Remove file

Michael Burke · Michael Burke · commit 8973f3ed1dd6 · 2025-07-16T15:36:40.000-04:00
diff --git a/modules/coreos-layering-configuring-on.adoc b/modules/coreos-layering-configuring-on.adoc
@@ -1,54 +1,70 @@
 // Module included in the following assemblies:
 //
-// * machine_configuration/coreos-layering.adoc
+// * machine_configuration/mco-coreos-layering.adoc
 
-:_mod-docs-content-type: PROCEDURE
+:_mod-docs-content-type: CONCEPT
 [id="coreos-layering-configuring-on_{context}"]
-= Using on-cluster layering to apply a custom layered image
+= About {image-mode-os-on-lower}
 
-To apply a custom layered image to your cluster by using the on-cluster build process, make a `MachineOSConfig` custom resource (CR) that specifies the following parameters: 
+You can use the {image-mode-os-lower} on-cluster build process to apply a custom layered image to your nodes by creating a `MachineOSConfig` custom resource (CR), as described in "Using {image-mode-os-on-caps} to apply a custom layered image". 
 
-* the Containerfile to build
-* the machine config pool to associate the build
-* where the final image should be pushed and pulled from
-* the push and pull secrets to use
-
-When you create the object, the Machine Config Operator (MCO) creates a `MachineOSBuild` object and a builder pod. The build process also creates transient objects, such as config maps, which are cleaned up after the build is complete. The `MachineOSBuild` object and the associated `builder-*` pod use the same naming scheme, `<MachineOSConfig_CR_name>-<hash>`, for example:
+When you create the object, the Machine Config Operator (MCO) creates a `MachineOSBuild` object and a builder pod. The process also creates transient objects, such as config maps, which are cleaned up after the build is complete. The `MachineOSBuild` object and the associated `builder-*` pod use the same naming scheme, `<MachineOSConfig_CR_name>-<hash>`, for example:
 
 .Example `MachineOSBuild` object
 [source,terminal]
 ----
-NAME                                       PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED
-layered-c8765e26ebc87e1e17a7d6e0a78e8bae   False      False      True        False         False
+NAME                                             PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED
+layered-image-c8765e26ebc87e1e17a7d6e0a78e8bae   False      False      True        False         False
 ----
 
 .Example builder pod
 [source,terminal]
 ----
-NAME                                                READY   STATUS      RESTARTS        AGE
-build-layered-c8765e26ebc87e1e17a7d6e0a78e8bae      2/2     Running     0               11m
+NAME                                                      READY   STATUS      RESTARTS        AGE
+build-layered-image-c8765e26ebc87e1e17a7d6e0a78e8bae      2/2     Running     0               11m
 ----
 
-When the build is complete, the MCO pushes the new custom layered image to your repository and rolled out to the nodes in the associated machine config pool. You can see the digested image pull spec for the new custom layered image in the `MachineOSBuild` object and `machine-os-builder` pod.
+You should not need to interact with these new objects or the `machine-os-builder` pod. However, you can use all of these resources for troubleshooting, if necessary.
+
+When the build is complete, the MCO pushes the new custom layered image to your repository and rolls the image out to the nodes in the associated machine config pool. You can see the digested image pull spec for the new custom layered image in the `MachineOSConfig` object. This is now the active image pull spec for this `MachineOSConfig`.
+
+.Example digested image pull spec
+[source,terminal]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineOSConfig
+metadata:
+  annotations:
+    machineconfiguration.openshift.io/current-machine-os-build: layered-9a8f89455246fa0c42ecee6ff1fa1a45
+  labels:
+    machineconfiguration.openshift.io/createdByOnClusterBuildsHelper: ""
+  name: layered-image
+# ...
+status:
+  currentImagePullSpec: image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-image@sha256:3c8fc667adcb432ce0c83581f16086afec08a961dd28fed69bb6bad6db0a0754
+----
 
 [TIP]
 ====
 You can test a `MachineOSBuild` object to make sure it builds correctly without rolling out the custom layered image to active nodes by using a custom machine config pool that contains non-production nodes. Alternatively, you can use a custom machine config pool that has no nodes. The `MachineOSBuild` object builds even if there are no nodes for the MCO to deploy the custom layered image onto.
 ====
 
-You should not need to interact with these new objects or the `machine-os-builder` pod. However, you can use all of these resources for troubleshooting, if necessary.
+You can apply a custom layered image to any machine config pool in your cluster, including the control plane, worker, or custom pools.
 
