Merge pull request #87486 from mburke5678/mco-on-cluster-layering-ga

OSDOCS:13346 On Cluster Layering: Phase 3 (GA)

Author: mburke5678

machine_configuration/mco-coreos-layering.adoc

@@ -30,11 +30,6 @@ As soon as you apply the custom layered image to your cluster, you effectively _
 There are two methods for deploying a custom layered image onto your nodes:
 
 On-cluster layering:: With xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring-on_mco-coreos-layering[on-cluster layering], you create a `MachineOSConfig` object where you include the Containerfile and other parameters. The build is performed on your cluster and the resulting custom layered image is automatically pushed to your repository and applied to the machine config pool that you specified in the `MachineOSConfig` object. The entire process is performed completely within your cluster.
-+
---
-:FeatureName: On-cluster image layering
-include::snippets/technology-preview.adoc[]
---
 
 Out-of-cluster layering:: With xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring_mco-coreos-layering[out-of-cluster layering], you create a Containerfile that references an {product-title} image and the RPM that you want to apply, build the layered image in your own environment, and push the image to your repository. Then, in your cluster, create a `MachineConfig` object for the targeted node pool that points to the new image. The Machine Config Operator overrides the base {op-system} image, as specified by the `osImageURL` value in the associated machine config, and boots the new image.
 
@@ -182,9 +177,11 @@ It is strongly recommended that you test your images outside of your production
 include::modules/coreos-layering-configuring-on.adoc[leveloffset=+1]
 
 .Additional resources
-* xref:../nodes/clusters/nodes-cluster-enabling-features.adoc#nodes-cluster-enabling[Enabling features using feature gates]
-* xref:../updating/updating_a_cluster/update-using-custom-machine-config-pools.adoc#update-using-custom-machine-config-pools-pause_update-using-custom-machine-config-pools[Pausing the machine config pools]
 * xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring-on-remove_mco-coreos-layering[Removing an on-cluster custom layered image]
+* xref:../updating/updating_a_cluster/update-using-custom-machine-config-pools.adoc#update-using-custom-machine-config-pools-pause_update-using-custom-machine-config-pools[Pausing the machine config pools]
+* xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring-on-rebuild_mco-coreos-layering[Rebuilding an on-cluster custom layered image]
+* xref:../openshift_images/managing_images/using-image-pull-secrets.adoc#images-update-global-pull-secret_using-image-pull-secrets[Updating the global cluster pull secret]
+* xref:../machine_configuration/mco-coreos-layering.adoc#coreos-layering-configuring-on-modifying_mco-coreos-layering[Modifying a custom layered image]
 
 include::modules/coreos-layering-configuring-on-modifying.adoc[leveloffset=+2]
 
@@ -200,8 +197,7 @@ include::modules/coreos-layering-configuring-on-extensions.adoc[leveloffset=+2]
 * xref:../updating/updating_a_cluster/update-using-custom-machine-config-pools.adoc#update-using-custom-machine-config-pools-pause_update-using-custom-machine-config-pools[Pausing the machine config pools]
 ////
 
-// Not in 4.18; maybe 4.19
-// include::modules/coreos-layering-configuring-on-rebuild.adoc[leveloffset=+2] 
+include::modules/coreos-layering-configuring-on-rebuild.adoc[leveloffset=+2]
 
 include::modules/coreos-layering-configuring-on-revert.adoc[leveloffset=+2]
 

modules/coreos-layering-configuring-on-modifying.adoc

@@ -24,42 +24,37 @@ include::snippets//coreos-layering-configuring-on-pause.adoc[]
 +
 [source,yaml]
 ----
-apiVersion: machineconfiguration.openshift.io/v1alpha1
+apiVersion: machineconfiguration.openshift.io/v1
 kind: MachineOSConfig
 metadata:
-  name: layered
+  name: layered-image
 spec:
   machineConfigPool:
     name: worker
-  buildInputs:
-    containerFile:
-    - containerfileArch: noarch
-      content: |- <1>
-        FROM configs AS final
-
-        RUN rpm-ostree install rng-tools && \
-            systemctl enable rngd && \
-            rpm-ostree cleanup -m && \
-            ostree container commit
-
-        RUN rpm-ostree install tree && \
-            ostree container commit
-    imageBuilder:
-      imageBuilderType: PodImageBuilder
-    baseImagePullSecret:
-      name: global-pull-secret-copy <2>
-    renderedImagePushspec: image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-images:latest <3>
-    renderedImagePushSecret:  <4>
-      name: new-secret-name
-  buildOutputs:
-    currentImagePullSecret:
-      name: new-secret-name <5>
+  containerFile:
+  - containerfileArch: noarch
+    content: |- <1>
+      FROM configs AS final
+
+      RUN rpm-ostree install rng-tools && \
+          systemctl enable rngd && \
+          rpm-ostree cleanup -m && \
+          ostree container commit
+
+      RUN rpm-ostree install tree && \
+          ostree container commit
+  imageBuilder:
+    imageBuilderType: PodImageBuilder
+  baseImagePullSecret:
+    name: global-pull-secret-copy <2>
+  renderedImagePushspec: image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-images:latest <3>
+  renderedImagePushSecret:  <4>
+    name: new-secret-name
 ----
 <1> Optional: Modify the Containerfile, for example to add or remove packages.
 <2> Optional: Update the secret needed to pull the base operating system image from the registry.
 <3> Optional: Modify the image registry to push the newly built custom layered image to.
 <4> Optional: Update the secret needed to push the newly built custom layered image to the registry.
-<5> Optional: Update the secret needed to pull the newly built custom layered image from the registry.
 +
 When you save the changes, the MCO drains, cordons, and reboots the nodes. After the reboot, the node uses the cluster base {op-system-first} image. If your changes modify a secret only, no new build is triggered and no reboot is performed.
 
