TELCODOCS-1820: kmod changes

Author: StephenJamesSmith

hardware_enablement/kmm-kernel-module-management.adoc

@@ -41,7 +41,7 @@ include::modules/kmm-replacing-in-tree-modules-with-out-of-tree-modules.adoc[lev
 * link:https://fastbitlab.com/building-a-linux-kernel-module/[Building a linux kernel module]
 
 include::modules/kmm-example-module-cr.adoc[leveloffset=+2]
-include::modules/kmm-creating-moduleloader-image.adoc[leveloffset=+1]
+include::modules/kmm-creating-kmod-image.adoc[leveloffset=+1]
 include::modules/kmm-running-depmod.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
@@ -78,8 +78,8 @@ include::modules/kmm-using-driver-toolkit.adoc[leveloffset=+2]
 include::modules/kmm-using-signing-with-kmm.adoc[leveloffset=+1]
 include::modules/kmm-adding-the-keys-for-secureboot.adoc[leveloffset=+1]
 include::modules/kmm-checking-the-keys.adoc[leveloffset=+2]
-include::modules/kmm-signing-a-prebuilt-driver-container.adoc[leveloffset=+1]
-include::modules/kmm-building-and-signing-a-moduleloader-container-image.adoc[leveloffset=+1]
+include::modules/kmm-signing-kmods-in-a-prebuilt-image.adoc[leveloffset=+1]
+include::modules/kmm-building-and-signing-a-kmod-image.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
 * link:https://docs.openshift.com/container-platform/4.12/authentication/understanding-and-creating-service-accounts.html#service-accounts-managing_understanding-service-accounts[Creating service accounts]
@@ -135,19 +135,21 @@ include::modules/kmm-debugging-and-troubleshooting.adoc[leveloffset=+1]
 // Added for TELCODOCS-1067
 include::modules/kmm-firmware-support.adoc[leveloffset=+1]
 [role="_additional-resources"]
-.Additional resources
-* xref:../hardware_enablement/kmm-kernel-module-management.adoc#kmm-creating-moduleloader-image_kernel-module-management-operator[Creating a ModuleLoader image]
 
 include::modules/kmm-configuring-the-lookup-path-on-nodes.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional resources
 * xref:../post_installation_configuration/machine-configuration-tasks.adoc#understanding-the-machine-config-operator[Machine Config Operator]
 
-include::modules/kmm-building-a-moduleloader-image.adoc[leveloffset=+2]
+include::modules/kmm-building-a-kmod-image.adoc[leveloffset=+2]
 include::modules/kmm-tuning-the-module-resource.adoc[leveloffset=+2]
 
 // Added for TELCODOCS-1059
 include::modules/kmm-troubleshooting.adoc[leveloffset=+1]
+// Added for TELCODOCS-1820
+include::modules/kmm-reading-operator-logs.adoc[leveloffset=+2]
+include::modules/kmm-observing-events.adoc[leveloffset=+2]
+
 include::modules/kmm-must-gather-tool.adoc[leveloffset=+2]
 [role="_additional-resources"]
 .Additional resources

modules/kmm-building-a-kmod-image.adoc

@@ -0,0 +1,27 @@
+// Module included in the following assemblies:
+//
+// * hardware_enablement/kmm-kernel-module-management.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="kmm-building-a-kmod-image_{context}"]
+= Building a kmod image
+
+.Procedure
+
+* In addition to building the kernel module itself, include the binary firmware in the builder image:
++
+[source,dockerfile]
+----
+FROM registry.redhat.io/ubi9/ubi-minimal as builder
+
+# Build the kmod
+
+RUN ["mkdir", "/firmware"]
+RUN ["curl", "-o", "/firmware/firmware.bin", "https://artifacts.example.com/firmware.bin"]
+
+FROM registry.redhat.io/ubi9/ubi-minimal
+
+# Copy the kmod, install modprobe, run depmod
+
+COPY --from=builder /firmware /firmware
+----

