summaryrefslogtreecommitdiffstats
path: root/doc/book-enea-nfv-access-getting-started
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2019-10-01 07:44:43 +0200
committerMiruna Paun <Miruna.Paun@enea.com>2019-10-01 18:23:11 +0200
commit6a7862077b08ae360635cdc962253a3e321fd0cf (patch)
tree4f21df9e3a8f25936406a0ce8023b747196084e1 /doc/book-enea-nfv-access-getting-started
parent1b9b859ee60570de0064781de3cca45f7b8ddfbc (diff)
downloadel_releases-nfv-access-6a7862077b08ae360635cdc962253a3e321fd0cf.tar.gz
GettingStarted: add "Advanced Configurations" ch
- Move "Hugepage Reservation Service", "UEFI Secure Boot and "Bare Metal Provisioning" to "Advanced Configurations" chapter - Fix review comments on "Bare Metal Provisioning" chapter Change-Id: I2dbaf2d419d4a19e900b31472fc8690ec7f88169 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Diffstat (limited to 'doc/book-enea-nfv-access-getting-started')
-rw-r--r--doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml519
-rw-r--r--doc/book-enea-nfv-access-getting-started/doc/bare_metal_provisioning.xml210
-rw-r--r--doc/book-enea-nfv-access-getting-started/doc/book.xml8
-rw-r--r--doc/book-enea-nfv-access-getting-started/doc/getting_started_nfv_access.xml138
-rw-r--r--doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml174
5 files changed, 520 insertions, 529 deletions
diff --git a/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml b/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml
new file mode 100644
index 0000000..0dbdd84
--- /dev/null
+++ b/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml
@@ -0,0 +1,519 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<chapter id="advanced_conf">
5 <title>Advanced Configurations</title>
6
7 <para>This chapter describes possible configurations for select advanced features
8 such as the Hugepage Reservation Service, UEFI Secure Boot and Bare Metal
9 Provisioning. These features are optional in the Enea NFV Access platform.
10 If you do not intend to use these features, skip this chapter.</para>
11
12 <section id="hugepage_reservation">
13 <title>Hugepage Reservation Service</title>
14
15 <para>NFV Access implements an automatic hugepage allocation service that
16 is triggered at each startup. The service is skipped if hugepages have
17 been allocated in the kernel boot command line.</para>
18
19 <para>There are two strategies outlined for hugepage allocation:</para>
20
21 <itemizedlist>
22 <listitem>
23 <para>If a system has an amount of memory up to 8GB, the allocation
24 algorithm will reserve up to 30% (no more than 2GB), for the OS and
25 the rest as 2MB hugepages.</para>
26 </listitem>
27
28 <listitem>
29 <para>If a system has an amount of memory that's higher than 8GB, the
30 allocation algorithm will reserve all but 2GB of memory as 1GB
31 hugepages, leaving the rest (2GB) to be used by the OS.</para>
32 </listitem>
33 </itemizedlist>
34
35 <note>
36 <para>This is a best effort reservation after kernel boot, so the
37 results may vary accordingly.</para>
38 </note>
39
40 <section id="hugepage_customizing_auto">
41 <title>Customizing Automatic Hugepage Reservation</title>
42
43 <para>Configuration of Hugepage reservation is done in
44 <literal>/etc/enea-nfv-access/hugepages.cfg</literal>.</para>
45
46 <para><emphasis role="bold">Parameters used by the automatic algorithm:
47 </emphasis></para>
48
49 <itemizedlist spacing="compact">
50 <listitem>
51 <para><literal>hugepage_setup</literal>: Enables the automatic
52 configuraiton algorithm. It has only one value,
53 <literal>auto</literal>. For manual configuration comment or remove
54 this parameter. Use the other parameter descriptions as a
55 template/example.</para>
56 </listitem>
57
58 <listitem>
59 <para><literal>threshold_to_use_1g</literal>: Decides the threshold
60 which instructs the algorithm to use 1GB hugepages. If a system's
61 memory is higher than <literal>threshold_to_use_1g</literal>, then
62 the algorithm will use 1GB hugepages, otherwise it will use 2MB
63 hugepages.</para>
64 </listitem>
65
66 <listitem>
67 <para><literal>percent_os_alloc</literal>: Decides how much memory
68 to try to reserve for userspace applications. The algorithm will try
69 to reserve at least the value of <literal>percent_os_alloc</literal> of the total
70 system memory for userspace applications.</para>
71 </listitem>
72
73 <listitem>
74 <para><literal>maximum_os_alloc_mb</literal>: Maximum amount of
75 memory to allocate for userspace applications. If
76 <literal>percent_os_alloc</literal> of the total system memory
77 exceeds <literal>maximum_os_alloc_mb</literal> then the maximum
78 allocated memory for userspace applications is
79 <literal>maximum_os_alloc_mb</literal>.</para>
80 </listitem>
81 </itemizedlist>
82
83 <para><emphasis role="bold">Example of automatic Hugepage
84 Configuration:</emphasis></para>
85
86 <programlisting> hugepage_setup = auto
87 threshold_to_use_1g = 8192
88 percent_os_alloc = 30
89 maximum_os_alloc_mb = 2048</programlisting>
90
91 <para>The following possible allocations can result (based on total
92 system memory available):</para>
93
94 <itemizedlist>
95 <listitem>
96 <para>2GB of memory: approximately 30% will be allocated for the OS
97 and the rest will be allocated as 2MB hugepages.</para>
98 </listitem>
99
100 <listitem>
101 <para>4GB of memory: approximately 30% will be allocated for the OS
102 and the rest will be allocated as 2MB hugepages.</para>
103 </listitem>
104
105 <listitem>
106 <para>16GB of memory: approximately 2GB will be allocated for the OS