@@ -75,9 +70,9 @@ $ oc get machineosbuild
 .Example output
 [source,terminal]
 ----
-NAME                                       PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED
-layered-a5457b883f5239cdcb71b57e1a30b6ef   False      False      True        False         False
-layered-f91f0f5593dd337d89bf4d38c877590b   False      True       False       False         False <1>
+NAME                                             PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED   AGE
+layered-image-a5457b883f5239cdcb71b57e1a30b6ef   False      False      True        False         False    4d17h
+layered-image-f91f0f5593dd337d89bf4d38c877590b   False      True       False       False         False    2m41s <1>
 ----
 <1> The value `True` in the `BUILDING` column indicates that the `MachineOSBuild` object is building. When the `SUCCEEDED` column reports `True`, the build is complete.
 

modules/coreos-layering-configuring-on-rebuild.adoc

@@ -0,0 +1,78 @@
+// Module included in the following assemblies:
+//
+// * machine_configuration/coreos-layering.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="coreos-layering-configuring-on-rebuild_{context}"]
+= Rebuilding an on-cluster custom layered image
+
+In situations where you want to rebuild a custom layered image, you can either modify your `MachineOSConfig` object or add an annotation to the `MachineOSConfig` object. Both of these actions trigger an automatic rebuild of the object. For example, you could perform a rebuild if the you change the Containerfile or need to update the `osimageurl` location in a machine config.
+
+After you add the annotation, the Machine Config Operator (MCO) deletes the current `MachineOSBuild` object and creates a new one in its place. When the build process is complete, the MCO automatically removes the annotation.
+
+.Prerequisites
+
+* You have opted-in to on-cluster layering by creating a `MachineOSConfig` object.
+
+.Procedure
+
+* Edit the `MachineOSConfig` object to add the `machineconfiguration.openshift.io/rebuild` annotation by using the following command:
++
+[source,terminal]
+----
+$ oc edit MachineOSConfig <object_name>
+----
++
+.Example `MachineOSConfig` object
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineOSConfig
+metadata:
+  annotations:
+    machineconfiguration.openshift.io/current-machine-os-build: layering-c26d4a003432df70ee66c83981144cfa
+    machineconfiguration.openshift.io/rebuild: "" <1>
+# ...
+  name: layered-image
+# ...
+----
+<1> Add this annotation to trigger a rebuild of the custom layered image.
+
+.Verification
+
+* Check that the `MachineOSBuild` object is building by using the following command:
++
+[source,terminal]
+----
+$ oc get machineosbuild
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                             PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED   AGE
+layered-image-d6b929a29c6dbfa8e4007c8069a2fd08   False      True       False       False         False    2m41s <1>
+----
+<1> The value `True` in the `BUILDING` column indicates that the `MachineOSBuild` object is building.
+
+* Edit the `MachineOSConfig` object to verify that the MCO removed the `machineconfiguration.openshift.io/rebuild` annotation by using the following command:
++
+[source,terminal]
+----
+$ oc edit MachineOSConfig <object_name>
+----
++
+.Example `MachineOSConfig` object
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineOSConfig
+metadata:
+  annotations:
+    machineconfiguration.openshift.io/current-machine-os-build: layering-c26d4a003432df70ee66c83981144cfa
+# ...
+  name: layered-image
+# ...
+----

modules/coreos-layering-configuring-on-revert.adoc

@@ -6,18 +6,19 @@
 [id="coreos-layering-configuring-on-revert_{context}"]
 = Reverting an on-cluster custom layered image
 
-You can revert an on-cluster custom layered image from nodes by removing the label for the machine config pool (MCP) that you specified in the `MachineOSConfig` object. After you remove the label, the Machine Config Operator (MCO) reboots the nodes in that MCP with the cluster base {op-system-first} image, along with any previously-made machine config changes, overriding the custom layered image. 
+If you applied an on-cluster layered image to a node in a custom machine config pool (MCP), you can remove the custom layered image from the node and revert to the base image. 
+
+To revert the node, remove the node from the custom MCP by removing the custom machine config pool label from the node. After you remove the label, the Machine Config Operator (MCO) reboots the node with the cluster base {op-system-first} image, overriding the custom layered image.
 
