-
Notifications
You must be signed in to change notification settings - Fork 258
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(xo-web/VM): display accurate Secure Boot status #7751
base: master
Are you sure you want to change the base?
Conversation
95ed982
to
8542b5c
Compare
</td> | ||
</tr> | ||
)} | ||
{vm.boot.firmware === 'uefi' && semver.satisfies(host?.version, '>=8.3.0') && ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At the moment the warning "This feature is only available for UEFI VMs" is always displayed, this should be fixed when this PR will be merged, thanks to the fix in #7767
const SECUREBOOT_STATUS_MESSAGES = { | ||
disabled: _('secureBootStatusNotEnforced'), | ||
first_boot: _('secureBootStatusPending'), | ||
ready: _('secureBootStatus'), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This displays just "Secure Boot status". I think that it's a mistake and that a secureBootStatusReady
message is missing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Most things work well, but I found a few issues, and there's also something important from the specs that is missing : "This should be displayed both in the general VM view, because it's an important piece of information, and also below the Secure Boot switch in the Advanced view of the VM, updated whenever someone changes the switch's state." (by "general VM view", I meant the VM's "General" tab).
setup_mode: _('secureBootWantedButDisabled'), | ||
certs_incomplete: _('secureBootWantedButCertificatesMissing'), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I initially thought all message identifiers were to start with secureBootStatus
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some identifiers are already pretty long and I wanted to keep a certain consistency, but reading this again I see I failed at that in some of them... Maybe change this one to just secureBootNoDbx
or change them all to start with securebootStatus
> | ||
{_('propagateCertificates')} | ||
</ActionButton> | ||
{isDisabled && ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I read it well, this condition is not enough. It should not display the warning about UEFI being required in the case when the reason why it's disabled is because poolGuestSecurebootReadiness === 'not_ready'
.
As currently implemented, when the pool is not ready for Secure Boot, both warnings are displayed. We should only see one.
}) | ||
} | ||
|
||
await vmSetUefiMode(vm, 'user') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This fails with method not found: vm.setUefiMode
.
In addition to this, the error popup has a "show logs" button, but when clicked it doesn't show any log that is related to the error.
</td> | ||
</tr> | ||
)} | ||
{vm.boot.firmware === 'uefi' && ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it was not very clear in the specs, but the new method that allows to propagate certificates is only available starting with XCP-ng 8.3 (and possibly XenServer 8, but they don't really need it).
1f1ea57
to
30a628f
Compare
packages/xo-server/src/api/pool.mjs
Outdated
} | ||
|
||
getGuestSecureBootReadiness.params = { | ||
pool: { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
name the param as id
instead
@@ -36,6 +36,7 @@ import { | |||
import { CpuSparkLines, MemorySparkLines, NetworkSparkLines, XvdSparkLines } from 'xo-sparklines' | |||
import { injectState, provideState } from 'reaclette' | |||
import { find } from 'lodash' | |||
import { subscribeSecurebootReadiness } from '../../common/xo' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
move this import into the xo
import. Line 15
Co-authored-by: Pierre Donias <pierre.donias@gmail.com>
Co-authored-by: Mathieu <70369997+MathieuRA@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nothing to add.
This will need to be tested again end-to-end after the latest changes.
Don't forget to add xo-server
in the commit message's scope.
Description
Fixes #7495
![secureBootStatus](https://private-user-images.githubusercontent.com/119158464/342390780-fd81fc94-c1d3-4b6c-97cb-b802ac8404e6.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTk3NTEzMjAsIm5iZiI6MTcxOTc1MTAyMCwicGF0aCI6Ii8xMTkxNTg0NjQvMzQyMzkwNzgwLWZkODFmYzk0LWMxZDMtNGI2Yy05N2NiLWI4MDJhYzg0MDRlNi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNjMwJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDYzMFQxMjM3MDBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT02OWFjMzc0YTNiNGI5MDk4ODJkNmU1ZjE3NmZiNGJiMDZjM2ZhNzZmMjU0M2E2MzhhMDE1ZjRhNmYwYzdmZTgzJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.qgg-m6WHiJbiIESIRWhdVkqmJEaxXszk51QHGy0Neqw)
![propagateCertificatesButton](https://private-user-images.githubusercontent.com/119158464/342390820-0fff694b-23ee-478d-99e6-f0899907b583.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTk3NTEzMjAsIm5iZiI6MTcxOTc1MTAyMCwicGF0aCI6Ii8xMTkxNTg0NjQvMzQyMzkwODIwLTBmZmY2OTRiLTIzZWUtNDc4ZC05OWU2LWYwODk5OTA3YjU4My5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNjMwJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDYzMFQxMjM3MDBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1iZjg4ODlmN2JiY2U0YWJmYTdkYTQxZjMxYjVjM2Q5MmFmZDExZTk2YzZiY2MxNTIzYmIzMzJiMGIyZTVlMjg0JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.g8Vi5_TJ2x1aJxr7dqFPC6pC1vXMfBx4aK4KCY1vdRI)
![propagateCertificates](https://private-user-images.githubusercontent.com/119158464/342390839-3025afcd-33a4-4980-9267-01ae09264e68.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTk3NTEzMjAsIm5iZiI6MTcxOTc1MTAyMCwicGF0aCI6Ii8xMTkxNTg0NjQvMzQyMzkwODM5LTMwMjVhZmNkLTMzYTQtNDk4MC05MjY3LTAxYWUwOTI2NGU2OC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjQwNjMwJTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI0MDYzMFQxMjM3MDBaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT02MWNjZTRjNGI3N2VmNjYxOTMyMTZlNjdiOTA3NDk1NDdmYjBjODVjNDA5YWI4NzAyNmY2NjEwOGE0NjM1OWRlJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCZhY3Rvcl9pZD0wJmtleV9pZD0wJnJlcG9faWQ9MCJ9.EmBm8PTRp56VXaZz8GHnOMvZlllOTpVIgJ0VjnR-YCA)
Checklist
Fixes #007
,See xoa-support#42
,See https://...
)Introduced by
CHANGELOG.unreleased.md