107 and the rest as 1GB hugepages.</para>
108 </listitem>
109 </itemizedlist>
110
111 <note>
112 <para>The memory allocated for the kernel and hugepages might vary
113 slightly depending on how much memory is available.</para>
114 </note>
115 </section>
116
117 <section id="hugepage_customizing_man">
118 <title>Customizing Manual Hugepage Reservation</title>
119
120 <para>The automatic algorithm can be disabled and hugepages in turn, configured
121 manually. To do this, comment the line which defines
122 <literal>hugepage_setup</literal> as <literal>auto</literal> and
123 configure memory for each CPU socket in the following manner:</para>
124
125 <programlisting>&lt;NUMA node&gt;.&lt;hugepage size&gt; = &lt;number of pages&gt;</programlisting>
126
127 <para>Where <literal>&lt;NUMA node&gt;</literal> refers to a node which
128 is part of the system's NUMA topology, <literal>&lt;hugepage
129 size&gt;</literal> decides what type of hugepages should be set and
130 <literal>&lt;number of hugepages&gt;</literal> is how many hugepages of
131 <literal>&lt;hugepage size&gt;</literal> should be allocated.</para>
132
133 <para>To list the available system nodes, run:</para>
134
135 <programlisting>ls -d /sys/devices/system/node/node* </programlisting>
136
137 <para>To list available hugepage sizes, per node, run:</para>
138
139 <programlisting>ls -d /sys/devices/system/node/node*/hugepages/hugepages-*</programlisting>
140
141 <para>Example of Manual Hugepage Configuration, configuring the system
142 to allocate three 1GB hugepages and 512 of 2MB hugepages on node:</para>
143
144 <programlisting>node0.2048kB = 512
145node0.1048576kB = 3 </programlisting>
146 </section>
147 </section>
148
149 <section id="uefi_secure_boot">
150 <title>UEFI Secure Boot</title>
151
152 <para>Secure Boot was designed to enhance security in the pre-boot
153 environment. It prevents malicious software and applications from being
154 loaded during the system start-up process.</para>
155
156 <para>The basic principle of UEFI Secure Boot is that it requires all
157 artifacts involved in the boot process (bootloaders, kernel, initramfs)
158 to be signed using a set of private keys. On a Secure Boot enabled uCPE
159 device these artifacts are checked against a set of public certificates
160 which correspond to these keys. If there are any mismatches the boot
161 process will fail at the stage(s) they are detected.</para>
162
163 <para>For more information about Secure Boot please refer to <ulink
164 url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure
165 Boot in Modern Computer Security Solutions</ulink>.</para>
166
167 <section id="secure_boot_keys">
168 <title>Enabling UEFI Secure Boot</title>
169
170 <para>All Enea NFV Access image artifacts delivered with the release are
171 signed using the Enea UEFI Secure boot private keys. These artifacts can
172 be used on a uCPE device that doesn't have Secure Boot enabled. To use
173 the Secure Boot feature, however, the user must make the Enea UEFI
174 Secure Boot public certificates available on the uCPE device before
175 enabling the feature in BIOS. This process is called
176 "Provisioning".</para>
177
178 <section id="manual_key_provisioning">
179 <title>Provisioning the Enea UEFI Secure Boot Certificates</title>
180
181 <para>The UEFI firmware is normally shipped with factory preloaded
182 certificates. If these do not already include Certificates from Enea,
183 they will need to be appended or replaced with the Enea
184 Certificates.</para>
185
186 <para><emphasis role="bold">UEFI Secure Boot certificates provided
187 with your release:</emphasis></para>
188
189 <itemizedlist>
190 <listitem>
191 <para><literal>Platform Key (PK)</literal>: this key protects the
192 next key from uncontrolled modification. Once this key is
193 enrolled, Secure Boot enters into <literal>User Mode</literal>.
194 The drivers and loaders signed with the <literal>Platform
195 Key</literal> can then be loaded by the firmware.</para>
196 </listitem>
197
198 <listitem>
199 <para><literal>Key Exchange key (KEK)</literal>: this key allows
200 other certificates which have a connection to the private portion
201 of the <literal>Platform Key</literal> to be used.</para>
202 </listitem>
203
204 <listitem>
205 <para><literal>Authorized Signature (DB)</literal>: contains the
206 <literal>trusted keys</literal> used for authenticating any
207 drivers or applications executed in the UEFI environment.</para>
208 </listitem>
209 </itemizedlist>
210
211 <para>The Enea UEFI Secure Boot certificates are installed together
212 with the Enea NFV Access Run Time Platform onto the hard drive. They
213 can be found on the EFI partition (usually the first partition of the
214 drive) under <literal>/uefi_sb_keys</literal>.</para>
215
216 <para><emphasis role="bold">How to manually enroll Enea
217 Certificates</emphasis></para>
218
219 <orderedlist>
220 <listitem>
221 <para>Reboot the uCPE device and press <literal>DEL</literal> to
222 enter into BIOS.</para>
223 </listitem>
224
225 <listitem>
226 <para>Select <literal>Secure Boot Mode</literal> -&gt;
227 <literal>Custom</literal>.</para>
228 </listitem>
229
230 <listitem>
231 <para>Select <literal>Key Management</literal> from the
232 <literal>Security</literal> menu.</para>
233 </listitem>
234
235 <listitem>
236 <para>Enroll the <literal>Platform Key (PK)</literal>:
237 <itemizedlist>
238 <listitem>
239 Select <literal>Set New Key</literal> -&gt;
240 <literal>File from a file system</literal>. .
