BZ1887404: Add allowlist firewall info for NTP servers and custom DNS

Author: skrthomas

_topic_map.yml

@@ -1509,15 +1509,15 @@ Topics:
   File: applying-autoscaling
 - Name: Creating infrastructure machine sets
   File: creating-infrastructure-machinesets
+- Name: Adding a RHEL compute machine
+  File: adding-rhel-compute
+  Distros: openshift-enterprise
+- Name: Adding more RHEL compute machines
+  File: more-rhel-compute
+  Distros: openshift-enterprise
 - Name: User-provisioned infrastructure
   Dir: user_infra
   Topics:
-  - Name: Adding a RHEL compute machine
-    File: adding-rhel-compute
-    Distros: openshift-enterprise
-  - Name: Adding more RHEL compute machines
-    File: more-rhel-compute
-    Distros: openshift-enterprise
   - Name: Adding compute machines to AWS using CloudFormation templates
     File: adding-aws-compute-user-infra
   - Name: Adding compute machines to vSphere

installing/installing-fips.adoc

@@ -75,9 +75,9 @@ To install a cluster in FIPS mode, follow the instructions to install a customiz
 
 [NOTE]
 ====
-If you are using Azure File storage, you cannot enable FIPS mode. 
+If you are using Azure File storage, you cannot enable FIPS mode.
 ====
 
 To apply `AES CBC` encryption to your etcd data store, follow the xref:../security/encrypting-etcd.adoc#encrypting-etcd[Encrypting etcd data] process after you install your cluster.
 
-If you add {op-system-base} nodes to your cluster, ensure that you enable FIPS mode on the machines before their initial boot. See xref:../machine_management/user_infra/adding-rhel-compute.adoc#adding-rhel-compute[Adding RHEL compute machines to an {product-title} cluster] and link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations#sec-Enabling-FIPS-Mode[Enabling FIPS Mode] in the {op-system-base} 7 documentation.
+If you add {op-system-base} nodes to your cluster, ensure that you enable FIPS mode on the machines before their initial boot. See xref:../machine_management/adding-rhel-compute.adoc#adding-rhel-compute[Adding RHEL compute machines to an {product-title} cluster] and link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations#sec-Enabling-FIPS-Mode[Enabling FIPS Mode] in the {op-system-base} 7 documentation.

machine_management/adding-rhel-compute.adoc

@@ -0,0 +1,36 @@
+[id="adding-rhel-compute"]
+= Adding RHEL compute machines to an {product-title} cluster
+include::modules/common-attributes.adoc[]
+:context: adding-rhel-compute
+
+toc::[]
+
+In {product-title}, you can add Red Hat Enterprise Linux (RHEL) compute, or worker, machines to a user-provisioned infrastructure cluster or a installation-provisioned infrastructure cluster. You can use RHEL as the operating system on only compute machines.
+
+include::modules/rhel-compute-overview.adoc[leveloffset=+1]
+
+include::modules/rhel-compute-requirements.adoc[leveloffset=+1]
+
+[id="adding-rhel-compute-preparing-image-cloud"]
+== Preparing an image for your cloud
+
+Amazon Machine Images (AMI) are required because various image formats cannot be used directly by AWS. You may use the AMIs that Red Hat has provided, or you can manually import your own images. The AMI must exist before the EC2 instance can be provisioned. You will need a valid AMI ID so that the correct {op-system-base} version needed for the compute machines is selected.
+
+include::modules/rhel-images-aws.adoc[leveloffset=+2]
+
+.Additional resources
+* You may also manually link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/image_builder_guide/sect-documentation-image_builder-chapter5-section_2[import {op-system-base} images to AWS].
+
+include::modules/rhel-preparing-playbook-machine.adoc[leveloffset=+1]
+
+include::modules/rhel-preparing-node.adoc[leveloffset=+1]
+
+include::modules/rhel-worker-tag.adoc[leveloffset=+2]
+
+include::modules/rhel-adding-node.adoc[leveloffset=+1]
+
+include::modules/installation-approve-csrs.adoc[leveloffset=+1]
+
+include::modules/rhel-ansible-parameters.adoc[leveloffset=+1]
+
+include::modules/rhel-removing-rhcos.adoc[leveloffset=+2]

