------------------------------------------------------
+   In this document, for the manual build example:
+   A. a local Web Server "https://10.152.3.96" is used for the storage of OS images (.iso).
+   B. we are assuming that the HPE Bare Metal OS images will be kept in: https://10.152.3.96/images/<.iso>
+4. Linux machine for building OS image:
+   A. Image building has been successfully tested with the following list of Ubuntu OS and its LTS versions:
+      Ubuntu 20.04.6 LTS (focal)
+      Ubuntu 22.04.5 LTS (jammy)
+      Ubuntu 24.04.1 LTS (noble)
+   B. Install supporting tools (git, xorriso, isomd5sum, figlet, and cowsay)
+```
 
-These are the high level steps required to generate the SLES service:
-* Setup Linux system
-* Downloading recipe repo from github
-* Downloading a SLES .ISO file
-* Build the GLM SLES image/service
+# Building the SLES image
 
-These are the high level steps required to use this built GLM SLES
+These are the high-level steps required to generate the SLES service:
+* Set up a Linux system with 20-40GB of free file system space for the build
+* Set up a local file transfer/storage tool (E.g. **Local Web Server with HTTPS support**) that Bare Metal can reach over the network.
+  * For **unsecured Web Server access**, please refer to the [Hosting](Hosting.md) for additional requirements, listed below:
+    *  A. **HTTPS** with certificates signed by **publicly trusted Certificate authority**, and
+    *  B. **Skip** the host’s **SSL certificate verification**.
+  * For **Web Server running behind the Firewall**, the Web Server IP address and Port has to be whitelisted in the **rules** and **Proxy**.
+* Install Git Version Control (git) and other supporting tools (xorriso, isomd5sum, figlet, and cowsay)
+* Downloading recipe repo from GitHub
+* Download a SLES .ISO file
+* Build the Bare Metal SLES image/service
+
+These are the high-level steps required to use this built GLM SLES
 service/image on GLM:
 * Copy the built GLM SLES .ISO image to your web server
 * Add the GLM SLES .YML service file to the appropriate GLM portal
@@ -106,33 +147,49 @@ So you can run the build with the following command line parameters:
     -s <glm-yml-service-file>
 ```
 
-Here is an example of running the built:
+Example: Run the build including artifact verification
+
+```
+./glm-build-image-and-service.sh \
+   -i SLE-15-SP3-Full-x86_64-GM-Media1.iso \
+   -v 15SP3 \
+   -r qPassw0rd \
+   -p https://10.152.3.96 \
+   -o glm-metal-sles.iso
+   -s glm-metal-sles-service.yml
+```
+Example: Run the build excluding artifact verification
 