-You need a separate `MachineOSConfig` CR for each machine config pool where you want to use a custom layered image.
+[NOTE]
+====
+For {sno} clusters, you can apply a custom layered image to the control plane node only.
+====
 
 include::snippets//coreos-layering-configuring-on-pause.adoc[]
 
-In the case of a build failure, for example due to network issues or an invalid secret, the MCO retries the build three additional times before the job fails. The MCO creates a different build pod for each build attempt. You can use the build pod logs to troubleshoot any build failures. However, the MCO automatically removes these build pods after a short period of time. 
+In the case of a build failure, for example due to network issues or an invalid secret, the MCO retries the build three additional times before the job fails. The MCO creates a different build pod for each build attempt. You can use the build pod logs to troubleshoot any build failures. Note that the MCO automatically removes these build pods after a short period of time. 
 
 .Example failed `MachineOSBuild` object
 [source,terminal]
 ----
-NAME                                       PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED
-layered-c8765e26ebc87e1e17a7d6e0a78e8bae   False      False      False        False        True
+NAME                                             PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED   AGE
+layered-image-c8765e26ebc87e1e17a7d6e0a78e8bae   False      False      False        False        True     12m
 ----
 
 You can manually rebuild your custom layered image by either modifying your `MachineOSConfig` object or applying an annotation to the `MachineOSConfig` object. For more information, see "Rebuilding an on-cluster custom layered image".
@@ -59,221 +75,17 @@ You can modify an on-custom layered image as needed, to install additional packa
 
 [discrete]
 [id="coreos-layering-configuring-on-limitations_{context}"]
-== On-cluster layering known limitations
+== {image-mode-os-on-caps} known limitations
 
 Note the following limitations when working with the on-cluster layering feature:
 