241 </listitem>
242
243 <listitem>
244 Specify the folder: <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/PK.esl</literal>
245 </listitem>
246
247 <listitem>
248 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
249 </listitem>
250 </itemizedlist></para>
251 </listitem>
252
253 <listitem>
254 <para>Enroll the <literal>Key Exchange key (KEK)</literal>:
255 <itemizedlist>
256 <listitem>
257 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>.
258 </listitem>
259
260 <listitem>
261 Specify the folder: <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/KEK.esl</literal>
262 </listitem>
263
264 <listitem>
265 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
266 </listitem>
267 </itemizedlist></para>
268 </listitem>
269
270 <listitem>
271 <para>Enroll the <literal>Authorized Signature (DB)</literal>:
272 <itemizedlist>
273 <listitem>
274 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>.
275 </listitem>
276
277 <listitem>
278 Specify the folder: <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/DB.esl</literal>
279 </listitem>
280
281 <listitem>
282 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
283 </listitem>
284 </itemizedlist></para>
285 </listitem>
286 </orderedlist>
287
288 <note>
289 <para>Details on how to provision the certificates may vary with
290 different versions of UEFI firmware.</para>
291 </note>
292 </section>
293
294 <section id="enable_secure_boot">
295 <title>Enabling Secure Boot in BIOS</title>
296
297 <para>Once the certificates are provisioned we can enable the Secure
298 Boot feature:</para>
299
300 <orderedlist>
301 <listitem>
302 <para>Within BIOS, select the <literal>Security option</literal> from the top
303 menu.</para>
304 </listitem>
305
306 <listitem>
307 <para>Set the <literal>Boot Menu</literal> -&gt;
308 <literal>Enabled.</literal></para>
309 </listitem>
310 </orderedlist>
311 </section>
312 </section>
313 </section>
314
315 <section id="bare_meta_prov">
316 <title>Bare Metal Provisioning</title>
317
318 <para>Bare Metal Provisioning can be used for automated deployment of
319 the Enea NFV Access Run Time Platform on a large number of uCPE devices.
320 The uCPE devices may have no previous operating system installed, or are
321 reinstalled without preserving any existing data. Enea NFV Access Bare
322 Metal Provisioning is based on standardized Pre-Boot Execution
323 environment (PXE) booting.</para>
324
325 <para>The Bare Metal Provisioning process begins by PXE booting an Enea
326 NFV Access installer <literal>initramfs</literal> image. The installer
327 downloads a configuration file, as well as the Enea NFV Access Run Time
328 Platform image and then proceeds to install the system by dividing the
329 disk into 2 partitions. A GPT partition containing the GRUB boot loader
330 and a second partition containing the Enea NFV Access Run Time Platform
331 root filesystem. When the installation is complete, the uCPE device is
332 automatically rebooted into Enea NFV Access Run Time Platform.</para>
333
334 <section id="bare_meta_prov_prereq">
335 <title>Prerequisites</title>
336
337 <itemizedlist>
338 <listitem>
339 <para>The uCPE devices to be installed are connected in a working
340 PXE network boot environment. The PXE server can be set up using any
341 Linux distribution that includes TFTP and DHCP software packages.
342 Refer to the documentation for your distribution for setup
343 instructions.</para>
344 </listitem>
345
346 <listitem>
347 <para>An HTTP server must be available and accessible from the uCPE
348 devices in the provisioning network. Note that the installer will
349 use the same interface that the uCPE device is PXE-booted from, to
350 obtain an IP address using DHCP and access the HTTP server.</para>
351 </listitem>
352
353 <listitem>
354 <para>The uCPE devices are preconfigured in BIOS to boot from the
355 hard drive where the Enea NFV Access Run Time Platform will be
356 installed.</para>
357 </listitem>
358
359 <listitem>
360 <para>A remote management tool is available that can be used to set
361 the next boot option to PXE and reboot the uCPE devices in order to
362 begin the installation.</para>
363 </listitem>
364 </itemizedlist>
365 </section>
366
367 <section id="bare_meta_prov_server">
368 <title>Server Configuration</title>
369
370 <para>The following images provided with your Enea NFV Access release
371 need to be made available on the PXE and HTTP servers:</para>
372
373 <orderedlist>
374 <listitem>
375 <para>Copy the Enea NFV Access installer
376 <literal>initramfs</literal> image and kernel
377 <literal>bzImage</literal> for your uCPE device architecture to the
378 TFTP directory on the PXE server (e.g
379 <literal>/var/lib/tftpboot</literal>).</para>
380 </listitem>
381
382 <listitem>
383 <para>Compress the Enea NFV Access Run Time Platform
384 <literal>hddimg</literal> image for the uCPE device architecture
385 using <literal>gzip</literal> and copy the resulting
386 <literal>hddimg.gz</literal> file to the HTTP server.</para>
387 </listitem>
