Merge pull request #51073 from mburke5678/mco-coreos-layering

mburke5678 · web-flow · commit 99598d8fede1 · 2023-01-04T10:04:41.000-05:00
Replace machine-os-content with new format base image (Layering)
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -535,6 +535,12 @@ Topics:
   File: cluster-capabilities
 - Name: Configuring additional devices in an IBM Z or LinuxONE environment
   File: ibmz-post-install
+- Name: Red Hat Enterprise Linux CoreOS image layering
+  File: coreos-layering
+  Distros: openshift-enterprise
+- Name: Fedora CoreOS (FCOS) image layering
+  File: coreos-layering
+  Distros: openshift-origin
 ---
 Name: Updating clusters
 Dir: updating
diff --git a/modules/coreos-layering-configuring.adoc b/modules/coreos-layering-configuring.adoc
@@ -0,0 +1,203 @@
+// Module included in the following assemblies:
+//
+// * post-installation_configuration/coreos-layering.adoc
+
+:_content-type: PROCEDURE
+[id="coreos-layering-configuring_{context}"]
+= Applying a {op-system} custom layered image
+
+You can easily configure {op-system-first} image layering on the nodes in specific machine config pools. The Machine Config Operator (MCO) reboots those nodes with the new custom layered image, overriding the base {op-system-first} image.
+
+To apply a custom layered image to your cluster, you must have the custom layered image in a repository that your cluster can access. Then, create a `MachineConfig` object that points to the custom layered image. You need a separate `MachineConfig` object for each machine config pool that you want to configure.
+
+[IMPORTANT]
+====
+When you configure a custom layered image, {product-title} no longer automatically updates any node that uses the custom layered image. You become responsible for manually updating your nodes as appropriate. If you roll back the custom layer, {product-title} will again automatically update the node. See the Additional resources section that follows for important information about updating nodes that use a custom layered image.
+====
+
+.Prerequisites
+
+* You must create a custom layered image that is based on an {product-title} image digest, not a tag.
++
+[NOTE]
+====
+You should use the same base {op-system} image that is installed on the rest of your cluster. Use the `oc adm release info --image-for rhel-coreos-8` command to obtain the base image being used in your cluster.
+====
++
+For example, the following Containerfile creates a custom layered image from an {product-title} 4.12 image and a Hotfix package:
++
+.Example Containerfile for a custom layer image
+[source,yaml]
+----
+# Using a 4.12.0 image
+FROM quay.io/openshift-release/ocp-release@sha256:6499bc69a0707fcad481c3cb73225b867d <1>
+#Install hotfix rpm
+RUN rpm-ostree override replace https://example.com/hotfixes/haproxy-1.0.16-5.el8.src.rpm && \ <2>
+    rpm-ostree cleanup -m && \
+    ostree container commit
+----
+<1> Specifies an {product-title} release image.
+<2> Specifies the path to the Hotfix package.
++
+[NOTE]
+====
+Instructions on how to create a Containerfile are beyond the scope of this documentation.
+====
+
+* You must push the custom layered image to a repository that your cluster can access.
+
+.Procedure
+
+. Create a machine config file.
+
+.. Create a YAML file similar to the following:
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+metadata:
+  labels:
+    machineconfiguration.openshift.io/role: worker <1>
+  name: os-layer-hotfix
+spec:
+  osImageURL: quay.io/my-registry/custom-image@sha256:306b606615dcf8f0e5e7d87fee3 <2>
+----
+<1> Specifies the machine config pool to apply the custom layered image.
+<2> Specifies the path to the custom layered image in the repository.
+
+.. Create the `MachineConfig` object:
++
+[source,terminal]
+----
+$ oc create -f <file_name>.yaml
+----
++
+[IMPORTANT]
+====
+It is strongly recommended that you test your images outside of your production environment before rolling out to your cluster.