-* On-cluster layering is supported only for {product-title} clusters on the AMD64 architecture.
-* On-cluster layering is not supported on multi-architecture compute machines, or {sno} clusters.
+* {image-mode-os-on-caps} is not supported on multi-architecture compute machines.
+* Using multiple `MachineOSConfig` objects on the same machine config pool is not supported. You need a separate `MachineOSConfig` CR for each machine config pool where you want to use a distinct custom layered image. 
 * If you scale up a machine set that uses a custom layered image, the nodes reboot two times. The first, when the node is initially created with the base image and a second time when the custom layered image is applied.
 * Node disruption policies are not supported on nodes with a custom layered image. As a result the following configuration changes cause a node reboot:
 ** Modifying the configuration files in the `/var` or `/etc` directory
 ** Adding or modifying a systemd service
 ** Changing SSH keys
 ** Removing mirroring rules from `ICSP`, `ITMS`, and `IDMS` objects
 ** Changing the trusted CA, by updating the `user-ca-bundle` configmap in the `openshift-config` namespace
-* The images used in creating custom layered images take up space in your push registry. Always be aware of the free space in your registry and prune the images as needed. You can automatically remove an on-cluster custom layered image from the repository by deleting the MachineOSBuild object that created the image. Note that the credentials provided by the registry push secret must also grant permission to delete an image from the registry. For more information, see "Removing an on-cluster custom layered image".
-
-.Prerequisites
-
-* You have a copy of the pull secret in the `openshift-machine-config-operator` namespace that the MCO needs to pull the base operating system image.
-+
-For example, if you are using the global pull secret, you can run the following command:
-+
-[source,terminal]
-----
-$oc create secret docker-registry global-pull-secret-copy \
-  --namespace "openshift-machine-config-operator" \
-  --from-file=.dockerconfigjson=<(oc get secret/pull-secret -n openshift-config -o go-template='{{index .data ".dockerconfigjson" | base64decode}}')
-----
-// https://issues.redhat.com/browse/OCPBUGS-42013
-
-// Not in 4.18; maybe in 4.19
-// If you are using the global pull secret, the MCO automatically creates a copy when you first create a `MachineOSconfig` object.
-
-* You have the push secret of the registry that the MCO needs to push the new custom layered image to.
-
-* You have a pull secret that your nodes need to pull the new custom layered image from your registry. This should be a different secret than the one used to push the image to the repository.
-
-* You are familiar with how to configure a Containerfile. Instructions on how to create a Containerfile are beyond the scope of this documentation.
-
-* Optional: You have a separate machine config pool for the nodes where you want to apply the custom layered image. One benefit to having a custom machine config pool for the nodes it that you can easily revert to the base image, if needed. For more information, see "Reverting an on-cluster layered node".
-
-.Procedure
-
-. Create a `MachineOSconfig` object:
-
-.. Create a YAML file similar to the following:
-+
-[source,yaml]
-----
-apiVersion: machineconfiguration.openshift.io/v1 <1>
-kind: MachineOSConfig
-metadata:
-  name: layered <2>
-spec:
-  machineConfigPool:
-    name: layered <3>
-  containerFile: # <4>
-  - containerfileArch: NoArch <5>
-    content: |-
-      FROM configs AS final
-      RUN dnf install -y cowsay && \
-        dnf clean all && \
-        ostree container commit
-  imageBuilder: # <6>
-    imageBuilderType: Job
-  baseImagePullSecret: # <7>
-    name: global-pull-secret-copy
-  renderedImagePushSpec: image-registry.openshift-image-registry.svc:5000/openshift/os-image:latest  # <8>
-  renderedImagePushSecret: # <9>
-    name: builder-dockercfg-mtcl23
-----
-<1> Specifies the `machineconfiguration.openshift.io/v1` API that is required for `MachineConfig` CRs.
-<2> Specifies a name for the `MachineOSConfig` object. This name is used with other [image-mode-os-on-lower] resources. The examples in this documentation use the name `layered`. 
-<3> Specifies the name of the machine config pool associated with the nodes where you want to deploy the custom layered image. The examples in this documentation use the `layered` machine config pool.
-<4> Specifies the Containerfile to configure the custom layered image.
-<5> Specifies the architecture this containerfile is to be built for: `ARM64`, `AMD64`, `PPC64LE`, `S390X`, or `NoArch`. The default is `NoArch`, which defines a Containerfile that can be applied to any architecture. 
-<6> Specifies the name of the image builder to use. This must be `Job`, which is a reference to the `job` object that is managing the image build.
-<7> Optional: Specifies the name of the pull secret that the MCO needs to pull the base operating system image from the registry. By default, the global pull secret is used.
-<8> Specifies the image registry to push the newly-built custom layered image to. This can be any registry that your cluster has access to in the `host[:port][/namespace]/name` or `svc_name.namespace.svc[:port]/repository/name:<tag>` format. This example uses the internal {product-title} registry. You can specify a mirror registry if you cluster is properly configured to use a mirror registry.