388 </orderedlist>
389
390 <section id="bare_meta_prov_install_config">
391 <title>Installation Configuration File</title>
392
393 <para>An installation configuration file needs to be prepared on the
394 HTTP server. The format of the configuration file is a list of
395 "<literal>name = value</literal>" pairs and the available parameters
396 are described below.</para>
397
398 <para>Mandatory parameters:</para>
399
400 <itemizedlist>
401 <listitem>
402 <para><literal>image_url</literal>. The HTTP server URL used for
403 downloading the Enea NFV Access Run Time Platform image. This
404 image will be installed on the uCPE device(s) in the
405 <literal>hddimg.gz</literal> format.</para>
406 </listitem>
407 </itemizedlist>
408
409 <para>Optional parameters:</para>
410
411 <itemizedlist>
412 <listitem>
413 <para><literal>install_drive</literal>. The name of the drive
414 where the Enea NFV Access Run Time Platform will be installed (e.g
415 <literal>/dev/sda</literal>). If not set, the installer will use
416 the largest detected (non-USB) drive on the uCPE device.</para>
417 </listitem>
418
419 <listitem>
420 <para><literal>prompt_user</literal>. If the parameter is set to
421 "yes", the installer will ask for confirmation before formatting
422 and partitioning the drive. The default behaviour is to proceed
423 automatically without any user interaction.</para>
424 </listitem>
425 </itemizedlist>
426
427 <para>Optional parameters for sending status notifications to a
428 server. All three must be provided if used:</para>
429
430 <itemizedlist>
431 <listitem>
432 <para><literal>notify_user</literal>. Server SSH username.</para>
433 </listitem>
434
435 <listitem>
436 <para><literal>notify_pass</literal>. Server SSH password.</para>
437 </listitem>
438
439 <listitem>
440 <para><literal>notify_path</literal>. Location where notification
441 files will be placed, specified in <literal>Server IP:directory</literal>
442 format.</para>
443 </listitem>
444 </itemizedlist>
445
446 <para>Installation Configuration File Example:</para>
447
448 <programlisting>
449 image_url = http://192.168.1.100/enea-nfv-access-xeon-d.hddimg.gz
450 install_drive = /dev/sda
451 notify_user = username
452 notify_pass = password
453 notify_path = 192.168.1.100:/home/user/status_notifications
454
455</programlisting>
456 </section>
457
458 <section id="bare_meta_prov_pxe">
459 <title>PXE Configuration</title>
460
461 <para>A PXE entry for the Enea NFV Access installation needs to be
462 added as the default boot selection in the pxelinux configuration file
463 (e.g <literal>/var/lib/tftpboot/pxelinux.cfg/default</literal>). The
464 PXE entry should have the following settings:</para>
465
466 <programlisting>
467 default nfv_access
468 label nfv_access
469 menu label ^NFV_ACCESS_INSTALLER
470 kernel &lt;Path to kernel&gt;
471 append root=/dev/ram0 initrd=&lt;Path to initramfs&gt; LABEL=pxe-installer \
472 INSTALL_CFG=http://&lt;Server IP&gt;/&lt;Path to install config file&gt;
473 ipappend 2
474 </programlisting>
475 </section>
476 </section>
477
478 <section id="bare_meta_prov_inst">
479 <title>Starting the Installation</title>
480
481 <para>To initiate the installation, set the boot device (for next boot
482 only) to PXE and reboot the uCPE devices. How to do this depends on the
483 remote management capabilities of the uCPE devices and may require
484 vendor-specific tools.</para>
485
486 <para>Example initiation using <literal>ipmitool</literal>:</para>
487
488 <programlisting>
489 ipmitool -U &lt;user&gt; -P &lt;password&gt; -H &lt;uCPE device IPMI IP address&gt; chassis bootdev pxe
490 ipmitool -U &lt;user&gt; -P &lt;password&gt; -H &lt;uCPE device IPMI IP address&gt; power reset
491 </programlisting>
492
493 <para>The uCPE devices should be configured in BIOS to boot from the
494 installation drive first in order to automatically start the Enea NFV
495 Access Run Time Platform when the installation is finished.</para>
496
497 <section>
498 <title>Server Notifications</title>
499
500 <para>Optionally, the uCPE devices can send a notification file to a
501 server once the installation is complete and Enea NFV Access Run Time
502 Platform has successfully booted. Notifications are enabled by
503 providing the <literal>notify_*</literal> parameters in the
504 installation configuration file.</para>
505
506 <para>Each uCPE device will push a file to the server location
507 specified in the installation configuration file. The file name will
508 be the MAC address of the PXE boot network interface in order to
509 uniquely identify the device.</para>
510
511 <note>
512 <para>Note that the status notification will only be sent on the
513 first boot after installation is done, subsequent reboots of the
514 uCPE device will not cause any new notifications to be sent.</para>
515 </note>
516 </section>
517 </section>
518 </section>
519</chapter>
diff --git a/doc/book-enea-nfv-access-getting-started/doc/bare_metal_provisioning.xml b/doc/book-enea-nfv-access-getting-started/doc/bare_metal_provisioning.xml
