OSDOCS:14467 [GA] Pin and preload images

Author: Michael Burke

_topic_maps/_topic_map.yml

@@ -2352,6 +2352,8 @@ Topics:
   File: machine-config-node-disruption
 - Name: Configuring MCO-related custom resources
   File: machine-configs-custom
+- Name: About preloading and pinning images
+  File: machine-config-pin-preload-images-about
 - Name: Updated boot images
   File: mco-update-boot-images
 - Name: Managing unused rendered machine configs

machine_configuration/machine-config-pin-preload-images-about.adoc

@@ -0,0 +1,33 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="machine-config-pin-preload-images-about"]
+= About pinning and preloading images
+include::_attributes/common-attributes.adoc[]
+:context: machine-config-operator
+
+toc::[]
+
+Slow and unreliable connections to an image registry can interfere with operations that require pulling images, such as updating a cluster or deploying an application. This can include clusters that have low bandwidth, clusters with unreliable internet connectivity, or clusters in a disconnected environment. 
+
+For example, a cluster update might require pulling more than one hundred images. Failure to pull those images could cause retries that can interfere with the update process and might cause the update to fail. One way to improve that is to _preload_ the required images by pulling them in advance, before they are actually needed. Then, by _pinning_ them to a machine config pool, you ensure that the images are available when needed. Pinning and preloading images can provide a more consistent update, which is important when scheduling updates into maintenance windows.
+
+Pinning and preloading images also ensures that the images are available when deploying applications, which allows you to deploy in a predictable time. Another benefit to pinning and preloading images is that image garbage collection does not remove the pinned images.
+
+You can pin and preload images by using a a `PinnedImageSet` custom resource (CR) as described in the following section. Pinned images are stored on the nodes in the `/etc/crio/crio.conf.d/50-pinned-images` file. The contents of the file appear similar to the following example:
+
+[source,terminal]
+----
+[crio]
+  [crio.image]
+    pinned_images = ["quay.io/openshift-release-dev/ocp-release@sha256:4198606580b69c8335ad7ae531c3a74e51aee25db5faaf368234e8c8dae5cbea", "quay.io/openshift-release-dev/ocp-release@sha256:513cf1028aa1a021fa73d0601427a0fbcf6d212b88aaf9d76d4e4841a061e44e", "quay.io/openshift-release-dev/ocp-release@sha256:61eae2d261e54d1b8a0e05f6b5326228b00468364563745eed88460af04f909b"]
+----
+
+Before pulling the images, the Machine Config Operator (MCO) verifies that there is enough space available on each affected node to store the images. If the node has sufficient space, the MCO creates the pinned image file, pulls the images, and reloads CRI-O. If there is not sufficient space, the MCO does not pull the images and presents an error message. 
+
+include::modules/machine-config-pin-preload-images.adoc[leveloffset=+1]
+
+////
+Add link to machine config nodes when available
+[role="_additional-resources"]
+.Additional resources
+* xref:
+////

modules/machine-config-pin-preload-images.adoc

@@ -0,0 +1,139 @@
+// Module included in the following assemblies:
+//
+// * machine_configuration/machine-config-pin-preload-images-about.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="machine-config-pin-preload-images_{context}"]
+= Pinning and preloading images
+
+You can pin and preload images by using a `PinnedImageSet` custom resource (CR). The pinned image set defines the list of images to preload and the machine config pool to which the images should be pinned. 
+
+The images are stored in the the `/etc/crio/crio.conf.d/50-pinned-images` file on the nodes. 
+
+.Procedure
+
+. Create a YAML file that defines the `PinnedImageSet` similar to the following example:
++
+[source,yaml]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: PinnedImageSet
+metadata:
+  labels: <1>
+    machineconfiguration.openshift.io/role: worker
+  name: worker-pinned-images
+spec:
+  pinnedImages: <2>
+   - name: quay.io/openshift-release-dev/ocp-release@sha256:513cf1028aa1a021fa73d0601427a0fbcf6d212b88aaf9d76d4e4841a061e44e
+   - name: quay.io/openshift-release-dev/ocp-release@sha256:61eae2d261e54d1b8a0e05f6b5326228b00468364563745eed88460af04f909b
+----
++
+where:
++
+--
+`labels`:: Specifies an optional node selector to specify the machine config pool to pin the images to. If not specified, the images are pinned to all nodes in the cluster.
+`pinnedImages`:: Specifies a list of one or more images to preload.
+--
+
+. Create the `PinnedImageSet` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f <file_name>.yaml
+----
+
+.Verification
+
+* Check that the pinned image set is reported in the machine config node object for the affected machine config pool by running the following command:
++
+[source,terminal]
+----
+$ oc describe machineconfignode <machine_confignode_name>
+----
++
+.Example command
+[source,terminal]
+----
+$ oc describe machineconfignode ci-ln-25hlkvt-72292-jrs48-worker-a-2bdj
+----
++
+.Example output for a successful image pull and pin
++
+[source,terminal]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfigNode
+metadata:
+  creationTimestamp: "2025-04-28T18:40:29Z"
+  generation: 3
+  name: <machine_config_node_name>
+# ...
+status
+  pinnedImageSets:
+  - currentGeneration: 1
+    desiredGeneration: 1
+    name: worker-pinned-images
+----
++
+Any failures or error messages would appear in the `MachineConfigNode` object status fields, as shown in the following example:
++
+.Example output for a failed image pull and pin
++
+[source,terminal]
+----
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfigNode
+metadata:
+  creationTimestamp: "2025-04-28T18:40:29Z"
+  generation: 3
+  name: <machine_config_node_name>
+# ...
+  - lastTransitionTime: "2025-04-29T19:37:23Z"
+    message: One or more PinnedImageSet is experiencing an error. See PinnedImageSet
+      list for more details
+    reason: PrefetchFailed
+    status: "True"
+    type: PinnedImageSetsDegraded
+  configVersion:
+    current: rendered-worker-cef1b52c532e19a20add12e369261fba
+    desired: rendered-worker-cef1b52c532e19a20add12e369261fba
+  observedGeneration: 3
+  pinnedImageSets:
+  - desiredGeneration: 1
+    lastFailedGeneration: 1
+    lastFailedGenerationError: 'failed to execute podman manifest inspect for "quay.io/rh-ee/machine-config-operator@sha256:65d3a308767b1773b6e3499dde6ef085753d7e20e685f78841079":
+      exit status 125'
+    name: worker-pinned-images
+----
+
+* Check that the pinned image file is created and contains the correct images. The contents of the file appear similar to the following example:
+
+.. Start a debug session for a node by running the following command:
++
+[source,terminal]
+----
+$ oc debug node/<node_name>
+----
+
+.. Set `/host` as the root directory within the debug shell by running the following command:
++
+[source,terminal]
+----
+sh-5.1# chroot /host
+----
+
+.. Verify the contents of the pinned image file  by running the following command:
++
+[source,terminal]
+----
+$ cat /etc/crio/crio.conf.d/50-pinned-images
+----
++
+.Example output
++
+[source,terminal]
+----
+[crio]
+  [crio.image]
+    pinned_images = ["quay.io/openshift-release-dev/ocp-release@sha256:4198606580b69c8335ad7ae531c3a74e51aee25db5faaf368234e8c8dae5cbea", "quay.io/openshift-release-dev/ocp-release@sha256:513cf1028aa1a021fa73d0601427a0fbcf6d212b88aaf9d76d4e4841a061e44e", "quay.io/openshift-release-dev/ocp-release@sha256:61eae2d261e54d1b8a0e05f6b5326228b00468364563745eed88460af04f909b"]
+----