The powervs-tang-server-automation project provides Terraform-based automation code to help with the deployment of Network Bound Disk Encryption (NBDE) on IBM® Power Systems™ Virtual Server on IBM Cloud.
The NBDE server, also called the tang server, is deployed as a 3-node cluster with a single bastion host. Each tang server listens on port 7500.
You'll need git to clone the deployment code when working from the main branch:
$ git clone https://github.com/ibm/powervs-tang-server-automation
$ cd powervs-tang-server-automation
Update the following variables in var.tfvars for your environment:
ibmcloud_api_key = "xyzaaaaaaaabcdeaaaaaa"
ibmcloud_region = "xya"
ibmcloud_zone = "abc"
service_instance_id = "abc123xyzaaaa"
rhel_image_name = "<rhel_or_centos_image-name>"
network_name = "ocp-net"
public_key_file = "data/id_rsa.pub"
private_key_file = "data/id_rsa"
rhel_subscription_username = "user@test.com"
rhel_subscription_password = "mypassword"
Note: rhel_image_name should reference a PowerVS image for Red Hat Enterprise Linux 9.0 or CentOS 9.0. Keep var.tfvars out of version control: it holds the IBM Cloud API key and the Red Hat subscription password.
Run the following commands from within the directory:
$ terraform init
$ terraform plan -var-file=var.tfvars
$ terraform apply -var-file=var.tfvars
Note: the Terraform version should be ~> 1.2.0.
Now wait for the installation to complete; provisioning takes around 20 minutes.
On a successful install the cluster details are printed as shown below.
bastion_ip = [
"193.168.*.*",
]
bastion_public_ip = [
"163.68.*.*",
]
tang_ip = "193.168.*.*,193.168.*.*,193.168.*.*"
These details can be retrieved at any time by running the following command from the root folder of the code:
$ terraform output
If the apply fails, fix the reported error and run terraform apply again with the same var file.
Once the deployment has completed successfully, connect to the bastion host (bastion_public_ip) and fetch the keys for every tang server:
$ cat /root/nbde_server/keys/*
These files are the servers' private signing and exchange keys, not just the public advertisement: anyone holding them can unwrap data bound to the cluster, so store the backup as a secret.
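Two things a practitioner does right after this step are turning the terraform outputs above into the tang URLs that clients will bind to, and deriving the thumbprint of each server's signing key from the backed-up key files so that clients can pin it (clevis refuses an advertisement whose signing key does not match the pinned thumbprint). The following is an added example and not code from the powervs-tang-server-automation project; it assumes the `terraform output -json` shape mirrors the printed outputs shown above, that the JWK files from /root/nbde_server/keys/ have been copied to the machine running it, and that the tang port is 7500 as stated in this README. All addresses, keys and the advertisement are constructed samples (standard library only; the JWS signature is not verified here).

```python
"""Helpers for the tang cluster this automation deploys (added example)."""
import base64
import hashlib
import json
import sys

TANG_PORT = 7500  # as stated in the README

# Constructed sample of `terraform output -json` (keys as in the README).
SAMPLE_TF_OUTPUT = json.dumps({
    "bastion_ip": {"value": ["192.0.2.10"]},
    "bastion_public_ip": {"value": ["203.0.113.10"]},
    "tang_ip": {"value": "192.0.2.11,192.0.2.12,192.0.2.13"},
})


def tang_urls(tf_output_json):
    """Turn the comma-separated tang_ip output into clevis-style tang URLs."""
    out = json.loads(tf_output_json)
    ips = [ip.strip() for ip in out["tang_ip"]["value"].split(",") if ip.strip()]
    return ["http://%s:%d" % (ip, TANG_PORT) for ip in ips]


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint of an EC JWK: SHA-256 over the canonical JSON of the
    required public members only (crv, kty, x, y; sorted, no whitespace),
    base64url without padding. The private part (d), key_ops and alg do not
    influence it, so the value computed from a backed-up private key file
    equals the one computed from the public key tang advertises. This is the
    "thp" clevis pins (assumption: the SHA-256 thumbprint algorithm is used)."""
    if jwk.get("kty") != "EC":
        raise ValueError("only EC keys are handled here")
    canonical = json.dumps({"crv": jwk["crv"], "kty": "EC", "x": jwk["x"], "y": jwk["y"]},
                           separators=(",", ":"), sort_keys=True)
    return _b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_role(jwk):
    """Classify a tang key by key_ops: signing keys carry 'verify', exchange
    keys carry 'deriveKey'; tang advertises nothing else."""
    ops = set(jwk.get("key_ops", []))
    if "verify" in ops:
        return "signing"
    if "deriveKey" in ops:
        return "exchange"
    return "unadvertised"


def advertised_keys(adv):
    """Decode the JWK set inside the JWS tang serves at /adv (JSON serialization
    with a 'payload' member). The signature is NOT checked here; clevis
    verifies it with the pinned signing key."""
    payload = json.loads(adv)["payload"]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["keys"]


def check_advertisement(adv, trusted_thps):
    """Compare the signing keys a server advertises with thumbprints computed
    from the backed-up key files. An empty 'matched' list means a client
    bound with one of trusted_thps would reject this server."""
    keys = advertised_keys(adv)
    signing = [k for k in keys if key_role(k) == "signing"]
    matched = {jwk_thumbprint(k) for k in signing} & set(trusted_thps)
    return {"signing": len(signing),
            "exchange": sum(1 for k in keys if key_role(k) == "exchange"),
            "matched": sorted(matched)}


def _sample_key(seed, ops, alg):
    # Constructed P-521-sized coordinates (not a real curve point; they are
    # only hashed here). Member layout follows tang's key files.
    x = _b64url(bytes((seed + i) % 256 for i in range(66)))
    y = _b64url(bytes((seed * 7 + i) % 256 for i in range(66)))
    return {"alg": alg, "crv": "P-521", "key_ops": ops, "kty": "EC", "x": x, "y": y}


# Constructed stand-ins for /root/nbde_server/keys/*: one signing key and
# one exchange key, as tang generates them.
SAMPLE_KEYS = [_sample_key(1, ["sign", "verify"], "ES512"),
               _sample_key(2, ["deriveKey"], "ECMR")]


def _sample_adv(keys):
    # Constructed /adv response; a real tang signs the payload with ES512.
    public = [{k: v for k, v in key.items() if k != "d"} for key in keys]
    return json.dumps({
        "payload": _b64url(json.dumps({"keys": public}).encode()),
        "protected": _b64url(json.dumps({"alg": "ES512", "cty": "jwk-set+json"}).encode()),
        "signature": _b64url(bytes(132)),
    })


SAMPLE_ADV = _sample_adv(SAMPLE_KEYS)

if __name__ == "__main__":
    # Usage: python tang_check.py [key.jwk ...]; with no files the samples run.
    files = sys.argv[1:]
    keys = [json.load(open(f)) for f in files] if files else SAMPLE_KEYS
    for url in tang_urls(SAMPLE_TF_OUTPUT):
        print("tang server:", url)
    for k in keys:
        print(key_role(k), "key thp:", jwk_thumbprint(k))
    trusted = {jwk_thumbprint(k) for k in keys if key_role(k) == "signing"}
    print(check_advertisement(SAMPLE_ADV, trusted))
```

Run it against the real key files copied from the bastion to get the signing-key thumbprints to hand to clients; fetch each server's `/adv` over port 7500 and pass it to `check_advertisement` to confirm the advertised signing key is the one you backed up before binding anything to it.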
Destroy the Tang Server
$ terraform destroy -var-file var.tfvars
Per Red Hat's blog, we've set nbde_server_fetch_keys: yes.
This downloads the keys to the bastion host, and customers are
expected to back up the keys using their own operations processes.
Rotate the keys on all tang servers:
- Connect to your Bastion host
- Change directory to nbde_server: cd nbde_server
- Run the playbook with the rotate keys variable:
ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory tasks/powervs-tang.yml -e nbde_server_rotate_keys=yes
ANSIBLE_HOST_KEY_CHECKING=False skips SSH host key verification for the tang hosts; if the bastion already has their host keys in known_hosts, drop it.
Rotate the keys on a subset of the tang servers:
- Connect to your Bastion host
- Change directory to nbde_server: cd nbde_server
- Copy the inventory to inventory-del: cp inventory inventory-del
- Edit inventory-del so that it lists only the hosts you want to rekey
- Run the playbook with the rotate keys variable against that inventory:
ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -i inventory-del tasks/powervs-tang.yml -e nbde_server_rotate_keys=yes
After either rotation the previous keys stay on the servers but are no longer advertised, so existing bindings still unlock; rebind clients to the new keys before any old keys are removed, then fetch the new keys from the bastion and back them up as above.
The automation needs to run from a system with internet access, such as your laptop or a VM with public internet connectivity. This automation code has been tested on the following operating systems:
- macOS (Darwin)
- Linux (x86_64/ppc64le)
- Windows 10
Follow the guide to complete the prerequisites.
Follow the guide to complete the PowerVS prerequisites.
Follow the quickstart guide for NBDE installation on PowerVS.
For bugs/enhancement requests etc. please open a GitHub issue
Please see the contributing doc for more details.
PRs are most welcome!