openshift
diff --git a/‎machine_configuration/mco-coreos-layering.adoc
Lines changed: 18 additions & 1 deletion b/‎machine_configuration/mco-coreos-layering.adoc
Lines changed: 18 additions & 1 deletion
diff --git a/‎modules/coreos-layering-configuring-on-extensions.adoc
Lines changed: 117 additions & 0 deletions b/‎modules/coreos-layering-configuring-on-extensions.adoc
Lines changed: 117 additions & 0 deletions
diff --git a/‎modules/coreos-layering-configuring-on-modifying.adoc
Lines changed: 139 additions & 0 deletions b/‎modules/coreos-layering-configuring-on-modifying.adoc
Lines changed: 139 additions & 0 deletions
diff --git a/‎modules/coreos-layering-configuring-on-revert.adoc
Lines changed: 105 additions & 0 deletions b/‎modules/coreos-layering-configuring-on-revert.adoc
Lines changed: 105 additions & 0 deletions
@@ -184,13 +184,30 @@ include::modules/coreos-layering-configuring-on.adoc[leveloffset=+1]
 
 .Additional resources
 * xref:../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling[Enabling features using feature gates]
+* xref:../updating/updating_a_cluster/update-using-custom-machine-config-pools.adoc#update-using-custom-machine-config-pools-pause_update-using-custom-machine-config-pools[Pausing the machine config pools]
+
+include::modules/coreos-layering-configuring-on-modifying.adoc[leveloffset=+2]
+
+.Additional resources
+* xref:../updating/updating_a_cluster/update-using-custom-machine-config-pools.adoc#update-using-custom-machine-config-pools-pause_update-using-custom-machine-config-pools[Pausing the machine config pools]
+
+include::modules/coreos-layering-configuring-on-extensions.adoc[leveloffset=+2]
+
+.Additional resources
+* xref:../machine_configuration/machine-configs-configure.html#rhcos-add-extensions_machine-configs-configure[Adding extensions to RHCOS]
+* xref:../updating/updating_a_cluster/update-using-custom-machine-config-pools.adoc#update-using-custom-machine-config-pools-pause_update-using-custom-machine-config-pools[Pausing the machine config pools]
+
+// Not in 4.18; maybe 4.19
+// include::modules/coreos-layering-configuring-on-rebuild.adoc[leveloffset=+2] 
+
+include::modules/coreos-layering-configuring-on-revert.adoc[leveloffset=+2]
 
 include::modules/coreos-layering-configuring.adoc[leveloffset=+1]
 
 .Additional resources
 xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-updating_mco-coreos-layering[Updating with a {op-system} custom layered image]
 
-include::modules/coreos-layering-removing.adoc[leveloffset=+1]
+include::modules/coreos-layering-removing.adoc[leveloffset=+2]
 include::modules/coreos-layering-updating.adoc[leveloffset=+1]
 
