Chapter 15. Preflight validation for Kernel Module Management (KMM) Modules
Before upgrading a cluster with applied KMM modules, the administrator must verify that the kernel modules installed using KMM can still be installed on the nodes after the cluster upgrade and a possible kernel upgrade. Preflight attempts to validate every
Module
Module
Module
15.1. Validation kickoff
Preflight validation is triggered by creating a
PreflightValidationOCP
type PreflightValidationOCPSpec struct {
    // releaseImage describes the OCP release image that all Modules need to be checked against.
    // +kubebuilder:validation:Required
    ReleaseImage string `json:"releaseImage"`

    // Boolean flag that determines whether images built during preflight must also
    // be pushed to a defined repository.
    // +optional
    PushBuiltImage bool `json:"pushBuiltImage"`
}
15.2. Validation lifecycle
Preflight validation attempts to validate every module loaded in the cluster. Preflight will stop running validation on a
Module
If you want to run Preflight validation for an additional kernel, then you should create another
PreflightValidationOCP
PreflightValidationOCP
15.3. Validation status
Preflight reports the status and progress of each module in the cluster that it attempts to validate.
type CRStatus struct {
    // Status of Module CR verification: true (verified), false (verification failed),
    // error (error during verification process), unknown (verification has not started yet)
    // +required
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:Enum=True;False
    VerificationStatus string `json:"verificationStatus"`

    // StatusReason contains a string describing the status source.
    // +optional
    StatusReason string `json:"statusReason,omitempty"`

    // Current stage of the verification process:
    // image (image existence verification), build (build process verification)
    // +required
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:Enum=Image;Build;Sign;Requeued;Done
    VerificationStage string `json:"verificationStage"`

    // LastTransitionTime is the last time the CR status transitioned from one status to another.
    // This should be when the underlying status changed. If that is not known, then using the time when the API field changed is acceptable.
    // +required
    // +kubebuilder:validation:Required
    // +kubebuilder:validation:Type=string
    // +kubebuilder:validation:Format=date-time
    LastTransitionTime metav1.Time `json:"lastTransitionTime" protobuf:"bytes,4,opt,name=lastTransitionTime"`
}
The following fields apply to each module:
15.4. Preflight validation stages per Module
Preflight runs the following validations on every KMM Module present in the cluster:
- Image validation stage
- Build validation stage
- Sign validation stage
15.4.1. Image validation stage
Image validation is always the first stage of the preflight validation to be executed. If image validation is successful, no other validations are run on that specific module.
Image validation consists of two stages:
- Image existence and accessibility. The code tries to access the image defined for the upgraded kernel in the module and get its manifests.
- Verify the presence of the kernel module defined in the Module in the correct path for future modprobe execution. The correct path is <dirname>/lib/modules/<upgraded_kernel>/.
If this validation is successful, it probably means that the kernel module was compiled with the correct Linux headers.
15.4.2. Build validation stage
Build validation is executed only when image validation has failed and there is a
build
Module
You must specify the kernel version when running depmod:
RUN depmod -b /opt ${KERNEL_VERSION}
If the
PushBuiltImage
PreflightValidationOCP
containerImage
Module
If the
sign
containerImage
Module
15.4.3. Sign validation stage
Sign validation is executed only when image validation has failed, there is a
sign
Module
build
Module
If the
PushBuiltImage
PreflightValidationOCP
The resulting image is always the image defined in the
containerImage
Module
UnsignedImage
If a
build
sign
build
sign
PushBuiltImage
PreflightValidationOCP
15.5. Example PreflightValidationOCP resource
This section shows an example of the
PreflightValidationOCP
The example verifies all the currently present modules against the upcoming kernel version included in the OpenShift Container Platform release 4.11.18, which the following release image points to:
quay.io/openshift-release-dev/ocp-release@sha256:22e149142517dfccb47be828f012659b1ccf71d26620e6f62468c264a7ce7863
Because
.spec.pushBuiltImage
true
apiVersion: kmm.sigs.x-k8s.io/v1beta1
kind: PreflightValidationOCP
metadata:
  name: preflight
spec:
  releaseImage: quay.io/openshift-release-dev/ocp-release@sha256:22e149142517dfccb47be828f012659b1ccf71d26620e6f62468c264a7ce7863
  pushBuiltImage: true
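The decision an administrator makes from the per-module CRStatus values in section 15.3 can be written as a gate that runs before the upgrade starts. This is an added example, not part of the original documentation or the KMM code base. The ModuleStatus type, keying statuses by module name, the module names, and the policy that only status True at stage Done counts as a pass are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
)

// ModuleStatus holds the CRStatus fields from section 15.3 used for the decision.
type ModuleStatus struct {
	VerificationStatus string // "True" or "False"
	StatusReason       string
	VerificationStage  string // Image, Build, Sign, Requeued or Done
}

// UpgradeBlockers returns one line per expected module that has not passed
// preflight. Assumed policy: only status "True" at stage "Done" is a pass;
// a module with no reported status is treated as not yet validated.
func UpgradeBlockers(expected []string, reported map[string]ModuleStatus) []string {
	var blockers []string
	for _, name := range expected {
		s, ok := reported[name]
		switch {
		case !ok:
			blockers = append(blockers, name+": no status reported")
		case s.VerificationStage != "Done":
			blockers = append(blockers, fmt.Sprintf("%s: stage %s, status %s (%s)",
				name, s.VerificationStage, s.VerificationStatus, s.StatusReason))
		case s.VerificationStatus != "True":
			blockers = append(blockers, fmt.Sprintf("%s: finished with status %s (%s)",
				name, s.VerificationStatus, s.StatusReason))
		}
	}
	sort.Strings(blockers) // stable output regardless of input order
	return blockers
}

func main() {
	// Constructed sample data; module names and reasons are hypothetical.
	expected := []string{"kmod-a", "kmod-b", "kmod-c", "kmod-d"}
	reported := map[string]ModuleStatus{
		"kmod-a": {VerificationStatus: "True", StatusReason: "image verified", VerificationStage: "Done"},
		"kmod-b": {VerificationStatus: "False", StatusReason: "sign job failed", VerificationStage: "Sign"},
		"kmod-c": {VerificationStatus: "False", StatusReason: "build job failed", VerificationStage: "Requeued"},
	}
	for _, b := range UpgradeBlockers(expected, reported) {
		fmt.Println("BLOCKED", b)
	}
}
```

An empty result means every expected module was verified against the upgraded kernel. Any other result names the modules that would not load after the upgrade.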