+====
+
+.Verification
+
+You can verify that the custom layered image is applied by performing any of the following checks:
+
+. Check that the worker machine config pool has rolled out with the new machine config:
+
+.. Check that the new machine config is created:
++
+[source,terminal]
+----
+$ oc get mc
+----
++
+.Sample output
+[source,terminal]
+----
+NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
+00-master                                          5bdb57489b720096ef912f738b46330a8f577803   3.2.0             95m
+00-worker                                          5bdb57489b720096ef912f738b46330a8f577803   3.2.0             95m
+01-master-container-runtime                        5bdb57489b720096ef912f738b46330a8f577803   3.2.0             95m
+01-master-kubelet                                  5bdb57489b720096ef912f738b46330a8f577803   3.2.0             95m
+01-worker-container-runtime                        5bdb57489b720096ef912f738b46330a8f577803   3.2.0             95m
+01-worker-kubelet                                  5bdb57489b720096ef912f738b46330a8f577803   3.2.0             95m
+99-master-generated-registries                     5bdb57489b720096ef912f738b46330a8f577803   3.2.0             95m
+99-master-ssh                                                                                 3.2.0             98m
+99-worker-generated-registries                     5bdb57489b720096ef912f738b46330a8f577803   3.2.0             95m
+99-worker-ssh                                                                                 3.2.0             98m
+os-layer-hotfix                                                                                                 10s <1>
+rendered-master-15961f1da260f7be141006404d17d39b   5bdb57489b720096ef912f738b46330a8f577803   3.2.0             95m
+rendered-worker-5aff604cb1381a4fe07feaf1595a797e   5bdb57489b720096ef912f738b46330a8f577803   3.2.0             95m
+rendered-worker-5de4837625b1cbc237de6b22bc0bc873   5bdb57489b720096ef912f738b46330a8f577803   3.2.0             4s  <2>
+----
+<1> New machine config
+<2> New rendered machine config
+
+.. Check that the `osImageURL` value in the new machine config points to the expected image:
++
+[source,terminal]
+----
+$ oc describe mc rendered-master-4e8be63aef68b843b546827b6ebe0913
+----
++
+.Example output
+[source,terminal]
+----
+Name:         rendered-master-4e8be63aef68b843b546827b6ebe0913
+Namespace:
+Labels:       <none>
+Annotations:  machineconfiguration.openshift.io/generated-by-controller-version: 8276d9c1f574481043d3661a1ace1f36cd8c3b62
+              machineconfiguration.openshift.io/release-image-version: 4.12.0-ec.3
+API Version:  machineconfiguration.openshift.io/v1
+Kind:         MachineConfig
+...
+  Os Image URL: quay.io/my-registry/custom-image@sha256:306b606615dcf8f0e5e7d87fee3
+----
+
+.. Check that the associated machine config pool is updating with the new machine config:
++
+[source,terminal]
+----
+$ oc get mcp
+----
++
+.Sample output
+[source,terminal]
+----
+NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
+master   rendered-master-6faecdfa1b25c114a58cf178fbaa45e2   True      False      False      3              3                   3                     0                      39m
+worker   rendered-worker-6b000dbc31aaee63c6a2d56d04cd4c1b   False     True       False      3              0                   0                     0                      39m <1>
+----
+<1> When the `UPDATING` field is `True`, the machine config pool is updating with the new machine config. When the field becomes `False`, the worker machine config pool has rolled out to the new machine config.
+
+.. Check the nodes to see that scheduling on the nodes is disabled. This indicates that the change is being applied:
++
+[source,terminal]
+----
+$ oc get nodes
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                         STATUS                     ROLES                  AGE   VERSION
+ip-10-0-148-79.us-west-1.compute.internal    Ready                      worker                 32m   v1.25.0+3ef6ef3
+ip-10-0-155-125.us-west-1.compute.internal   Ready,SchedulingDisabled   worker                 35m   v1.25.0+3ef6ef3
+ip-10-0-170-47.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.25.0+3ef6ef3
+ip-10-0-174-77.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.25.0+3ef6ef3
+ip-10-0-211-49.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.25.0+3ef6ef3
+ip-10-0-218-151.us-west-1.compute.internal   Ready                      worker                 31m   v1.25.0+3ef6ef3
+----
+
+. When the node is back in the `Ready` state, check that the node is using the custom layered image:
+
+.. Open an `oc debug` session to the node. For example:
++
+[source,terminal]
+----
+$ oc debug node/ip-10-0-155-125.us-west-1.compute.internal
+----
+
+.. Set `/host` as the root directory within the debug shell:
++
+[source,terminal]
+----
+sh-4.4# chroot /host
+----
+
+.. Run the `rpm-ostree status` command to view that the custom layered image is in use:
++
+[source,terminal]
+----
+sh-4.4# sudo rpm-ostree status
+----
++
+.Example output
++
+----
+State: idle
+Deployments:
+* ostree-unverified-registry:quay.io/my-registry/custom-image@sha256:306b606615dcf8f0e5e7d87fee3
+                   Digest: sha256:306b606615dcf8f0e5e7d87fee3
+----
+
diff --git a/modules/coreos-layering-removing.adoc b/modules/coreos-layering-removing.adoc
@@ -0,0 +1,93 @@
+// Module included in the following assemblies:
+//
+// * post-installation_configuration/coreos-layering.adoc
+
+:_content-type: PROCEDURE
+[id="coreos-layering-removing_{context}"]
+= Removing a {op-system} custom layered image
+
+You can easily revert {op-system-first} image layering from the nodes in specific machine config pools. The Machine Config Operator (MCO) reboots those nodes with the cluster base {op-system-first} image, overriding the custom layered image.
