linux-system-roles / nbde_client Goto Github PK

Ideally the role uses /usr/local instead of /usr, as /usr is typically reserved for package managers. Some systems may also leave /usr read only with a writeable /usr/local, like in ostree based systems.

I'm unsure if dracut supports /usr/local/lib/dracut as an additional path however, but a rough equivalent of the network flushing scripts can be achieved via NetworkManager config to place in /etc/NetworkManager/conf.d/ like this:

[device]
keep-configuration=no
allowed-connections=except:origin:nm-initrd-generator

New system is unable to unlock after running the nbde_client role, after running the role get an all good from Ansible but upon reboot the system stops at the Luks encryption screen.

    - name: Import nbde_client role
      ansible.builtin.import_role:
        name: linux-system-roles.nbde_client
      vars:
        nbde_client_bindings:
          - device: "{{ root_disk | d('/dev/vda2') }}"
            encryption_password: "{{ current_password }}"
            servers: "{{ tang_servers }}"

I would like to recommend adding support for defining dracut parameters for ip, both static and dhcp. Also supporting the option of adding support for configuring dracut for, omit_dracutmodules+="ifcfg", so that devices with multiple IPs are not disrupted by the dracut networking configuration.

You may want to add network flushing support so that the kernel networking configuration is flushed and replaced with the system networking configuration. This prevents dracut/boot from destroying system network configurations such as multiple IPs on a single network interface, bonding, ect.

I would like to recommend adding support for [email protected] and [email protected] support. This will allow unlocking of non / partitions upon boot.

jose is not installed by default (on Fedora Server/EL9) and is required as a dependency of the role.

Suggestion to add to documentation.

• If you run the role again with the same nbde_client_bindings, will it do all of these steps again, and report that something changed? If so, I'm not sure how to prevent that from happening - how would you know ahead of time that you have already brought the managed hosts to the desired state?
  Originally posted by @richm in https://github.com/linux-system-roles/nbde_client/pull/3/files#r439106448

• passphrase_temporary is definitely not idempotent, because first time it will remove the passphrase and second time it will fail.

As part of the conscious language project, the master branch is to be renamed to the main branch.

Here are the instructions.

1. Rename the master branch to main: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/renaming-a-branch
2. Check this to ensure the default branch has been changed to main: https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-branches-in-your-repository/changing-the-default-branch - this should keep the github history, as well as updating the default branch configuration and updating any existing PRs

If you use the gh cli (highly recommended) you can use this to check which repos need to be updated:

gh repo list linux-system-roles -L 100 --json name,defaultBranchRef --source | \
  jq --raw-output '.[] | select(.defaultBranchRef.name == "master") | .name'

Thanks.