TELCODOCS-2005: Add topics to Telco Day 2 Troubleshooting and Maintenance

Author: amolnar-rh

_topic_maps/_topic_map.yml

@@ -3444,14 +3444,14 @@ Topics:
       File: telco-troubleshooting-general-troubleshooting
     - Name: Cluster maintenance
       File: telco-troubleshooting-cluster-maintenance
-#    - Name: Security
-#      File: telco-troubleshooting-security
-#    - Name: Certificate maintenance
-#      File: telco-troubleshooting-cert-maintenance
-#    - Name: Machine Config Operator
-#      File: telco-troubleshooting-mco
-#    - Name: Bare-metal node maintenance
-#      File: telco-troubleshooting-bmn-maintenance
+    - Name: Security
+      File: telco-troubleshooting-security
+    - Name: Certificate maintenance
+      File: telco-troubleshooting-cert-maintenance
+    - Name: Machine Config Operator
+      File: telco-troubleshooting-mco
+    - Name: Bare-metal node maintenance
+      File: telco-troubleshooting-bmn-maintenance
 ---
 Name: Specialized hardware and driver enablement
 Dir: hardware_enablement

edge_computing/day_2_core_cnf_clusters/troubleshooting/telco-troubleshooting-bmn-maintenance.adoc

@@ -0,0 +1,29 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="telco-troubleshooting-bmn-maintenance"]
+= Bare-metal node maintenance
+include::_attributes/common-attributes.adoc[]
+:context: telco-troubleshooting-bmn-maintenance
+
+toc::[]
+
+You can connect to a node for general troubleshooting.
+However, in some cases, you need to perform troubleshooting or maintenance tasks on certain hardware components.
+This section discusses topics that you need to perform that hardware maintenance.
+
+include::modules/telco-troubleshooting-bmn-connect-to-node.adoc[leveloffset=+1]
+include::modules/telco-troubleshooting-bmn-move-apps-to-pods.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../nodes/nodes/nodes-nodes-working.adoc#nodes-nodes-working_nodes-nodes-working[Working with nodes]
+
+include::modules/telco-troubleshooting-bmn-replace-dimm.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../storage/index.adoc#storage-overview_storage-overview[{product-title} storage overview]
+
+include::modules/telco-troubleshooting-bmn-replace-disk.adoc[leveloffset=+1]
+include::modules/telco-troubleshooting-bmn-replace-nw-card.adoc[leveloffset=+1]

edge_computing/day_2_core_cnf_clusters/troubleshooting/telco-troubleshooting-cert-maintenance.adoc