machine_management/more-rhel-compute.adoc

@@ -0,0 +1,32 @@
+[id="more-rhel-compute"]
+= Adding more RHEL compute machines to an {product-title} cluster
+include::modules/common-attributes.adoc[]
+:context: more-rhel-compute
+
+toc::[]
+
+If your {product-title} cluster already includes Red Hat Enterprise Linux (RHEL) compute machines, which are also known as worker machines, you can add more RHEL compute machines to it.
+
+include::modules/rhel-compute-overview.adoc[leveloffset=+1]
+
+include::modules/rhel-compute-requirements.adoc[leveloffset=+1]
+
+[id="more-rhel-compute-preparing-image-cloud"]
+== Preparing an image for your cloud
+
+Amazon Machine Images (AMI) are required since various image formats cannot be used directly by AWS. You may use the AMIs that Red Hat has provided, or you can manually import your own images. The AMI must exist before the EC2 instance can be provisioned. You must list the AMI IDs so that the correct {op-system-base} version needed for the compute machines is selected.
+
+include::modules/rhel-images-aws.adoc[leveloffset=+2]
+
+.Additional resources
+* You may also manually link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/image_builder_guide/sect-documentation-image_builder-chapter5-section_2[import {op-system-base} images to AWS].
+
+include::modules/rhel-preparing-node.adoc[leveloffset=+1]
+
+include::modules/rhel-worker-tag.adoc[leveloffset=+2]
+
+include::modules/rhel-adding-more-nodes.adoc[leveloffset=+1]
+
+include::modules/installation-approve-csrs.adoc[leveloffset=+1]
+
+include::modules/rhel-ansible-parameters.adoc[leveloffset=+1]

machine_management/user_infra/adding-rhel-compute.adoc

@@ -58,7 +58,7 @@ In {product-title} {product-version}, you use the OpenShift installation program
 For more information, see xref:../../architecture/architecture-installation.adoc#installation-process_architecture-installation[Installation process].
 
 ifndef::openshift-origin[]
-If you want to add {op-system-base-full} ({op-system-base}) worker machines to your {product-title} {product-version} cluster, you use an Ansible playbook to join the {op-system-base} worker machines after the cluster is running. For more information, see xref:../../machine_management/user_infra/adding-rhel-compute.adoc#adding-rhel-compute[Adding {op-system-base} compute machines to an {product-title} cluster].
+If you want to add {op-system-base-full} ({op-system-base}) worker machines to your {product-title} {product-version} cluster, you use an Ansible playbook to join the {op-system-base} worker machines after the cluster is running. For more information, see xref:../../machine_management/adding-rhel-compute.adoc#adding-rhel-compute[Adding {op-system-base} compute machines to an {product-title} cluster].
 endif::[]
 
 [discrete]

machine_management/user_infra/more-rhel-compute.adoc

@@ -151,3 +151,13 @@ the routes work. If you are the cluster administrator and do not want to allow
 * `console-openshift-console.apps.<cluster_name>.<base_domain>`, or the host name
 that is specified in the `spec.route.hostname` field of the
 `consoles.operator/cluster` object if the field is not empty.
+
+. If you use a default Red Hat Network Time Protocol (NTP) server allow the following URLs:
+* `1.rhel.pool.ntp.org`
+* `2.rhel.pool.ntp.org`
+* `3.rhel.pool.ntp.org`
+
+[NOTE]
+====
+If you do not use a default Red Hat NTP server, verify the NTP server for your platform and allow it in your firewall.
+====

