Merge pull request lxc#480 from gibmat/add-system-docs

Add system configuration docs

Author: stgraber

doc/.wordlist.txt

@@ -5,7 +5,9 @@ customizer
 db
 dbx
 DCO
+decrypt
 DHCP
+DNS
 ECDSA
 FAT
 formatters
@@ -14,6 +16,7 @@ GiB
 Github
 Incus
 IncusOS
+IPv
 iSCSI
 ISO
 JSON
@@ -24,19 +27,24 @@ LLDP
 LLMs
 LUKS
 LVM
+MAC
+MACs
 MOK
+MTU
 Multipath
 Netbird
 NTP
 NVMe
 OEM
 OVN
 OVS
+parsable
 PCR
 PCRs
 PK
 preseed
 Proxmox
+raidz
 RSA
 SLAAC
 struct
@@ -53,6 +61,7 @@ UEFI
 UKI
 USBIP
 VLAN
+VLANs
 VMware
 YAML
 ZFS

doc/reference/api.md

@@ -1,7 +1,9 @@
 # REST API
 
-**WARNING** The IncusOS debug API endpoints have no guarantee of API stability, and should not be used
+```{warning}
+The IncusOS debug API endpoints have no guarantee of API stability, and should not be used
 in normal day-to-day operations.
+```
 
 <link rel="stylesheet" type="text/css" href="../../_static/swagger-ui/swagger-ui.css" ></link>
 <link rel="stylesheet" type="text/css" href="../../_static/swagger-override.css" ></link>

