Commit
docs: add missing fips cmd to user data (#2886)
* docs: change fips build branch

* docs: remove main

* docs: add additional user data info

* docs: add further fixes

* copyedits

* Apply suggestions from code review

Co-authored-by: Karl Cardenas <[email protected]>

* docs: add project name

---------

Co-authored-by: Lenny Chen <[email protected]>
Co-authored-by: Karl Cardenas <[email protected]>
3 people authored May 23, 2024
1 parent b47b1c2 commit 001a56c
Showing 1 changed file with 45 additions and 12 deletions.
Expand Up @@ -15,6 +15,13 @@ Both the Edge Installer ISO and the provider images must be FIPS-compliant.

This page guides you through the process of building FIPS-compliant Edge Installer ISO and provider images.

## Limitations

- FIPS-compliant Edge installer does not work with secure boot. You need to disable secure boot first before installing
Palette on your device. The process to disable secure boot varies by device, but generally, you can press F2 upon
powering up the Edge host, and find the option to disable secure boot in the Basic Input/Output System (BIOS)
interface.

## Prerequisites

- A physical or virtual Linux machine with _AMD64_ (also known as _x86_64_) processor architecture to build the Edge
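Review bot: the new Limitations bullet tells users to disable secure boot but never states what that costs, which matters in a guide whose whole purpose is compliance: secure boot is the firmware's signature check on the boot chain, so switching it off removes that integrity check for the entire life of the host, not just during installation. Suggest adding one sentence to the bullet making the trade-off explicit, for example `Disabling secure boot removes firmware verification of the boot chain; confirm this is acceptable under your organization's compliance requirements.` Minor: `FIPS-compliant Edge installer` should read `FIPS-compliant Edge Installer` to match the capitalization used in the paragraph just above.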
Expand Down Expand Up @@ -44,14 +51,21 @@ This page guides you through the process of building FIPS-compliant Edge Install
command to check the existing Docker version. You should have root-level or `sudo` privileges on your Linux machine to
create privileged containers.

- A [VerteX](/docs/docs-content/vertex/vertex.md) account. Refer to
- A [VerteX](/docs/docs-content/vertex/vertex.md) or Palette account. Refer to
[Palette VerteX](/docs/docs-content/vertex/vertex.md#access-palette-vertex) for information on how to set up a VerteX
account.

- VerteX registration token for pairing Edge hosts with VerteX. You will need tenant admin access to VerteX to generate
a new registration token. For detailed instructions, refer to the
- VerteX registration token for pairing Edge hosts with VerteX or a Palette registration token. You will need tenant
admin access to VerteX to generate a new registration token. For detailed instructions, refer to the
[Create Registration Token](/clusters/edge/site-deployment/site-installation/create-registration-token) guide.

:::warning

You can deploy a FIPS-compliant Edge host to Palette, but this solution will not be FIPS-compliant end-to-end because
Palette is not FIPS compliant. If you need a FIPS-compliant solution, you need to use VerteX.

:::

## Build FIPS-Enabled Edge Artifacts

### Clone CanvOS Repository
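Review bot: the first changed bullet now reads `A VerteX or Palette account`, but the sentence after it still points only at `Palette VerteX` for account setup, so a Palette user gets no pointer for creating their account; either add the Palette equivalent or drop the `or Palette` clause. The registration token bullet has the same gap: it now covers `or a Palette registration token`, yet the next sentence still says `You will need tenant admin access to VerteX to generate a new registration token`, so `VerteX` should become `VerteX or Palette`. Minor: the new warning box mixes `FIPS-compliant` and `FIPS compliant`; use the hyphenated form throughout.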
Expand Down Expand Up @@ -193,21 +207,37 @@ image with.
| BASE_IMAGE | The base image used by EdgeForge to build the Edge Installer and provider images. This must be the same image that you build in the previous step. |
| ISO_NAME | The file name of the ISO file that will be generated. |

14. Create a file named **user-data**. Add the following blocks to the root level of the **user-data** file. Replace the
value for `edgeHostToken` with your VerteX registration token, and replace the value `paletteEndPoint` with the URL
of your VerteX instance.
14. Create a file named **user-data**. It must have the `#cloud-init` header at the top of the file. Ensure you have the
following blocks at the root level of the **user-data** file. Replace the value for `edgeHostToken` with your VerteX
registration token, and replace the value `paletteEndPoint` with the URL of your Palette instance. Replace the user
`kairos` and its password with your desired username and password.

```yaml
#cloud-init
install:
grub_options:
extra_cmdline: "fips=1"
grub_options:
extra_cmdline: "fips=1 selinux=0"
stylus:
site:
edgeHostToken: ********
paletteEndpoint: https://vertex.palette-devx.spectrocloud.com
site:
edgeHostToken: ********
paletteEndpoint: https://vertex.palette-devx.spectrocloud.com
projectName: Default
stages:
initramfs:
- name: "Core system setup"
users:
kairos:
groups:
- admin
passwd: kairos
```

The command in the `install` block is required for FIPS installations. Configurations in the `stylus` block provide
the Edge Host with the registration token and the Palette endpoint. And the configurations in the `stage` block
create a system user that you can use to log in to the Operating System (OS).

15. Add further customization to the **user-data** file as needed. This file configures the Edge Installer. Refer to
[Installer Reference](../../edge-configuration/installer-reference.md) for more information.

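Review bot: `passwd: kairos` puts a literal plaintext credential into a copy-pasteable example, and the only guard is the sentence asking readers to replace the user and password, so anyone who skips it ships an Edge host with a login that is published in the docs; mask it the same way the hunk already masks `edgeHostToken: ********`, or show a hashed-password form if the installer accepts one. `extra_cmdline: "fips=1 selinux=0"` adds `selinux=0` with no explanation, while the prose says only that `The command in the install block is required for FIPS installations`; disabling SELinux removes a mandatory access control layer, so the text should say why it is needed alongside `fips=1` rather than leaving readers to assume it is part of FIPS. Also: the prose refers to the `stage` block but the key is `stages`; it says `paletteEndPoint` but the key is `paletteEndpoint`; and it now says "the URL of your Palette instance" while the sample value is a VerteX URL, so the wording should be "your VerteX or Palette instance". Finally, `Edge Host` in the closing paragraph should be `Edge host` to match the rest of the page.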
Expand Down Expand Up @@ -247,7 +277,10 @@ FIPS-complaint provider images are built on top of the base OS image you have bu

1. Follow the [Site Installation](../../site-deployment/stage.md) guide to install the Palette Edge on your Edge host.

2. Issue the following command and ensure that the output is `1`. This means the OS is FIPS enabled.
2. Press Fn + Ctrl + Cmd + F1 or Ctrl + Cmd + F1 keys on a mac keyboard and provide user credentials to log in to the
OS.

3. Issue the following command and ensure that the output is `1`. This means the OS is FIPS enabled.

```shell
cat /proc/sys/crypto/fips_enabled
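Review bot: the new step 2 gives only the Mac keyboard combination, but an Edge host is normally driven from a PC keyboard, where the equivalent switch to the first virtual console is Ctrl + Alt + F1; list that first and keep the Mac variant as the alternative. Minor: write `Mac` rather than `mac`, and the hunk's context line still carries the pre-existing typo `FIPS-complaint`, which should be `FIPS-compliant` while this section is being edited.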

0 comments on commit 001a56c