 ////
 
@@ -0,0 +1,117 @@
+// Module included in the following assemblies:
+//
+// * machine_configuration/coreos-layering.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="coreos-layering-configuring-on-extensions_{context}"]
+= Installing extensions into an on-cluster custom layered image
+
+You can install {op-system-first} extensions into your on-cluster custom layered image by creating a machine config that lists the extensions that you want to install. The Machine Config Operator (MCO) installs the extensions onto the nodes associated with a specific machine config pool (MCP).
+
+For a list of the currently supported extensions, see "Adding extensions to RHCOS."
+
+After you make the change, the MCO reboots the nodes associated with the specified machine config pool.
+
+[NOTE]
+====
+include::snippets/coreos-layering-configuring-on-pause.adoc[]
+====
+
+.Prerequisites
+
+* You have opted in to on-cluster layering by creating a `MachineOSConfig` object.
+
+.Procedure
+
+. Create a YAML file for the machine config similar to the following example: 
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1 <1>
+kind: MachineConfig
+metadata:
+  labels:
+    machineconfiguration.openshift.io/role: layered <2>
+  name: 80-worker-extensions
+spec:
+  config:
+    ignition:
+      version: 3.2.0
+  extensions: <3>
+    - usbguard
+    - kerberos
+----
+<1> Specifies the `machineconfiguration.openshift.io/v1` API that is required for `MachineConfig` CRs.
+<2> Specifies the machine config pool to apply the `MachineConfig` object to.
+<3> Lists the {op-system-first} extensions that you want to install.
+
+. Create the MCP object:
++
+[source,terminal]
+----
+$ oc create -f <file_name>.yaml
+----
+
+.Verification
+
+. You can watch the build progress by using the following command:
++
+[source,terminal]
+----
+$ oc get machineosbuilds
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                       PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED
+layered-f8ab2d03a2f87a2acd449177ceda805d   False      True       False       False         False <1>
+----
+<1> The value `True` in the `BUILDING` column indicates that the `MachineOSBuild` object is building. When the `SUCCEEDED` column reports `TRUE`, the build is complete. 
+
+. You can watch as the new machine config is rolled out to the nodes by using the following command:
++
+[source,terminal]
+----
+$ oc get machineconfigpools
+----
++
+.Example output
+[source,terminal]
+----
+NAME      CONFIG                                              UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
+layered   rendered-layered-221507009cbcdec0eec8ab3ccd789d18   False     True       False      1              0                   0                     0                      167m <1>
+master    rendered-master-a0b404d061a6183cc36d302363422aba    True      False      False      3              3                   3                     0                      3h38m
+worker    rendered-worker-221507009cbcdec0eec8ab3ccd789d18    True      False      False      2              2                   2                     0                      3h38m
+----
+<1> The value `FALSE` in the `UPDATED` column indicates that the `MachineOSBuild` object is building. When the `UPDATED` column reports `FALSE`, the new custom layered image has rolled out to the nodes.
+
+. When the associated machine config pool is updated, check that the extensions were installed:
+
+.. Open an `oc debug` session to the node by running the following command:
++
+[source,terminal]
+----
+$ oc debug node/<node_name>
+----
+
+.. Set `/host` as the root directory within the debug shell by running the following command:
++
+[source,terminal]
+----
+sh-5.1# chroot /host
+----
+
+.. Use an appropriate command to verify that the extensions were installed. The following example shows that the usbguard extension was installed:
++
+[source,terminal]
+----
+sh-5.1# rpm -qa |grep usbguard
+----
++
+.Example output
+[source,terminal]
+----
+usbguard-selinux-1.0.0-15.el9.noarch
+usbguard-1.0.0-15.el9.x86_64
+----
@@ -0,0 +1,139 @@
+// Module included in the following assemblies:
+//
+// * machine_configuration/coreos-layering.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="coreos-layering-configuring-on-modifying_{context}"]
+= Modifying a custom layered image
+
+You can modify an on-cluster custom layered image, as needed. This allows you to install additional packages, remove existing packages, change the pull or push repositories, update secrets, or other similar changes. You can edit the `MachineOSConfig` object, apply changes to the YAML file that created the `MachineOSConfig` object, or create a new YAML file for that purpose.
+
+If you modify and apply the `MachineOSConfig` object YAML or create a new YAML file, the YAML overwrites any changes you made directly to the `MachineOSConfig` object itself.
+
+include::snippets//coreos-layering-configuring-on-pause.adoc[]
+
+.Prerequisites
+
+* You have opted in to on-cluster layering by creating a `MachineOSConfig` object.
+
+.Procedure
+
+* Modify an object to update the associated custom layered image:
+
+.. Edit the `MachineOSConfig` object to modify the custom layered image. The following example adds the `rngd` daemon to nodes that already have the tree package that was installed using a custom layered image.
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1alpha1
+kind: MachineOSConfig
+metadata:
+  name: layered-alpha1
+spec:
+  machineConfigPool:
+    name: layered
+  buildInputs:
+    containerFile:
+    - containerfileArch: noarch
+      content: |- <1>
+        FROM configs AS final
+
+        RUN rpm-ostree install rng-tools && \
+            systemctl enable rngd && \
+            rpm-ostree cleanup -m && \
+            ostree container commit
+
+        RUN rpm-ostree install tree && \
+            ostree container commit
+    imageBuilder:
+      imageBuilderType: PodImageBuilder
+    baseImagePullSecret:
+      name: global-pull-secret-copy <2>
+    renderedImagePushspec: image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-images:latest <3>
+    renderedImagePushSecret:  <4>
+      name: new-secret-name
+  buildOutputs:
+    currentImagePullSecret:
+      name: new-secret-name <5>
+----
+<1> Optional: Modify the Containerfile, for example to add or remove packages.
+<2> Optional: Update the secret needed to pull the base operating system image from the registry.
+<3> Optional: Modify the image registry to push the newly-built custom layered image to.
+<4> Optional: Update the secret needed to push the newly-built custom layered image to the registry.
+<5> Optional: Update the secret needed to pull the newly-built custom layered image from the registry.
++
+When you save the changes, the MCO drains, cordons, and reboots the nodes. After the reboot, the node uses the cluster base {op-system-first} image. If your changes modify a secret only, no new build is triggered and no reboot is performed.