deleted file mode 100644
index 8ff70ee..0000000
--- a/doc/book-enea-nfv-access-getting-started/doc/bare_metal_provisioning.xml
+++ /dev/null
@@ -1,210 +0,0 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<chapter id="bare_meta_prov">
5 <title>Bare Metal Provisioning</title>
6
7 <para>This chapter contains information needed in order to use Bare Metal
8 Provisioning. Bare Metal Provisioning is an optional feature in the Enea NFV
9 Access Run Time Platform. If you do not intend to use this feature, skip to
10 the next chapter.</para>
11
12 <section id="bare_meta_prov_intro">
13 <title>Introduction</title>
14
15 <para>Bare Metal Provisioning can be used for automated deployment of the
16 Enea NFV Access Run Time Platform on a large number of uCPE devices. The
17 uCPE devices may have no previous operating system installed, or are
18 reinstalled without preserving any existing data. Enea NFV Access Bare
19 Metal Provisioning is based on standardized Pre-Boot Execution environment
20 (PXE) booting.</para>
21
22 <para>The Bare Metal Provisioning process begins by PXE booting an Enea
23 NFV Access installer <literal>initramfs</literal> image. The installer
24 downloads a configuration file, as well as the Enea NFV Access Run Time
25 Platform image and then proceeds to install the system by dividing the
26 disk into 2 partitions. A GPT partition containing the GRUB boot loader
27 and a second partition containing the Enea NFV Access Run Time Platform
28 root filesystem. When the installation is complete, the uCPE device is
29 automatically rebooted into Enea NFV Access Run Time Platform.</para>
30 </section>
31
32 <section id="bare_meta_prov_prereq">
33 <title>Prerequisites</title>
34
35 <itemizedlist>
36 <listitem>
37 <para>The uCPE devices to be installed are connected in a working PXE
38 network boot environment. The PXE server can be set up using any Linux
39 distribution that includes TFTP and DHCP software packages. Refer to
40 the documentation for your distribution for setup instructions.</para>
41 </listitem>
42
43 <listitem>
44 <para>An HTTP server must be available and accessible from the uCPE
45 devices in the provisioning network. Note that the installer will use
46 the same interface that the uCPE device is PXE-booted from, to obtain
47 an IP address using DHCP and access the HTTP server.</para>
48 </listitem>
49
50 <listitem>
51 <para>The uCPE devices are preconfigured in BIOS to boot from the hard
52 drive where the Enea NFV Access Run Time Platform will be
53 installed.</para>
54 </listitem>
55
56 <listitem>
57 <para>A remote management tool is available that can be used to set
58 the next boot option to PXE and reboot the uCPE devices in order to
59 begin the installation.</para>
60 </listitem>
61 </itemizedlist>
62 </section>
63
64 <section id="bare_meta_prov_server">
65 <title>Server Configuration</title>
66
67 <para>The following images provided with your Enea NFV Access release
68 needs to be made available on the PXE and HTTP servers:</para>
69
70 <orderedlist>
71 <listitem>
72 <para>Copy the Enea NFV Access installer <literal>initramfs</literal>
73 image and kernel <literal>bzImage</literal> for the uCPE device
74 architecture to the TFTP directory on the PXE server (e.g
75 <literal>/var/lib/tftpboot</literal>).</para>
76 </listitem>
77
78 <listitem>
79 <para>Compress the Enea NFV Access Run Time Platform
80 <literal>hddimg</literal> image for the uCPE device architecture using
81 <literal>gzip</literal> and copy the resulting
82 <literal>hddimg.gz</literal> file to the HTTP server.</para>
83 </listitem>
84 </orderedlist>
85
86 <section id="bare_meta_prov_install_config">
87 <title>Installation Configuration File</title>
88
89 <para>An installation configuration file needs to be prepared on the
90 HTTP server. The format of the configuration file is a list of
91 "<literal>name = value</literal>" pairs and the available parameters are
92 described below.</para>
93
94 <para>Mandatory parameters:</para>
95
96 <itemizedlist>
97 <listitem>
98 <para><literal>image_url</literal>. The HTTP server URL used for
99 downloading the Enea NFV Access Run Time Platform image to be
100 installed on the uCPE devices in <literal>hddimg.gz</literal>
101 format.</para>
102 </listitem>
103 </itemizedlist>
104
105 <para>Optional parameters:</para>
106
107 <itemizedlist>
108 <listitem>
109 <para><literal>install_drive</literal>. The name of the drive where
110 the Enea NFV Access Run Time Platform will be installed (e.g
111 <literal>/dev/sda</literal>). If not set, the installer will use the
112 largest detected (non-USB) drive on the uCPE device.</para>
113 </listitem>
114
115 <listitem>
116 <para><literal>prompt_user</literal>. If the parameter is set to
117 "yes", the installer will ask for confirmation before formatting and
118 partitioning the drive. The default behaviour is to proceed
119 automatically without any user interaction.</para>
120 </listitem>
121 </itemizedlist>
122
123 <para>Optional parameters for sending status notifications to a server.
