To prepare DRBD kernel modules for RHEL 9 nodes

Purpose

This process ensures that DRBD modules are signed, persistent, and Secure Boot-compliant, appropriate for air-gapped or production clusters.

You need to create and import a new signing certificate and key for the system only if one has not already been imported with mokutil.

Enter the following command to verify if a signing certificate and key need to be created and imported:

mokutil --list-enrolled ↵

If they have already been imported into mokutil, you do not need to perform this procedure.

Perform this procedure if the following apply:

  • Secure Boot is enabled on RHEL in an NSP cluster

  • local or shared storage is used to deploy NSP in a multi-node cluster

The procedure involves the following:

  • creating a signing certificate for kernel modules

  • installing the certificate on the host

  • compiling DRBD kernel modules

  • signing the modules for Secure Boot-enabled systems

  • loading the modules persistently

When using this procedure, consider the following:

  • You must rebuild modules when a kernel is upgraded.

  • Maintain a copy of the signing keys in a secure location.

  • For multiple nodes with different kernels, repeat this process per kernel version.

Note: Perform this procedure again after a kernel upgrade, because the modules must be rebuilt and re-signed for the new kernel.

Ensure that the latest RPMs (kernel-headers and kernel-devel) are installed as described in Before you begin.

Before you begin

Ensure the following:

  • The kernel packages installed on the RHEL 9.x node match the running kernel version, which you can check with:

    uname -r ↵

  • When you are installing RHEL with your own RHEL images, install packages as follows:

    sudo dnf install kernel-devel-$(uname -r) kernel-headers-$(uname -r) gcc make bc openssl ↵

    Offline installation is possible in an air-gapped network.

  • You have root or sudo privileges on the nodes.

Steps

You must perform the following steps on all storage nodes, which are the last three nodes by default.


Create a module signing certificate.

  1. Generate the private key and signing certificate:

    openssl req -x509 -newkey rsa:4096 -utf8 -sha256 -days 36500 -nodes -batch -outform DER -out signing_key.x509 -keyout signing_key.pem -subj "/CN=Piraeus Datastore kernel module signing key" ↵

  2. Copy the private key and certificate generated in step 1 to all storage nodes and the deployer.

    Note: In Secure Boot, enable setup.

    The keys and certificate are required when you install Kubernetes secrets on the deployer host.

  3. Import the key into the machine’s MOK (Machine Owner Key) database.

    Perform this step on all storage nodes.

    sudo mokutil --import /root/signing_key.x509 ↵

  4. Set a password when prompted.

    This is required after the reboot to enroll the key.


Reboot and enroll the key.

  1. Reboot the host:

    sudo reboot ↵

  2. During the reboot, the MOK manager appears:

    1. Select Enroll key.

    2. Provide the password that you set when importing the key with mokutil.

    3. Confirm the password and reboot.

  3. Verify the key is enrolled:

    mokutil --list-enrolled ↵

    You should see your DRBD module signing certificate listed.
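The check described in Purpose (whether the certificate is already enrolled) and the verification above can be scripted. The following is an added example, not part of the original procedure: it compares the SHA1 fingerprint of signing_key.x509 against the fingerprints that mokutil --list-enrolled reports, and only suggests an import when the certificate is missing. The sample listing embedded below is constructed for illustration, not real key material.

```shell
#!/bin/sh
# Decide whether signing_key.x509 still has to be enrolled in MOK.
# Assumes openssl and mokutil are installed on the storage node.

# Print the lower-case SHA1 fingerprint (aa:bb:...) of a DER certificate.
cert_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Read a `mokutil --list-enrolled` listing on stdin; return 0 when the
# fingerprint given as $1 is one of the enrolled keys.
mok_listing_has() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    grep '^SHA1 Fingerprint:' \
        | sed 's/^SHA1 Fingerprint: *//' | tr 'A-F' 'a-f' \
        | grep -qxF "$want"
}

# Constructed sample of `mokutil --list-enrolled` output for testing only.
SAMPLE_LISTING='[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN=Piraeus Datastore kernel module signing key
[key 2]
SHA1 Fingerprint: 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa:99:88:77:66
Certificate:
    Data:
        Subject: CN=Some other vendor key'

# On a real node: exit 0 if already enrolled, 1 if an import is needed,
# 2 if the certificate file cannot be read.
check_enrolled() {
    cert=$1
    fp=$(cert_fingerprint "$cert") || return 2
    if mokutil --list-enrolled | mok_listing_has "$fp"; then
        echo "already enrolled in MOK: $fp"
        return 0
    fi
    echo "not enrolled; run: sudo mokutil --import $cert (then reboot)"
    return 1
}
```

Run check_enrolled /root/signing_key.x509 on each storage node before importing; a return value of 1 means the import and MOK enrollment steps above are still required.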

End of steps