Fixes #37566 - Add UEFI Secure Boot Firmware to Libvirt #10321
Conversation
|
Failing tests should be fixed automatically after fog/fog-libvirt#155 is merged. |
|
As noted in my comment on the VMware-related PR #10324 (comment), the same issue occurs with Libvirt. The |
| :port => '-1' } | ||
| :port => '-1' }, | ||
| :firmware => 'automatic', | ||
| :firmware_features => { "secure-boot" => "no" } |
There was a problem hiding this comment.
Is there a reason for having strings as keys in the inner hash?
| { | ||
| firmware_features: { 'secure-boot' => 'yes', 'enrolled-keys' => 'yes' }, | ||
| loader: { 'secure' => 'yes' }, | ||
| secure_boot: true, |
There was a problem hiding this comment.
For other keys and values, you use 'key' => 'yes'. Wouldn't it make sense to do the same here?
There was a problem hiding this comment.
The secure_boot: true setting here is a special case, required only for displaying the correct firmware in the compute_attributes form. We don't process this setting in fog-libvirt the same way we do when creating a new VM. Therefore, if we change its format, there’s little reason to use it, as we could instead rely on the loader attribute. This approach simplifies the usage of the ComputeResource#firmware_type method, aligning it with how we handle VMs.
| @@ -8,6 +8,13 @@ | |||
| <% checked = params[:host] && params[:host][:compute_attributes] && params[:host][:compute_attributes][:start] || '1' %> | |||
| <%= checkbox_f f, :start, { :checked => (checked == '1'), :help_inline => _("Power ON this machine"), :label => _('Start'), :label_size => "col-md-2"} if new_vm && controller_name != "compute_attributes" %> | |||
| <% firmware_type = new_vm && controller_name != 'compute_attributes' ? 'automatic' : compute_resource.firmware_type(f.object.firmware, f.object.secure_boot) %> | |||
There was a problem hiding this comment.
Can we make it as a helper method?
There was a problem hiding this comment.
I've decided to remove the conditions so that firmware_type is now consistently determined by the compute_resource.firmware_type method. The previous logic aimed to set the firmware to Automatic instead of BIOS for new VMs, but it didn't account for scenarios where the firmware is inherited from the Compute Profile.
| <% firmware_type = new_vm && controller_name != 'compute_attributes' ? 'automatic' : compute_resource.firmware_type(f.object.firmware, f.object.secure_boot) %> | |
| <% firmware_type = compute_resource.firmware_type(f.object.firmware, f.object.secure_boot) %> |
|
Oh I missed the failing tests: This needs to be fixed. |
As I mentioned here, this should be fixed automatically after fog/fog-libvirt#155 is merged. |
There was a problem hiding this comment.
I haven't tested this myself, but the code reads well to me and the packaging side is correct.
@stejskalleos leaving the merge to you.
Yes, you are correct. I'm looking into that now. |
|
For me, the libvirt connection errors are also happening in my PR (#10351), where I don't touch Libvirt at all. |
- Added a new firmware type for Secure Boot. - Enable `enrolled-keys` by default when Secure Boot is activated. - Added firmware-related methods to the ComputeResource model for shared use between VMware and Libvirt.
|
The connection errors are unrelated to the changes in this PR. |
Normally, I would proceed with a merge, but in this case, I would prefer to fix tests first and then merge PRs. |
The tests are running without any errors in my local environment, but I can fix them if you'd prefer. |
|
@nofaralfasi the Redmine issue check is failing, can you please squash the comments? I can't overpass that check. |
Requires:
This PR includes two commits:
When creating a new host in Foreman, after selecting
Libvirtas the compute resource, a new option to select the VM's firmware will appear under theVirtual Machinetab. See the screenshot below for a demonstration:Notes:
enrolled-keysare enabled by default when Secure Boot is activated.loader secure='yes'setting.For more details: community post.