124 All three must be provided if used:</para>
125
126 <itemizedlist>
127 <listitem>
128 <para><literal>notify_user</literal>. Server SSH username</para>
129 </listitem>
130
131 <listitem>
132 <para><literal>notify_pass</literal>. Server SSH password</para>
133 </listitem>
134
135 <listitem>
136 <para><literal>notify_path</literal>. Location where notification
137 files will be placed, specified in "Server IP:directory"
138 format.</para>
139 </listitem>
140 </itemizedlist>
141
142 <para>Installation Configuration File Example:</para>
143
144 <programlisting>
145 image_url = http://192.168.1.100/enea-nfv-access-xeon-d.hddimg.gz
146 install_drive = /dev/sda
147 notify_user = username
148 notify_pass = password
149 notify_path = 192.168.1.100:/home/user/status_notifications
150
151</programlisting>
152 </section>
153
154 <section id="bare_meta_prov_pxe">
155 <title>PXE Configuration</title>
156
157 <para>A PXE entry for the Enea NFV Access installation needs to be added
158 as the default boot selection in the pxelinux configuration file (e.g
159 <literal>/var/lib/tftpboot/pxelinux.cfg/default</literal>). The PXE
160 entry should have the following settings:</para>
161
162 <programlisting>
163 default nfv_access
164 label nfv_access
165 menu label ^NFV_ACCESS_INSTALLER
166 kernel &lt;Path to kernel&gt;
167 append root=/dev/ram0 initrd=&lt;Path to initramfs&gt; LABEL=pxe-installer \
168 INSTALL_CFG=http://&lt;Server IP&gt;/&lt;Path to install config file&gt;
169 ipappend 2
170 </programlisting>
171 </section>
172 </section>
173
174 <section id="bare_meta_prov_inst">
175 <title>Starting the Installation</title>
176
177 <para>To initiate the installation, set the boot device (for next boot
178 only) to PXE and reboot the uCPE devices. How to do this depends on the
179 remote management capabilities of the uCPE devices and may require
180 vendor-specific tools.</para>
181
182 <para>Example initiation using <literal>ipmitool</literal>:</para>
183
184 <programlisting>
185 ipmitool -U &lt;user&gt; -P &lt;password&gt; -H &lt;uCPE device IPMI IP address&gt; chassis bootdev pxe
186 ipmitool -U &lt;user&gt; -P &lt;password&gt; -H &lt;uCPE device IPMI IP address&gt; power reset
187 </programlisting>
188
189 <para>The uCPE devices should be configured in BIOS to boot from the
190 installation drive first in order to automatically start the Enea NFV
191 Access Run Time Platform when the installation is finished.</para>
192
193 <section>
194 <title>Server Notifications</title>
195
196 <para>Optionally, the uCPE devices can send a notification file to a
197 server once the installation is complete and Enea NFV Access Runtime
198 Platform has successfully booted. Notifications are enabled by providing
199 the <literal>notify_*</literal> parameters in the installation
200 configuration file.</para>
201
202 <para>Each uCPE device will push a file to the server location specified
203 in the installation configuration file. The file name will be the MAC
204 address of the PXE boot network interface in order to uniquely identify
205 the device. Note that the status notification will only be sent on the
206 first boot after installation is done, subsequent reboots of the uCPE
207 device will not cause any new notifications to be sent.</para>
208 </section>
209 </section>
210</chapter> \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-getting-started/doc/book.xml b/doc/book-enea-nfv-access-getting-started/doc/book.xml
index 9289fe8..4ddc693 100644
--- a/doc/book-enea-nfv-access-getting-started/doc/book.xml
+++ b/doc/book-enea-nfv-access-getting-started/doc/book.xml
@@ -27,12 +27,6 @@
27 <xi:include href="getting_started_ucpe_manager.xml" 27 <xi:include href="getting_started_ucpe_manager.xml"
28 xmlns:xi="http://www.w3.org/2001/XInclude" /> 28 xmlns:xi="http://www.w3.org/2001/XInclude" />
29 29
30 <xi:include href="secure_boot.xml" 30 <xi:include href="advanced_configurations.xml"
31 xmlns:xi="http://www.w3.org/2001/XInclude" />
32
33 <xi:include href="bare_metal_provisioning.xml"
34 xmlns:xi="http://www.w3.org/2001/XInclude" />
35
36 <xi:include href="in_band_management.xml"
37 xmlns:xi="http://www.w3.org/2001/XInclude" /> 31 xmlns:xi="http://www.w3.org/2001/XInclude" />
38</book> 32</book>
diff --git a/doc/book-enea-nfv-access-getting-started/doc/getting_started_nfv_access.xml b/doc/book-enea-nfv-access-getting-started/doc/getting_started_nfv_access.xml
index 7a30f28..6d9e8c4 100644
--- a/doc/book-enea-nfv-access-getting-started/doc/getting_started_nfv_access.xml
+++ b/doc/book-enea-nfv-access-getting-started/doc/getting_started_nfv_access.xml
@@ -238,7 +238,6 @@ of=/dev/sdb bs=4M conv=fsync</programlisting></para>
238 Platform using a bootable USB stick image</emphasis></para> 238 Platform using a bootable USB stick image</emphasis></para>
239 239
240 <orderedlist> 240 <orderedlist>
241
242 <listitem> 241 <listitem>
243 <para>Plug the USB stick into the reference uCPE device. Make sure 242 <para>Plug the USB stick into the reference uCPE device. Make sure
244 you are connected to the serial port.</para> 243 you are connected to the serial port.</para>
@@ -480,143 +479,6 @@ run</programlisting>
480 </section> 479 </section>
481 </section> 480 </section>
482 481
483 <section id="hugepage_reservation">
484 <title>Hugepage Reservation Service</title>
485
486 <para>NFV Access implements an automatic hugepage allocation service that
487 is triggered at each startup. The service is skipped if hugepages have
488 been allocated in the kernel boot command line.</para>
489
490 <para>There are two strategies outlined for hugepage allocation:</para>
491
492 <itemizedlist>
493 <listitem>
494 <para>If a system has an amount of memory up to 8GB, the allocation