-<9> Specifies the name of the push secret that the MCO needs to push the newly-built custom layered image to that registry.
-
-.. Create the `MachineOSConfig` object:
-+
-[source,terminal]
-----
-$ oc create -f <file_name>.yaml
-----
-
-. If necessary, when the `MachineOSBuild` object has been created and is in the `READY` state, modify the node spec for the nodes where you want to use the new custom layered image:
-+
-.. Check that the `MachineOSBuild` object is `READY`. When the `SUCCEEDED` value is `True`, the build is complete.
-+
-[source,terminal]
-----
-$ oc get machineosbuild
-----
-+
-.Example output showing that the `MachineOSBuild` object is ready
-[source,terminal]
-----
-NAME                                               PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED
-layered-ad5a3cad36303c363cf458ab0524e7c0-builder   False      False      True        False         False
-----
-
-.. Edit the nodes where you want to deploy the custom layered image by adding a label for the machine config pool you specified in the `MachineOSConfig` object:
-+
-[source,terminal]
-----
-$ oc label node <node_name> 'node-role.kubernetes.io/<mcp_name>='
-----
-+
---
-where:
-
-node-role.kubernetes.io/<mcp_name>=:: Specifies a node selector that identifies the nodes to deploy the custom layered image. 
---
-+
-When you save the changes, the MCO drains, cordons, and reboots the nodes. After the reboot, the node will be using the new custom layered image.
-
-.Verification
-
-. Verify that the new pods are ready by running the following command:
-+
-[source,terminal]
-----
-$ oc get pods -n openshift-machine-config-operator
-----
-+
-.Example output
-[source,terminal]
-----
-NAME                                                              READY   STATUS    RESTARTS   AGE
-build-layered-ad5a3cad36303c363cf458ab0524e7c0-hxrws              2/2     Running   0          2m40s # <1>
-# ...
-machine-os-builder-6fb66cfb99-zcpvq                               1/1     Running   0          2m42s # <2>
-----
-<1> This is the build pod where the custom layered image is building, named in the `build-<MachineOSConfig_CR_name>-<hash>` format.
-<2> This pod can be used for troubleshooting.
-
-. Verify that the `MachineOSConfig` object contains a reference to the new custom layered image by running the following command:
-+
-[source,terminal]
-----
-$ oc get machineosbuilds
-----
-+
-.Example output
-[source,terminal]
-----
-NAME                                       PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED
-layered-ad5a3cad36303c363cf458ab0524e7c0   False      True       False       False         False <1>
-----
-<1> The `MachineOSBuild` is named in the `<MachineOSConfig_CR_name>-<hash>` format.
-
-. Verify that the `MachineOSBuild` object contains a reference to the new custom layered image by running the following command:
-+
-[source,terminal]
-----
-$ oc describe machineosbuild <object_name>
-----
-+
-.Example output
-[source,yaml]
-----
-Name:         layered-ad5a3cad36303c363cf458ab0524e7c0
-# ...
-API Version:  machineconfiguration.openshift.io/v1
-Kind:         MachineOSBuild
-# ...
-Spec:
-  Config Generation:  1
-  Desired Config:
-    Name:  rendered-layered-ad5a3cad36303c363cf458ab0524e7c0
-  Machine OS Config:
-    Name:                   layered
-  Rendered Image Pushspec:  image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-images:layered-ad5a3cad36303c363cf458ab0524e7c0
-# ...
-    Last Transition Time:  2025-02-12T19:21:28Z
-    Message:               Build Ready
-    Reason:                Ready
-    Status:                True
-    Type:                  Succeeded
-  Final Image Pullspec:    image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-images@sha256:312e48825e074b01a913deedd6de68abd44894ede50b2d14f99d722f13cda04b <1>
-----
-<1> Digested image pull spec for the new custom layered image.
-
-. Verify that the appropriate nodes are using the new custom layered image:
-
-.. Start a debug session as root for a control plane node:
-+
-[source,terminal]
-----
-$ oc debug node/<node_name>
-----
-
-.. Set `/host` as the root directory within the debug shell:
-+
-[source,terminal]
-----
-sh-4.4# chroot /host
-----
-
-.. Run the `rpm-ostree status` command to view that the custom layered image is in use:
-+
-[source,terminal]
-----
-sh-5.1# rpm-ostree status
-----
-+
-.Example output
-[source,terminal]
-----
-# ...
-Deployments:
-* ostree-unverified-registry:image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-images@sha256:312e48825e074b01a913deedd6de68abd44894ede50b2d14f99d722f13cda04b
-                   Digest: sha256:312e48825e074b01a913deedd6de68abd44894ede50b2d14f99d722f13cda04b <1>
-                  Version: 418.94.202502100215-0 (2025-02-12T19:20:44Z)
-----
-<1> Digested image pull spec for the new custom layered image.
+* The images used in creating custom layered images take up space in your push registry. Always be aware of the free space in your registry and prune the images as needed. You can automatically remove an on-cluster custom layered image from the repository by deleting the `MachineOSBuild` object that created the image. Note that the credentials provided by the registry push secret must also grant permission to delete an image from the registry. For more information, see "Removing an on-cluster custom layered image".
