Merge pull request #93880 from mburke5678/mco-on-cluster-layering-reorg

mburke5678 · web-flow · commit 8526b6dc4cd4 · 2025-05-30T20:46:59.000-04:00
MCO on-cluster layering reorg the using OCL module
diff --git a/machine_configuration/mco-coreos-layering.adoc b/machine_configuration/mco-coreos-layering.adoc
@@ -177,12 +177,19 @@ It is strongly recommended that you test your images outside of your production
 include::modules/coreos-layering-configuring-on.adoc[leveloffset=+1]
 
 .Additional resources
+* xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring-on-proc_mco-coreos-layering[Using on-cluster layering to apply a custom layered image]
 * xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring-on-remove_mco-coreos-layering[Removing an on-cluster custom layered image]
 * xref:../updating/updating_a_cluster/update-using-custom-machine-config-pools.adoc#update-using-custom-machine-config-pools-pause_update-using-custom-machine-config-pools[Pausing the machine config pools]
 * xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring-on-rebuild_mco-coreos-layering[Rebuilding an on-cluster custom layered image]
-* xref:../openshift_images/managing_images/using-image-pull-secrets.adoc#images-update-global-pull-secret_using-image-pull-secrets[Updating the global cluster pull secret]
+* xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring-on-revert_mco-coreos-layering[Reverting an on-cluster custom layered image]
 * xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring-on-modifying_mco-coreos-layering[Modifying a custom layered image]
 
+.Additional resources
+include::modules/coreos-layering-configuring-on-proc.adoc[leveloffset=+2]
+
+* xref:../openshift_images/managing_images/using-image-pull-secrets.adoc#images-update-global-pull-secret_using-image-pull-secrets[Updating the global cluster pull secret]
+* xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring-on-revert_mco-coreos-layering[Reverting an on-cluster custom layered image]
+
 include::modules/coreos-layering-configuring-on-modifying.adoc[leveloffset=+2]
 