+
+.Verification
+
+. Verify that the new `MachineOSBuild` object was created by using the following command:
++
+[source,terminal]
+----
+$ oc get machineosbuild
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                       PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED
+layered-a5457b883f5239cdcb71b57e1a30b6ef   False      False      True        False         False
+layered-f91f0f5593dd337d89bf4d38c877590b   False      True       False       False         False <1>
+----
+<1> The value `True` in the `BUILDING` column indicates that the `MachineOSBuild` object is building. When the `SUCCEEDED` column reports `True`, the build is complete.
+
+. You can watch as the new machine config is rolled out to the nodes by using the following command:
++
+[source,terminal]
+----
+$ oc get machineconfigpools
+----
++
+.Example output
+[source,terminal]
+----
+NAME      CONFIG                                              UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
+layered   rendered-layered-221507009cbcdec0eec8ab3ccd789d18   False     True       False      1              0                   0                     0                      167m <1>
+master    rendered-master-a0b404d061a6183cc36d302363422aba    True      False      False      3              3                   3                     0                      3h38m
+worker    rendered-worker-221507009cbcdec0eec8ab3ccd789d18    True      False      False      2              2                   2                     0                      3h38m
+----
+<1> The value `FALSE` in the `UPDATED` column indicates that the `MachineOSBuild` object is building. When the `UPDATED` column reports `FALSE`, the new custom layered image has rolled out to the nodes.
+
+. When the node is back in the `Ready` state, check that the changes were applied:
+
+.. Open an `oc debug` session to the node by running the following command:
++
+[source,terminal]
+----
+$ oc debug node/<node_name>
+----
+
+.. Set `/host` as the root directory within the debug shell by running the following command:
++
+[source,terminal]
+----
+sh-5.1# chroot /host
+----
+
+.. Use an appropriate command to verify that change was applied. The following examples shows that the `rngd` daemon was installed:
++
+[source,terminal]
+----
+sh-5.1# rpm -qa |grep rng-tools
+----
++
+.Example output
+[source,terminal]
+----
+rng-tools-6.17-3.fc41.x86_64
+----
++
+[source,terminal]
+----
+sh-5.1# rngd -v
+----
++
+.Example output
+[source,terminal]
+----
+rngd 6.16
+----
@@ -0,0 +1,105 @@
+// Module included in the following assemblies:
+//
+// * machine_configuration/coreos-layering.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="coreos-layering-configuring-on-revert_{context}"]
+= Reverting an on-cluster custom layered image
+
+You can revert an on-cluster custom layered image from nodes by removing the label for the machine config pool (MCP) that you specified in the `MachineOSConfig` object. After you remove the label, the Machine Config Operator (MCO) reboots the nodes in that MCP with the cluster base {op-system-first} image, along with any previously-made machine config changes, overriding the custom layered image. 
+
+[IMPORTANT]
+====
+If the node where the custom layered image is deployed uses a custom machine config pool, before you remove the label, make sure the node is associated with a second MCP.
+====
+
+You can reapply the custom layered image to the node by using the `oc label node/<node_name> 'node-role.kubernetes.io/<mcp_name>='` label.
+
+.Prerequisites
+
+* You have opted in to on-cluster layering by creating a `MachineOSConfig` object.
+
+.Procedure
+
+* Remove the label from the node by using the following command:
++
+[source,terminal]
+----
+$ oc label node/<node_name> node-role.kubernetes.io/<mcp_name>-
+----
++
+When you save the changes, the MCO drains, cordons, and reboots the nodes. After the reboot, the node uses the cluster base {op-system-first} image.
+
+.Verification
+
+You can verify that the custom layered image is removed by performing the following checks:
+
+. Check that the worker machine config pool is updating with the previous machine config:
++
+[source,terminal]
+----
+$ oc get mcp
+----
++
+.Sample output
+[source,terminal]
+----
+NAME      CONFIG                                              UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
+layered   rendered-layered-bde4e4206442c0a48b1a1fb35ba56e85   True      False      False      0              0                   0                     0                      4h46m
+master    rendered-master-8332482204e0b76002f15ecad15b6c2d    True      False      False      3              3                   3                     0                      5h26m
+worker    rendered-worker-bde4e4206442c0a48b1a1fb35ba56e85    False     True       False      3              2                   2                     0                      5h26m <1>
+----
+<1> The value `FALSE` in the `UPDATED` column indicates that the `MachineOSBuild` object is building. When the `UPDATED` column reports `FALSE`, the base image has rolled out to the nodes.
+
+. Check the nodes to see that scheduling on the nodes is disabled. This indicates that the change is being applied:
++
+[source,terminal]
+----
+$ oc get nodes
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                         STATUS                     ROLES                  AGE   VERSION
+ip-10-0-148-79.us-west-1.compute.internal    Ready                      worker                 32m   v1.31.3
+ip-10-0-155-125.us-west-1.compute.internal   Ready,SchedulingDisabled   worker                 35m   v1.31.3
+ip-10-0-170-47.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.31.3
+ip-10-0-174-77.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.31.3
+ip-10-0-211-49.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.31.3
+ip-10-0-218-151.us-west-1.compute.internal   Ready                      worker                 31m   v1.31.3
+----
+
+. When the node is back in the `Ready` state, check that the node is using the base image:
+
+.. Open an `oc debug` session to the node. For example:
++
+[source,terminal]
+----
+$ oc debug node/<node_name>
+----
+
+.. Set `/host` as the root directory within the debug shell:
++
+[source,terminal]
+----
+sh-5.1# chroot /host
+----
+
+.. Run an `rpm-ostree status` command to view that the base image is in use:
++
+[source,terminal]
+----
+sh-5.1# rpm-ostree status
+----
++
+.Example output
++
+[source,terminal]
+----
+State: idle
+Deployments:
+* ostree-unverified-image:containers-storage:quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:76721c875a2b79688be46b1dca654c2c6619a6be28b29a2822cd86c3f9d8e3c1
+                   Digest: sha256:76721c875a2b79688be46b1dca654c2c6619a6be28b29a2822cd86c3f9d8e3c1
+                  Version: 418.94.202501300706-0 (2025-01-30T07:10:58Z)
+----