modules/kmm-building-and-signing-a-kmod-image.adoc

@@ -0,0 +1,85 @@
+// Module included in the following assemblies:
+//
+// * hardware_enablement/kmm-kernel-module-management.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="kmm-building-and-signing-a-kmod-image_{context}"]
+= Building and signing a kmod image
+
+Use this procedure if you have source code and must build your image first.
+
+The following YAML file builds a new container image using the source code from the repository. The image produced is saved back in the registry with a temporary name, and this temporary image is then signed using the parameters in the `sign` section.
+
+The temporary image name is based on the final image name and is set to be `<containerImage>:<tag>-<namespace>_<module name>_kmm_unsigned`.
+
+For example, using the following YAML file, Kernel Module Management (KMM) builds an image named `example.org/repository/minimal-driver:final-default_example-module_kmm_unsigned` containing the build with unsigned kmods and pushes it to the registry. Then it creates a second image named `example.org/repository/minimal-driver:final` that contains the signed kmods. It is this second image that is pulled by the worker pods and contains the kmods to be loaded on the cluster nodes.
+
+After it is signed, you can safely delete the temporary image from the registry. It will be rebuilt, if needed.
+
+.Prerequisites
+
+* The `keySecret` and `certSecret` secrets have been created in the same namespace as the rest of the resources.
+
+.Procedure
+
+* Apply the YAML file:
++
+[source,yaml]
+----
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: example-module-dockerfile
+  namespace: <namespace> <1>
+data:
+  Dockerfile: |
+    ARG DTK_AUTO
+    ARG KERNEL_VERSION
+    FROM ${DTK_AUTO} as builder
+    WORKDIR /build/
+    RUN git clone -b main --single-branch https://github.com/rh-ecosystem-edge/kernel-module-management.git
+    WORKDIR kernel-module-management/ci/kmm-kmod/
+    RUN make
+    FROM registry.access.redhat.com/ubi9/ubi:latest
+    ARG KERNEL_VERSION
+    RUN yum -y install kmod && yum clean all
+    RUN mkdir -p /opt/lib/modules/${KERNEL_VERSION}
+    COPY --from=builder /build/kernel-module-management/ci/kmm-kmod/*.ko /opt/lib/modules/${KERNEL_VERSION}/
+    RUN /usr/sbin/depmod -b /opt
+---
+apiVersion: kmm.sigs.x-k8s.io/v1beta1
+kind: Module
+metadata:
+  name: example-module
+  namespace: <namespace> <1>
+spec:
+  moduleLoader:
+    serviceAccountName: default <2>
+    container:
+      modprobe:
+        moduleName: simple_kmod
+      kernelMappings:
+        - regexp: '^.*\.x86_64$'
+          containerImage: <final_driver_container_name>
+          build:
+            dockerfileConfigMap:
+              name: example-module-dockerfile
+          sign:
+            keySecret:
+              name: <private_key_secret_name>
+            certSecret:
+              name: <certificate_secret_name>
+            filesToSign:
+              - /opt/lib/modules/4.18.0-348.2.1.el8_5.x86_64/kmm_ci_a.ko
+  imageRepoSecret: <3>
+    name: repo-pull-secret
+  selector: # top-level selector
+    kubernetes.io/arch: amd64
+----
+
+<1> Replace `default` with a valid namespace.
+
+<2> The default `serviceAccountName` does not have the required permissions to run a module that is privileged. For information on creating a service account, see "Creating service accounts" in the "Additional resources" of this section.
+
+<3> Used as `imagePullSecrets` in the `DaemonSet` object and to pull and push for the build and sign features.

modules/kmm-building-in-cluster.adoc

@@ -7,7 +7,7 @@
 
 = Building in the cluster
 
-KMM can build module loader images in the cluster. Follow these guidelines:
+KMM can build kmod images in the cluster. Follow these guidelines:
 
 * Provide build instructions using the `build` section of a kernel mapping.
 * Copy the `Dockerfile` for your container image into a `ConfigMap` resource, under the `dockerfile` key.

modules/kmm-creating-kmod-image.adoc

@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * hardware_enablement/kmm-kernel-module-management.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="kmm-creating-kmod-image_{context}"]
+= Creating a kmod image
+
+Kernel Module Management (KMM) works with purpose-built kmod images, which are standard OCI images that contain `.ko` files.
+The location of the `.ko` files must match the following pattern: `<prefix>/lib/modules/[kernel-version]/`.
+
+Keep the following in mind when working with the `.ko` files:
+
+* In most cases, `<prefix>` should be equal to `/opt`. This is the `Module` CRD's default value.
+* `kernel-version` must not be empty and must be equal to the kernel version the kernel modules were built for.

modules/kmm-creating-module-cr.adoc

@@ -7,21 +7,20 @@
 
 = The Module custom resource definition
 
-The `Module` custom resource definition (CRD) represents a kernel module that can be loaded on all or select nodes in the cluster, through a module loader image.
-A `Module` custom resource (CR) specifies one or more kernel versions with which it is compatible, and a node selector.
+The `Module` custom resource definition (CRD) represents a kernel module that can be loaded on all or select nodes in the cluster, through a kmod image. A `Module` custom resource (CR) specifies one or more kernel versions with which it is compatible, and a node selector.
 
-The compatible versions for a `Module` resource are listed under `.spec.moduleLoader.container.kernelMappings`.
-A kernel mapping can either match a `literal` version, or use `regexp` to match many of them at the same time.
+The compatible versions for a `Module` resource are listed under `.spec.moduleLoader.container.kernelMappings`. A kernel mapping can either match a `literal` version, or use `regexp` to match many of them at the same time.
 