 ```
 ./glm-build-image-and-service.sh \
    -i SLE-15-SP3-Full-x86_64-GM-Media1.iso \
    -v 15SP3 \
-   -p http://192.169.1.131 \
+   -r qPassw0rd \
+   -p https://10.152.3.96 \
    -o glm-metal-sles.iso
    -s glm-metal-sles-service.yml
+   -x true
 ```
 
 At the end of script run, it will output the following instructions for next steps:
 ```
 +------------------------------------------------------------------------------------------
 | +----------------------------------------------------------------------------------------
-| | This build has generated a new GreenLake Metal (GLM) SLES service/image
+| | This build has generated a new HPE Bare Metal SLES service/image
 | | that consists of the following 2 new files:
-| |     glm-metal-sles.iso
-| |     glm-metal-sles-service.yml
+| |     images/SLE-15-SP4-Full-x86_64-GM-GLM.iso
+| |     images/SLE-15-SP4-Full-x86_64-GM-GLM.yml
 | |
-| | To use this new GLM SLES service/image in HPE GLM take the following steps:
-| | (1) Copy the new .ISO file (glm-metal-sles.iso) to your web server (http://192.169.1.131)
-| |     such that the file can be downloaded from the following URL:
-| |     http://192.169.1.131/glm-metal-sles.iso
-| | (2) Add the GreenLake Metal Service file to your GLM Portal using this command:
-| |     qctl services create -f glm-metal-sles-service.yml
-| | (3) Create a host in GLM using this OS image service.
+| | To use this new Bare Metal SLES service/image in Bare Metal, take the following steps:
+| | (1) Copy the new .ISO file (images/SLE-15-SP4-Full-x86_64-GM-GLM.iso)
+| |     to your web server (https://10.152.3.96) such that the file can be downloaded
+| |     from the following URL: https://10.152.3.96/images/SLE-15-SP4-Full-x86_64-GM-GLM.iso
+| | (2) Add the Bare Metal Service file (images/SLE-15-SP4-Full-x86_64-GM-GLM.yml) to the HPE Bare Metal Portal
+| |     (https://client.greenlake.hpe.com/). To add the HPE Metal Service file,
+| |     sign in to the Bare Metal Portal and select the Tenant by clicking "Go to tenant".
+| |     Select the Dashboard tile "Metal Consumption" and click on the Tab "OS/application images".
+| |     Click on the button "Add OS/application image" to Upload the OS/application YML file.
+| | (3) Create a Bare Metal host using this OS image service.
 | +----------------------------------------------------------------------------------------
 +------------------------------------------------------------------------------------------
 ```
@@ -164,7 +221,7 @@ glm-build-image-and-service.sh command line options | Description
 -i \<sles-iso-filename\>     | local filename of the Full SLES .ISO file that was already downloaded. Used as input file.
 -v \<sles-version-number\>   | a xy SLES version number.  Example: -v 15SP3
 -o \<glm-custom-sles-iso\>   | local filename of the GLM-modified SLES .ISO file that will be output by the script.  This file should be uploaded to your web server.
--p \<image-url-prefix\>      | the beginning of the image URL (on your web server). Example: -p http://192.168.1.131.  The GLM service .YML will assume that the image file will be available at a URL constructed with \<image-url-prefix\>/\<glm-custom-sles-iso\>.
+-p \<image-url-prefix\>      | the beginning of the image URL (on your web server). Example: -p https://10.152.3.96.  The GLM service .YML will assume that the image file will be available at a URL constructed with \<image-url-prefix\>/\<glm-custom-sles-iso\>.
 -s \<glm-yml-service-file\>  | local filename of the GLM .YML service file that will be output by the script.  This file should be uploaded to the GLM portal.
 
 NOTE: The users of this script are expected to copy the
@@ -257,6 +314,8 @@ glm-service-cloud-init.template | This is the cloud-init template file that GLM
 glm-service-ks-hostdef.cfg.template | A SLES autoinst file (templated with hostdef-v1) that is included into the core autoinst file.
 glm-service-ks-install-env.cfg.template | The core SLES autoinst file (templated with install-env-v1)
 glm-service-sles-service.yml.template | This is the GLM .YML service file template.
+glm-test-service-image.sh | This script will verify that the OS image referred to in a corresponding Bare Metal OS service .yml is correct.
+Hosting.md | This file is for additional requirements on the web server.
 
 Feel free to modify these file to suite your specifc needs.  General
 changes that you want to contribute back via a pull request are much
@@ -301,18 +360,21 @@ portal.  For example:
 ```
 +------------------------------------------------------------------------------------------
 | +----------------------------------------------------------------------------------------
-| | This build has generated a new GreenLake Metal (GLM) SLES service/image
+| | This build has generated a new HPE Bare Metal SLES service/image
 | | that consists of the following 2 new files:
-| |     glm-metal-sles.iso
-| |     glm-metal-sles-service.yml
+| |     images/SLE-15-SP4-Full-x86_64-GM-GLM.iso
+| |     images/SLE-15-SP4-Full-x86_64-GM-GLM.yml
 | |
-| | To use this new GLM SLES service/image in HPE GLM take the following steps:
-| | (1) Copy the new .ISO file (glm-metal-sles.iso) to your web server (http://192.169.1.131)
-| |     such that the file can be downloaded from the following URL:
-| |     http://192.169.1.131/glm-metal-sles.iso
-| | (2) Add the GreenLake Metal Service file to your GLM Portal using this command:
-| |     qctl services create -f glm-metal-sles-service.yml
-| | (3) Create a host in GLM using this OS image service.
+| | To use this new Bare Metal SLES service/image in Bare Metal, take the following steps:
+| | (1) Copy the new .ISO file (images/SLE-15-SP4-Full-x86_64-GM-GLM.iso)
+| |     to your web server (https://10.152.3.96) such that the file can be downloaded
+| |     from the following URL: https://10.152.3.96/images/SLE-15-SP4-Full-x86_64-GM-GLM.iso
+| | (2) Add the Bare Metal Service file (images/SLE-15-SP4-Full-x86_64-GM-GLM.yml) to the HPE Bare Metal Portal
+| |     (https://client.greenlake.hpe.com/). To add the HPE Metal Service file,
+| |     sign in to the Bare Metal Portal and select the Tenant by clicking "Go to tenant".
+| |     Select the Dashboard tile "Metal Consumption" and click on the Tab "OS/application images".
+| |     Click on the button "Add OS/application image" to Upload the OS/application YML file.
+| | (3) Create a Bare Metal host using this OS image service.
 | +----------------------------------------------------------------------------------------
 +------------------------------------------------------------------------------------------
 ```
@@ -408,10 +470,3 @@ volume should be automatcally setup, for example:
 [7:0:0:0]    disk    Nimble   Server           1.0   /dev/sdb
 [root@host ~]#
 ```
-
-### Prometheus node_exporter
-
-These instructions also add Prometheus node_exporter to the running system.
-Node_exporter is needed for GL Metal to collect telemetry information about
-running Compute Instances for uptime calculation. If node_exporter is not running
-on the Compute Instance, then GL Metal will not be able to calculate uptime for it.

