feat: Harden ipxe-examples phase 1 #103
Conversation
Pull request overview
This PR focuses on “zero-trust” hardening for the Vagrant-based iPXE Harvester example by pinning and verifying downloaded artifacts (checksums/digests), and by removing the deprecated airgap iPXE example.
Changes:
- Add SHA512 verification for Harvester artifacts (ISO/kernel/initrd/rootfs) using a provided .sha512 file.
- Vendor iPXE binaries behind an artifact server with SHA256 verification (with an unverified boot.ipxe.org fallback).
- Pin Rancher dependencies (K3s/Helm) and MinIO to immutable versions/checksums, and remove the vagrant-pxe-airgap-harvester example tree.
Reviewed changes
Copilot reviewed 63 out of 63 changed files in this pull request and generated 5 comments.
Summary per file
| File | Description |
|---|---|
| vagrant-pxe-harvester/settings.yml | Adds Harvester SHA512 checksum URL + timeouts, introduces iPXE artifact-server + checksums, pins Rancher/K3s/Helm + MinIO digest. |
| vagrant-pxe-harvester/ansible/setup_rancher.yml | Switches to checksum-verified K3s/Helm downloads and pinned versions. |
| vagrant-pxe-harvester/ansible/roles/s3/tasks/main.yml | Pins MinIO image by digest instead of :latest. |
| vagrant-pxe-harvester/ansible/roles/ipxe/tasks/main.yml | Downloads iPXE binaries from artifact server with checksum verification; falls back to boot.ipxe.org. |
| vagrant-pxe-harvester/ansible/roles/harvester/tasks/main.yml | Downloads/parses Harvester .sha512 file to enable artifact verification. |
| vagrant-pxe-harvester/ansible/roles/harvester/tasks/_download_media.yml | Enforces checksum presence + validates SHA512 for local/remote Harvester media downloads. |
| vagrant-pxe-harvester/README.md | Documents vendoring iPXE binaries and updating checksums. |
| vagrant-pxe-airgap-harvester/setup_harvester.sh | Removed deprecated airgap example script. |
| vagrant-pxe-airgap-harvester/settings.yml | Removed deprecated airgap settings. |
| vagrant-pxe-airgap-harvester/reinstall_harvester_node.sh | Removed deprecated airgap helper. |
| vagrant-pxe-airgap-harvester/makefile-helper.sh | Removed deprecated airgap helper. |
| vagrant-pxe-airgap-harvester/inventory | Removed deprecated airgap inventory. |
| vagrant-pxe-airgap-harvester/inventories/vagrant | Removed deprecated airgap inventory. |
| vagrant-pxe-airgap-harvester/ansible/setup_rancher_node.yml | Removed deprecated airgap playbook. |
| vagrant-pxe-airgap-harvester/ansible/setup_pxe_server.yml | Removed deprecated airgap playbook. |
| vagrant-pxe-airgap-harvester/ansible/setup_harvester.yml | Removed deprecated airgap playbook. |
| vagrant-pxe-airgap-harvester/ansible/roles/tftp/templates/tftpd-hpa.j2 | Removed deprecated airgap TFTP template. |
| vagrant-pxe-airgap-harvester/ansible/roles/tftp/tasks/main.yml | Removed deprecated airgap TFTP role tasks. |
| vagrant-pxe-airgap-harvester/ansible/roles/tftp/handlers/main.yml | Removed deprecated airgap TFTP handlers. |
| vagrant-pxe-airgap-harvester/ansible/roles/rancher/templates/deployment-coredns.yaml.j2 | Removed deprecated airgap Rancher template. |
| vagrant-pxe-airgap-harvester/ansible/roles/rancher/templates/configmap-coredns.yaml.j2 | Removed deprecated airgap Rancher template. |
| vagrant-pxe-airgap-harvester/ansible/roles/rancher/templates/avahi-daemon.conf.j2 | Removed deprecated airgap Rancher template. |
| vagrant-pxe-airgap-harvester/ansible/roles/rancher/tasks/main.yml | Removed deprecated airgap Rancher role implementation. |
| vagrant-pxe-airgap-harvester/ansible/roles/rancher/files/registries-yaml-edit.yaml | Removed deprecated airgap Rancher file. |
| vagrant-pxe-airgap-harvester/ansible/roles/rancher/files/get-rancher-scripts.sh | Removed deprecated airgap Rancher helper. |
| vagrant-pxe-airgap-harvester/ansible/roles/rancher/files/docker-compose.yaml | Removed deprecated airgap registry compose file. |
| vagrant-pxe-airgap-harvester/ansible/roles/rancher/files/create-self-signed-cert.sh | Removed deprecated airgap cert helper. |
| vagrant-pxe-airgap-harvester/ansible/roles/proxy/tasks/main.yml | Removed deprecated airgap proxy role tasks. |
| vagrant-pxe-airgap-harvester/ansible/roles/proxy/handlers/main.yml | Removed deprecated airgap proxy handlers. |
| vagrant-pxe-airgap-harvester/ansible/roles/proxy/files/default | Removed deprecated airgap proxy config. |
| vagrant-pxe-airgap-harvester/ansible/roles/ipxe/tasks/main.yml | Removed deprecated airgap iPXE role tasks. |
| vagrant-pxe-airgap-harvester/ansible/roles/ipxe/files/init.ipxe | Removed deprecated airgap iPXE init script. |
| vagrant-pxe-airgap-harvester/ansible/roles/https/templates/openssl.conf.j2 | Removed deprecated airgap HTTPS template. |
| vagrant-pxe-airgap-harvester/ansible/roles/https/tasks/main.yml | Removed deprecated airgap HTTPS role tasks. |
| vagrant-pxe-airgap-harvester/ansible/roles/https/meta/main.yaml | Removed deprecated airgap HTTPS role metadata. |
| vagrant-pxe-airgap-harvester/ansible/roles/https/files/ssl-params.conf | Removed deprecated airgap HTTPS snippet. |
| vagrant-pxe-airgap-harvester/ansible/roles/https/files/self-signed.conf | Removed deprecated airgap HTTPS snippet. |
| vagrant-pxe-airgap-harvester/ansible/roles/https/files/https | Removed deprecated airgap HTTPS site config. |
| vagrant-pxe-airgap-harvester/ansible/roles/http/tasks/main.yml | Removed deprecated airgap HTTP role tasks. |
| vagrant-pxe-airgap-harvester/ansible/roles/http/handlers/main.yml | Removed deprecated airgap HTTP handlers. |
| vagrant-pxe-airgap-harvester/ansible/roles/http/files/default | Removed deprecated airgap HTTP site config. |
| vagrant-pxe-airgap-harvester/ansible/roles/harvester/templates/registries-edit.yaml.j2 | Removed deprecated airgap Harvester template. |
| vagrant-pxe-airgap-harvester/ansible/roles/harvester/templates/ipxe-join.j2 | Removed deprecated airgap Harvester iPXE template. |
| vagrant-pxe-airgap-harvester/ansible/roles/harvester/templates/ipxe-create.j2 | Removed deprecated airgap Harvester iPXE template. |
| vagrant-pxe-airgap-harvester/ansible/roles/harvester/templates/deployment-rke2-coredns-rke2-coredns.yaml.j2 | Removed deprecated airgap Harvester template. |
| vagrant-pxe-airgap-harvester/ansible/roles/harvester/templates/configmap-rke2-coredns-rke2-coredns.yaml.j2 | Removed deprecated airgap Harvester template. |
| vagrant-pxe-airgap-harvester/ansible/roles/harvester/templates/config-join.yaml.j2 | Removed deprecated airgap Harvester template. |
| vagrant-pxe-airgap-harvester/ansible/roles/harvester/templates/config-create.yaml.j2 | Removed deprecated airgap Harvester template. |
| vagrant-pxe-airgap-harvester/ansible/roles/harvester/tasks/main.yml | Removed deprecated airgap Harvester role tasks. |
| vagrant-pxe-airgap-harvester/ansible/roles/harvester/tasks/_download_media.yml | Removed deprecated airgap Harvester media download tasks. |
| vagrant-pxe-airgap-harvester/ansible/roles/dhcp/templates/dhcpd.conf.j2 | Removed deprecated airgap DHCP template. |
| vagrant-pxe-airgap-harvester/ansible/roles/dhcp/tasks/main.yml | Removed deprecated airgap DHCP role tasks. |
| vagrant-pxe-airgap-harvester/ansible/roles/dhcp/handlers/main.yml | Removed deprecated airgap DHCP handlers. |
| vagrant-pxe-airgap-harvester/ansible/roles/dhcp/files/isc-dhcp-server | Removed deprecated airgap DHCP config. |
| vagrant-pxe-airgap-harvester/ansible/roles/dhcp/files/ipxe.conf | Removed deprecated airgap DHCP iPXE options. |
| vagrant-pxe-airgap-harvester/ansible/reinstall_harvester_node.yml | Removed deprecated airgap playbook. |
| vagrant-pxe-airgap-harvester/ansible/prepare_harvester_nodes.yml | Removed deprecated airgap playbook. |
| vagrant-pxe-airgap-harvester/ansible/boot_harvester_node.yml | Removed deprecated airgap playbook. |
| vagrant-pxe-airgap-harvester/ansible/adjust_harvester_nodes.yml | Removed deprecated airgap playbook. |
| vagrant-pxe-airgap-harvester/ansible.cfg | Removed deprecated airgap Ansible config. |
| vagrant-pxe-airgap-harvester/Vagrantfile | Removed deprecated airgap Vagrant environment. |
| vagrant-pxe-airgap-harvester/README.md | Removed deprecated airgap documentation. |
| vagrant-pxe-airgap-harvester/Makefile | Removed deprecated airgap Makefile. |
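The review summary above describes the core of the change: a .sha512 manifest is downloaded and each Harvester media file is checked against it before it is served to PXE clients. As an added example (not code from the ipxe-examples repository or from this PR), here is that verification written in Python so it runs offline. File names, manifest contents and the function names are all constructed for the example; the Ansible roles define none of them. It fails closed on the cases a plain digest comparison does not cover: a file the manifest never lists, a malformed digest, and a manifest that lists one name twice with conflicting values.

```python
"""Verify downloaded boot media against a sha512sum-style manifest.

Added example, not code from the ipxe-examples repository. It mirrors the
Harvester flow this PR introduces (a .sha512 file is downloaded and every
ISO/kernel/initrd/rootfs file is checked against it) and fails closed on
three things a bare digest comparison will not catch for you: a file with no
manifest entry, a malformed digest, and a manifest that lists a name twice
with conflicting values. All sample data below is constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

_HEX128 = re.compile(r"^[0-9a-f]{128}$")
# sha512sum writes "<digest>  <name>" (text mode) or "<digest> *<name>" (binary mode).
_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")


class ChecksumError(Exception):
    """Base class: any of these must fail the provisioning task."""


class MissingEntry(ChecksumError):
    """The manifest has no line for the file we downloaded."""


class DigestMismatch(ChecksumError):
    """The file's content does not match the manifest."""


def parse_sha512_manifest(text: str) -> dict[str, str]:
    """Return {basename: lowercase hex digest}; raise on anything ambiguous."""
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ChecksumError(f"line {lineno}: not '<digest>  <filename>': {raw!r}")
        digest, name = m.group(1).lower(), Path(m.group(2).strip()).name
        if not _HEX128.match(digest):
            raise ChecksumError(f"line {lineno}: {name}: digest is not 128 hex characters")
        if entries.get(name, digest) != digest:
            raise ChecksumError(f"line {lineno}: {name} listed twice with different digests")
        entries[name] = digest
    return entries


def sha512_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file; ISOs are multi-GB, so never read them into memory at once."""
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_digest(name: str, actual: str, manifest: dict[str, str]) -> str:
    """Compare one computed digest against the manifest; return it on success."""
    if name not in manifest:
        raise MissingEntry(f"{name}: no sha512 entry in manifest, refusing unverified media")
    expected = manifest[name]
    if actual != expected:
        raise DigestMismatch(f"{name}: expected {expected[:16]}..., got {actual[:16]}...")
    return actual


def verify_artifact(path: Path, manifest: dict[str, str]) -> str:
    return check_digest(path.name, sha512_of_file(path), manifest)


def verify_bytes(data: bytes, name: str, manifest: dict[str, str]) -> str:
    return check_digest(name, hashlib.sha512(data).hexdigest(), manifest)


def demo() -> dict[str, str]:
    """Constructed run: a good ISO, a kernel swapped after the manifest was written,
    and a rootfs the manifest never listed. Returns an outcome per file."""
    outcomes: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as d:
        media = Path(d)
        iso = media / "harvester-amd64.iso"
        kernel = media / "harvester-vmlinuz-amd64"
        rootfs = media / "harvester-rootfs-amd64.squashfs"
        iso.write_bytes(b"constructed ISO payload, not a real image\n")
        kernel.write_bytes(b"constructed kernel payload\n")
        rootfs.write_bytes(b"constructed rootfs payload\n")
        manifest = parse_sha512_manifest(
            f"{sha512_of_file(iso)}  ./{iso.name}\n"  # correct; path prefix as sha512sum emits
            f"{'0' * 128} *{kernel.name}\n"            # binary-mode line with a stale digest
        )
        for path in (iso, kernel, rootfs):
            try:
                verify_artifact(path, manifest)
                outcomes[path.name] = "ok"
            except MissingEntry:
                outcomes[path.name] = "missing"
            except DigestMismatch:
                outcomes[path.name] = "mismatch"
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{result:9} {name}")
```

In the Ansible roles the comparison itself is done by get_url's checksum argument, so the part worth carrying over is the lookup: a manifest entry that is absent must raise and stop the play, never degrade to an empty value that is passed through to the task. Keep in mind what this verifies: a manifest fetched from the same server as the media proves the download is intact, not that the server is honest; pinning the digests in settings.yml is what turns it into an authenticity check.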
| get_url: | ||
| url: "{{ harvester_media_url }}" | ||
| dest: /var/www/harvester/{{ media_filename }} | ||
| checksum: "sha512:{{ expected_checksum }}" | ||
| timeout: "{{ harvester_iso_download_and_sha512_check_timeout_seconds }}" |
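Review bot: the `checksum: "sha512:{{ expected_checksum }}"` line compares against a value parsed out of the .sha512 file that the same role downloads (see the harvester tasks/main.yml summary), so it proves the media matches what that server published and catches truncation or corruption, but not a compromise that replaces the media and the manifest together. Pin the expected digests in settings.yml, or fetch the .sha512 from a separately trusted location, so the comparison is against a value committed in the repo; and confirm the presence check in _download_media.yml runs before this task so an empty expected_checksum can never reach the checksum argument.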
timeout references harvester_iso_download_and_sha512_check_timeout_seconds as a bare variable, but this playbook passes configuration under the settings dict (see Vagrantfile extra_vars). This will raise an undefined-variable error at runtime. Use settings['harvester_iso_download_and_sha512_check_timeout_seconds'] (or set a role var default) so the value is actually found.
| - name: Install k3s using install script with pre-downloaded binary | ||
| shell: INSTALL_K3S_SKIP_DOWNLOAD=true /tmp/k3s-install.sh | ||
| environment: | ||
| INSTALL_K3S_CHANNEL: "{{ settings.rancher_config.k3s_channel }}" | ||
| INSTALL_K3S_VERSION: "{{ settings.rancher_config.k3s_version }}" | ||
| INSTALL_K3S_BIN_DIR: /tmp | ||
| - name: Download helm tarball |
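Review bot: `/tmp/k3s-install.sh` is executed as root from a world-writable directory, and the lines shown do not show how that script was fetched or whether it was checksum-verified; it should be pinned and verified like the k3s binary it installs, or vendored into the role's files/. Separately, the `INSTALL_K3S_SKIP_DOWNLOAD=true` prefix is the only reason this task needs `shell:`; move it into the `environment:` block alongside the other INSTALL_K3S_* variables and use `command:` instead.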
K3s is being installed with INSTALL_K3S_BIN_DIR: /tmp, which will place the installed k3s binary (and systemd unit references) under /tmp. /tmp is not persistent across reboots and may be mounted as tmpfs, so the Rancher VM can break after restart. Install k3s into a persistent location (typically /usr/local/bin) and only use /tmp as a download staging dir.
| version: v2.13.0 | ||
| k3s_channel: v1.34 | ||
| repo: https://releases.rancher.com/server-charts/latest |
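Review bot: `version: v2.13.0` pins which Rancher chart version is requested, but nothing here pins the chart content; `repo: https://releases.rancher.com/server-charts/latest` is a mutable index, and a chart can be re-published under the same version string. For parity with the K3s and Helm binaries, record the chart tarball's sha256 (taken from a `helm pull` at the time of pinning) in settings.yml and verify it before install, or use `helm pull --verify` if the chart ships a provenance file.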
rancher_config.k3s_channel is still present/updated in settings.yml, but it is no longer referenced anywhere in vagrant-pxe-harvester (the install now uses k3s_version). Leaving an unused setting is confusing and makes future updates error-prone. Either remove k3s_channel from the config or wire it back into the installation logic/documentation.
| ipxe_config: | ||
| # Empty = use boot.ipxe.org directly (not recommended) | ||
| artifact_server: "http://10.115.1.6/iso/ipxe-binaries-for-vagrant/2026-03-27/" | ||
|
|
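Review bot: `artifact_server` defaults to plain http:// and, per the PR summary, a fetch failure falls back to boot.ipxe.org with no checksum at all, so an unreachable artifact server silently downgrades the boot chain to unverified binaries, and the bootloader is the one artifact every later checksum depends on. Make the fallback opt-in (for example a hypothetical `allow_unverified_fallback: false` default that fails the role when the artifact server is down), and note in the README that HTTP to the private artifact server is acceptable only because every file it serves is pinned by sha256.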
The default ipxe_config.artifact_server points at a specific private IP (10.115.1.6). For most users this will be unreachable and will break provisioning by default. Consider defaulting artifact_server to an empty string (so it falls back to boot.ipxe.org) and documenting how to set a local artifact server for checksum-verified installs.
| # Version: iPXE 2.0.0+ (g6d2f6) - downloaded from boot.ipxe.org on 2026-03-27 | ||
| # | ||
| # Set ipxe_artifact_server to empty string to use boot.ipxe.org directly , we shouldn't | ||
| # |
This comment is incomplete/unclear: “Set ipxe_artifact_server to empty string to use boot.ipxe.org directly , we shouldn't”. Please rewrite it to explicitly state the recommended default and why using boot.ipxe.org is discouraged (e.g., lack of published checksums).
97400ea to 77ae20b
* harvester artifacts now are checked against their 512 checksums
* minio community edition shifted from using "latest" to using a tagged release
* minio community edition shifted from using the version to the tagged release sha256 checksum
* helm shifted to using a tagged version instead of the latest release for Rancher
* helm shifted to using sha256 checksum for validation of tagged version instead of version
* k3s now utilizing the set version and to perform the sha256 checksum of that
* remove/deprecate: airgap ipxe-examples, too many issues, too many problems with such deep nested virtualization tied to a single host, we have airgap methodologies in place elsewhere

Resolves: feat/harden-ipxe-examples-phase1
Signed-off-by: Mike Russell <michael.russell@suse.com>
77ae20b to cfb57c1
* Pin Vagrant box version.

Related-to: feat/harden-ipxe-examples-phase1
Signed-off-by: Moritz Röhrich <moritz.rohrich@suse.com>
Resolves: feat/harden-ipxe-examples-phase1
Problem:
zero-trust hardening
Solution:
harden
Related Issue(s):
n/a
Test plan:
provision w/ minio & rancher single node - see that things are accessible
Additional documentation or context
Removing the vagrant pxe examples airgap: it isn't useful, it's got too many problems. Most of the problems stem from trying to run multiple levels of nested virtualization that's tied to one singular host; currently our loadout with vagrant only supports one host, not a cluster of hosts, as we typically just use this for quick temporary environments.
We have airgap methodologies that exist for provisioning on bare metal, to align us more with users.
Potentially harvester-on-harvester airgapping could take place later with nested Harvester clusters, but that would be something to audit later.