@@ -0,0 +1,66 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="telco-troubleshooting-cert-maintenance"]
+= Certificate maintenance
+include::_attributes/common-attributes.adoc[]
+:context: telco-troubleshooting-cert-maintenance
+
+toc::[]
+
+Certificate maintenance is required for continuous cluster authentication.
+As a cluster administrator, you must manually renew certain certificates, while others are automatically renewed by the cluster.
+
+Learn about certificates in {product-title} and how to maintain them by using the following resources:
+
+* link:https://access.redhat.com/solutions/5018231[Which OpenShift certificates do rotate automatically and which do not in Openshift 4.x?]
+* link:https://access.redhat.com/solutions/7000968[Checking etcd certificate expiry in OpenShift 4]
+
+include::modules/telco-troubleshooting-certs-manual.adoc[leveloffset=+1]
+include::modules/telco-troubleshooting-certs-manual-proxy.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../security/certificate_types_descriptions/proxy-certificates.adoc#cert-types-proxy-certificates[Proxy certificates]
+
+include::modules/telco-troubleshooting-certs-manual-user-provisioned.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../security/certificate_types_descriptions/user-provided-certificates-for-api-server.adoc#cert-types-user-provided-certificates-for-the-api-server[User-provisioned certificates for the API server]
+
+include::modules/telco-troubleshooting-certs-auto.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../security/certificate_types_descriptions/service-ca-certificates.adoc#cert-types-service-ca-certificates_cert-types-service-ca-certificates[Service CA certificates]
+* xref:../../../security/certificate_types_descriptions/node-certificates.adoc#cert-types-node-certificates_cert-types-node-certificates[Node certificates]
+* xref:../../../security/certificate_types_descriptions/bootstrap-certificates.adoc#cert-types-bootstrap-certificates_cert-types-bootstrap-certificates[Bootstrap certificates]
+* xref:../../../security/certificate_types_descriptions/etcd-certificates.adoc#cert-types-etcd-certificates-cert-types-etcd-certificates[etcd certificates]
+* xref:../../../security/certificate_types_descriptions/olm-certificates.adoc#cert-types-olm-certificates_cert-types-olm-certificates[OLM certificates]
+* xref:../../../security/certificate_types_descriptions/machine-config-operator-certificates.adoc#cert-types-machine-config-operator-certificates_cert-types-machine-config-operator-certificates[Machine Config Operator certificates]
+* xref:../../../security/certificate_types_descriptions/monitoring-and-cluster-logging-operator-component-certificates.adoc#cert-types-monitoring-and-cluster-logging-operator-component-certificates_cert-types-monitoring-and-cluster-logging-operator-component-certificates[Monitoring and cluster logging Operator component certificates]
+* xref:../../../security/certificate_types_descriptions/control-plane-certificates.adoc#cert-types-control-plane-certificates_cert-types-control-plane-certificates[Control plane certificates]
+* xref:../../../security/certificate_types_descriptions/ingress-certificates.adoc#cert-types-ingress-certificates_cert-types-ingress-certificates[Ingress certificates]
+
+include::modules/telco-troubleshooting-certs-auto-etcd.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../security/certificate_types_descriptions/etcd-certificates.adoc#cert-types-etcd-certificates_cert-types-etcd-certificates[etcd certificates]
+
+include::modules/telco-troubleshooting-certs-auto-node.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../security/certificate_types_descriptions/node-certificates.adoc#cert-types-node-certificates_cert-types-node-certificates[Node certificates]
+
+include::modules/telco-troubleshooting-certs-auto-service-ca.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../security/certificate_types_descriptions/service-ca-certificates.adoc#cert-types-service-ca-certificates_cert-types-service-ca-certificates[Service CA certificates]

edge_computing/day_2_core_cnf_clusters/troubleshooting/telco-troubleshooting-mco.adoc

@@ -0,0 +1,20 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="telco-troubleshooting-mco"]
+= Machine Config Operator
+include::_attributes/common-attributes.adoc[]
+:context: telco-troubleshooting-mco
+
+toc::[]
+
+The Machine Config Operator provides useful information to cluster administrators and controls what is running directly on the bare-metal host.
+
+The Machine Config Operator differentiates between different groups of nodes in the cluster, allowing control plane nodes and worker nodes to run with different configurations.
+These groups of nodes run worker or application pods, which are called `MachineConfigPool` (`mcp`) groups.
+The same machine config is applied on all nodes or only on one MCP in the cluster.
+
+For more information about how and why to apply MCPs in a telco core cluster, see xref:../../../edge_computing/day_2_core_cnf_clusters/updating/telco-update-ocp-update-prep.adoc#telco-update-applying-mcp-labels-to-nodes-before-the-update_ocp-update-prep[Applying MachineConfigPool labels to nodes before the update].
+
+For more information about the Machine Config Operator, see xref:../../../operators/operator-reference.adoc#machine-config-operator_cluster-operators-ref[Machine Config Operator].
+
+include::modules/telco-troubleshooting-mco-purpose.adoc[leveloffset=+1]
+include::modules/telco-troubleshooting-mco-apply-several-mcs.adoc[leveloffset=+1]

edge_computing/day_2_core_cnf_clusters/troubleshooting/telco-troubleshooting-security.adoc

@@ -0,0 +1,16 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="telco-troubleshooting-security"]
+= Security
+include::_attributes/common-attributes.adoc[]
+:context: telco-troubleshooting-security
+
+toc::[]
+
+Implementing a robust cluster security profile is important for building resilient telco networks.
+
+include::modules/telco-troubleshooting-security-authentication.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../authentication/understanding-identity-provider.adoc#supported-identity-providers[Supported identity providers]

