From 6f69763ec44960c5b3cdd49cc06ac3c340b0befd Mon Sep 17 00:00:00 2001
From: David Elie-Dit-Cosaque
Date: Wed, 4 Dec 2024 14:40:17 -0500
Subject: [PATCH] ztp: Fix talm update detection method

---
 .../01-disk-encryption-pcr-rebind/build.sh | 1 +
 .../hwupgrade-detection-methods/talm.sh | 7 ++++---
 .../01-disk-encryption-pcr-rebind/order.conf | 3 +++
 .../pcr-disable-shutdown.service | 2 +-
 .../01-disk-encryption-pcr-rebind-master.yaml | 8 ++++++--
 .../01-disk-encryption-pcr-rebind-worker.yaml | 8 ++++++--
 .../01-disk-encryption-pcr-rebind-master.yaml | 8 ++++++--
 .../01-disk-encryption-pcr-rebind-worker.yaml | 8 ++++++--
 8 files changed, 33 insertions(+), 12 deletions(-)
 create mode 100644 ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/order.conf

diff --git a/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/build.sh b/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/build.sh
index 44571399e3..16aba34e96 100755
--- a/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/build.sh
+++ b/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/build.sh
@@ -14,5 +14,6 @@ ${MCMAKER} -stdout -name 01-disk-encryption-rebind -mcp "${MCPROLE}" \
 file -source hwupgrade-detection-methods/fwup.sh -path /usr/local/bin/hwupgrade-detection-methods/fwup.sh -mode 0755 \
 file -source hwupgrade-detection-methods/ostree.sh -path /usr/local/bin/hwupgrade-detection-methods/ostree.sh -mode 0755 \
 file -source hwupgrade-detection-methods/talm.sh -path /usr/local/bin/hwupgrade-detection-methods/talm.sh -mode 0755 \
+ file -source order.conf -path /etc/systemd/system/crio-.scope.d/order.conf -mode 0644 \
 unit -source pcr-rebind-boot.service \
 unit -source pcr-disable-shutdown.service
diff --git a/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/hwupgrade-detection-methods/talm.sh b/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/hwupgrade-detection-methods/talm.sh
index fd2ae2e53c..563496656b 100755
--- a/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/hwupgrade-detection-methods/talm.sh +++ b/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/hwupgrade-detection-methods/talm.sh @@ -1,7 +1,7 @@ #!/bin/bash set -o errexit -o nounset -o pipefail -SPOKE_KUBECONFIG_PATH=/var/lib/kubelet/kubeconfig +SPOKE_KUBECONFIG_PATH=/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-int.kubeconfig HUB_SECRET_NAMESPACE=open-cluster-management-agent HUB_SECRET_NAME=hub-kubeconfig-secret @@ -31,12 +31,13 @@ isZtpState() { talmState="$1" RESULT=$FALSE + clusterName=$(oc --kubeconfig "$SPOKE_KUBECONFIG_PATH" get klusterlet klusterlet -ojsonpath='{.spec.clusterName}') case "$talmState" in "running") - RESULT=$(KUBECONFIG=/tmp/kubeconfig-hub oc get managedcluster "$(hostname --short)" -ojson | jq '.metadata.labels["ztp-running"]!=null') + RESULT=$(KUBECONFIG=/tmp/kubeconfig-hub oc get managedcluster "$clusterName" -ojson | jq '.metadata.labels["ztp-running"]!=null') ;; "done") - RESULT=$(KUBECONFIG=/tmp/kubeconfig-hub oc get managedcluster "$(hostname --short)" -ojson | jq '.metadata.labels["ztp-done"]!=null') + RESULT=$(KUBECONFIG=/tmp/kubeconfig-hub oc get managedcluster "$clusterName" -ojson | jq '.metadata.labels["ztp-done"]!=null') ;; *) # Code to execute when no patterns match diff --git a/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/order.conf b/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/order.conf new file mode 100644 index 0000000000..00bc73e7db --- /dev/null +++ b/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/order.conf @@ -0,0 +1,3 @@ +# This unit ensures that containers stay up on shutdown until the pcr-disable-shutdown service is able to run +[Unit] +Before=pcr-disable-shutdown.service 
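Review bot: `SPOKE_KUBECONFIG_PATH` in the first talm.sh hunk now points at `.../kube-apiserver-certs/secrets/node-kubeconfigs/lb-int.kubeconfig`, and nothing checks that this file exists or is readable before `oc --kubeconfig` uses it. As far as I know that directory is present only on control-plane nodes and its kubeconfigs carry much broader rights than the kubelet one being replaced (please confirm), while the same script is also embedded in the `-worker.yaml` MachineConfigs of this commit. With `set -o errexit` a missing file would presumably surface as a failed `oc` call rather than a clean "TALM not available" result. I would add a guard where the path is first used (outside this hunk), for example `[ -r "$SPOKE_KUBECONFIG_PATH" ] || return "$FALSE"`, and a comment above the assignment such as `# node-local admin kubeconfig; control-plane only, used read-only` so the privilege level is a documented choice.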
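Review bot: `clusterName` in the `isZtpState` hunk is assigned as a global and is passed to `oc get managedcluster "$clusterName"` without a check that it is non-empty. If the klusterlet has no `spec.clusterName` the hub is queried with an empty name, and if the lookup itself fails, `errexit` may end the script instead of returning `$FALSE`. I suggest declaring it with the function's other locals (that line is outside the hunk) and adding `[ -n "$clusterName" ] || return "$FALSE"` right after the assignment. Separately, both rewritten `RESULT=` lines still read the hub credentials from the fixed path `/tmp/kubeconfig-hub`, which per the embedded script appears to contain a client key; a root-only file created with `mktemp` or placed under `/run` with mode 0600 would avoid a predictable name in a world-writable directory. The body of `isZtpState` continues past the end of the hunk.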
diff --git a/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/pcr-disable-shutdown.service b/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/pcr-disable-shutdown.service index ae9f415125..387c0eb1fe 100644 --- a/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/pcr-disable-shutdown.service +++ b/ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/pcr-disable-shutdown.service @@ -1,7 +1,7 @@ [Service] Type=oneshot RemainAfterExit=true -ExecStart=/usr/bin/true ExecStop=/usr/local/bin/disablePcrOnRebootOrShutdown.sh + [Install] WantedBy=multi-user.target diff --git a/ztp/kube-compare-reference/optional/machine-config/01-disk-encryption-pcr-rebind-master.yaml b/ztp/kube-compare-reference/optional/machine-config/01-disk-encryption-pcr-rebind-master.yaml index c4cfa41ad2..f1f54052c5 100644 --- a/ztp/kube-compare-reference/optional/machine-config/01-disk-encryption-pcr-rebind-master.yaml +++ b/ztp/kube-compare-reference/optional/machine-config/01-disk-encryption-pcr-rebind-master.yaml 
@@ -37,9 +37,13 @@ spec: mode: 493 path: /usr/local/bin/hwupgrade-detection-methods/ostree.sh - contents: - source: data:text/plain;charset=utf-8;base64,IyEvYmluL2Jhc2gKc2V0IC1vIGVycmV4aXQgLW8gbm91bnNldCAtbyBwaXBlZmFpbAoKU1BPS0VfS1VCRUNPTkZJR19QQVRIPS92YXIvbGliL2t1YmVsZXQva3ViZWNvbmZpZwpIVUJfU0VDUkVUX05BTUVTUEFDRT1vcGVuLWNsdXN0ZXItbWFuYWdlbWVudC1hZ2VudApIVUJfU0VDUkVUX05BTUU9aHViLWt1YmVjb25maWctc2VjcmV0CgojIHJldHJpZXZlcyB0aGUga3ViZWNvbmZpZyBmb3IgdGhpcyBzcG9rZSdzIGNsdXN0ZXIKZ2V0SHViS3ViZWNvbmZpZygpIHsKCWxvY2FsIGt1YmVDb25maWdQYXRoIG5hbWVzcGFjZSBzZWNyZXROYW1lIEtVQkVDT05GSUdfREFUQSBUTFNfS0VZIFRMU19DUlQKCglrdWJlQ29uZmlnUGF0aD0iJDEiCgluYW1lc3BhY2U9IiQyIgoJc2VjcmV0TmFtZT0iJDMiCglLVUJFQ09ORklHX0RBVEE9JChvYyAtLWt1YmVjb25maWcgIiRrdWJlQ29uZmlnUGF0aCIgZ2V0IHNlY3JldCAtbiAiJG5hbWVzcGFjZSIgIiRzZWNyZXROYW1lIiAtbyBqc29uIHwganEgLmRhdGEua3ViZWNvbmZpZyB8IHNlZCAncy8iLy9nJyB8IGJhc2U2NCAtZCkKCWlmIFsgLXogIiRLVUJFQ09ORklHX0RBVEEiIF07IHRoZW4KCQlyZXR1cm4gIiRGQUxTRSIKCWZpCglUTFNfS0VZPSQob2MgLS1rdWJlY29uZmlnICIka3ViZUNvbmZpZ1BhdGgiIGdldCBzZWNyZXQgLW4gIiRuYW1lc3BhY2UiICIkc2VjcmV0TmFtZSIgLW8ganNvbiB8IGpxICcuZGF0YS4idGxzLmtleSInIHwgc2VkICdzLyIvL2cnKQoJVExTX0NSVD0kKG9jIC0ta3ViZWNvbmZpZyAiJGt1YmVDb25maWdQYXRoIiBnZXQgc2VjcmV0IC1uICIkbmFtZXNwYWNlIiAiJHNlY3JldE5hbWUiIC1vIGpzb24gfCBqcSAnLmRhdGEuInRscy5jcnQiJyB8IHNlZCAncy8iLy9nJykKCWVjaG8gIiRLVUJFQ09ORklHX0RBVEEiIHwgc2VkIC1lICJzL2NsaWVudC1jZXJ0aWZpY2F0ZTogdGxzLmNydC9jbGllbnQtY2VydGlmaWNhdGUtZGF0YTogJFRMU19DUlQvZyIgfCBzZWQgLWUgInMvY2xpZW50LWtleTogdGxzLmtleS9jbGllbnQta2V5LWRhdGE6ICRUTFNfS0VZL2ciID4vdG1wL2t1YmVjb25maWctaHViCglyZXR1cm4gIiRUUlVFIgp9CgojIFJldHJlaXZlcyBUQUxNJ3Mgc3RhdGUgaW4gdGhlIGh1YiBjbHVzdGVyJ3MgbWFuYWdlZENsdXN0ZXIgb2JqZWN0LiBUYWtlcyBvbmUgYXJndW1lbnQ6CiMgZG9uZSAtPiByZXR1cm4gJFRSVUUgaWYgdGhlIHp0cC1kb25lIGxhYmVsIGlzIHNldCwgJEZBTFNFIG90aGVyd2lzZQojIHJ1bm5pbmcgLT4gcmV0dXJuICRUUlVFIGlmIHRoZSB6dHAtcnVubmluZyBsYWJlbCBpcyBzZXQsICRGQUxTRSBvdGhlcndpc2UKaXNadHBTdGF0ZSgpIHsKCWxvY2FsIHRhbG1TdGF0ZSBSRVNVTFQKCgl0YWxtU3RhdGU9IiQxIgoJUkVTVUxUPSRGQUxTRQoKCWNhc2U
gIiR0YWxtU3RhdGUiIGluCgkicnVubmluZyIpCgkJUkVTVUxUPSQoS1VCRUNPTkZJRz0vdG1wL2t1YmVjb25maWctaHViIG9jIGdldCBtYW5hZ2VkY2x1c3RlciAiJChob3N0bmFtZSAtLXNob3J0KSIgLW9qc29uIHwganEgJy5tZXRhZGF0YS5sYWJlbHNbInp0cC1ydW5uaW5nIl0hPW51bGwnKQoJCTs7CgkiZG9uZSIpCgkJUkVTVUxUPSQoS1VCRUNPTkZJRz0vdG1wL2t1YmVjb25maWctaHViIG9jIGdldCBtYW5hZ2VkY2x1c3RlciAiJChob3N0bmFtZSAtLXNob3J0KSIgLW9qc29uIHwganEgJy5tZXRhZGF0YS5sYWJlbHNbInp0cC1kb25lIl0hPW51bGwnKQoJCTs7CgkqKQoJCSMgQ29kZSB0byBleGVjdXRlIHdoZW4gbm8gcGF0dGVybnMgbWF0Y2gKCQk7OwoJZXNhYwoJaWYgWyAiJFJFU1VMVCIgPT0gImZhbHNlIiBdOyB0aGVuCgkJbG9nRGVidWcgIlRBTE0gJHRhbG1TdGF0ZSBzdGF0ZSBpcyAkUkVTVUxUIgoJCXJldHVybiAiJEZBTFNFIgoJZmkKCWxvZ0RlYnVnICJUQUxNICR0YWxtU3RhdGUgc3RhdGUgaXMgJFJFU1VMVCIKCXJldHVybiAiJFRSVUUiCn0KCmlzVEFMTVVwZGF0aW5nKCkgewoJaWYgISBnZXRIdWJLdWJlY29uZmlnICRTUE9LRV9LVUJFQ09ORklHX1BBVEggJEhVQl9TRUNSRVRfTkFNRVNQQUNFICRIVUJfU0VDUkVUX05BTUU7IHRoZW4KCQlsb2dJbmZvICJUQUxNIG5vdCBhdmFpbGFibGUgb3IgaHViIGt1YmVjb25maWcgaXMgbm8gcmVhZHkgeWV0IGF0ICRTUE9LRV9LVUJFQ09ORklHX1BBVEggcGF0aCwgY2Fubm90IGdldCBzcG9rZSBzZWNyZXQgJEhVQl9TRUNSRVRfTkFNRSBpbiAkSFVCX1NFQ1JFVF9OQU1FU1BBQ0UgbmFtZXNwYWNlIgoJCXJldHVybiAiJEZBTFNFIgoJZmkKCWlzWnRwU3RhdGUgInJ1bm5pbmciCglyZXR1cm4gJD8KfQoKIyBBZGQgYSBuZXcgZnVuY3Rpb24gdG8gdGhlIGFycmF5IG9mIHVwZGF0ZSBkZXRlY3Rpb24gbWV0aG9kcwpzZXJ2ZXJVcGRhdGVEZXRlY3Rpb25NZXRob2RzKz0oImlzVEFMTVVwZGF0aW5nIikK + source: data:text/plain;charset=utf-8;base64,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 mode: 493 path: /usr/local/bin/hwupgrade-detection-methods/talm.sh + - contents: + source: data:text/plain;charset=utf-8;base64,IyBUaGlzIHVuaXQgZW5zdXJlcyB0aGF0IGNvbnRhaW5lcnMgc3RheSB1cCBvbiBzaHV0ZG93biB1bnRpbCB0aGUgcGNyLWRpc2FibGUtc2h1dGRvd24gc2VydmljZSBpcyBhYmxlIHRvIHJ1biAKW1VuaXRdCkJlZm9yZT1wY3ItZGlzYWJsZS1zaHV0ZG93bi5zZXJ2aWNlCg== + mode: 420 + path: /etc/systemd/system/crio-.scope.d/order.conf systemd: units: - contents: | 
@@ -57,8 +61,8 @@ spec: [Service] Type=oneshot RemainAfterExit=true - ExecStart=/usr/bin/true ExecStop=/usr/local/bin/disablePcrOnRebootOrShutdown.sh + [Install] WantedBy=multi-user.target enabled: true diff --git a/ztp/kube-compare-reference/optional/machine-config/01-disk-encryption-pcr-rebind-worker.yaml b/ztp/kube-compare-reference/optional/machine-config/01-disk-encryption-pcr-rebind-worker.yaml index bc6be4afd4..adc36489e1 100644 --- a/ztp/kube-compare-reference/optional/machine-config/01-disk-encryption-pcr-rebind-worker.yaml +++ b/ztp/kube-compare-reference/optional/machine-config/01-disk-encryption-pcr-rebind-worker.yaml @@ -37,9 +37,13 @@ spec: mode: 493 path: /usr/local/bin/hwupgrade-detection-methods/ostree.sh - contents: - source: data:text/plain;charset=utf-8;base64,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 + source: data:text/plain;charset=utf-8;base64,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 mode: 493 path: /usr/local/bin/hwupgrade-detection-methods/talm.sh + - contents: + source: data:text/plain;charset=utf-8;base64,IyBUaGlzIHVuaXQgZW5zdXJlcyB0aGF0IGNvbnRhaW5lcnMgc3RheSB1cCBvbiBzaHV0ZG93biB1bnRpbCB0aGUgcGNyLWRpc2FibGUtc2h1dGRvd24gc2VydmljZSBpcyBhYmxlIHRvIHJ1biAKW1VuaXRdCkJlZm9yZT1wY3ItZGlzYWJsZS1zaHV0ZG93bi5zZXJ2aWNlCg== + mode: 420 + path: /etc/systemd/system/crio-.scope.d/order.conf systemd: units: - contents: | @@ -57,8 +61,8 @@ spec: [Service] Type=oneshot RemainAfterExit=true - ExecStart=/usr/bin/true ExecStop=/usr/local/bin/disablePcrOnRebootOrShutdown.sh + [Install] WantedBy=multi-user.target enabled: true diff --git a/ztp/source-crs/extra-manifest/01-disk-encryption-pcr-rebind-master.yaml b/ztp/source-crs/extra-manifest/01-disk-encryption-pcr-rebind-master.yaml index c4cfa41ad2..f1f54052c5 100644 --- a/ztp/source-crs/extra-manifest/01-disk-encryption-pcr-rebind-master.yaml +++ b/ztp/source-crs/extra-manifest/01-disk-encryption-pcr-rebind-master.yaml 
@@ -37,9 +37,13 @@ spec: mode: 493 path: /usr/local/bin/hwupgrade-detection-methods/ostree.sh - contents: - source: data:text/plain;charset=utf-8;base64,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 + source: data:text/plain;charset=utf-8;base64,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 mode: 493 path: /usr/local/bin/hwupgrade-detection-methods/talm.sh + - contents: + source: data:text/plain;charset=utf-8;base64,IyBUaGlzIHVuaXQgZW5zdXJlcyB0aGF0IGNvbnRhaW5lcnMgc3RheSB1cCBvbiBzaHV0ZG93biB1bnRpbCB0aGUgcGNyLWRpc2FibGUtc2h1dGRvd24gc2VydmljZSBpcyBhYmxlIHRvIHJ1biAKW1VuaXRdCkJlZm9yZT1wY3ItZGlzYWJsZS1zaHV0ZG93bi5zZXJ2aWNlCg== + mode: 420 + path: /etc/systemd/system/crio-.scope.d/order.conf systemd: units: - contents: | @@ -57,8 +61,8 @@ spec: [Service] Type=oneshot RemainAfterExit=true - ExecStart=/usr/bin/true ExecStop=/usr/local/bin/disablePcrOnRebootOrShutdown.sh + [Install] WantedBy=multi-user.target enabled: true diff --git a/ztp/source-crs/extra-manifest/01-disk-encryption-pcr-rebind-worker.yaml b/ztp/source-crs/extra-manifest/01-disk-encryption-pcr-rebind-worker.yaml index bc6be4afd4..adc36489e1 100644 --- a/ztp/source-crs/extra-manifest/01-disk-encryption-pcr-rebind-worker.yaml +++ b/ztp/source-crs/extra-manifest/01-disk-encryption-pcr-rebind-worker.yaml 
@@ -37,9 +37,13 @@ spec: mode: 493 path: /usr/local/bin/hwupgrade-detection-methods/ostree.sh - contents: - source: data:text/plain;charset=utf-8;base64,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 + source: data:text/plain;charset=utf-8;base64,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 mode: 493 path: /usr/local/bin/hwupgrade-detection-methods/talm.sh + - contents: + source: data:text/plain;charset=utf-8;base64,IyBUaGlzIHVuaXQgZW5zdXJlcyB0aGF0IGNvbnRhaW5lcnMgc3RheSB1cCBvbiBzaHV0ZG93biB1bnRpbCB0aGUgcGNyLWRpc2FibGUtc2h1dGRvd24gc2VydmljZSBpcyBhYmxlIHRvIHJ1biAKW1VuaXRdCkJlZm9yZT1wY3ItZGlzYWJsZS1zaHV0ZG93bi5zZXJ2aWNlCg== + mode: 420 + path: /etc/systemd/system/crio-.scope.d/order.conf systemd: units: - contents: | @@ -57,8 +61,8 @@ spec: [Service] Type=oneshot RemainAfterExit=true - ExecStart=/usr/bin/true ExecStop=/usr/local/bin/disablePcrOnRebootOrShutdown.sh + [Install] WantedBy=multi-user.target enabled: true