Getting ready to install MicroShift
Plan for your MicroShift installation and learn about important configurations
Abstract
Chapter 1. Getting ready to install MicroShift
Plan for your MicroShift installation and complete host configuration steps as needed.
1.1. System requirements for installing MicroShift
The following conditions must be met prior to installing MicroShift:
- A compatible version of Red Hat Enterprise Linux (RHEL). For more information, see Compatibility table.
- AArch64 or x86_64 system architecture.
- 2 CPU cores.
- 2 GB RAM. Installing from the network (UEFI HTTPs or PXE boot) requires 3 GB RAM for RHEL.
- 10 GB of storage.
- You have an active MicroShift subscription on your Red Hat account. If you do not have a subscription, contact your sales representative for more information.
- if your workload requires Persistent Volumes (PVs), you have a Logical Volume Manager (LVM) Volume Group (VG) with sufficient free capacity for the workloads.
These requirements are the minimum system requirements for MicroShift and Red Hat Enterprise Linux (RHEL). Add the system requirements for the workload you plan to run.
For example, if an IoT gateway solution requires 4 GB of RAM, your system needs to have at least 2 GB for Red Hat Enterprise Linux (RHEL) and MicroShift, plus 4 GB for the workloads. 6 GB of RAM is required in total.
It is recommended to allow for extra capacity for future needs if you are deploying physical devices in remote locations. If you are uncertain of the RAM required and if the budget permits, use the maximum RAM capacity the device can support.
Ensure you configure secure access to the system to be able to manage it accordingly. For more information, see Using secure communications between two systems with OpenSSH.
1.2. Compatibility table
Plan to pair a supported version of RHEL for Edge with the MicroShift version you are using as described in the following compatibility table:
Red Hat Device Edge release compatibility matrix
Red Hat Enterprise Linux (RHEL) and MicroShift work together as a single solution for device-edge computing. You can update each component separately, but the product versions must be compatible. Supported configurations of Red Hat Device Edge use verified releases for each together as listed in the following table:
| RHEL Version(s) | MicroShift Version | Supported MicroShift Version → Version Updates |
|---|---|---|
| 9.4 | 4.17 | 4.17.1 → 4.17.z |
| 9.4 | 4.16 | 4.16.0 → 4.16.z, 4.16 → 4.17 |
| 9.2, 9.3 | 4.15 | 4.15.0 → 4.15.z, 4.15 → 4.16 on RHEL 9.4 |
| 9.2, 9.3 | 4.14 | 4.14.0 → 4.14.z, 4.14 → 4.15 or 4.14 → 4.16 on RHEL 9.4 |
Chapter 2. Using FIPS mode with MicroShift
You can use FIPS mode with RPM-based installations of MicroShift on Red Hat Enterprise Linux (RHEL) 9.
- To enable FIPS mode in MicroShift containers, the worker machine kernel must be enabled to run in FIPS mode before the machine starts.
- Using FIPS with Red Hat Enterprise Linux for Edge (RHEL for Edge) images is not supported.
- Using FIPS with image mode for RHEL is not supported.
2.1. FIPS mode with RHEL RPM-based installations
Using FIPS with MicroShift requires enabling the cryptographic module self-checks in your Red Hat Enterprise Linux (RHEL) installation. After the host operating system has been configured to start with the FIPS modules, MicroShift containers are automatically enabled to run in FIPS mode.
- When RHEL is started in FIPS mode, MicroShift core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 validation on only the x86_64 architectures.
You must enable FIPS mode when you install RHEL 9 on the machines that you plan to use as worker machines.
ImportantBecause FIPS must be enabled before the operating system that your cluster uses starts for the first time, you cannot enable FIPS after you deploy a cluster.
- MicroShift uses a FIPS-compatible Golang compiler.
- FIPS is supported in the CRI-O container runtime.
2.1.1. Limitations
- TLS implementation FIPS support is not complete.
- The FIPS implementation does not offer a single function that both computes hash functions and validates the keys that are based on that hash. This limitation continues to be evaluated for improvement in future MicroShift releases.