 [IMPORTANT]
 ====
-If the node where the custom layered image is deployed uses a custom machine config pool, before you remove the label, make sure the node is associated with a second MCP.
+Before you remove the label, make sure the node is associated with another MCP.
 ====
 
-You can reapply the custom layered image to the node by using the `oc label node/<node_name> 'node-role.kubernetes.io/<mcp_name>='` label.
-
 .Prerequisites
 
-* You have opted in to on-cluster layering by creating a `MachineOSConfig` object.
+* You have opted-in to on-cluster layering by creating a `MachineOSConfig` object.
+* You have applied a `MachineOSConfig` object to a node in a custom machine config pool.
 
 .Procedure
 
@@ -32,9 +33,9 @@ When you save the changes, the MCO drains, cordons, and reboots the nodes. After
 
 .Verification
 
-You can verify that the custom layered image is removed by performing the following checks:
+* Verify that the custom layered image is removed by performing any of the following checks:
 
-. Check that the worker machine config pool is updating with the previous machine config:
+** Check that the worker machine config pool is updating with the previous machine config:
 +
 [source,terminal]
 ----
@@ -45,12 +46,14 @@ $ oc get mcp
 [source,terminal]
 ----
 NAME      CONFIG                                              UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
-master    rendered-master-8332482204e0b76002f15ecad15b6c2d    True      False      False      3              3                   3                     0                      5h26m
-worker    rendered-worker-bde4e4206442c0a48b1a1fb35ba56e85    False     True       False      3              2                   2                     0                      5h26m <1>
+layered   rendered-layered-e8c8bc1de69777325003e80bc0c04b82   True      False      False      0              0                   0                     0                      4h20m <1>
+master    rendered-master-50d7bc27ee8b9ca2250383f0647ade7f    True      False      False      3              3                   3                     0                      5h39m
+worker    rendered-worker-e8c8bc1de69777325003e80bc0c04b82    True      False      False      3              3                   3                     0                      5h39m <2>
 ----
-<1> The value `FALSE` in the `UPDATED` column indicates that the `MachineOSBuild` object is building. When the `UPDATED` column reports `FALSE`, the base image has rolled out to the nodes.
+<1> The custom machine config pool no longer has any nodes.
+<2> When the `UPDATING` field is `True`, the machine config pool is updating with the previous machine config. When the field becomes `False`, the worker machine config pool has rolled out to the previous machine config.
 
-. Check the nodes to see that scheduling on the nodes is disabled. This indicates that the change is being applied:
+** Check the nodes to see that scheduling on the nodes is disabled. This indicates that the change is being applied:
 +
 [source,terminal]
 ----
@@ -69,36 +72,35 @@ ip-10-0-211-49.us-west-1.compute.internal    Ready                      control-
 ip-10-0-218-151.us-west-1.compute.internal   Ready                      worker                 31m   v1.32.3
 ----
 
-. When the node is back in the `Ready` state, check that the node is using the base image:
-
-.. Open an `oc debug` session to the node. For example:
+** When the node is back in the `Ready` state, check that the node is using the base image:
++
+. Open an `oc debug` session to the node. For example:
 +
 [source,terminal]
 ----
-$ oc debug node/<node_name>
+$ oc debug node/ip-10-0-155-125.us-west-1.compute.internal
 ----
-
-.. Set `/host` as the root directory within the debug shell:
++
+. Set `/host` as the root directory within the debug shell:
 +
 [source,terminal]
 ----
-sh-5.1# chroot /host
+sh-4.4# chroot /host
 ----
 
-.. Run an `rpm-ostree status` command to view that the base image is in use:
+. Run the `rpm-ostree status` command to view that the base image is in use:
 +
 [source,terminal]
 ----
-sh-5.1# rpm-ostree status
+sh-4.4# rpm-ostree status
 ----
 +
 .Example output
 +
-[source,terminal]
 ----
 State: idle
 Deployments:
-* ostree-unverified-image:containers-storage:quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:76721c875a2b79688be46b1dca654c2c6619a6be28b29a2822cd86c3f9d8e3c1
-                   Digest: sha256:76721c875a2b79688be46b1dca654c2c6619a6be28b29a2822cd86c3f9d8e3c1
-                  Version: 418.94.202501300706-0 (2025-01-30T07:10:58Z)
+* ostree-unverified-registry:registry.build05.ci.openshift.org/ci-ln-qd0hmqk/stable@sha256:a8bd32573f787f6d1c23e1d669abbefd1e31339826d06e750c0ca632ad6c414f
+                   Digest: sha256:a8bd32573f787f6d1c23e1d669abbefd1e31339826d06e750c0ca632ad6c414f
+                  Version: 419.96.202501202201-0 (2025-01-20T22:06:13Z)
 ----