From 712195693bc2c9876d257b33bf3f6954cd16980e Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Tue, 21 May 2024 15:22:39 -0700 Subject: [PATCH 1/7] docs: change fips build branch --- .../clusters/edge/edgeforge-workflow/palette-canvos/fips.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md index e73e37feae..d85f83a7c3 100644 --- a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md +++ b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md @@ -68,7 +68,7 @@ This page guides you through the process of building FIPS-compliant Edge Install cd CanvOS ``` -3. Ensure that you are using the **main** branch of the repository. +3. View the available tags and check out the latest tag or any specific version of your choosing. ```bash git tag From 17ddc25293de36f65aae1842bcd920589f373e7f Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Tue, 21 May 2024 15:23:51 -0700 Subject: [PATCH 2/7] docs: remove main --- .../clusters/edge/edgeforge-workflow/palette-canvos/fips.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md index d85f83a7c3..ae513338eb 100644 --- a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md +++ b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md 
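Review bot: in the `@@ -68,7 +68,7 @@` hunk of PATCH 1/7 the step text now tells the reader to "check out the latest tag or any specific version", but the code block under it still runs only `git tag`, so the procedure still builds from whatever branch the clone landed on. Add the matching `git checkout <tag>` to the block. For a FIPS build the reader should be pinning a known release, so consider wording the step as "check out the tag that matches your Palette release" rather than "any specific version of your choosing".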
@@ -68,10 +68,12 @@ This page guides you through the process of building FIPS-compliant Edge Install cd CanvOS ``` -3. View the available tags and check out the latest tag or any specific version of your choosing. +3. View the available tags and check out the latest tag or any specific version of your choosing. This guide uses + **v4.3.2** as an example. ```bash git tag + git checkout v4.3.2 ``` ### Build FIPS-Compliant Base OS Image From 9448e1c9ede44ca5e6672efe592b85e4a789f59f Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Tue, 21 May 2024 17:26:32 -0700 Subject: [PATCH 3/7] docs: add additional user data info --- .../clusters/edge/edgeforge-workflow/palette-canvos/fips.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md index ae513338eb..8bc87e8a87 100644 --- a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md +++ b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md @@ -200,7 +200,7 @@ image with. ```yaml install: grub_options: - extra_cmdline: "fips=1" + extra_cmdline: "fips=1 selinux=0" stylus: site: From c8937462632734e940c3b2a546926e18fff3e274 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 22 May 2024 15:42:22 -0700 Subject: [PATCH 4/7] docs: add further fixes --- .../edgeforge-workflow/palette-canvos/fips.md | 63 ++++++++++++++++--- 1 file changed, 54 insertions(+), 9 deletions(-) diff --git a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md index 8bc87e8a87..afc06e36d8 100644 --- a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md +++ b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md 
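Review bot: in the `@@ -68,10 +68,12 @@` hunk of PATCH 2/7, `git checkout v4.3.2` hardcodes an example tag that will drift from the current release as soon as the next CanvOS version ships; if a concrete tag is kept, state that it is only an example and that the reader must pick the tag matching their Palette version. The step also says "the latest tag", but plain `git tag` lists tags lexicographically (v4.10.0 sorts before v4.3.2), so `git tag --sort=-v:refname` would actually show the latest first.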
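Review bot: the `@@ -200,7 +200,7 @@` hunk of PATCH 3/7 adds `selinux=0` to `extra_cmdline` with no prose change, so the page now ships a kernel command line that disables SELinux on a FIPS host without telling the reader why it is needed or what protection they give up. Add a sentence next to the block stating the reason (and whether it is a temporary workaround), so a hardening reviewer can make an informed call instead of copying the line blindly.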
@@ -15,6 +15,13 @@ Both the Edge Installer ISO and the provider images must be FIPS-compliant. This page guides you through the process of building FIPS-compliant Edge Installer ISO and provider images. +## Limitations + +- FIPS-compliant Edge installer does not work with secure boot. You need to disable secure boot first before installing + Palette on your device. The process to disable secure boot varies by device, but generally, you can press F2 upon + powering up the Edge host, and find the option to disable secure boot in the Basic Input/Output System (BIOS) + interface. + ## Prerequisites - A physical or virtual Linux machine with _AMD64_ (also known as _x86_64_) processor architecture to build the Edge 
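Review bot: the new Limitations bullet instructs readers to disable Secure Boot but does not say why the FIPS installer is incompatible with it or whether the limitation is expected to be lifted; a FIPS deployment is usually subject to the same compliance review that asks for Secure Boot, so the reason and the trade-off belong in the text. Also, "press F2" is one vendor's convention, so keep it as an example ("for example, F2 or Del") rather than a general instruction, and since Secure Boot is a UEFI feature the setting lives in the UEFI firmware setup rather than a "Basic Input/Output System (BIOS) interface".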
@@ -193,24 +200,59 @@ image with. | BASE_IMAGE | The base image used by EdgeForge to build the Edge Installer and provider images. This must be the same image that you build in the previous step. | | ISO_NAME | The file name of the ISO file that will be generated. | -14. Create a file named **user-data**. Add the following blocks to the root level of the **user-data** file. Replace the - value for `edgeHostToken` with your VerteX registration token, and replace the value `paletteEndPoint` with the URL - of your VerteX instance. +14. Create a file named **user-data**. It must have the `#cloud-init` header at the top of the file. Ensure you have the + following blocks at the root level of the **user-data** file. Replace the value for `edgeHostToken` with your VerteX + registration token, and replace the value `paletteEndPoint` with the URL of your VerteX instance. Replace the user + `kairos` and its password with your desired username and password. ```yaml + #cloud-init install: - grub_options: - extra_cmdline: "fips=1 selinux=0" + grub_options: + extra_cmdline: "fips=1 selinux=0" stylus: - site: - edgeHostToken: ******** - paletteEndpoint: https://vertex.palette-devx.spectrocloud.com + site: + edgeHostToken: ******** + paletteEndpoint: https://vertex.palette-devx.spectrocloud.com + + stages: + initramfs: + - name: "Core system setup" + users: + kairos: + groups: + - admin + passwd: kairos ``` + The command in the `install` block is required for FIPS installations. Configurations in the `stylus` block provides + the Edge Host with the registration token and the VerteX endpoint. And the configurations in the `stage` block + creates a system user that you can use to log in to the Operating System (OS). + 15. Add further customization to the **user-data** file as needed. This file configures the Edge Installer. Refer to [Installer Reference](../../edge-configuration/installer-reference.md) for more information. 
+ For example, you can use the following user data to add a system user `kairos` to your Edge host and provide the + registration token to the Edge host. + + ```yaml + #cloud-config + stylus: + site: + edgeHostToken: ********* + paletteEndpoint: api.spectrocloud.com + + stages: + initramfs: + - name: "Core system setup" + users: + kairos: + groups: + - admin + passwd: kairos + ``` + 16. Issue the following command to build the Edge Installer ISO. ```shell @@ -247,7 +289,10 @@ FIPS-complaint provider images are built on top of the base OS image you have bu 1. Follow the [Site Installation](../../site-deployment/stage.md) guide to install the Palette Edge on your Edge host. -2. Issue the following command and ensure that the output is `1`. This means the OS is FIPS enabled. +2. Press Fn + Ctrl + Cmd + F1 or Ctrl + Cmd + F1 keys on a mac keyboard and provide user credentials to log in to the + OS. + +3. Issue the following command and ensure that the output is `1`. This means the OS is FIPS enabled. ```shell cat /proc/sys/crypto/fips_enabled From 5738ba324d642ee2eaa6e222a82cde577bb0883f Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 22 May 2024 16:09:36 -0700 Subject: [PATCH 5/7] copyedits --- .../edgeforge-workflow/palette-canvos/fips.md | 24 ++----------------- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md index afc06e36d8..65651f8cb2 100644 --- a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md +++ b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md 
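Review bot: in the `@@ -193,24 +200,59 @@` hunk of PATCH 4/7 the step 14 text and its YAML block use a `#cloud-init` header, while the example added under step 15 in the same hunk starts with `#cloud-config`; only one of these is the header the installer parses, so make them agree, and since the step 15 example repeats the step 14 block almost verbatim, drop one of them. Two further points in the same hunk: `paletteEndpoint: https://vertex.palette-devx.spectrocloud.com` puts an internal dev endpoint into public docs where a placeholder for the reader's own VerteX URL belongs; and `passwd: kairos` for a user in the `admin` group is a well-known default credential, so the text should say outright that it must be changed rather than leaving "replace the user `kairos` and its password" at the end of the intro sentence. Minor: the explanatory paragraph says "The command in the `install` block" (it is a kernel command-line option, not a command) and "the `stage` block" (the key is `stages`).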
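Review bot: step 2 in the `@@ -247,7 +289,10 @@` hunk of PATCH 4/7 gives only Mac keyboard chords (Fn + Ctrl + Cmd + F1) for switching to a virtual console; Edge hosts are far more likely to be driven from a PC keyboard or a serial/IPMI console, so give the generic combination (Ctrl + Alt + F1 on a PC keyboard) first and the Mac variant as a note. The renumbered step 3 checks `/proc/sys/crypto/fips_enabled`, which only reflects the kernel flag set by `fips=1`; say so, because it does not verify that the base image's userspace crypto libraries are the FIPS builds the page requires.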
@@ -226,33 +226,13 @@ image with. passwd: kairos ``` - The command in the `install` block is required for FIPS installations. Configurations in the `stylus` block provides + The command in the `install` block is required for FIPS installations. Configurations in the `stylus` block provide the Edge Host with the registration token and the VerteX endpoint. And the configurations in the `stage` block - creates a system user that you can use to log in to the Operating System (OS). + create a system user that you can use to log in to the Operating System (OS). 15. Add further customization to the **user-data** file as needed. This file configures the Edge Installer. Refer to [Installer Reference](../../edge-configuration/installer-reference.md) for more information. - For example, you can use the following user data to add a system user `kairos` to your Edge host and provide the - registration token to the Edge host. - - ```yaml - #cloud-config - stylus: - site: - edgeHostToken: ********* - paletteEndpoint: api.spectrocloud.com - - stages: - initramfs: - - name: "Core system setup" - users: - kairos: - groups: - - admin - passwd: kairos - ``` - 16. Issue the following command to build the Edge Installer ISO. ```shell From 91fad2a5296af90eec675ee9b63fc984ab6f2623 Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Thu, 23 May 2024 13:28:35 -0700 Subject: [PATCH 6/7] Apply suggestions from code review Co-authored-by: Karl Cardenas --- .../clusters/edge/edgeforge-workflow/palette-canvos/fips.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md index 65651f8cb2..8c24759e45 100644 --- a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md +++ b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md 
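Review bot: the grammar fixes are right, but the paragraph still says "the `stage` block" while the YAML key is `stages`, and "The command in the `install` block" describes a kernel command-line argument (`extra_cmdline`), not a command; suggest "The `extra_cmdline` value in the `install` block" and "the `stages` block". Removing the duplicated example is correct, but it was the only block that used `#cloud-config`, so confirm that `#cloud-init`, which step 14 keeps, is the header the installer actually expects before merging.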
@@ -202,7 +202,7 @@ image with. 14. Create a file named **user-data**. It must have the `#cloud-init` header at the top of the file. Ensure you have the following blocks at the root level of the **user-data** file. Replace the value for `edgeHostToken` with your VerteX - registration token, and replace the value `paletteEndPoint` with the URL of your VerteX instance. Replace the user + registration token, and replace the value `paletteEndPoint` with the URL of your Palette instance. Replace the user `kairos` and its password with your desired username and password. ```yaml @@ -227,7 +227,7 @@ image with. ``` The command in the `install` block is required for FIPS installations. Configurations in the `stylus` block provide - the Edge Host with the registration token and the VerteX endpoint. And the configurations in the `stage` block + the Edge Host with the registration token and the Palette endpoint. And the configurations in the `stage` block create a system user that you can use to log in to the Operating System (OS). 15. Add further customization to the **user-data** file as needed. This file configures the Edge Installer. Refer to From fdd2495f0c308ca2927eda70a2f8ea13109f0aae Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Thu, 23 May 2024 13:34:31 -0700 Subject: [PATCH 7/7] docs: add project name --- .../edge/edgeforge-workflow/palette-canvos/fips.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md index 8c24759e45..731c5b9f16 100644 --- a/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md +++ b/docs/docs-content/clusters/edge/edgeforge-workflow/palette-canvos/fips.md 
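Review bot: the first hunk changes "your VerteX instance" to "your Palette instance" but leaves "your VerteX registration token" in the same sentence and the VerteX URL in the example, so the paragraph is now inconsistent about which product it targets; say "VerteX or Palette" in both places or keep VerteX throughout. The prose also spells the key `paletteEndPoint` while the YAML uses `paletteEndpoint`; match the YAML so a reader searching the file finds it.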
@@ -51,14 +51,21 @@ This page guides you through the process of building FIPS-compliant Edge Install command to check the existing Docker version. You should have root-level or `sudo` privileges on your Linux machine to create privileged containers. -- A [VerteX](/docs/docs-content/vertex/vertex.md) account. Refer to +- A [VerteX](/docs/docs-content/vertex/vertex.md) or Palette account. Refer to [Palette VerteX](/docs/docs-content/vertex/vertex.md#access-palette-vertex) for information on how to set up a VerteX account. -- VerteX registration token for pairing Edge hosts with VerteX. You will need tenant admin access to VerteX to generate - a new registration token. For detailed instructions, refer to the +- VerteX registration token for pairing Edge hosts with VerteX or a Palette registration token. You will need tenant + admin access to VerteX to generate a new registration token. For detailed instructions, refer to the [Create Registration Token](/clusters/edge/site-deployment/site-installation/create-registration-token) guide. +:::warning + +You can deploy a FIPS-compliant Edge host to Palette, but this solution will not be FIPS-compliant end-to-end because +Palette is not FIPS compliant. If you need a FIPS-compliant solution, you need to use VerteX. + +::: + ## Build FIPS-Enabled Edge Artifacts ### Clone CanvOS Repository @@ -215,6 +222,7 @@ image with. site: edgeHostToken: ******** paletteEndpoint: https://vertex.palette-devx.spectrocloud.com + projectName: Default stages: initramfs:
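Review bot: in the `@@ -51,14 +51,21 @@` hunk the prerequisites now say "VerteX or Palette account" but link only to the VerteX setup page, and the token bullet still says "You will need tenant admin access to VerteX" with no Palette counterpart; either link both or drop "or Palette" from the bullets and let the warning carry the message. The `:::warning` block is the right place for the end-to-end compliance caveat; consider adding that a Palette-registered host should not be presented as a FIPS deployment in compliance evidence. Minor: the "Create Registration Token" link uses a `/clusters/edge/...` path while the neighbouring links use `/docs/docs-content/...`; check that it resolves.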
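Review bot: in the `@@ -215,6 +222,7 @@` hunk, `projectName: Default` is added to the `stylus.site` block without any mention in the explanatory paragraph or in the list of values the reader must replace; say what the field does and whether `Default` is a placeholder the reader is expected to change.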