2.2. Additional resources
Chapter 3. The greenboot health check framework
Greenboot is the generic health check framework for the systemd service on rpm-ostree systems such as Red Hat Enterprise Linux for Edge (RHEL for Edge). This framework is included in MicroShift installations with the microshift-greenboot and greenboot-default-health-checks RPM packages.
Greenboot health checks run at various times to assess system health and automate a rollback on rpm-ostree systems to the last healthy state in cases of software trouble, for example:
- Default health check scripts run each time the system starts.
- In addition the to the default health checks, you can write, install, and configure application health check scripts to also run every time the system starts.
- Greenboot can reduce your risk of being locked out of edge devices during updates and prevent a significant interruption of service if an update fails.
-
When a failure is detected, the system boots into the last known working configuration using the
rpm-ostreerollback capability. This feature is especially useful automation for edge devices where direct serviceability is either limited or non-existent.
A MicroShift application health check script is included in the microshift-greenboot RPM. The greenboot-default-health-checks RPM includes health check scripts verifying that DNS and ostree services are accessible. You can create your own health check scripts for the workloads you are running. You can write one that verifies that an application has started, for example.
3.1. How greenboot uses directories to run scripts
Health check scripts run from four /etc/greenboot directories. These scripts run in alphabetical order. Keep this in mind when you configure the scripts for your workloads.
When the system starts, greenboot runs the scripts in the required.d and wanted.d directories. Depending on the outcome of those scripts, greenboot continues the startup or attempts a rollback as follows:
-
System as expected: When all of the scripts in the
required.ddirectory are successfully run, greenboot runs any scripts present in the/etc/greenboot/green.ddirectory. -
System trouble: If any of the scripts in the
required.ddirectory fail, greenboot runs any prerollback scripts present in thered.ddirectory, then restarts the system.
Greenboot redirects script and health check output to the system log. When you are logged in, a daily message provides the overall system health output.
3.1.1. Greenboot directories details
Returning a nonzero exit code from any script means that script has failed. Greenboot restarts the system a few times to retry the scripts before attempting to roll back to the previous version.
/etc/greenboot/check/required.dcontains the health checks that must not fail.-
If the scripts fail, greenboot retries them three times by default. You can configure the number of retries in the
/etc/greenboot/greenboot.conffile by setting theGREENBOOT_MAX_BOOTSparameter to the desired number of retries. - After all retries fail, greenboot automatically initiates a rollback if one is available. If a rollback is not available, the system log output shows that manual intervention is required.
-
The
40_microshift_running_check.shhealth check script for MicroShift is installed into this directory.
-
If the scripts fail, greenboot retries them three times by default. You can configure the number of retries in the
/etc/greenboot/check/wanted.dcontains health scripts that are allowed to fail without causing the system to be rolled back.- If any of these scripts fail, greenboot logs the failure but does not initiate a rollback.
-
/etc/greenboot/green.dcontains scripts that run after greenboot has declared the start successful. -
/etc/greenboot/red.dcontains scripts that run after greenboot has declared the startup as failed, including the40_microshift_pre_rollback.shprerollback script. This script is executed right before a system rollback. The script performs MicroShift pod and OVN-Kubernetes cleanup to avoid potential conflicts after the system is rolled back to a previous version.
If you customize the values of any environment variable in the /etc/greenboot/greenboot.conf file, these changes can be lost when the greenboot RPM package is updated or downgraded.
-
To retain customizations when building system images with MicroShift, add the
greenboot.conffile to a blueprint. -
To retain customizations when using an RPM installation, apply changes to the
greenboot.conffile after you install MicroShift and greenboot RPMs.
3.2. The MicroShift health check script
The 40_microshift_running_check.sh health check script only performs validation of core MicroShift services. Install your customized workload health check scripts in the greenboot directories to ensure successful application operations after system updates. Scripts run in alphabetical order.
MicroShift health checks are listed in the following table:
| Validation | Pass | Fail |
|---|---|---|
|
Check that the script runs with | Next |
|
|
Check that the | Next |
|
|
Wait for the | Next |
|
| Wait for Kubernetes API health endpoints to be working and receiving traffic | Next |
|
| Wait for any pod to start | Next |
|
| For each core namespace, wait for images to be pulled | Next |
|
| For each core namespace, wait for pods to be ready | Next |
|
| For each core namespace, check if pods are not restarting |
|
|
3.2.1. Validation wait period
The wait period in each validation is five minutes by default. After the wait period, if the validation has not succeeded, it is declared a failure. This wait period is incrementally increased by the base wait period after each boot in the verification loop.