migration/migrating_3_4/planning-migration-3-to-4.adoc

@@ -0,0 +1,55 @@
+// Module included in the following assemblies:
+//
+// * machine_management/adding-rhel-compute.adoc
+// * machine_management/more-rhel-compute.adoc
+
+[id="rhel-images-aws_{context}"]
+= Listing latest available RHEL images on AWS
+
+AMI IDs correspond to native boot images for AWS. Because an AMI must exist before the EC2 instance is provisioned, you will need to know the AMI ID before configuration. The link:https://aws.amazon.com/cli/[AWS Command Line Interface (CLI)] is used to list the available {op-system-base-full} image IDs.
+
+.Prerequisites
+
+* You have installed the AWS CLI.
+
+.Procedure
+
+* Use this command to list {op-system-base} 7.9 Amazon Machine Images (AMI):
++
+[source,terminal]
+----
+$ aws ec2 describe-images --owners 309956199498 \ <1>
+--query 'sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]' \ <2>
+--filters "Name=name,Values=RHEL-7.9*" \ <3>
+--region us-east-1 \ <4>
+--output table <5>
+----
++
+<1> The `--owners` command option shows Red Hat images based on the account ID `309956199498`.
++
+[IMPORTANT]
+====
+This account ID is required to display AMI IDs for images that are provided by Red Hat.
+====
++
+<2> The `--query` command option sets how the images are sorted with the parameters `'sort_by(Images, &CreationDate)[*].[CreationDate,Name,ImageId]'`. In this case, the images are sorted by the creation date, and the table is structured to show the creation date, the name of the image, and the AMI IDs.
+<3> The `--filter` command option sets which version of {op-system-base} is shown. In this example, since the filter is set by `"Name=name,Values=RHEL-7.9*"`, then {op-system-base} 7.9 AMIs are shown.
+<4> The `--region` command option sets where the region where an AMI is stored.
+<5> The `--output` command option sets how the results are displayed.
+
+[NOTE]
+====
+When creating a {op-system-base} compute machine for AWS, ensure that the AMI is {op-system-base} 7.9.
+====
++
+.Example output
+[source,terminal]
+----
+----------------------------------------------------------------------------------------------------------
+|                                             DescribeImages                                             |
++---------------------------+----------------------------------------------------+-----------------------+
+|  2020-05-13T09:50:36.000Z |  RHEL-7.9_HVM_BETA-20200422-x86_64-0-Hourly2-GP2  |  ami-038714142142a6a64 |
+|  2020-09-18T07:51:03.000Z |  RHEL-7.9_HVM_GA-20200917-x86_64-0-Hourly2-GP2    |  ami-005b7876121b7244d |
+|  2021-02-09T09:46:19.000Z |  RHEL-7.9_HVM-20210208-x86_64-0-Hourly2-GP2       |  ami-030e754805234517e |
++---------------------------+----------------------------------------------------+-----------------------+
+----

modules/configuring-firewall.adoc

@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// * machine_management/adding-rhel-compute.adoc
+// * machine_management/more-rhel-compute.adoc
+
+
+[id="rhel-worker-tag_{context}"]
+= Tagging a {op-system-base} worker node as owned or shared
+
+A cluster uses the value of the `kubernetes.io/cluster/<clusterid>,Value=(owned|shared)` tag to determine the lifetime of the resources related to the AWS cluster.
+
+* The `owned` tag value should be added if the resource should be destroyed as part of destroying the cluster.
+* The `shared` tag value should be added if the resource continues to exist after the cluster has been destroyed. This tagging denotes that the cluster uses this resource, but there is a separate owner for the resource.
+
+.Procedure
+
+* With {op-system-base} compute machines, the {op-system-base} worker instance must be tagged with `kubernetes.io/cluster/<clusterid>=owned` or `kubernetes.io/cluster/<cluster-id>=shared`.
+
+[NOTE]
+====
+Do not tag all existing security groups with the `kubernetes.io/cluster/<name>,Value=<clusterid>` tag, or the Elastic Load Balancing (ELB) will not be able to create a load balancer.
+====