 .Additional resources
diff --git a/modules/coreos-layering-configuring-on-proc.adoc b/modules/coreos-layering-configuring-on-proc.adoc
@@ -0,0 +1,204 @@
+// Module included in the following assemblies:
+//
+// * machine_configuration/mco-coreos-layering.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="coreos-layering-configuring-on-proc_{context}"]
+= Using on-cluster layering to apply a custom layered image
+
+To apply a custom layered image to your cluster by using the on-cluster build process, create a `MachineOSConfig` custom resource (CR) that specifies the following parameters: 
+
+* the Containerfile to build
+* the machine config pool to associate the build
+* where the final image should be pushed and pulled from
+* the push and pull secrets to use
+
+.Prerequisites
+
+* You have the pull secret in the `openshift-machine-config-operator` namespace that the Machine Config Operator (MCO) needs in order to pull the base operating system image from your repository. By default, the MCO uses the cluster global pull secret, which it synchronizes into the `openshift-machine-config-operator` namespace. You can add your pull secret to the {product-title} global pull secret or you can use a different pull secret. For information on modifying the global pull secret, see "Updating the global cluster pull secret".
+
+* You have the push secret of the registry that the MCO needs to push the new custom layered image to. The credentials provided by the secret must also grant permission to delete an image from the registry.
++
+[NOTE]
+====
+In a disconnected environment, ensure that the disconnected cluster can access the registry where you want to push the image. Image mirroring applies only to pulling images.
+====
+
+* You have the pull secret that your nodes need to pull the new custom layered image from your registry. This should be a different secret than the one used to push the image to the repository.
+
+* You are familiar with how to configure a Containerfile. Instructions on how to create a Containerfile are beyond the scope of this documentation.
+
+* Optional: You have a separate machine config pool for the nodes where you want to apply the custom layered image. One benefit to having a custom machine config pool for the nodes it that you can easily revert to the base image, if needed. For more information, see "Reverting an on-cluster layered node".
+
+.Procedure
+
+. Create a `MachineOSconfig` object:
+
+.. Create a YAML file similar to the following:
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1 <1>
+kind: MachineOSConfig
+metadata:
+  name: layered-image <2>
+spec:
+  machineConfigPool:
+    name: layered <3>
+  containerFile: # <4>
+  - containerfileArch: NoArch <5>
+    content: |-
+      FROM configs AS final
+      RUN dnf install -y cowsay && \
+        dnf clean all && \
+        ostree container commit
+  imageBuilder: # <6>
+    imageBuilderType: Job
+  baseImagePullSecret: # <7>
+    name: global-pull-secret-copy
+  renderedImagePushSpec: image-registry.openshift-image-registry.svc:5000/openshift/os-image:latest  # <8>
+  renderedImagePushSecret: # <9>
+    name: builder-dockercfg-mtcl23
+----
+<1> Specifies the `machineconfiguration.openshift.io/v1` API that is required for `MachineConfig` CRs.
+<2> Specifies a name for the `MachineOSConfig` object. This name is used with other on-cluster layering resources. The examples in this documentation use the name `layered-image`. 
+<3> Specifies the name of the machine config pool associated with the nodes where you want to deploy the custom layered image. The examples in this documentation use the `layered` machine config pool.
+<4> Specifies the Containerfile to configure the custom layered image.
+<5> Specifies the architecture this containerfile is to be built for: `ARM64`, `AMD64`, `PPC64LE`, `S390X`, or `NoArch`. The default is `NoArch`, which defines a Containerfile that can be applied to any architecture. 
+<6> Specifies the name of the image builder to use. This must be `Job`, which is a reference to the `job` object that is managing the image build.
+<7> Optional: Specifies the name of the pull secret that the MCO needs to pull the base operating system image from the registry. By default, the global pull secret is used.
+<8> Specifies the image registry to push the newly-built custom layered image to. This can be any registry that your cluster has access to in the `host[:port][/namespace]/name` or `svc_name.namespace.svc[:port]/repository/name:<tag>` format. This example uses the internal {product-title} registry. You can specify a mirror registry if you cluster is properly configured to use a mirror registry.
+<9> Specifies the name of the push secret that the MCO needs to push the newly-built custom layered image to that registry.
+
+.. Create the `MachineOSConfig` object:
++
+[source,terminal]
+----
+$ oc create -f <filename>.yaml
+----
+
+. If necessary, when the `MachineOSBuild` object has been created and is in the `READY` state, modify the node spec for the nodes where you want to use the new custom layered image:
++
+.. Check that the `MachineOSBuild` object is ready, by running the following command:
++
+[source,terminal]
+----
+$ oc get machineosbuild
+----
++
+When the `SUCCEEDED` value is `True`, the build is complete:
++
+.Example output showing that the `MachineOSBuild` object is ready
+[source,terminal]
+----
+NAME                                                     PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED   AGE
+layered-image-ad5a3cad36303c363cf458ab0524e7c0-builder   False      False      True        False         False    43s
+----
+
+.. Edit the nodes where you want to deploy the custom layered image by adding a label for the machine config pool you specified in the `MachineOSConfig` object:
++
+[source,terminal]
+----
+$ oc label node <node_name> 'node-role.kubernetes.io/<mcp_name>='
+----
++
+--
+where:
+
+node-role.kubernetes.io/<mcp_name>=:: Specifies a node selector that identifies the nodes to deploy the custom layered image. 
+--
++
+When you save the changes, the MCO drains, cordons, and reboots the nodes. After the reboot, the node uses the new custom layered image.
+
+.Verification
+
+. Verify that the new pods are ready by running the following command:
++
+[source,terminal]
+----
+$ oc get pods -n openshift-machine-config-operator
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                                                    READY   STATUS    RESTARTS   AGE
+build-layered-image-ad5a3cad36303c363cf458ab0524e7c0-hxrws              2/2     Running   0          2m40s # <1>
+# ...
+machine-os-builder-6fb66cfb99-zcpvq                                     1/1     Running   0          2m42s # <2>
+----
+<1> This is the build pod where the custom layered image is building, named in the `build-<MachineOSConfig_CR_name>-<hash>` format.
+<2> This pod can be used for troubleshooting.
+
+. Verify the current stage of your layered build by running the following command:
++
+[source,terminal]
+----
+$ oc get machineosbuilds
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                             PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED   AGE
+layered-image-ad5a3cad36303c363cf458ab0524e7c0   False      True       False       False         False    12m <1> 
+----
+<1> The `MachineOSBuild` is named in the `<MachineOSConfig_CR_name>-<hash>` format.
+
+. Verify that the `MachineOSConfig` object contains a reference to the new custom layered image by running the following command:
++
+[source,terminal]
+----
+$ oc describe machineosconfig <object_name>
+----
++
+.Example digested image pull spec
+[source,terminal]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineOSConfig
+metadata:
+  annotations:
+    machineconfiguration.openshift.io/current-machine-os-build: layered-9a8f89455246fa0c42ecee6ff1fa1a45
+  labels:
+    machineconfiguration.openshift.io/createdByOnClusterBuildsHelper: ""
+  name: layered-image
+# ...
+status:
+  currentImagePullSpec: image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-image@sha256:3c8fc667adcb432ce0c83581f16086afec08a961dd28fed69bb6bad6db0a0754 <1>
+----
+<1> Digested image pull spec for the new custom layered image.
+
+. Verify that the appropriate nodes are using the new custom layered image:
+
+.. Start a debug session as root for a control plane node by running the following command:
++
+[source,terminal]
+----
+$ oc debug node/<node_name>
+----
+
+.. Set `/host` as the root directory within the debug shell:
++
+[source,terminal]
+----
+sh-4.4# chroot /host
+----
+
+.. Run the `rpm-ostree status` command to view that the custom layered image is in use:
++
+[source,terminal]
+----
+sh-5.1# rpm-ostree status
+----
++
+.Example output
+[source,terminal]
+----
+# ...
+Deployments:
+* ostree-unverified-registry:image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-images@sha256:3c8fc667adcb432ce0c83581f16086afec08a961dd28fed69bb6bad6db0a0754
+                   Digest: sha256:3c8fc667adcb432ce0c83581f16086afec08a961dd28fed69bb6bad6db0a0754 <1>
+                  Version: 419.94.202502100215-0 (2025-02-12T19:20:44Z)
+----
+<1> Digested image pull spec for the new custom layered image.
diff --git a/modules/coreos-layering-configuring-on.adoc b/modules/coreos-layering-configuring-on.adoc