-
You can override the base-time wait period by setting the
MICROSHIFT_WAIT_TIMEOUT_SECenvironment variable in the/etc/greenboot/greenboot.confconfiguration file. For example, you can change the wait time to three minutes by resetting the value to 180 seconds, such asMICROSHIFT_WAIT_TIMEOUT_SEC=180.
3.3. Enabling systemd journal service data persistency
The default configuration of the systemd journal service stores the data in the volatile /run/log/journal directory. To view system logs across system starts and restarts, you must enable log persistence and set limits on the maximal journal data size.
Procedure
Make the directory by running the following command:
$ sudo mkdir -p /etc/systemd/journald.conf.d
Create the configuration file by running the following command:
cat <<EOF | sudo tee /etc/systemd/journald.conf.d/microshift.conf &>/dev/null [Journal] Storage=persistent SystemMaxUse=1G RuntimeMaxUse=1G EOF
- Edit the configuration file values for your size requirements.
Additional resources
3.4. Updates and third-party workloads
Health checks are especially useful after an update. You can examine the output of greenboot health checks and determine whether the update was declared valid. This health check can help you determine if the system is working properly.
Health check scripts for updates are installed into the /etc/greenboot/check/required.d directory and are automatically executed during each system start. Exiting scripts with a nonzero status means the system start is declared as failed.
Wait until after an update is declared valid before starting third-party workloads. If a rollback is performed after workloads start, you can lose data. Some third-party workloads create or update data on a device before an update is complete. Upon rollback, the file system reverts to its state before the update.
3.5. Checking the results of an update
After a successful start, greenboot sets the variable boot_success= to 1 in GRUB. You can view the overall status of system health checks after an update in the system log by using the following procedure.
Procedure
To access the overall status of system health checks, run the following command:
$ sudo grub2-editenv - list | grep ^boot_success
Example output for a successful system start
boot_success=1
3.6. Accessing health check output in the system log
You can manually access the output of health checks in the system log by using the following procedure.
Procedure
To access the results of a health check, run the following command:
$ sudo journalctl -o cat -u greenboot-healthcheck.service
Example output of a failed health check
... ... Running Required Health Check Scripts... STARTED GRUB boot variables: boot_success=0 boot_indeterminate=0 boot_counter=2 ... ... Waiting 300s for MicroShift service to be active and not failed FAILURE ... ...
3.7. Accessing prerollback health check output in the system log
You can access the output of health check scripts in the system log. For example, check the results of a prerollback script using the following procedure.
Procedure
To access the results of a prerollback script, run the following command:
$ sudo journalctl -o cat -u redboot-task-runner.service
Example output of a prerollback script
...
...
Running Red Scripts...
STARTED
GRUB boot variables:
boot_success=0
boot_indeterminate=0
boot_counter=0
The ostree status:
* rhel c0baa75d9b585f3dd989a9cf05f647eb7ca27ee0dbd4b94fe8c93ed3a4b9e4a5.0
Version: 9.1
origin: <unknown origin type>
rhel 6869c1347b0e0ba1bbf0be750cdf32da5138a1fcbc5a4c6325ab9eb647b64663.0 (rollback)
Version: 9.1
origin refspec: edge:rhel/9/x86_64/edge
System rollback imminent - preparing MicroShift for a clean start
Stopping MicroShift services
Removing MicroShift pods
Killing conmon, pause and OVN processes
Removing OVN configuration
Finished greenboot Failure Scripts Runner.
Cleanup succeeded
Script '40_microshift_pre_rollback.sh' SUCCESS
FINISHED
redboot-task-runner.service: Deactivated successfully.
3.8. Checking updates with a health check script
Access the output of greenboot health check scripts in the system log after an update by using the following procedure.
Procedure
To access the result of update checks, run the following command:
$ sudo grub2-editenv - list | grep ^boot_success
Example output for a successful update
boot_success=1
If your command returns boot_success=0, either the greenboot health check is still running, or the update is a failure.