glm-autoinst.xml.template

@@ -403,7 +403,8 @@
       <package>golang-github-prometheus-node_exporter</package>
       <!-- Need cloud-init for first-boot configuration -->
       <package>cloud-init</package>
-      <!-- Need multipath for iSCSI -->
+      <!-- Need iSCSI related packages-->
+      <package>open-iscsi</package>
       <package>multipath-tools</package>
     </packages>
     <patterns t="list">
@@ -445,6 +446,7 @@
     <user t="map">
       <authorized_keys t="list"/>
       <encrypted t="boolean">true</encrypted>
+      <user_password>%ROOTPW%</user_password>
       <fullname>root</fullname>
       <gid>0</gid>
       <home>/root</home>
@@ -459,7 +461,6 @@
       </password_settings>
       <shell>/bin/bash</shell>
       <uid>0</uid>
-      <user_password>$6$bFPLKRB7r8BgV0Vz$Jq.dBr9TdpfQYAnwuvIH7VhoUSSv/94MS6HKX03/CrYuXI92WKc/t96twOs2lIl.TJN.ylpwEXHxqUBfg/SIw/</user_password>
       <username>root</username>
     </user>
   </users>
@@ -544,17 +545,37 @@
         <interpreter>shell</interpreter>
         <source>
           <![CDATA[
-            # Configure cloud-init for GLM server configuration
-            echo "datasource_list: [\"None\"]" >> /mnt/etc/cloud/cloud.cfg
-
-            # disable password login over SSH (make PasswordAuthentication options 'no')
-            grep -q ^PasswordAuthentication /mnt/etc/ssh/sshd_config && \
-                sed -i "s/^PasswordAuthentication.*$/PasswordAuthentication no/" /mnt/etc/ssh/sshd_config || \
-                echo "PasswordAuthentication no" >> /mnt/etc/ssh/sshd_config
+            # sshd configurations for Quake use of ssh keys and not login passwords
+            sed -i "s|#HostKey /etc/ssh/ssh_host_rsa_key|HostKey /etc/ssh/ssh_host_rsa_key|" /mnt/etc/ssh/sshd_config
+            sed -i "s|#HostKey /etc/ssh/ssh_host_ecdsa_key|HostKey /etc/ssh/ssh_host_ecdsa_key|" /mnt/etc/ssh/sshd_config
+            sed -i "s|#HostKey /etc/ssh/ssh_host_ed25519_key|HostKey /etc/ssh/ssh_host_ed25519_key|" /mnt/etc/ssh/sshd_config
+            sed -i "s/^.*PermitRootLogin.*$/PermitRootLogin without-password/" /mnt/etc/ssh/sshd_config
+            sed -i "s/^.*PasswordAuthentication.*$/PasswordAuthentication no/" /mnt/etc/ssh/sshd_config
+            sed -i "s/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/" /mnt/etc/ssh/sshd_config
+            sed -i "s/#GSSAPIAuthentication no/GSSAPIAuthentication no/" /mnt/etc/ssh/sshd_config
 
             # enable root password login from the GreenLake Metal console/serial port
             echo ttyS1 >> /mnt/etc/securetty
 
+            # enable cloud-init to setup root login via ssh
+            sed -i 's/disable_root:.*$/disable_root: false/' /mnt/etc/cloud/cloud.cfg
+
+            # create multipath.conf
+            cat << EOF > /mnt/etc/multipath.conf
+blacklist {
+   devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
+   devnode "^nvme[0-9]"
+   devnode "^hd[a-z][0-9]*"
+   protocol "scsi:unspec"
+}
+EOF
+            # enable use of the GreenLake Metal console/serial port(s)
+            echo ttyS0 >> /mnt/etc/securetty
+            echo ttyS1 >> /mnt/etc/securetty
+
+            # Configure cloud-init for GLM server configuration
+            echo "datasource_list: [\"None\"]" >> /mnt/etc/cloud/cloud.cfg
+
             # Copy the cloud-init config files over
             cp /tmp/92_DATASOURCE.CFG /mnt/etc/cloud/cloud.cfg.d/92_datasource.cfg
             cp /tmp/95_DATASOURCE.CFG /mnt/etc/cloud/cloud.cfg.d/95_datasource.cfg
@@ -568,14 +589,20 @@
         <interpreter>shell</interpreter>
         <source>
           <![CDATA[
-            # Now we should enable the cloud-init services
+            # enable SSH daemon
+            systemctl enable sshd
+
+            # enable cloud-init
             systemctl enable cloud-init-local
             systemctl enable cloud-init
             systemctl enable cloud-config
             systemctl enable cloud-final
+
+            # enable multipathd
+            systemctl enable multipathd
           ]]>
         </source>
       </script>
     </post-scripts>
   </scripts>
-</profile>
+</profile>