495 algorithm will reserve up to 30%, but no more than 2GB, for the OS and
496 the rest as 2MB hugepages.</para>
497 </listitem>
498
499 <listitem>
500 <para>If a system has an amount of memory that's higher than 8GB, the
501 allocation algorithm will reserve all but 2GB of memory as 1GB
502 hugepages, leaving the rest (2GB) to be used by the OS.</para>
503 </listitem>
504 </itemizedlist>
505
506 <note>
507 <para>This is a best effort reservation, after the kernel boot, so the
508 results may not be as described.</para>
509 </note>
510
511 <section id="hugepage_customizing_auto">
512 <title>Customizing Automatic Hugepage Reservation</title>
513
514 <para>Configuration of Hugepage reservation is done in
515 <literal>/etc/enea-nfv-access/hugepages.cfg.</literal></para>
516
517 <para><emphasis role="bold">Parameters used by the automatic algorithm:
518 </emphasis></para>
519
520 <itemizedlist spacing="compact">
521 <listitem>
522 <para><literal>hugepage_setup</literal>: Enables the automatic
523 configuraiton algorithm. It has only one value,
524 <literal>auto</literal>. For manual configuration comment or remove
525 the parameter. Use the other parameter descriptions as a
526 template/example.</para>
527 </listitem>
528
529 <listitem>
530 <para><literal>threshold_to_use_1g</literal>: Decides the threshold
531 which instructs the algorithm to use 1GB hugepages. If a system's
532 memory is higher than <literal>threshold_to_use_1g</literal>, then
533 the algorithm will use 1GB hugepages, otherwise it will use 2MB
534 hugepages.</para>
535 </listitem>
536
537 <listitem>
538 <para><literal>percent_os_alloc</literal>: Decides how much memory
539 to try to reserve for userspace applications. The algorithm will try
540 to reserve at least <literal>percent_os_alloc</literal> of the total
541 system memory to user space applications.</para>
542 </listitem>
543
544 <listitem>
545 <para><literal>maximum_os_alloc_mb</literal>: Maximum amount of
546 memory to allocate for userspace applications. If
547 <literal>percent_os_alloc</literal> of the total system memory
548 exceeds <literal>maximum_os_alloc_mb</literal> then the maximum
549 allocated memory for userspace applications is
550 <literal>maximum_os_alloc_mb</literal>.</para>
551 </listitem>
552 </itemizedlist>
553
554 <para><emphasis role="bold">Example of automatic Hugepage
555 Configuration:</emphasis></para>
556
557 <programlisting> hugepage_setup = auto
558 threshold_to_use_1g = 8192
559 percent_os_alloc = 30
560 maximum_os_alloc_mb = 2048</programlisting>
561
562 <para>The following possible allocations could result (based on total
563 system memory available):</para>
564
565 <itemizedlist>
566 <listitem>
567 <para>2GB of memory: approximately 30% will be allocated for the OS
568 and the rest will be allocated as 2MB hugepages.</para>
569 </listitem>
570
571 <listitem>
572 <para>4GB of memory: approximately 30% will be allocated for the OS
573 and the rest will be allocated as 2MB hugepages.</para>
574 </listitem>
575
576 <listitem>
577 <para>16GB of memory: approximately 2GB will be allocated for the OS
578 and the rest as 1GB hugepages.</para>
579 </listitem>
580 </itemizedlist>
581
582 <note>
583 <para>The memory allocated for the kernel and hugepages might vary
584 slightly depending on how much memory is available.</para>
585 </note>
586 </section>
587
588 <section id="hugepage_customizing_man">
589 <title>Customizing Manual Hugepage Reservation</title>
590
591 <para>The automatic algorithm can be disabled and hugepages configured
592 manually. To do this, comment the line which defines
593 <literal>hugepage_setup</literal> as <literal>auto</literal> and
594 configure memory for each CPU socket in the following manner:</para>
595
596 <programlisting>&lt;NUMA node&gt;.&lt;hugepage size&gt; = &lt;number of pages&gt; </programlisting>
597
598 <para>Where <literal>&lt;NUMA node&gt;</literal> refers to a node which
599 is part of the system's NUMA topology, <literal>&lt;hugepage
600 size&gt;</literal> decides what type of hugepages should be set and
601 <literal>&lt;number of hugepages&gt;</literal> is how many hugepages of
602 <literal>&lt;hugepage size&gt;</literal> should be allocated.</para>
603
604 <para>To list the available system nodes, run:</para>
605
606 <programlisting>ls -d /sys/devices/system/node/node* </programlisting>
607
608 <para>To list available hugepage sizes, per node, run:</para>
609
610 <programlisting>ls -d /sys/devices/system/node/node*/hugepages/hugepages-*</programlisting>
611
612 <para>Example of Manual Hugepage Configuration, to configure the sytem
613 to allocate e.g. 3 1GB hugepages and 512 2MB hugepages on node:</para>
614
615 <programlisting>node0.2048kB = 512
616node0.1048576kB = 3 </programlisting>
617 </section>
618 </section>
619
620 <section condition="hidden" id="release-content"> 482 <section condition="hidden" id="release-content">
621 <title>NFV Access Release content</title> 483 <title>NFV Access Release content</title>
622 484
diff --git a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml b/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml
deleted file mode 100644
index 7b07086..0000000
--- a/doc/book-enea-nfv-access-getting-started/doc/secure_boot.xml
+++ /dev/null
@@ -1,174 +0,0 @@
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
3"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
4<chapter id="secure_boot">
5 <title>UEFI Secure Boot</title>
6
7 <para>This chapter contains information needed in order to enable the Secure
8 Boot. Secure Boot is an optional feature in the Enea NFV Access Run Time
9 Platform. If you do not intend to use this feature, skip to the next
10 chapter.</para>
11
12 <section id="intro">