+
+To remove a {op-system-first} custom layered image from your cluster, you need to delete the machine config that applied the image.
+
+.Procedure
+
+. Delete the machine config that applied the custom layered image.
++
+[source,terminal]
+----
+$ oc delete mc os-layer-hotfix
+----
++
+After deleting the machine config, the nodes reboot.
+
+.Verification
+
+You can verify that the custom layered image is removed by performing any of the following checks:
+
+. Check that the worker machine config pool is updating with the previous machine config:
++
+[source,terminal]
+----
+$ oc get mcp
+----
++
+.Sample output
+[source,terminal]
+----
+NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
+master   rendered-master-6faecdfa1b25c114a58cf178fbaa45e2   True      False      False      3              3                   3                     0                      39m
+worker   rendered-worker-6b000dbc31aaee63c6a2d56d04cd4c1b   False     True       False      3              0                   0                     0                      39m <1>
+----
+<1> When the `UPDATING` field is `True`, the machine config pool is updating with the previous machine config. When the field becomes `False`, the worker machine config pool has rolled out to the previous machine config.
+
+. Check the nodes to see that scheduling on the nodes is disabled. This indicates that the change is being applied:
++
+[source,terminal]
+----
+$ oc get nodes
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                         STATUS                     ROLES                  AGE   VERSION
+ip-10-0-148-79.us-west-1.compute.internal    Ready                      worker                 32m   v1.25.0+3ef6ef3
+ip-10-0-155-125.us-west-1.compute.internal   Ready,SchedulingDisabled   worker                 35m   v1.25.0+3ef6ef3
+ip-10-0-170-47.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.25.0+3ef6ef3
+ip-10-0-174-77.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.25.0+3ef6ef3
+ip-10-0-211-49.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.25.0+3ef6ef3
+ip-10-0-218-151.us-west-1.compute.internal   Ready                      worker                 31m   v1.25.0+3ef6ef3
+----
+
+. When the node is back in the `Ready` state, check that the node is using the base image:
+
+.. Open an `oc debug` session to the node. For example:
++
+[source,terminal]
+----
+$ oc debug node/ip-10-0-155-125.us-west-1.compute.internal
+----
+
+.. Set `/host` as the root directory within the debug shell:
++
+[source,terminal]
+----
+sh-4.4# chroot /host
+----
+
+.. Run the `rpm-ostree status` command to view that the custom layered image is in use:
++
+[source,terminal]
+----
+sh-4.4# sudo rpm-ostree status
+----
++
+.Example output
++
+----
+State: idle
+Deployments:
+* ostree-unverified-registry:podman pull quay.io/openshift-release-dev/ocp-release@sha256:e2044c3cfebe0ff3a99fc207ac5efe6e07878ad59fd4ad5e41f88cb016dacd73
+                   Digest: sha256:e2044c3cfebe0ff3a99fc207ac5efe6e07878ad59fd4ad5e41f88cb016dacd73
+----
diff --git a/modules/coreos-layering-updating.adoc b/modules/coreos-layering-updating.adoc
@@ -0,0 +1,20 @@
+// Module included in the following assemblies:
+//
+// * post-installation_configuration/coreos-layering.adoc
+
+:_content-type: REFERENCE
+[id="coreos-layering-updating_{context}"]
+= Updating with a {op-system} custom layered image
+
+When you configure {op-system-first} image layering, {product-title} no longer automatically updates the node pool that uses the custom layered image. You become responsible to manually update your nodes as appropriate.
+
+To update a node that uses a custom layered image, follow these general steps:
+
+. The cluster automatically upgrades to version x.y.z+1, except for the nodes that use the custom layered image.
+
+. You could then create a new Containerfile that references the updated {product-title} image and the RPM that you had previously applied.
+
+. Create a new machine config that points to the updated custom layered image.
+
+Updating a node with a custom layered image is not required. However, if that node gets too far behind the current {product-title} version, you could experience unexpected results.
+
diff --git a/post_installation_configuration/coreos-layering.adoc b/post_installation_configuration/coreos-layering.adoc
