From 9493ed3b1dc075d75032975ac0c95f4578a0e405 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Sat, 9 Mar 2019 19:34:15 -0800 Subject: [PATCH] Change default iPXE kernel/initrd download from HTTP to HTTPS * Require an iPXE-enabled network boot environment with support for TLS downloads. PXE clients must chainload to iPXE firmware compiled with `DOWNLOAD_PROTO_HTTPS` enabled ([crypto](https://ipxe.org/crypto)) * iPXE's pre-compiled firmware binaries do _not_ enable HTTPS. Admins should build iPXE from source with support enabled * Affects the Container Linux and Flatcar Linux install profiles that pull from public downloads. No effect when cached_install=true or using Fedora Atomic, as those download from Matchbox * Add `download_protocol` variable. Recognizing boot firmware TLS support is difficult in some environments, set the protocol to "http" for the old behavior (discouraged) --- CHANGES.md | 7 +++++++ bare-metal/container-linux/kubernetes/profiles.tf | 8 ++++---- bare-metal/container-linux/kubernetes/variables.tf | 6 ++++++ docs/cl/bare-metal.md | 13 +++++++++---- docs/topics/hardware.md | 2 +- 5 files changed, 27 insertions(+), 9 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 4b23c31d..fe38ec9b 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -11,6 +11,13 @@ Notable changes between versions. * Support `terraform-provider-aws` v2.0+ ([#419](https://github.com/poseidon/typhoon/pull/419)) +#### Bare-Metal + +* Change the default iPXE kernel and initrd download protocol from HTTP to HTTPS ([#420](https://github.com/poseidon/typhoon/pull/420)) + * Require an iPXE-enabled network boot environment with support for TLS downloads. PXE clients must chainload to iPXE firmware compiled with `DOWNLOAD_PROTO_HTTPS` [enabled](https://ipxe.org/crypto). (**action required**) + * Affects Container Linux and Flatcar Linux install profiles that pull from public images (default). No affect when `cached_install=true` or Fedora Atomic, since those download from Matchbox + * Add `download_protocol` variable. Recognizing boot firmware TLS support is difficult in some environments, set the protocol to "http" for the old behavior (discouraged) + #### Addons * Update Prometheus from v2.7.1 to v2.7.2 diff --git a/bare-metal/container-linux/kubernetes/profiles.tf b/bare-metal/container-linux/kubernetes/profiles.tf index 4b576efe..11e718c7 100644 --- a/bare-metal/container-linux/kubernetes/profiles.tf +++ b/bare-metal/container-linux/kubernetes/profiles.tf @@ -11,10 +11,10 @@ resource "matchbox_profile" "container-linux-install" { count = "${length(var.controller_names) + length(var.worker_names)}" name = "${format("%s-container-linux-install-%s", var.cluster_name, element(concat(var.controller_names, var.worker_names), count.index))}" - kernel = "http://${local.channel}.release.core-os.net/amd64-usr/${var.os_version}/coreos_production_pxe.vmlinuz" + kernel = "${var.download_protocol}://${local.channel}.release.core-os.net/amd64-usr/${var.os_version}/coreos_production_pxe.vmlinuz" initrd = [ - "http://${local.channel}.release.core-os.net/amd64-usr/${var.os_version}/coreos_production_pxe_image.cpio.gz", + "${var.download_protocol}://${local.channel}.release.core-os.net/amd64-usr/${var.os_version}/coreos_production_pxe_image.cpio.gz", ] args = [ @@ -96,10 +96,10 @@ resource "matchbox_profile" "flatcar-install" { count = "${length(var.controller_names) + length(var.worker_names)}" name = "${format("%s-flatcar-install-%s", var.cluster_name, element(concat(var.controller_names, var.worker_names), count.index))}" - kernel = "http://${local.channel}.release.flatcar-linux.net/amd64-usr/${var.os_version}/flatcar_production_pxe.vmlinuz" + kernel = "${var.download_protocol}://${local.channel}.release.flatcar-linux.net/amd64-usr/${var.os_version}/flatcar_production_pxe.vmlinuz" initrd = [ - "http://${local.channel}.release.flatcar-linux.net/amd64-usr/${var.os_version}/flatcar_production_pxe_image.cpio.gz", + "${var.download_protocol}://${local.channel}.release.flatcar-linux.net/amd64-usr/${var.os_version}/flatcar_production_pxe_image.cpio.gz", ] args = [ diff --git a/bare-metal/container-linux/kubernetes/variables.tf b/bare-metal/container-linux/kubernetes/variables.tf index da09eeee..3e0a4043 100644 --- a/bare-metal/container-linux/kubernetes/variables.tf +++ b/bare-metal/container-linux/kubernetes/variables.tf @@ -118,6 +118,12 @@ variable "cluster_domain_suffix" { default = "cluster.local" } +variable "download_protocol" { + type = "string" + default = "https" + description = "Protocol iPXE should use to download the kernel and initrd. Defaults to https, which requires iPXE compiled with crypto support. Unused