To prepare DRBD kernel modules for RHEL 8 nodes

Purpose

This procedure builds the DRBD kernel modules for the running kernel, signs them with a locally generated key whose certificate is enrolled in the Machine Owner Key (MOK) database so that a Secure Boot-enabled kernel accepts them, and installs them so that they load persistently across reboots. It is intended for production clusters, including air-gapped ones.

Perform this procedure if:

  • Secure Boot is enabled on RHEL in an NSP cluster and

  • local or shared storage is used to deploy NSP in a multi-node cluster

The procedure involves the following:

  • creating a signing certificate for kernel modules

  • installing the certificate on the host

  • compiling DRBD kernel modules

  • signing the modules for Secure Boot-enabled system

  • loading the modules persistently

Note: The VMs must have internet access while performing this procedure: the DRBD build uses SPaaS from LINBIT to obtain the kernel-compatibility patch for the running kernel.

When using this procedure, consider the following:

  • You must rebuild, re-sign, and reinstall the modules whenever the kernel is upgraded. The MOK enrollment does not need to be repeated; the same key and certificate can sign the new modules.

  • Keep a copy of the signing key and certificate in a secure location. The private key is created unencrypted, and anyone who can read it can sign modules that these nodes will load.

  • For multiple nodes with different kernels, repeat the build, signing, and installation steps for each kernel version.

Before you begin

Ensure the following:

  • The RHEL 8.x node is running the kernel that you will build for; the kernel-devel and kernel-headers packages installed below must match this version:

    uname -r ↵

  • Packages are installed as follows:

    sudo dnf install kernel-devel-$(uname -r) kernel-headers-$(uname -r) gcc make bc openssl ↵

    In an air-gapped network, install the same packages from an internal repository.

  • DRBD sources (drbd-9.2.14.tar.gz) are available locally or through an internal repository

  • You have root or sudo privileges on the nodes.

Steps

You must perform the following steps on all storage nodes, which are the last three nodes by default.

Note: If you already have a module signing key and certificate and have enrolled the certificate in MOK on this node, go to Step 3.

1. Create a module signing certificate.

  1. Generate a private key and a self-signed certificate for it:

    openssl req -new -x509 -newkey rsa:2048 -keyout /root/drbd_sign.key -out /root/drbd_sign.crt -nodes -days 365 -subj "/CN=DRBD Module Signing/" ↵

    The -nodes option leaves the private key unencrypted, so keep /root/drbd_sign.key readable by root only.

  2. Convert the certificate to DER format, which is what mokutil and the kernel expect:

    openssl x509 -in /root/drbd_sign.crt -outform DER -out /root/drbd_sign.der ↵

  3. Request enrollment of the certificate in the machine's MOK (Machine Owner Key) database:

    sudo mokutil --import /root/drbd_sign.der ↵

  4. Set a password when prompted.

    MOK Manager asks for this one-time password after the reboot to confirm the enrollment.


2. Reboot and enroll the key.

  1. Reboot the host:

    #  sudo reboot ↵

  2. During the reboot, the MOK Manager screen appears:

    1. Select Enroll MOK, then Continue.

    2. Confirm the enrollment and provide the password you set in Step 1.

    3. Select Reboot.

  3. Verify that the key is enrolled:

    mokutil --list-enrolled ↵

    You should see your DRBD module signing certificate listed. If it is not listed, the enrollment did not complete; repeat the import in Step 1 and reboot again.


3. Prepare DRBD sources.

  1. Place the DRBD source tarball in /usr/src and extract it:

    #  cd /usr/src/ ↵

    curl -L http://orbw-artifactory.ca.alcatel-lucent.com:8082/artifactory/alu-orbw-thirdparty-local/drbd/9.2.14/drbd-9.2.14.tar.gz -o drbd-9.2.14.tar.gz ↵

    tar -xzf drbd-9.2.14.tar.gz ↵

    cd drbd-9.2.14/drbd ↵

  2. Clean any previous builds:

    #  make clean ↵


4. Build the kernel modules

Compile the DRBD modules against the running kernel:

#  make all ↵

The build obtains the compatibility patch for the running kernel from LINBIT's SPaaS, which is why internet access is required. The built .ko files are placed in a build-<kernel version> subdirectory of the current directory.

If the build completes without errors, proceed to Step 5.


5. Sign the DRBD modules.

Change to the directory that contains the built modules (build-<kernel version> under /usr/src/drbd-9.2.14/drbd) and sign each module with the sign-file helper shipped in the kernel-devel package, using the key and certificate from Step 1:

cd /usr/src/drbd-9.2.14/drbd/build-$(uname -r) ↵

sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/drbd_sign.key /root/drbd_sign.crt drbd.ko ↵

sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/drbd_sign.key /root/drbd_sign.crt drbd_transport_tcp.ko ↵

sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/drbd_sign.key /root/drbd_sign.crt drbd_transport_rdma.ko ↵

sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 /root/drbd_sign.key /root/drbd_sign.crt drbd_transport_lb-tcp.ko ↵

sign-file appends a signature to each module. A Secure Boot-enabled kernel verifies that signature against the enrolled MOK certificate before it loads the module, so the certificate given here must be the one enrolled in Step 2.


6. Install the modules

  1. Copy the signing key and certificate into the kernel source tree and generate the DER-encoded certificate there. The kernel's modules_install target, which make install runs in Step 7, signs each installed module with certs/signing_key.pem and certs/signing_key.x509, so the installed modules are signed with the same key as in Step 5. The paths below assume that you stored copies of the key and certificate from Step 1 under /opt/nsp/secureboot/; adjust them if the files are still in /root/:

    cp /opt/nsp/secureboot/drbd_sign.crt /usr/src/kernels/$(uname -r)/certs/signing_cert.pem ↵

    cp /opt/nsp/secureboot/drbd_sign.key /usr/src/kernels/$(uname -r)/certs/signing_key.pem ↵

    cd /usr/src/kernels/$(uname -r)/certs ↵

    openssl x509 -in signing_cert.pem -outform DER -out signing_key.x509 ↵

    This places a second copy of the private key on the node; keep it readable by root only and remove it after Step 7 is complete.

  2. Copy the built .ko files and the drbd-kernel-compat directory to the module directory for the running kernel, then refresh the module dependency list:

    KVER=$(uname -r) ↵

    sudo mkdir -p /lib/modules/$KVER/extra/drbd ↵

    cp /usr/src/drbd-9.2.14/drbd/build-$KVER/*.ko /lib/modules/$KVER/extra/drbd/ ↵

    cp -r /usr/src/drbd-9.2.14/drbd/build-$KVER/drbd-kernel-compat /lib/modules/$KVER/extra/drbd/ ↵

    sudo depmod -a ↵


7. Load the modules

  1. Install the modules:

    cd /usr/src/drbd-9.2.14/drbd ↵

    make install ↵

    This runs the kernel's modules_install target, which signs the installed copies with the key placed in the kernel source tree in Step 6. Proceed to the next step if there are no errors.

  2. Load the modules, drbd first; the transport modules depend on it:

    sudo modprobe drbd usermode_helper=disabled ↵

    sudo modprobe drbd_transport_tcp ↵

    sudo modprobe drbd_transport_rdma ↵

    sudo modprobe drbd_transport_lb-tcp ↵

  3. Verify that the modules are loaded:

    lsmod | grep drbd ↵

    You should see drbd and all three transport modules.


8. Enable auto-load on reboot.

Create /etc/modules-load.d/drbd.conf so that the modules are loaded at boot. Dependencies are resolved by modprobe, but listing drbd first keeps the order consistent with Step 7:

cat <<EOF | sudo tee /etc/modules-load.d/drbd.conf
drbd
drbd_transport_tcp
drbd_transport_rdma
drbd_transport_lb-tcp
EOF

Module parameters are not read from modules-load.d. To load drbd with usermode_helper=disabled at boot, as in Step 7, add an options line for drbd in a file under /etc/modprobe.d/.


9. (Optional) Clean up.

Remove the source code and archive to save space. Keep the signing key and certificate; you need them to sign the modules for the next kernel.

rm -rf /usr/src/drbd-9.2.14 ↵

rm -f /usr/src/drbd-9.2.14.tar.gz ↵


10. Verify and troubleshoot as follows.

  • Confirm that the installed modules are signed and that the signer is your certificate:

    modinfo drbd | grep signer ↵

    The signer must be the CN used in Step 1 (DRBD Module Signing). Repeat the check for each transport module.

  • Check the kernel logs:

    dmesg | grep drbd ↵

  • If Secure Boot rejects a module (modprobe fails with a key-related error, typically "Required key not available" or "Key was rejected by service"), ensure that the MOK enrollment succeeded: the certificate must appear in mokutil --list-enrolled, and the modules must have been signed with the matching key. If the certificate is missing, repeat Steps 1 and 2 and then re-sign and reinstall the modules.
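The following script is an added example and is not part of the NSP procedure or of DRBD. It automates the signing in Step 5 and the checks in Step 10: it signs every .ko in the build directory, verifies that sign-file actually appended the kernel's signature trailer, and compares the signer that modinfo reports with the CN from Step 1. It assumes the paths used in this procedure (/root/drbd_sign.key, .crt and .der, and /usr/src/drbd-9.2.14/drbd/build-$(uname -r)); the SAMPLE_MODINFO text is constructed, not captured from a node, so the parsing can be exercised where no module is installed. mokutil --sb-state and mokutil --test-key report the Secure Boot state and whether the DER certificate is enrolled.

```shell
#!/usr/bin/env bash
# Added example (not part of the NSP procedure or of DRBD): sign the built
# DRBD modules, confirm a signature was appended, and check the recorded
# signer against the certificate enrolled in MOK.
# Assumed paths, taken from Steps 1 and 4 of the procedure:
set -u
SIG_MAGIC='~Module signature appended~'   # trailer the kernel looks for on a signed .ko
SIGN_CN='DRBD Module Signing'            # CN from the openssl -subj in Step 1
KEY=/root/drbd_sign.key
CERT=/root/drbd_sign.crt
BUILD_DIR="/usr/src/drbd-9.2.14/drbd/build-$(uname -r)"

# is_signed_ko FILE: succeed if FILE ends with the module-signature trailer.
# sign-file appends a PKCS#7 blob followed by this string; without it the
# module is unsigned and a Secure Boot kernel refuses to load it.
is_signed_ko() {
    [ -f "$1" ] || return 2
    [ "$(tail -c 28 "$1" | tr -d '\n')" = "$SIG_MAGIC" ]
}

# signer_from_modinfo TEXT: the "signer:" field of modinfo output.
signer_from_modinfo() {
    printf '%s\n' "$1" | sed -n 's/^signer:[[:space:]]*//p' | head -n 1
}

# hashalgo_from_modinfo TEXT: the "sig_hashalgo:" field of modinfo output.
hashalgo_from_modinfo() {
    printf '%s\n' "$1" | sed -n 's/^sig_hashalgo:[[:space:]]*//p' | head -n 1
}

# check_signature TEXT EXPECTED_CN: succeed if modinfo output names the
# expected signer and the sha256 digest that sign-file was given in Step 5.
check_signature() {
    local text=$1 expected=$2
    [ "$(signer_from_modinfo "$text")" = "$expected" ] &&
        [ "$(hashalgo_from_modinfo "$text")" = "sha256" ]
}

# sign_all DIR KEY CERT: sign each unsigned .ko in DIR and verify the trailer.
# Already-signed modules are skipped; sign-file would append a second signature.
sign_all() {
    local dir=$1 key=$2 cert=$3 ko
    local signfile="/usr/src/kernels/$(uname -r)/scripts/sign-file"
    [ -x "$signfile" ] || { echo "missing $signfile; install kernel-devel-$(uname -r)" >&2; return 1; }
    for ko in "$dir"/*.ko; do
        [ -e "$ko" ] || continue
        if is_signed_ko "$ko"; then
            echo "already signed, skipping: $ko"
            continue
        fi
        "$signfile" sha256 "$key" "$cert" "$ko" || return 1
        is_signed_ko "$ko" || { echo "no signature trailer after signing: $ko" >&2; return 1; }
        echo "signed: $ko"
    done
}

# Constructed sample of `modinfo drbd` output for a module signed in Step 5;
# the serial in sig_key is made up, not captured from a real node.
SAMPLE_MODINFO='filename:       /lib/modules/4.18.0-553.62.1.el8_10.x86_64/extra/drbd/drbd.ko
license:        GPL
sig_id:         PKCS#7
signer:         DRBD Module Signing
sig_key:        2F:7A:0C:9B:41:D3:58:E6:1A:77:B2:0D:C4:93:6E:85:F1:29:3B:A0
sig_hashalgo:   sha256'

main() {
    local text
    check_signature "$SAMPLE_MODINFO" "$SIGN_CN" && echo "sample modinfo: signer and digest OK"
    # On a storage node after Step 4: sign the freshly built modules.
    if [ -d "$BUILD_DIR" ]; then
        sign_all "$BUILD_DIR" "$KEY" "$CERT" || echo "signing failed" >&2
    fi
    # After Step 7: check the installed module and the Secure Boot / MOK state.
    if command -v modinfo >/dev/null 2>&1 && text=$(modinfo drbd 2>/dev/null); then
        if check_signature "$text" "$SIGN_CN"; then
            echo "installed drbd.ko is signed by '$SIGN_CN' with sha256"
        else
            echo "installed drbd.ko is NOT signed by '$SIGN_CN'; Secure Boot will reject it" >&2
        fi
    fi
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state                                                    # SecureBoot enabled or disabled
        [ -r /root/drbd_sign.der ] && mokutil --test-key /root/drbd_sign.der  # enrolled or not
    fi
    return 0
}

main
```

Run it as root after Step 4 to sign the modules and again after Step 7 to verify them. A module that fails is_signed_ko was never signed; a module whose modinfo signer is not your CN was signed with a different key and will be refused by the Secure Boot kernel even though a signature is present.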

End of steps