diff --git a/doc/source/_includes/partial-disk-encryption-support-37cf9e2651db.rest b/doc/source/_includes/partial-disk-encryption-support-37cf9e2651db.rest new file mode 100644 index 000000000..1c86fbe24 --- /dev/null +++ b/doc/source/_includes/partial-disk-encryption-support-37cf9e2651db.rest @@ -0,0 +1,6 @@ + +.. begin-partial-disk-encrypt + +.. end-partial-disk-encrypt + + diff --git a/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst b/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst index 28183651b..c94926333 100644 --- a/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst +++ b/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst @@ -18,6 +18,10 @@ using DCManager CLI ` for how to remotely backup a subcloud from the System Controller. +.. note:: + + Backup archives should be stored in a secured (offsite) location. + .. contents:: |minitoc| :local: :depth: 1 @@ -198,6 +202,19 @@ Recommended Backup and Retention Policies backups can be performed locally or remotely, and the archive must be stored off the system. +<<<<<<< HEAD (74aef8 Move and rename file (r9)) +======= +- Backups are not allowed till the system is healthy (this excludes non-management + affecting alarms). However, a new parameter ``-e ignore_health=true`` can be + added in the ansible playbook to ignore system health and force the backup + to proceed. + + .. warning:: + + Using the ``-e ignore_health=true`` option should be avoided unless + it is required. Restoring an unhealthy backup will result in system issues. + +>>>>>>> CHANGE (42e503 Added Partial Disk (Transparent) Encryption Support via Soft) - All backups are done during off-peak hours (i.e. maintenance window). - Weekly backups should be performed under normal steady state conditions to diff --git a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst index 323df057c..df7dd822e 100644 
--- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst +++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst @@ -162,6 +162,15 @@ Encrypt Kubernetes Secret Data at Rest encrypt-kubernetes-secret-data-at-rest +**************************************************************************** +Partial Disk (Transparent) Encryption Support via Software Encryption (LUKS) +**************************************************************************** + +.. toctree:: + :maxdepth: 1 + + partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c + ********************* Linux Auditing System ********************* diff --git a/doc/source/security/kubernetes/partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c.rst b/doc/source/security/kubernetes/partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c.rst new file mode 100644 index 000000000..da205ad01 --- /dev/null +++ b/doc/source/security/kubernetes/partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c.rst @@ -0,0 +1,18 @@ +.. _partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c: + +============================================================================ +Partial Disk (Transparent) Encryption Support via Software Encryption (LUKS) +============================================================================ + +.. rubric:: |context| + +A new encrypted filesystem using Linux Unified Key Setup (LUKS) is created +automatically on all hosts to store security-sensitive files. This is mounted +at '/var/luks/stx/luks_fs' and the files kept in '/var/luks/stx/luks_fs/controller' +directory are replicated between the controllers. + +.. only:: partner + + .. include:: /_includes/partial-disk-encryption-support-37cf9e2651db.rest + :start-after: begin-partial-disk-encrypt + :end-before: end-partial-disk-encrypt 
diff --git a/doc/source/shared/abbrevs.txt b/doc/source/shared/abbrevs.txt index ac2e3bd91..8d9877398 100755 --- a/doc/source/shared/abbrevs.txt +++ b/doc/source/shared/abbrevs.txt @@ -89,6 +89,7 @@ .. |LDPC| replace:: :abbr:`LDPC (Low-Density Parity Check)` .. |LLDP| replace:: :abbr:`LLDP (Link Layer Discovery Protocol)` .. |LSM| replace:: :abbr:`LSM (Linux Security Modules)` +.. |LUKS| replace:: :abbr:`LUKS (Linux Unified Key Setup)` .. |LVG| replace:: :abbr:`LVG (Local Volume Groups)` .. |MAC| replace:: :abbr:`MAC (Media Access Control)` .. |MEC| replace:: :abbr:`MEC (Multi-access Edge Computing)`
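Review bot: In backing-up-starlingx-system-data.rst, the note added in the first hunk (@@ -18,6 +18,10) says "secured (offsite)", which treats two separate properties as one, and it does not say whether the archive carries the contents of the new LUKS filesystem. The new security page in this same change says security-sensitive files are kept under '/var/luks/stx/luks_fs'. Suggest stating whether those files are included in the backup archive and, if so, whether they are protected inside it, and wording the note as "stored off the system in a location with restricted access".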
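Review bot: In backing-up-starlingx-system-data.rst, the second hunk (@@ -198,6 +202,19) adds unresolved merge conflict markers as content: "<<<<<<< HEAD (74aef8 Move and rename file (r9))", "=======" and ">>>>>>> CHANGE (42e503 ...)". These will be published verbatim and interrupt the bullet list under "Recommended Backup and Retention Policies". Resolve the conflict and drop the three marker lines before merging. The ``ignore_health`` bullet and its warning also look unrelated to the LUKS change named in the commit subject, so confirm they belong in this change. If they stay, "till" should read "until", and "non-management affecting alarms" would be clearer as "alarms that do not affect management".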
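Review bot: In the new file partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c.rst, the context paragraph says the LUKS filesystem is "created automatically on all hosts" and mounted, but does not say how the volume is unlocked or where its key material is held, which is what a reader needs in order to judge what the encryption protects against. Suggest adding a sentence on that, or a pointer to where it is documented. Two style points in the same paragraph: the paths are in single quotes ('/var/luks/stx/luks_fs') where the rest of this patch uses double-backtick literals (as in ``-e ignore_health=true``), and the text spells out "Linux Unified Key Setup (LUKS)" although this change adds the |LUKS| substitution to abbrevs.txt, so the new substitution is not used anywhere in the visible lines.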