13 <title>Introduction</title>
14
15 <para>Secure Boot was designed to enhance security in the pre-boot
16 environment. It prevents malicious software and applications from being
17 loaded during the system start-up process.</para>
18
19 <para>The basic principle of UEFI Secure Boot is that it requires all
20 artifacts involved in the boot process (bootloaders, kernel, initramfs) to
21 be signed using a set of private keys. On a Secure Boot enabled uCPE
22 device these artifacts are checked against a set of public certificates
23 which correspond to these keys. If there are any mismatches the boot
24 process will fail at various stages.</para>
25
26 <para>For more information about Secure Boot please refer to <ulink
27 url="https://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf">Secure
28 Boot in Modern Computer Security Solutions</ulink>.</para>
29 </section>
30
31 <section id="secure_boot_keys">
32 <title>Enabling UEFI Secure Boot</title>
33
34 <para>All Enea NFV Access image artifacts delivered with the release are
35 signed using the Enea UEFI Secure boot private keys. These artifacts can
36 be used on a uCPE device that doesn't have Secure Boot enabled. To use the
37 Secure Boot feature, however, the user must make the Enea UEFI Secure Boot
38 public certificates available on the uCPE device before enabling the
39 feature in BIOS. This process is called "Provisioning".</para>
40
41 <section id="manual_key_provisioning">
42 <title>Provisioning the Enea UEFI Secure Boot Certificates</title>
43
44 <para>The UEFI firmware is normally shipped with factory preloaded
45 certificates. If these do not already include Certificates from Enea,
46 they will need to be appended or replaced with the Enea
47 Certificates.</para>
48
49 <para><emphasis role="bold">UEFI Secure Boot certificates provided with
50 your release:</emphasis></para>
51
52 <itemizedlist>
53 <listitem>
54 <para><literal>Platform Key (PK)</literal>: this key protects the
55 next key from uncontrolled modification. Once this key is enrolled,
56 Secure Boot enters into <literal>User Mode</literal>. The drivers
57 and loaders signed with the <literal>Platform Key</literal> can then
58 be loaded by the firmware.</para>
59 </listitem>
60
61 <listitem>
62 <para><literal>Key Exchange key (KEK)</literal>: this key allows
63 other certificates which have a connection to the private portion of
64 the <literal>Platform Key</literal> to be used.</para>
65 </listitem>
66
67 <listitem>
68 <para><literal>Authorized Signature (DB)</literal>: contains the
69 <literal>trusted keys</literal> used for authenticating any drivers
70 or applications executed in the UEFI environment.</para>
71 </listitem>
72 </itemizedlist>
73
74 <para>The Enea UEFI Secure Boot certificates are installed together with
75 the Enea NFV Access Run Time Platform onto the hard drive. They can be
76 found on the EFI partition (usually the first partition of the drive)
77 under <literal>/uefi_sb_keys</literal>.</para>
78
79 <para><emphasis role="bold">How to manually enroll Enea
80 Certificates</emphasis></para>
81
82 <orderedlist>
83 <listitem>
84 <para>Reboot the uCPE device and press <literal>DEL</literal> to
85 enter into BIOS.</para>
86 </listitem>
87
88 <listitem>
89 <para>Select <literal>Secure Boot Mode</literal> -&gt;
90 <literal>Custom</literal>.</para>
91 </listitem>
92
93 <listitem>
94 <para>Select <literal>Key Management</literal> from the
95 <literal>Security</literal> menu.</para>
96 </listitem>
97
98 <listitem>
99 <para>Enroll the <literal>Platform Key (PK)</literal>: <itemizedlist>
100 <listitem>
101 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>.
102 </listitem>
103
104 <listitem>
105 Specify the folder:
106 <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/PK.esl</literal>.</listitem>
107
108 <listitem>
109 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
110 </listitem>
111 </itemizedlist></para>
112 </listitem>
113
114 <listitem>
115 <para>Enroll the <literal>Key Exchange key (KEK)</literal>:
116 <itemizedlist>
117 <listitem>
118 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>.
119 </listitem>
120
121 <listitem>
122 Specify the folder:
123 <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/KEK.esl</literal>.
124 </listitem>
125
126 <listitem>
127 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
128 </listitem>
129 </itemizedlist>
130 </para>
131 </listitem>
132
133 <listitem>
134 <para>Enroll the <literal>Authorized Signature (DB)</literal>:
135 <itemizedlist>
136 <listitem>
137 Select <literal>Set New Key</literal> -&gt; <literal>File from a file system</literal>.
138 </listitem>
139
140 <listitem>
141 Specify the folder:
142 <literal>&lt;user-keys&gt;/&lt;uefi_sb_keys&gt;/DB.esl</literal>. .
143 </listitem>
144
145 <listitem>
146 Select <literal>Public Key Certificate</literal> and then <literal>Ok</literal>.
147 </listitem>
148 </itemizedlist></para>
149 </listitem>
150 </orderedlist>
151
152 <note>
153 <para>Details on how to provision the certificates may vary with
154 different versions of UEFI firmware.</para>
155 </note>
156 </section>
157
158 <section id="enable_secure_boot">
159 <title>Turning on Secure Boot in BIOS</title>
160
161 <para>Once the certificates are provisioned we can enable the Secure Boot feature:</para>
162
163 <orderedlist>
164 <listitem>
165 <para>Select <literal>Security option</literal> from the top menu.</para>
166 </listitem>
167
168 <listitem>
169 <para>Set the <literal>Boot Menu</literal> -&gt; <literal>Enabled.</literal></para>
170 </listitem>
171 </orderedlist>
172 </section>
173 </section>
174</chapter> \ No newline at end of file
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-14 17:38:00 +0000