if cached_install is true." +} + variable "cached_install" { type = "string" default = "false" diff --git a/docs/cl/bare-metal.md b/docs/cl/bare-metal.md index 73b14542..a6d11b3a 100644 --- a/docs/cl/bare-metal.md +++ b/docs/cl/bare-metal.md @@ -9,7 +9,7 @@ Controllers are provisioned to run an `etcd-member` peer and a `kubelet` service ## Requirements * Machines with 2GB RAM, 30GB disk, PXE-enabled NIC, IPMI -* PXE-enabled [network boot](https://coreos.com/matchbox/docs/latest/network-setup.html) environment +* PXE-enabled [network boot](https://coreos.com/matchbox/docs/latest/network-setup.html) environment (with HTTPS support) * Matchbox v0.6+ deployment with API enabled * Matchbox credentials `client.crt`, `client.key`, `ca.crt` * Terraform v0.11.x, [terraform-provider-matchbox](https://github.com/coreos/terraform-provider-matchbox), and [terraform-provider-ct](https://github.com/coreos/terraform-provider-ct) installed locally @@ -82,7 +82,7 @@ $ openssl s_client -connect matchbox.example.com:8081 \ ## PXE Environment -Create a iPXE-enabled network boot environment. Configure PXE clients to chainload [iPXE](http://ipxe.org/cmd) and instruct iPXE clients to chainload from your Matchbox service's `/boot.ipxe` endpoint. +Create an iPXE-enabled network boot environment. Configure PXE clients to chainload [iPXE](http://ipxe.org/cmd) firmware compiled to support [HTTPS downloads](https://ipxe.org/crypto). Instruct iPXE clients to chainload from your Matchbox service's `/boot.ipxe` endpoint. For networks already supporting iPXE clients, you can add a `default.ipxe` config. @@ -93,8 +93,6 @@ chain http://matchbox.foo:8080/boot.ipxe For networks with Ubiquiti Routers, you can [configure the router](/topics/hardware/#ubiquiti) itself to chainload machines to iPXE and Matchbox. -For a small lab, you may wish to checkout the [quay.io/coreos/dnsmasq](https://quay.io/repository/coreos/dnsmasq) container image and [copy-paste examples](https://github.com/coreos/matchbox/blob/master/Documentation/network-setup.md#coreosdnsmasq). - Read about the [many ways](https://coreos.com/matchbox/docs/latest/network-setup.html) to setup a compliant iPXE-enabled network. There is quite a bit of flexibility: * Continue using existing DHCP, TFTP, or DNS services @@ -104,6 +102,9 @@ Read about the [many ways](https://coreos.com/matchbox/docs/latest/network-setup !!! note "" TFTP chainloading to modern boot firmware, like iPXE, avoids issues with old NICs and allows faster transfer protocols like HTTP to be used. +!!! warning + Compile iPXE from [source](https://github.com/ipxe/ipxe) with support for [HTTPS downloads](https://ipxe.org/crypto). iPXE's pre-built firmware binaries do not enable this. If you cannot enable HTTPS downloads, set `download_protocol = "http"` (discouraged). + ## Terraform Setup Install [Terraform](https://www.terraform.io/downloads.html) v0.11.x on your system. @@ -215,6 +216,9 @@ module "bare-metal-mercury" { "node2.example.com", "node3.example.com", ] + + # set to http only if you cannot chainload to iPXE firmware with https support + # download_protocol = "http" } ``` @@ -375,6 +379,7 @@ Check the [variables.tf](https://github.com/poseidon/typhoon/blob/master/bare-me | Name | Description | Default | Example | |:-----|:------------|:--------|:--------| +| download_protocol | Protocol iPXE uses to download the kernel and initrd. iPXE must be compiled with [crypto](https://ipxe.org/crypto) support for https. Unused if cached_install is true | "https" | "http" | | cached_install | PXE boot and install from the Matchbox `/assets` cache. Admin MUST have downloaded Container Linux or Flatcar images into the cache | false | true | | install_disk | Disk device where Container Linux should be installed | "/dev/sda" | "/dev/sdb" | | networking | Choice of networking provider | "calico" | "calico" or "flannel" | diff --git a/docs/topics/hardware.md b/docs/topics/hardware.md index 385a1fee..5751b18b 100644 --- a/docs/topics/hardware.md +++ b/docs/topics/hardware.md @@ -47,7 +47,7 @@ set service dns forwarding options 'pxe-service=tag:ipxe,x86PC,iPXE,http://match ### TFTP -Use `dnsmasq` as a TFTP server to serve `undionly.kpxe`. Compiling from [source](https://github.com/ipxe/ipxe) with TLS support is recommended, but you may also download a [pre-compiled](http://boot.ipxe.org/undionly.kpxe) copy. +Use `dnsmasq` as a TFTP server to serve `undionly.kpxe`. Compiling from [source](https://github.com/ipxe/ipxe) with TLS support is strongly recommended. If you use a [pre-compiled](http://boot.ipxe.org/undionly.kpxe) copy, you must set `download_protocol = "http"` in your cluster definition (discouraged). ``` sudo -i