From e3bbf0564a816fba52f9e396783fb9eba7ee5c06 Mon Sep 17 00:00:00 2001
From: Juanita-Balaraj
Date: Wed, 23 Nov 2022 23:19:15 -0500
Subject: [PATCH] High Security Vulnerability Document Updates (r6, r6ds, r7, r7ds)

Updated Patchset 7 comments
Fixed merge conflicts
Updated review comments from Patchset 4
Closes-Bug:1997909
Fixed build errors
Greg to review and provide inputs

Signed-off-by: Juanita-Balaraj
Change-Id: I2f630104813210f160fa56e7af7e9754a6d9236a
---
 ...ring-starlingx-system-data-and-storage.rst | 1 +
 ...kup-playbook-locally-on-the-controller.rst | 22 ++++++++-------
 ...nning-ansible-backup-playbook-remotely.rst | 7 +++--
 ...ore-playbook-locally-on-the-controller.rst | 2 ++
 ...ning-ansible-restore-playbook-remotely.rst | 2 ++
 .../aio_duplex_install_kubernetes.rst | 23 +++++++++++----
 .../aio_simplex_install_kubernetes.rst | 28 ++++++++++++++-----
 .../controller_storage_install_kubernetes.rst | 23 +++++++++++----
 .../dedicated_storage_install_kubernetes.rst | 1 +
 .../aio_duplex_install_kubernetes.rst | 23 +++++++++++----
 .../aio_simplex_install_kubernetes.rst | 27 +++++++++++++-----
 .../controller_storage_install_kubernetes.rst | 23 +++++++++++----
 .../dedicated_storage_install_kubernetes.rst | 28 +++++++++----------
 ...he-admin-password-on-distributed-cloud.rst | 2 ++
 ...de-orchestration-process-using-the-cli.rst | 1 +
 ...ng-redfish-platform-management-service.rst | 2 ++
 ...ut-redfish-platform-management-service.rst | 2 ++
 ...an-aiosx-subcloud-to-an-aiodx-subcloud.rst | 15 ++++++----
 ...ge-subcloud-orchestration-eb516473582f.rst | 2 ++
 .../kubernetes/rehoming-a-subcloud.rst | 2 ++
 ...th-redfish-platform-management-service.rst | 2 ++
 ...clouds-from-backupdata-using-dcmanager.rst | 2 ++
 ...ing-the-systemcontroller-using-the-cli.rst | 1 +
 ...cates-to-use-cert-manager-c0b1727e4e5d.rst | 4 +++
 ...tapp-deployment-as-the-storage-backend.rst | 9 ++++--
 25 files changed, 186 insertions(+), 68 deletions(-)
diff --git a/doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst b/doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst index f0b22a6b4..ca4a10f46 100644 --- a/doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst +++ b/doc/source/backup/kubernetes/restoring-starlingx-system-data-and-storage.rst @@ -1,3 +1,4 @@ +.. Greg updates required for -High Security Vulnerability Document Updates .. uzk1552923967458 .. _restoring-starlingx-system-data-and-storage: diff --git a/doc/source/backup/kubernetes/running-ansible-backup-playbook-locally-on-the-controller.rst b/doc/source/backup/kubernetes/running-ansible-backup-playbook-locally-on-the-controller.rst index e69344d54..8c6b9b9bc 100644 --- a/doc/source/backup/kubernetes/running-ansible-backup-playbook-locally-on-the-controller.rst +++ b/doc/source/backup/kubernetes/running-ansible-backup-playbook-locally-on-the-controller.rst @@ -1,4 +1,6 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. bqg1571264986191 .. _running-ansible-backup-playbook-locally-on-the-controller: 
@@ -8,28 +10,28 @@ Run Ansible Backup Playbook Locally on the Controller In this method the Ansible Backup playbook is run on the active controller. -Use the following command to run the Ansible Backup playbook and back up the +Use one of the following commands to run the Ansible Backup playbook and back up the |prod| configuration, data, and user container images in registry.local data: .. code-block:: none ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/backup.yml -e "ansible_become_pass= admin_password=" -e "backup_user_local_registry=true" + ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/backup.yml --ask-vault-pass -e "override_files_dir=$HOME/override_dir" The and need to be set correctly -using the ``-e`` option on the command line, or an override file, or in the -Ansible secret file. +using the ``-e`` option on the command line, with an override file secured with +ansible-vault (recommended). -An example of override file follows: +For example, create your override file with the :command:`ansible-vault create $HOME/override_dir/localhost-backup.yaml` +command and copy the following lines into the file. You will be prompted for a +password to protect/encrypt the file. Use the :command:`ansible-vault edit $HOME/override_dir/localhost-backup.yaml` +command if the file needs to be edited after it is created. .. code-block:: none - cat << EOF > localhost-backup.yaml - --- ansible_become_pass: "" admin_password: "" backup_user_local_registry: "true" - ... - EOF The output files will be named: 
@@ -43,8 +45,8 @@ The output files will be named: - inventory_hostname_dc_vault_backup_timestamp.tgz -The variables prefix can be overridden using the ``-e`` option on the command -line or by using an override file. +The output files' prefixes can be overridden with the following variables +using the ``-e`` option on the command line or by using an override file. .. _running-ansible-backup-playbook-locally-on-the-controller-ul-rdp-gyh-pmb: diff --git a/doc/source/backup/kubernetes/running-ansible-backup-playbook-remotely.rst b/doc/source/backup/kubernetes/running-ansible-backup-playbook-remotely.rst index fbff67815..b172f96d0 100644 --- a/doc/source/backup/kubernetes/running-ansible-backup-playbook-remotely.rst +++ b/doc/source/backup/kubernetes/running-ansible-backup-playbook-remotely.rst @@ -1,5 +1,8 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. kpt1571265015137 + .. _running-ansible-backup-playbook-remotely: ==================================== @@ -59,7 +62,7 @@ and target it at controller-0. #. Switch to the directory created previously. #. Create a new secret file encrypted with Ansible-Vault using the - :command:`ansible-vault create secrets.yml` command. + :command:`ansible-vault create $HOME/override_dir/secrets.yml` command. Set and confirm a new Ansible-Vault password. Ansible will open an editing window where you can enter your desired contents. @@ -82,7 +85,7 @@ and target it at controller-0. Save your changes and quit the editor. If you need to make additional changes, you can use the command :command:`ansible-vault edit - override_dir/secrets.yml`. + $HOME/override_dir/secrets.yml`. #. Run Ansible Backup playbook: diff --git a/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst b/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst index 23a70aa7a..a683f3497 100644 
--- a/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst +++ b/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst @@ -1,4 +1,6 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. rmy1571265233932 .. _running-restore-playbook-locally-on-the-controller: diff --git a/doc/source/backup/kubernetes/system-backup-running-ansible-restore-playbook-remotely.rst b/doc/source/backup/kubernetes/system-backup-running-ansible-restore-playbook-remotely.rst index 92d1d68dd..5c5df8522 100644 --- a/doc/source/backup/kubernetes/system-backup-running-ansible-restore-playbook-remotely.rst +++ b/doc/source/backup/kubernetes/system-backup-running-ansible-restore-playbook-remotely.rst @@ -1,4 +1,6 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. quy1571265365123 .. _system-backup-running-ansible-restore-playbook-remotely: diff --git a/doc/source/deploy_install_guides/r6_release/bare_metal/aio_duplex_install_kubernetes.rst b/doc/source/deploy_install_guides/r6_release/bare_metal/aio_duplex_install_kubernetes.rst index 743612f94..31c922226 100644 --- a/doc/source/deploy_install_guides/r6_release/bare_metal/aio_duplex_install_kubernetes.rst +++ b/doc/source/deploy_install_guides/r6_release/bare_metal/aio_duplex_install_kubernetes.rst @@ -1,4 +1,6 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. _aio_duplex_install_kubernetes_r6: ================================================ 
@@ -96,19 +98,30 @@ Bootstrap system on controller-0 Specify the user configuration override file for the Ansible bootstrap playbook using one of the following methods: + .. note:: + + This Ansible Overrides file for the Bootstrap Playbook ($HOME/localhost.yml) + contains security sensitive information, use the + :command:`ansible-vault create $HOME/localhost.yml` command to create it. + You will be prompted for a password to protect/encrypt the file. + Use the :command:`ansible-vault edit $HOME/localhost.yml` command if the + file needs to be edited after it is created. + #. Use a copy of the default.yml file listed above to provide your overrides. The default.yml file lists all available parameters for bootstrap configuration with a brief description for each parameter in the file comments. - To use this method, copy the default.yml file listed above to - ``$HOME/localhost.yml`` and edit the configurable values as desired. + To use this method, run the :command:`ansible-vault create $HOME/localhost.yml` + command and copy the contents of the ``default.yml`` file into the + ansible-vault editor, and edit the configurable values as required. #. Create a minimal user configuration override file. - To use this method, create your override file at ``$HOME/localhost.yml`` - and provide the minimum required parameters for the deployment + To use this method, create your override file with + the :command:`ansible-vault create $HOME/localhost.yml` + command and provide the minimum required parameters for the deployment configuration as shown in the example below. Use the OAM IP SUBNET and IP ADDRESSing applicable to your deployment environment. 
@@ -189,7 +202,7 @@ Bootstrap system on controller-0 :: - ansible-playbook /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml + ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml Wait for Ansible bootstrap playbook to complete. This can take 5-10 minutes, depending on the performance of the host machine. diff --git a/doc/source/deploy_install_guides/r6_release/bare_metal/aio_simplex_install_kubernetes.rst b/doc/source/deploy_install_guides/r6_release/bare_metal/aio_simplex_install_kubernetes.rst index 3e924deac..306479703 100644 --- a/doc/source/deploy_install_guides/r6_release/bare_metal/aio_simplex_install_kubernetes.rst +++ b/doc/source/deploy_install_guides/r6_release/bare_metal/aio_simplex_install_kubernetes.rst @@ -1,6 +1,9 @@ +.. Greg updates required for High Security Vulnerability Document Updates + .. _aio_simplex_install_kubernetes_r6: + ================================================= Install Kubernetes Platform on All-in-one Simplex ================================================= 
@@ -96,21 +99,32 @@ Bootstrap system on controller-0 Specify the user configuration override file for the Ansible bootstrap playbook using one of the following methods: + .. note:: + + This Ansible Overrides file for the Bootstrap Playbook ($HOME/localhost.yml) + contains security sensitive information, use the + :command:`ansible-vault create $HOME/localhost.yml` command to create it. + You will be prompted for a password to protect/encrypt the file. + Use the :command:`ansible-vault edit $HOME/localhost.yml` command if the + file needs to be edited after it is created. + #. Use a copy of the default.yml file listed above to provide your overrides. The default.yml file lists all available parameters for bootstrap configuration with a brief description for each parameter in the file comments. - To use this method, copy the default.yml file listed above to - ``$HOME/localhost.yml`` and edit the configurable values as desired. + To use this method, run the :command:`ansible-vault create $HOME/localhost.yml` + command and copy the contents of the ``default.yml`` file into the + ansible-vault editor, and edit the configurable values as required. #. Create a minimal user configuration override file. - To use this method, create your override file at ``$HOME/localhost.yml`` - and provide the minimum required parameters for the deployment - configuration as shown in the example below. Use the |OAM| IP SUBNET and - IP ADDRESSing applicable to your deployment environment. + To use this method, create your override file with + the :command:`ansible-vault create $HOME/localhost.yml` + command and provide the minimum required parameters for the deployment + configuration as shown in the example below. Use the OAM IP SUBNET and IP + ADDRESSing applicable to your deployment environment. .. include:: /_includes/min-bootstrap-overrides-simplex.rest 
@@ -190,7 +204,7 @@ Bootstrap system on controller-0 :: - ansible-playbook /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml + ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml Wait for Ansible bootstrap playbook to complete. This can take 5-10 minutes, depending on the performance of the host machine. diff --git a/doc/source/deploy_install_guides/r6_release/bare_metal/controller_storage_install_kubernetes.rst b/doc/source/deploy_install_guides/r6_release/bare_metal/controller_storage_install_kubernetes.rst index 036607ebf..7b7390791 100644 --- a/doc/source/deploy_install_guides/r6_release/bare_metal/controller_storage_install_kubernetes.rst +++ b/doc/source/deploy_install_guides/r6_release/bare_metal/controller_storage_install_kubernetes.rst @@ -1,4 +1,6 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. _controller_storage_install_kubernetes_r6: =============================================================== 
@@ -95,19 +97,30 @@ Bootstrap system on controller-0 Specify the user configuration override file for the Ansible bootstrap playbook using one of the following methods: + .. note:: + + This Ansible Overrides file for the Bootstrap Playbook ($HOME/localhost.yml) + contains security sensitive information, use the + :command:`ansible-vault create $HOME/localhost.yml` command to create it. + You will be prompted for a password to protect/encrypt the file. + Use the :command:`ansible-vault edit $HOME/localhost.yml` command if the + file needs to be edited after it is created. + #. Use a copy of the default.yml file listed above to provide your overrides. The default.yml file lists all available parameters for bootstrap configuration with a brief description for each parameter in the file comments. - To use this method, copy the default.yml file listed above to - ``$HOME/localhost.yml`` and edit the configurable values as desired. + To use this method, run the :command:`ansible-vault create $HOME/localhost.yml` + command and copy the contents of the ``default.yml`` file into the + ansible-vault editor, and edit the configurable values as required. #. Create a minimal user configuration override file. - To use this method, create your override file at ``$HOME/localhost.yml`` - and provide the minimum required parameters for the deployment + To use this method, create your override file with + the :command:`ansible-vault create $HOME/localhost.yml` + command and provide the minimum required parameters for the deployment configuration as shown in the example below. Use the OAM IP SUBNET and IP ADDRESSing applicable to your deployment environment. 
@@ -187,7 +200,7 @@ Bootstrap system on controller-0 :: - ansible-playbook /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml + ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml Wait for Ansible bootstrap playbook to complete. This can take 5-10 minutes, depending on the performance of the host machine. diff --git a/doc/source/deploy_install_guides/r6_release/bare_metal/dedicated_storage_install_kubernetes.rst b/doc/source/deploy_install_guides/r6_release/bare_metal/dedicated_storage_install_kubernetes.rst index 54876557e..050a0af1d 100644 --- a/doc/source/deploy_install_guides/r6_release/bare_metal/dedicated_storage_install_kubernetes.rst +++ b/doc/source/deploy_install_guides/r6_release/bare_metal/dedicated_storage_install_kubernetes.rst @@ -1,4 +1,5 @@ +.. Greg updates required for -High Security Vulnerability Document Updates .. _dedicated_storage_install_kubernetes_r6: diff --git a/doc/source/deploy_install_guides/r7_release/bare_metal/aio_duplex_install_kubernetes.rst b/doc/source/deploy_install_guides/r7_release/bare_metal/aio_duplex_install_kubernetes.rst index c64c227c3..2e4079be9 100644 --- a/doc/source/deploy_install_guides/r7_release/bare_metal/aio_duplex_install_kubernetes.rst +++ b/doc/source/deploy_install_guides/r7_release/bare_metal/aio_duplex_install_kubernetes.rst @@ -1,4 +1,6 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. _aio_duplex_install_kubernetes_r7: ================================================ 
@@ -222,19 +224,30 @@ Bootstrap system on controller-0 Specify the user configuration override file for the Ansible bootstrap playbook using one of the following methods: + .. note:: + + This Ansible Overrides file for the Bootstrap Playbook ($HOME/localhost.yml) + contains security sensitive information, use the + :command:`ansible-vault create $HOME/localhost.yml` command to create it. + You will be prompted for a password to protect/encrypt the file. + Use the :command:`ansible-vault edit $HOME/localhost.yml` command if the + file needs to be edited after it is created. + #. Use a copy of the default.yml file listed above to provide your overrides. The default.yml file lists all available parameters for bootstrap configuration with a brief description for each parameter in the file comments. - To use this method, copy the default.yml file listed above to - ``$HOME/localhost.yml`` and edit the configurable values as desired. + To use this method, run the :command:`ansible-vault create $HOME/localhost.yml` + command and copy the contents of the ``default.yml`` file into the + ansible-vault editor, and edit the configurable values as required. #. Create a minimal user configuration override file. - To use this method, create your override file at ``$HOME/localhost.yml`` - and provide the minimum required parameters for the deployment + To use this method, create your override file with + the :command:`ansible-vault create $HOME/localhost.yml` + command and provide the minimum required parameters for the deployment configuration as shown in the example below. Use the OAM IP SUBNET and IP ADDRESSing applicable to your deployment environment. 
@@ -315,7 +328,7 @@ Bootstrap system on controller-0 :: - ansible-playbook /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml + ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml Wait for Ansible bootstrap playbook to complete. This can take 5-10 minutes, depending on the performance of the host machine. diff --git a/doc/source/deploy_install_guides/r7_release/bare_metal/aio_simplex_install_kubernetes.rst b/doc/source/deploy_install_guides/r7_release/bare_metal/aio_simplex_install_kubernetes.rst index 16fbe0e3e..025536131 100644 --- a/doc/source/deploy_install_guides/r7_release/bare_metal/aio_simplex_install_kubernetes.rst +++ b/doc/source/deploy_install_guides/r7_release/bare_metal/aio_simplex_install_kubernetes.rst @@ -1,4 +1,6 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. _aio_simplex_install_kubernetes_r7: ================================================= 
@@ -117,21 +119,32 @@ Bootstrap system on controller-0 Specify the user configuration override file for the Ansible bootstrap playbook using one of the following methods: + .. note:: + + This Ansible Overrides file for the Bootstrap Playbook ($HOME/localhost.yml) + contains security sensitive information, use the + :command:`ansible-vault create $HOME/localhost.yml` command to create it. + You will be prompted for a password to protect/encrypt the file. + Use the :command:`ansible-vault edit $HOME/localhost.yml` command if the + file needs to be edited after it is created. + #. Use a copy of the default.yml file listed above to provide your overrides. The default.yml file lists all available parameters for bootstrap configuration with a brief description for each parameter in the file comments. - To use this method, copy the default.yml file listed above to - ``$HOME/localhost.yml`` and edit the configurable values as desired. + To use this method, run the :command:`ansible-vault create $HOME/localhost.yml` + command and copy the contents of the ``default.yml`` file into the + ansible-vault editor, and edit the configurable values as required. #. Create a minimal user configuration override file. - To use this method, create your override file at ``$HOME/localhost.yml`` - and provide the minimum required parameters for the deployment - configuration as shown in the example below. Use the |OAM| IP SUBNET and - IP ADDRESSing applicable to your deployment environment. + To use this method, create your override file with + the :command:`ansible-vault create $HOME/localhost.yml` + command and provide the minimum required parameters for the deployment + configuration as shown in the example below. Use the OAM IP SUBNET and IP + ADDRESSing applicable to your deployment environment. .. include:: /_includes/min-bootstrap-overrides-simplex.rest 
@@ -211,7 +224,7 @@ Bootstrap system on controller-0 :: - ansible-playbook /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml + ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml Wait for Ansible bootstrap playbook to complete. This can take 5-10 minutes, depending on the performance of the host machine. diff --git a/doc/source/deploy_install_guides/r7_release/bare_metal/controller_storage_install_kubernetes.rst b/doc/source/deploy_install_guides/r7_release/bare_metal/controller_storage_install_kubernetes.rst index 9aff9f288..19494b606 100644 --- a/doc/source/deploy_install_guides/r7_release/bare_metal/controller_storage_install_kubernetes.rst +++ b/doc/source/deploy_install_guides/r7_release/bare_metal/controller_storage_install_kubernetes.rst @@ -1,5 +1,7 @@ |hideable| +.. Greg updates required for -High Security Vulnerability Document Updates + .. _controller_storage_install_kubernetes_r7: =============================================================== 
@@ -182,19 +184,30 @@ Bootstrap system on controller-0 Specify the user configuration override file for the Ansible bootstrap playbook using one of the following methods: + .. note:: + + This Ansible Overrides file for the Bootstrap Playbook ($HOME/localhost.yml) + contains security sensitive information, use the + :command:`ansible-vault create $HOME/localhost.yml` command to create it. + You will be prompted for a password to protect/encrypt the file. + Use the :command:`ansible-vault edit $HOME/localhost.yml` command if the + file needs to be edited after it is created. + #. Use a copy of the default.yml file listed above to provide your overrides. The default.yml file lists all available parameters for bootstrap configuration with a brief description for each parameter in the file comments. - To use this method, copy the default.yml file listed above to - ``$HOME/localhost.yml`` and edit the configurable values as desired. + To use this method, run the :command:`ansible-vault create $HOME/localhost.yml` + command and copy the contents of the ``default.yml`` file into the + ansible-vault editor, and edit the configurable values as required. #. Create a minimal user configuration override file. - To use this method, create your override file at ``$HOME/localhost.yml`` - and provide the minimum required parameters for the deployment + To use this method, create your override file with + the :command:`ansible-vault create $HOME/localhost.yml` + command and provide the minimum required parameters for the deployment configuration as shown in the example below. Use the OAM IP SUBNET and IP ADDRESSing applicable to your deployment environment. 
@@ -274,7 +287,7 @@ Bootstrap system on controller-0 :: - ansible-playbook /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml + ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/bootstrap.yml Wait for Ansible bootstrap playbook to complete. This can take 5-10 minutes, depending on the performance of the host machine. diff --git a/doc/source/deploy_install_guides/r7_release/bare_metal/dedicated_storage_install_kubernetes.rst b/doc/source/deploy_install_guides/r7_release/bare_metal/dedicated_storage_install_kubernetes.rst index 1f7807df1..49f71d41b 100644 --- a/doc/source/deploy_install_guides/r7_release/bare_metal/dedicated_storage_install_kubernetes.rst +++ b/doc/source/deploy_install_guides/r7_release/bare_metal/dedicated_storage_install_kubernetes.rst 
@@ -68,54 +68,54 @@ Install Software on Controller-0 .. .. only:: starlingx -.. +.. .. .. -------- .. .. Overview .. .. -------- -.. +.. .. .. .. include:: /shared/_includes/installation-prereqs.rest .. .. :start-after: begin-install-prereqs-ded .. .. :end-before: end-install-prereqs-ded -.. +.. .. --------------------- .. Hardware Requirements .. --------------------- -.. +.. .. .. include:: /shared/_includes/prepare-servers-for-installation-91baad307173.rest .. :start-after: begin-min-hw-reqs-common-intro .. :end-before: end-min-hw-reqs-common-intro -.. +.. .. .. include:: /shared/_includes/prepare-servers-for-installation-91baad307173.rest .. :start-after: begin-min-hw-reqs-sx .. :end-before: end-min-hw-reqs-sx -.. +.. .. The following requirements must be met for worker nodes. -.. +.. .. .. include:: /shared/_includes/prepare-servers-for-installation-91baad307173.rest .. :start-after: begin-worker-hw-reqs .. :end-before: end-worker-hw-reqs -.. +.. .. The following requirements must be met for storage nodes. -.. +.. .. .. include:: /shared/_includes/prepare-servers-for-installation-91baad307173.rest .. :start-after: begin-storage-hw-reqs .. :end-before: end-storage-hw-reqs -.. +.. .. .. include:: /shared/_includes/prepare-servers-for-installation-91baad307173.rest .. :start-after: start-prepare-servers-common .. :end-before: end-prepare-servers-common -.. +.. .. ------------------- .. Create bootable USB .. ------------------- -.. +.. .. Refer to :ref:`Bootable USB ` for instructions on how to .. create a bootable USB with the StarlingX ISO on your system. -.. +.. .. -------------------------------- .. Install software on controller-0 .. -------------------------------- -.. +.. .. .. include:: /shared/_includes/inc-install-software-on-controller.rest .. :start-after: incl-install-software-controller-0-standard-start .. :end-before: incl-install-software-controller-0-standard-end 
diff --git a/doc/source/dist_cloud/kubernetes/changing-the-admin-password-on-distributed-cloud.rst b/doc/source/dist_cloud/kubernetes/changing-the-admin-password-on-distributed-cloud.rst index a946e26f4..30f58a01e 100644 --- a/doc/source/dist_cloud/kubernetes/changing-the-admin-password-on-distributed-cloud.rst +++ b/doc/source/dist_cloud/kubernetes/changing-the-admin-password-on-distributed-cloud.rst @@ -1,4 +1,6 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. xvn1592596490325 .. _changing-the-admin-password-on-distributed-cloud: diff --git a/doc/source/dist_cloud/kubernetes/distributed-upgrade-orchestration-process-using-the-cli.rst b/doc/source/dist_cloud/kubernetes/distributed-upgrade-orchestration-process-using-the-cli.rst index 2218792d5..c52937202 100644 --- a/doc/source/dist_cloud/kubernetes/distributed-upgrade-orchestration-process-using-the-cli.rst +++ b/doc/source/dist_cloud/kubernetes/distributed-upgrade-orchestration-process-using-the-cli.rst @@ -1,3 +1,4 @@ +.. Greg updates required for -High Security Vulnerability Document Updates .. pek1594745988225 .. _distributed-upgrade-orchestration-process-using-the-cli: diff --git a/doc/source/dist_cloud/kubernetes/installing-a-subcloud-using-redfish-platform-management-service.rst b/doc/source/dist_cloud/kubernetes/installing-a-subcloud-using-redfish-platform-management-service.rst index bf2981fdc..b28b54daa 100644 --- a/doc/source/dist_cloud/kubernetes/installing-a-subcloud-using-redfish-platform-management-service.rst +++ b/doc/source/dist_cloud/kubernetes/installing-a-subcloud-using-redfish-platform-management-service.rst 
@@ -69,6 +69,8 @@ subcloud, the subcloud installation has these phases: files that are referenced in the ``bootstrap.yml`` file must exist on both controllers (for example, ``/home/sysadmin/docker-registry-ca-cert.pem``). +.. Greg updates required for -High Security Vulnerability Document Updates + .. _increase-subcloud-platform-backup-size: ---------------------------------------------------- diff --git a/doc/source/dist_cloud/kubernetes/installing-a-subcloud-without-redfish-platform-management-service.rst b/doc/source/dist_cloud/kubernetes/installing-a-subcloud-without-redfish-platform-management-service.rst index 1f4dc5a3a..7063a8c9e 100644 --- a/doc/source/dist_cloud/kubernetes/installing-a-subcloud-without-redfish-platform-management-service.rst +++ b/doc/source/dist_cloud/kubernetes/installing-a-subcloud-without-redfish-platform-management-service.rst @@ -1,4 +1,6 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. pja1558616715987 |hideable| diff --git a/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst b/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst index b2ef2baf4..27aa1e473 100644 --- a/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst +++ b/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst @@ -64,6 +64,8 @@ Manually Migrate a Subcloud from AIO-SX to AIO-DX. .. _use-ansible-playbook-to-migrate-a-subcloud-from-AIO-SX-to-AIO-DX: +.. Updates required for -High Security Vulnerability Document Updates + ================================================================ Use Ansible Playbook to Migrate a Subcloud from AIO-SX to AIO-DX ================================================================ 
@@ -80,10 +82,10 @@ using the ansible playbook. .. rubric:: |proc| -#. Create a configuration file and specify the |OAM| unit IP addresses and - the ansible ssh password in the **migrate-subcloud1-overrides-EXAMPLE.yml** - file. The existing |OAM| IP address of the |AIO-SX| system will be used as - the |OAM| floating IP address of the new |AIO-DX| system. +#. Use the :command:`ansible-vault create migrate-subcloud1-overrides-EXAMPLE.yml` + command to securely specify the |OAM| unit IP addresses and the ansible + ssh password. The existing |OAM| IP address of the |AIO-SX| system will be + used as the |OAM| floating IP address of the new |AIO-DX| system. In the following example, 10.10.10.13 and 10.10.10.14 are the new |OAM| unit IP addresses for controller-0 and controller-1 respectively. @@ -96,6 +98,9 @@ using the ansible playbook. "external_oam_node_1_address": "10.10.10.14", } + Use the :command:`ansible-vault edit migrate-subcloud1-overrides-EXAMPLE.yml` + command if the file needs to be edited after it is created. + #. On the system controller, run the ansible playbook to migrate the |AIO-SX| subcloud to an |AIO-DX|. @@ -103,7 +108,7 @@ using the ansible playbook. .. code-block:: none - ~(keystone_admin)$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/migrate_sx_to_dx.yml -e @migrate-subcloud1-overrides-EXAMPLE.yml -i subcloud1, -v + ~(keystone_admin)$ ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/migrate_sx_to_dx.yml -e @migrate-subcloud1-overrides-EXAMPLE.yml -i subcloud1, -v The ansible playbook will lock the subcloud's controller-0, if it not already locked, apply the configuration changes to convert the subcloud to diff --git a/doc/source/dist_cloud/kubernetes/prestage-subcloud-orchestration-eb516473582f.rst b/doc/source/dist_cloud/kubernetes/prestage-subcloud-orchestration-eb516473582f.rst index 65fa7d3b9..408af5010 100644 --- a/doc/source/dist_cloud/kubernetes/prestage-subcloud-orchestration-eb516473582f.rst 
+++ b/doc/source/dist_cloud/kubernetes/prestage-subcloud-orchestration-eb516473582f.rst @@ -1,3 +1,5 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. _prestage-subcloud-orchestration-eb516473582f: =============================== diff --git a/doc/source/dist_cloud/kubernetes/rehoming-a-subcloud.rst b/doc/source/dist_cloud/kubernetes/rehoming-a-subcloud.rst index 185368fe5..b8efeab5c 100644 --- a/doc/source/dist_cloud/kubernetes/rehoming-a-subcloud.rst +++ b/doc/source/dist_cloud/kubernetes/rehoming-a-subcloud.rst @@ -1,4 +1,6 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. _rehoming-a-subcloud: ================= diff --git a/doc/source/dist_cloud/kubernetes/reinstalling-a-subcloud-with-redfish-platform-management-service.rst b/doc/source/dist_cloud/kubernetes/reinstalling-a-subcloud-with-redfish-platform-management-service.rst index 915b78e7e..f14b9afbf 100644 --- a/doc/source/dist_cloud/kubernetes/reinstalling-a-subcloud-with-redfish-platform-management-service.rst +++ b/doc/source/dist_cloud/kubernetes/reinstalling-a-subcloud-with-redfish-platform-management-service.rst @@ -1,5 +1,7 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. _reinstalling-a-subcloud-with-redfish-platform-management-service: ============================================================= diff --git a/doc/source/dist_cloud/kubernetes/restoring-subclouds-from-backupdata-using-dcmanager.rst b/doc/source/dist_cloud/kubernetes/restoring-subclouds-from-backupdata-using-dcmanager.rst index 3b501a09d..0e7e14854 100644 --- a/doc/source/dist_cloud/kubernetes/restoring-subclouds-from-backupdata-using-dcmanager.rst +++ b/doc/source/dist_cloud/kubernetes/restoring-subclouds-from-backupdata-using-dcmanager.rst 
@@ -1,4 +1,6 @@ +.. Greg updates required for -High Security Vulnerability Document Updates + .. _restoring-subclouds-from-backupdata-using-dcmanager: ========================================================= diff --git a/doc/source/dist_cloud/kubernetes/upgrading-the-systemcontroller-using-the-cli.rst b/doc/source/dist_cloud/kubernetes/upgrading-the-systemcontroller-using-the-cli.rst index 24e7c96d0..b7f1a3aea 100644 --- a/doc/source/dist_cloud/kubernetes/upgrading-the-systemcontroller-using-the-cli.rst +++ b/doc/source/dist_cloud/kubernetes/upgrading-the-systemcontroller-using-the-cli.rst @@ -1,3 +1,4 @@ +.. Greg updates required for -High Security Vulnerability Document Updates .. vco1593176327490 .. _upgrading-the-systemcontroller-using-the-cli: diff --git a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst index 7283bf618..2b5ba7a1d 100644 --- a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst +++ b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst @@ -1,3 +1,7 @@ +.. Greg updates required for -High Security Vulnerability Document Updates +.. Is this the target file that the rest of the updates need to point to?? + + .. _migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d: ======================================================== diff --git a/doc/source/storage/kubernetes/configure-an-external-netapp-deployment-as-the-storage-backend.rst b/doc/source/storage/kubernetes/configure-an-external-netapp-deployment-as-the-storage-backend.rst index 1365ed429..9bfb5d3cd 100644 --- a/doc/source/storage/kubernetes/configure-an-external-netapp-deployment-as-the-storage-backend.rst +++ b/doc/source/storage/kubernetes/configure-an-external-netapp-deployment-as-the-storage-backend.rst 
@@ -1,3 +1,4 @@ +.. Greg updates required for -High Security Vulnerability Document Updates .. rzp1584539804482 .. _configure-an-external-netapp-deployment-as-the-storage-backend: @@ -93,8 +94,10 @@ procedure. You can make changes-in-place to your existing localhost.yml file or create another in an alternative location. In either case, you - also have the option of using an ansible vault named secrets.yml - for sensitive data. The alternative must be named localhost.yaml. + also have the option of using an ansible vault to secure/encrypt the + localhost.yaml file containing sensitive data, i.e, using + :command:`ansible-vault create $HOME/localhost.yml` or :command:`ansible-vault edit $HOME/localhost.yml` + commands. The following parameters are mandatory: @@ -225,7 +228,7 @@ procedure. .. code-block:: none - ansible-playbook /usr/share/ansible/stx-ansible/playbooks/install_netapp_backend.yml -e "override_files_dir=" + ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/install_netapp_backend.yml -e "override_files_dir=" Upon successful launch, there will be one Trident pod running on each node, plus an extra pod for the REST API running on one of the
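Review bot: In migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst (hunk @@ -80,10 +82,10 @@), the reworded step 1 does not say that :command:`ansible-vault create` prompts for a new vault password, although the playbook command in the @@ -103,7 +108,7 @@ hunk now passes ``--ask-vault-pass`` and will ask for it. Add one sentence to step 1 telling the reader to choose a vault password there and to enter the same password when the playbook prompts, so the two steps are visibly linked.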
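Review bot: In migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst (hunk @@ -64,6 +64,8 @@), the new comment is inserted between the label ``.. _use-ansible-playbook-to-migrate-a-subcloud-from-AIO-SX-to-AIO-DX:`` and the section title it is meant to precede. A label should sit directly above its heading so that references to it pick up the title; move the comment above the label, as is done for ``.. _increase-subcloud-platform-backup-size:`` in the Redfish install file, or drop it.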
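Review bot: In configure-an-external-netapp-deployment-as-the-storage-backend.rst (hunk @@ -93,8 +94,10 @@), the added text names the file ``localhost.yaml`` while both commands operate on ``$HOME/localhost.yml``, and the unchanged sentence above also says ``localhost.yml``. Pick one spelling and use it throughout. The hunk also removes "The alternative must be named localhost.yaml." without stating whether that naming requirement still applies, and hardcodes ``$HOME`` although the paragraph allows an alternative location. Minor: "i.e," should be "for example,".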
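Review bot: In configure-an-external-netapp-deployment-as-the-storage-backend.rst (hunk @@ -225,7 +228,7 @@), ``--ask-vault-pass`` is now unconditional, but the text changed in the earlier hunk still describes the vault as an option ("you also have the option of using an ansible vault"). Either make vault encryption of the overrides file a required step, or show the command both ways and say that ``--ask-vault-pass`` is needed only when the file was created with :command:`ansible-vault create`.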
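Review bot: The ``.. Greg updates required for -High Security Vulnerability Document Updates`` comments added at the top of most files in this patch are review placeholders that name an individual, and migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst also commits an open question (".. Is this the target file that the rest of the updates need to point to??"). These should be resolved and removed before merge, or replaced with a neutral tracking reference such as the bug number from the commit message. The wording is also inconsistent: the migrate-an-aiosx file uses ".. Updates required for" without the name.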