modules/telco-troubleshooting-bmn-connect-to-node.adoc

@@ -0,0 +1,63 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/troubleshooting/telco-troubleshooting-bmn-maintenance.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="telco-troubleshooting-bmn-connect-to-node_{context}"]
+= Connecting to a bare-metal node in your cluster
+
+You can connect to bare-metal cluster nodes for general maintenance tasks.
+
+[NOTE]
+====
+Configuring the cluster node from the host operating system is not recommended or supported.
+====
+
+To troubleshoot your nodes, you can do the following tasks:
+
+* Retrieve logs from node
+* Use debugging
+* Use SSH to connect to the node
+
+[IMPORTANT]
+====
+Use SSH only if you cannot connect to the node with the `oc debug` command.
+====
+
+.Procedure
+
+. Retrieve the logs from a node by running the following command:
++
+[source,terminal]
+----
+$ oc adm node-logs <node_name> -u crio
+----
+
+. Use debugging by running the following command:
++
+[source,terminal]
+----
+$ oc debug node/<node_name>
+----
+
+. Set `/host` as the root directory within the debug shell. The debug pod mounts the host’s root file system in `/host` within the pod. By changing the root directory to `/host`, you can run binaries contained in the host’s executable paths:
++
+--
+[source,terminal]
+----
+# chroot /host
+----
+
+.Output
+[source,terminal]
+----
+You are now logged in as root on the node
+----
+--
+
+. Optional: Use SSH to connect to the node by running the following command:
++
+[source,terminal]
+----
+$ ssh core@<node_name>
+----

modules/telco-troubleshooting-bmn-move-apps-to-pods.adoc

@@ -0,0 +1,26 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/troubleshooting/telco-troubleshooting-bmn-maintenance.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="telco-troubleshooting-bmn-move-apps-to-pods_{context}"]
+= Moving applications to pods within the cluster
+
+For scheduled hardware maintenance, you need to consider how to move your application pods to other nodes within the cluster without affecting the pod workload.
+
+.Procedure
+
+* Mark the node as unschedulable by running the following command:
++
+[source,terminal]
+----
+$ oc adm cordon <node_name>
+----
+
+When the node is unschedulable, no pods can be scheduled on the node. 
+For more information, see "Working with nodes".
+
+[NOTE]
+====
+When moving CNF applications, you might need to verify ahead of time that there are enough additional worker nodes in the cluster due to anti-affinity and pod disruption budget.
+====

modules/telco-troubleshooting-bmn-replace-dimm.adoc

@@ -0,0 +1,17 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/troubleshooting/telco-troubleshooting-bmn-maintenance.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-troubleshooting-bmn-replace-dimm_{context}"]
+= DIMM memory replacement
+
+Dual in-line memory module (DIMM) problems sometimes only appear after a server reboots.
+You can check the log files for these problems.
+
+When you perform a standard reboot and the server does not start, you can see a message in the console that there is a faulty DIMM memory.
+In that case, you can acknowledge the faulty DIMM and continue rebooting if the remaining memory is sufficient.
+Then, you can schedule a maintenance window to replace the faulty DIMM.
+
+Sometimes, a message in the event logs indicates a bad memory module.
+In these cases, you can schedule the memory replacement before the server is rebooted.

modules/telco-troubleshooting-bmn-replace-disk.adoc

@@ -0,0 +1,14 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/troubleshooting/telco-troubleshooting-bmn-maintenance.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-troubleshooting-bmn-replace-disk_{context}"]
+= Disk replacement
+
+If you do not have disk redundancy configured on your node through hardware or software redundant array of independent disks (RAID), you need to check the following:
+
+* Does the disk contain running pod images?
+* Does the disk contain persistent data for pods?
+
+For more information, see "{product-title} storage overview" in _Storage_.

modules/telco-troubleshooting-bmn-replace-nw-card.adoc

@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/troubleshooting/telco-troubleshooting-bmn-maintenance.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-troubleshooting-bmn-replace-nw-card_{context}"]
+= Cluster network card replacement
+
+When you replace a network card, the MAC address changes.
+The MAC address can be part of the DHCP or SR-IOV Operator configuration, router configuration, firewall rules, or application Cloud-native Network Function (CNF) configuration.
+Before you bring back a node online after replacing a network card, you must verify that these configurations are up-to-date.
+
+[IMPORTANT]
+====
+If you do not have specific procedures for MAC address changes within the network, contact your network administrator or network hardware vendor.
+====