doc/reference/system.md

@@ -3,8 +3,11 @@
 ```{toctree}
 :maxdepth: 1
 
+Backup/Restore </reference/system/backup>
 Logging </reference/system/logging>
 Network </reference/system/network>
+Power </reference/system/power>
+Providers </reference/system/providers>
 Resources </reference/system/resources>
 Security </reference/system/security>
 Storage </reference/system/storage>

doc/reference/system/backup.md

@@ -0,0 +1,75 @@
+# Backup/Restore
+
+IncusOS can perform a system-level backup of its configuration and state. This backup can then be restored at a later point in time. Additionally, a full factory reset can be performed which will bring IncusOS back to a clean state as if it had just been installed.
+
+```{important}
+The system-level backup doesn't include information from any installed applications. Each application has its own backup/restore functionality which can be used in conjunction with the system-level backup to perform a comprehensive system backup.
+```
+
+## Backup
+
+```{important}
+An IncusOS backup will contain its current state as well as copies of the encryption key(s) for any local storage pool(s). As such, the backup should not be stored in any publicly-accessible location.
+```
+
+Create the backup by running
+
+```
+incus admin os system backup backup.tar.gz
+```
+
+## Restore
+
+```{warning}
+Restoring a backup will overwrite any existing OS-level state and potentially one or more encryption keys. As such, use caution when restoring.
+```
+
+### Configuration options
+
+The following "skip" options can be set when restoring a backup:
+
+* `encryption-recovery-keys`: Don't overwrite any existing main system drive encryption recovery keys.
+
+* `local-data-encryption-key`: Don't overwrite the local storage pool's encryption key.
+
+* `network-macs`: Don't use any hard-coded MACs from the backup, but rather attempt to determine the proper MACs from the existing interfaces.
+
+### Examples
+
+Restore the back up by running
+
+```
+incus admin os system restore backup.tar.gz
+```
+
+## Factory reset
+
+```{warning}
+A factory reset will erase all data on the main system drive. This includes any installed applications, their configuration and the system-level state and configuration.
+
+User-created local storage pools will be untouched, but will be unable to be imported when the system reboots. Be certain you have a copy of each local storage pool's encryption key __before__ performing the factory reset.
+```
+
+### Configuration options
+
+The following configuration options can be set when performing a factory reset:
+
+*`allow_tpm_reset_failure`: If `true`, ignore failures when resetting TPM state.
+
+* `seeds`: A map of seeds to write to the seed partition just before rebooting the system. This can be useful to change/update existing seed data when the system configures itself after booting.
+
+* `wipe_existing_seeds`: If `true`, wipe any existing seed data that may be present in the seed partition.
+
+### Examples
+
+Perform a basic reset that will reuse any existing seed data by running
+
+```
+incus admin os system factory-reset
+```
+
+Perform a reset that allows TPM failure, wipes any existing seeds, and configures a basic Incus application upon reboot by running
+
+```
+incus admin os system factory-reset -d '{"allow_tpm_reset_failure":true,"wipe_existing_seeds":true,"seeds":{"incus":{"apply_defaults":true}}}'
+```

doc/reference/system/logging.md

@@ -1 +1,13 @@
 # Logging
+
+IncusOS can be configured to log to a remote syslog server.
+
+## Configuration options
+
+The following configuration options can be set:
+
+* `address`: The remote syslog server IP address.
+
+* `protocol`: The protocol to use when connecting to the remote syslog server.
+
+* `log_format`: The format of log entries to use.

doc/reference/system/network.md

@@ -1 +1,87 @@
 # Network
+
+IncusOS supports complex network configurations consisting of interfaces, bonds, and VLANs. By default, IncusOS will configure each discovered interface to automatically acquire IPv4/IPv6 addresses, DNS, and NTP information from the local network. More complex network setups can be configured via an [install seed](../seed.md), or post-install via the network API.
+
+Before applying any new/updated network configuration, basic validation checks are performed. If this check fails, or the network fails to come up properly as reported by `systemd-networkd`, the changes will be reverted to minimize the chance of accidentally knocking the IncusOS system offline.
+
+Be aware that changing network configuration may result in a brief period of time when the system is unreachable over the network.
+
+## Configuration options
+
+Interfaces, bonds, and VLANs have a significant number of fields, which are largely self-descriptive and can be viewed in the [API definition](https://github.com/lxc/incus-os/blob/main/incus-osd/api/system_network.go).
+
+One special feature of note is the handling of hardware addresses (MACs). Both interfaces and bonds associate their configuration with the hardware address, which can be specified in two ways:
+
+* Raw MAC: Specify the hardware address directly, such as `10:66:6a:e5:6a:1c`.
+
+* Interface name: If an interface name is provided, such as `enp5s0`, at startup IncusOS will attempt to get its MAC address and substitute that value in the configuration. This is useful when installing IncusOS across multiple physically identical servers with only a single [install seed](../seed.md).
+
+The following configuration options can be set:
+
+* `interfaces`: Zero or more interfaces that should be configured for the system.
+
+* `bonds`: Zero or more bonds that should be configured for the system.
+
+* `vlans`: Zero or more VLANs that should be configured for the system.
+
+* `dns`: Optionally, configure custom DNS information for the system.
+
+* `ntp`: Optionally, configure custom NTP server(s) for the system.
+
+* `proxy`: Optionally, configure a proxy for the system.
+
+### Examples
+
+Configure two network interfaces, one with IPv4 and the other with IPv6:
+
+```
+{
+    "interfaces": [
+        {"name": "ip4iface",
+         "hwaddr": "enp5s0",
+         "addresses": ["dhcp4"]},
+        {"name": "ip6iface",
+         "hwaddr": "enp6s0",
+         "addresses": ["slaac"]}
+    ]
+}
+```
+
+Configure a VLAN with ID 123 on top of an active-backup bond composed of two interfaces with MTU of 9000 and LLDP enabled:
+
+```
+{
+    "bonds": [
+        {"name:", "management",
+         "mode": "active-backup",
+         "mtu": 9000,
+         "lldp": true,
+         "members": ["enp5s0", "enp6s0"],
+         "roles": ["management", "interfaces"]
+        }
+    ],
+    "vlans": [
+        {"name": "uplink",
+         "parent": "management",
+         "id": 123,
+         "addresses": ["dhcp4", "slaac"]
+        }
+    ]
+}
+```
+
+Configure custom DNS and NTP for IncusOS:
+
+```
+{
+    "dns": {
+        "hostname": "server01",
+        "domain": "example.com",
+        "search_domains": ["example.com", "example.org"],
+        "nameservers": ["ns1.example.com", "ns2.example.com"]
+    },
+    "ntp": {
+        "timeservers": ["ntp.example.com"]
+    }
+}
+```

doc/reference/system/power.md

@@ -0,0 +1,17 @@
+# Power
+
+## Rebooting IncusOS
+
+IncusOS can be rebooted via
+
+```
+incus admin os system reboot
+```
+
+## Powering off IncusOS
+
+IncusOS can be safely powered off via
+
+```
+incus admin os system poweroff
+```

doc/reference/system/providers.md

@@ -0,0 +1,15 @@
+# Providers
+
+IncusOS receives [updates](update.md) from the currently configured provider. Two providers are supported:
+
+* `images`: The default IncusOS provider, which fetches updates from the [Linux Containers {abbr}`CDN (Content Delivery Network)`](https://images.linuxcontainers.org/os/).
+
+* `operations-center`: When IncusOS is deployed in a managed environment controlled by [Operations Center](../applications/operations-center.md), it is registered with the `operations-center` provider. This allows an administrator to centrally control all IncusOS systems, even in restricted or air-gaped environments that may not have Internet access.
+
+## Configuration options
+
+The following configuration options can be set:
+
+* `name`: The name of the provider. One of `images`, `operations-center`, or `local`. `local` is intended for use by developers working on IncusOS.
+
+* `config`: A map of provider-specific configuration key-value pairs.

doc/reference/system/resources.md

@@ -1 +1,11 @@
 # Resources
+
+A detailed low-level dump of information about the IncusOS system hardware can be obtained by running
+
+```
+incus admin os system show resources
+```
+
+## Configuration options
+
+There are no configuration options for this read-only system information.

doc/reference/system/security.md

@@ -1 +1,25 @@
 # Security
+
+IncusOS has a fairly robust [security setup](../security.md) that is enforced on all systems. Under normal operation, IncusOS relies on the TPM to automatically unlock the main system drive, which in turn holds the encryption keys for any [local storage pools](storage.md).
+
+As part of its first boot, IncusOS generates a strong recovery key that can be used to decrypt the main system drive in recovery scenarios, such accidental TPM reset or needing to perform offline data recovery. Additional recovery keys can be added if desired. It is imperative to protect the recovery key(s) in a manner consistent with the importance of data stored on the corresponding IncusOS system.
+
+The recovery key(s) can be retrieved by running
+
+```
+incus admin os system show security
+```
+
+## Configuration options
+
+The following configuration options can be set:
+
+* `encryption_recovery_keys`: An array of one or more encryption recovery keys for the IncusOS main system drive. At least one recovery key must always be provided, but no length or complexity policy is enforced by IncusOS. Any existing recovery key(s) not present in the array will be removed, and any new key(s) will be added.
+
+## Resetting TPM bindings
+
+If IncusOS fails to automatically unlock the main system drive, after booing using a recovery key, it is possible to forcefully reset the TPM bindings:
+
+```
+incus admin os system tpm-rebind
+```