Red Hat SummitChapter 6. Boot image management
For Google Cloud and Amazon Web Services (AWS) clusters, by default the Machine Config Operator (MCO) manages and updates the boot image that is used to scale up your nodes. This means that by default, the MCO updates the boot images whenever you upgrade your cluster.
For VMware vSphere, you can enable boot image management as a Technology Preview feature.
For all other platforms, the MCO does not update the boot image with each cluster update.
Boot image management on vSphere is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
6.1. About boot image management
By default, for Google Cloud and Amazon Web Services (AWS) clusters, the Machine Config Operator (MCO) updates the boot image in the machine sets in your cluster whenever you update your cluster.
For VMware vSphere, you can enable boot image management as a Technology Preview feature. For information on how to enable this feature, see "Enabling boot image management".
Boot image management on vSphere is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
You can disable the boot image management feature, if needed. When the feature is disabled, the boot image no longer updates with the cluster. For example, with the feature disabled, if your cluster was originally created with OpenShift Container Platform 4.16, the boot image that the MCO would use to create nodes is the same 4.16 version, even if your cluster is at a later version.
However, using an older boot image could cause the following issues:
- Extra time to start nodes
- Certificate expiration issues
- Version skew issues
For information on how to disable this feature, see "Disabling boot image management". If you disable this feature, you can re-enable the feature at any time. For information, see "Enabling boot image management".
The ability to configure boot image management is available for only Google Cloud and AWS clusters. It is not supported for clusters managed by the Cluster CAPI Operator.
How the cluster behaves after disabling or re-enabling the feature, depends upon when you made the change, including the following scenarios:
If you disable the feature before updating to a new OpenShift Container Platform version:
- The boot image version used by the machine sets remains the same OpenShift Container Platform version as when the feature was disabled.
- When you scale up nodes, the new nodes use that same OpenShift Container Platform version.
If you disable the feature after updating to a new OpenShift Container Platform version:
- The boot image version used by the machine sets is updated to match the updated OpenShift Container Platform version.
- When you scale up nodes, the new nodes use the updated OpenShift Container Platform version.
- If you update to a later OpenShift Container Platform version, the boot image version in the machine sets remains at the current version and is not updated with the cluster.
If you enable the feature after disabling:
- The boot image version used by the machine sets is updated to the current OpenShift Container Platform version, if different.
- When you scale up nodes, the new nodes use the current OpenShift Container Platform version in the cluster.
Because a boot image is used only when a node is scaled up, this feature has no effect on existing nodes.
To view the current boot image used in your cluster, use one of the following methods, based on your platform:
For Google Cloud and AWS, you can examine a machine set.
NoteThe location and format of the boot image within the machine set differs, based on the platform. However, the boot image is always listed in the
spec.template.spec.providerSpec.parameter.Example Google Cloud machine set with the boot image reference
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- This boot image is the same as the originally-installed OpenShift Container Platform version, in this example OpenShift Container Platform 4.12, regardless of the current version of the cluster. The way that the boot image is represented in the machine set depends on the platform, as the structure of the
providerSpecfield differs from platform to platform.
Example AWS machine set with the boot image reference
Copy to Clipboard Copied! Toggle word wrap Toggle overflow For VMware vSphere, examine an affected node by opening an
oc debugsession to the node and using therpm-ostree statuscommand.rpm-ostree status
sh-5.1# rpm-ostree statusCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example AWS node with the boot image reference
State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...Copy to Clipboard Copied! Toggle word wrap Toggle overflow
If any of the machine sets for which you want to enable boot image management use a *-user-data secret that is based on Ignition version 2.2.0, the Machine Config Operator converts the Ignition version to 3.4.0 when you enable the feature. OpenShift Container Platform versions 4.5 and lower use Ignition version 2.2.0. If this conversion fails, the MCO or your cluster could degrade. An error message that includes err: converting ignition stub failed: failed to parse Ignition config is added to the output of the oc get ClusterOperator machine-config command. You can use the following general steps to correct the problem:
- Disable the boot image management feature. For information, see "Disabling boot image management".
-
Manually update the
*-user-datasecret to use Ignition version to 3.2.0. - Enable the boot image management feature. For information, see "Enabling boot image management".
6.2. Disabling boot image management
By default, for Google Cloud and Amazon Web Services (AWS) clusters, the Machine Config Operator (MCO) manages and updates the boot image in the machine sets in your cluster whenever you update your cluster. For VMware vSphere, you can enable boot image management as a Technology Preview feature.
You can disable the boot image management feature for your cluster by editing the MachineConfiguration object. When disabled, the Machine Config Operator (MCO) no longer manages the boot image in your cluster and no longer updates the boot image with each cluster update.
Disabling this feature does not rollback the nodes or machine sets to the originally-installed boot image. The machine sets retain the boot image version that was present when the feature was disabled and is not updated if the cluster is upgraded to a new OpenShift Container Platform version in the future. This feature has no effect on existing nodes.