 The reconciliation loop for the `Module` resource runs the following steps:
 
 . List all nodes matching `.spec.selector`.
 . Build a set of all kernel versions running on those nodes.
 . For each kernel version:
- .. Go through `.spec.moduleLoader.container.kernelMappings` and find the appropriate container image name. If the kernel mapping has `build` or `sign` defined and the container image does not already exist, run the build, the signing job, or both, as needed.
-.. Create a module loader daemon set with the container image determined in the previous step.
-.. If `.spec.devicePlugin` is defined, create a device plugin daemon set using the configuration specified under `.spec.devicePlugin.container`.
+ .. Go through `.spec.moduleLoader.container.kernelMappings` and find the appropriate container image name.
+ If the kernel mapping has `build` or `sign` defined and the container image does not already exist, run the build, the signing pod, or both, as needed.
+ .. Create a worker pod to pull the container image determined in the previous step and run `modprobe`.
+ .. If `.spec.devicePlugin` is defined, create a device plugin daemon set using the configuration specified under `.spec.devicePlugin.container`.
 . Run `garbage-collect` on:
- .. Existing daemon set resources targeting kernel versions that are not run by any node in the cluster.
- .. Successful build jobs.
- .. Successful signing jobs.
+ .. Obsolete device plugin `DaemonSets` that do not target any node.
+ .. Successful build pods.
+ .. Successful signing pods.

modules/kmm-creating-moduleloader-image.adoc

@@ -6,21 +6,18 @@
 [id="kmm-deploy-kernel-modules_{context}"]
 = Kernel module deployment
 
-For each `Module` resource, Kernel Module Management (KMM) can create a number of `DaemonSet` resources:
+Kernel Module Management (KMM) monitors `Node` and `Module` resources in the cluster to determine if a kernel module should be loaded on or unloaded from a node.
 
-* One ModuleLoader `DaemonSet` per compatible kernel version running in the cluster.
-* One device plugin `DaemonSet`, if configured.
+To be eligible for a module, a node must contain the following:
 
-The module loader daemon set resources run ModuleLoader images to load kernel modules.
-A module loader image is an OCI image that contains the `.ko` files and both the `modprobe` and `sleep` binaries.
+* Labels that match the module's `.spec.selector` field.
+* A kernel version matching one of the items in the module's `.spec.moduleLoader.container.kernelMappings` field.
+* If ordered upgrade (`ordered_upgrade.md`) is configured in the module, a label that matches its `.spec.moduleLoader.container.version` field.
 
-When the module loader pod is created, the pod runs `modprobe` to insert the specified module into the kernel.
-It then enters a sleep state until it is terminated.
-When that happens, the `ExecPreStop` hook runs `modprobe -r` to unload the kernel module.
+When KMM reconciles nodes with the desired state as configured in the `Module` resource, it creates worker pods on the target nodes to run the necessary action. The KMM Operator monitors the outcome of the pods and records the information. The Operator uses this information to label the `Node` objects when the module is successfully loaded, and to run the device plugin, if configured.
 
-If the `.spec.devicePlugin` attribute is configured in a `Module` resource, then KMM creates a link:https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/[device plugin]
-daemon set in the cluster.
-That daemon set targets:
+Worker pods run the KMM `worker` binary that performs the following tasks:
 
-* Nodes that match the `.spec.selector` of the `Module` resource.
-* Nodes with the kernel module loaded (where the module loader pod is in the `Ready` condition).
+ * Pulls the kmod image configured in the `Module` resource. Kmod images are standard OCI images that  contain `.ko` files.
+ * Extracts the image in the pod's filesystem.
+ * Runs `modprobe` with the specified arguments to perform the necessary action.

modules/kmm-deploying-modules.adoc

@@ -6,7 +6,7 @@
 [id="kmm-firmware-support_{context}"]
 = KMM firmware support
 
-Kernel modules sometimes need to load firmware files from the file system. KMM supports copying firmware files from the ModuleLoader image to the node's file system.
+Kernel modules sometimes need to load firmware files from the file system. KMM supports copying firmware files from the kmod image to the node's file system.
 
 The contents of `.spec.moduleLoader.container.modprobe.firmwarePath` are copied into the `/var/lib/firmware` path on the node before running the `modprobe` command to insert the kernel module.
 

modules/kmm-firmware-support.adoc

@@ -14,7 +14,8 @@
 +
 [source,terminal]
 ----
-$ export MUST_GATHER_IMAGE=$(oc get deployment -n openshift-kmm-hub kmm-operator-hub-controller -ojsonpath='{.spec.template.spec.containers[?(@.name=="manager")].env[?(@.name=="RELATED_IMAGES_MUST_GATHER")].value}')
+$ export MUST_GATHER_IMAGE=$(oc get deployment -n openshift-kmm-hub kmm-operator-hub-controller -ojsonpath='{.spec.template.spec.containers[?(@.name=="manager")].env[?(@.name=="RELATED_IMAGE_MUST_GATHER")].value}')
+$ oc adm must-gather --image="${MUST_GATHER_IMAGE}" -- /usr/bin/gather -u
 ----
 +
 [NOTE]