After disabling the feature, you can re-enable the feature at any time. For more information, see "Enabling updated boot images".
Procedure
Edit the
MachineConfigurationobject to disable the boot image management feature for some or all of your machine sets:oc edit MachineConfiguration cluster
$ oc edit MachineConfiguration clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow Optional: Disable the feature for all machine sets:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
When the affected nodes return to the
READYstate, view the current state of the boot image management feature by viewing the machine configuration object:oc get machineconfiguration cluster -o yaml
$ oc get machineconfiguration cluster -o yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example machine set with the boot image reference
Copy to Clipboard Copied! Toggle word wrap Toggle overflow When the affected nodes return to the
READYstate, check the current boot image by using one of the following methods:For Google Cloud and AWS, get the boot image version by running the following command. The location and format of the boot image within the machine set differs, based on the platform. However, the boot image is always listed in the
spec.template.spec.providerSpec.parameter.oc get machinesets <machineset_name> -n openshift-machine-api -o yaml
$ oc get machinesets <machineset_name> -n openshift-machine-api -o yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example machine set with the boot image reference
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- This boot image is the same as the current OpenShift Container Platform version.
For VMware vSphere, get the boot image version from an affected node:
Open an
oc debugsession to the node by running a command similar to the following:oc debug node/<node_name>
$ oc debug node/<node_name>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Set
/hostas the root directory within the debug shell by running the following command:chroot /host
sh-5.1# chroot /hostCopy to Clipboard Copied! Toggle word wrap Toggle overflow Run the
rpm-ostree statuscommand to view that the custom layered image is in use:rpm-ostree status
sh-5.1# rpm-ostree statusCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...Copy to Clipboard Copied! Toggle word wrap Toggle overflow
6.3. Enabling boot image management
By default, for Google Cloud and Amazon Web Services (AWS) clusters, the Machine Config Operator (MCO) updates the boot image in the machine sets in your cluster whenever you update your cluster.
If you disabled the boot image management feature, so that the boot images are not updated, you can re-enable the feature by editing the MachineConfiguration object.
For VMware vSphere, you can enable boot image management as a Technology Preview feature.
Boot image management on vSphere is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Enabling the feature updates the boot image to the current OpenShift Container Platform version. If the cluster is again updated to a new OpenShift Container Platform version in the future, the boot image is updated again. New nodes created after enabling the feature use the updated boot image. This feature has no effect on existing nodes.
Prerequisites
For vSphere, enable the
TechPreviewNoUpgradefeature set on the cluster. For more information, see "Enabling features using feature gates".NoteEnabling the
TechPreviewNoUpgradefeature set cannot be undone and prevents minor version updates. These feature sets are not recommended on production clusters.Wait until the
managedBootImagesStatusstanza displays in theMachineConfigurationobject.Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Procedure
Edit the
MachineConfigurationobject, namedcluster, to enable the boot image management feature for some or all of your machine sets:oc edit MachineConfiguration cluster
$ oc edit MachineConfiguration clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow Optional: Enable the boot image management feature for all machine sets:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow Optional: Enable the boot image management feature for specific machine sets:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow TipIf an appropriate label is not present on the machine set, add a key-value pair by running a command similar to following:
oc label machineset.machine ci-ln-hmy310k-72292-5f87z-worker-a region="east" -n openshift-machine-api
$ oc label machineset.machine ci-ln-hmy310k-72292-5f87z-worker-a region="east" -n openshift-machine-apiCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
When the affected nodes return to the
READYstate, view the current state of the boot image management feature by viewing the machine configuration object:oc get machineconfiguration cluster -o yaml
$ oc get machineconfiguration cluster -o yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example machine set with the boot image reference
Copy to Clipboard Copied! Toggle word wrap Toggle overflow When the affected nodes return to the
READYstate, check the current boot image by using one of the following methods:For Google Cloud and AWS, get the boot image version by running the following command. The location and format of the boot image within the machine set differs, based on the platform. However, the boot image is always listed in the
spec.template.spec.providerSpec.parameter.oc get machinesets <machineset_name> -n openshift-machine-api -o yaml
$ oc get machinesets <machineset_name> -n openshift-machine-api -o yamlCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example machine set with the boot image reference
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- This boot image is the same as the current OpenShift Container Platform version.
For VMware vSphere, get the boot image version from an affected node:
Open an
oc debugsession to the node by running a command similar to the following:oc debug node/<node_name>
$ oc debug node/<node_name>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Set
/hostas the root directory within the debug shell by running the following command:chroot /host
sh-5.1# chroot /hostCopy to Clipboard Copied! Toggle word wrap Toggle overflow Run the
rpm-ostree statuscommand to view that the custom layered image is in use:rpm-ostree status
sh-5.1# rpm-ostree statusCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}