1877448 – Allow installing OS extensions on FCOS

Bug 1877448 - Allow installing OS extensions on FCOS

Summary: Allow installing OS extensions on FCOS

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Machine Config Operator
Sub Component:
Version:	4.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Target Release:	4.6.0
Assignee:	Antonio Murdaca
QA Contact:	Micah Abbott
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-09-09 16:21 UTC by Vadim Rutkovsky
Modified:	2020-10-27 16:39 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-10-27 16:38:53 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift machine-config-operator pull 2060	0	None	closed	Bug 1877448: pkg/daemon/update: allow installing os-extensions on FCOS	2020-10-13 03:49:15 UTC
Red Hat Product Errata	RHBA-2020:4196	0	None	None	None	2020-10-27 16:39:12 UTC

Description Vadim Rutkovsky 2020-09-09 16:21:44 UTC

Currently MCO applies OS extensions on RHCOS nodes only. In OKD we'd like to allow installing any package on FCOS nodes too

Comment 4 Micah Abbott 2020-10-01 15:45:22 UTC

Verified with 4.6.0-0.okd-2020-10-01-092556

```
$ oc get clusterversion                                                                                                                                                                                                                                           
NAME      VERSION                         AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.okd-2020-10-01-092556   True        False         117s    Cluster version is 4.6.0-0.okd-2020-10-01-092556

$ oc get nodes                                                                                     
NAME                                         STATUS   ROLES    AGE   VERSION                                                                                   
ip-10-0-137-226.us-east-2.compute.internal   Ready    master   29m   v1.19.0-rc.2+beb741b-1062                  
ip-10-0-150-113.us-east-2.compute.internal   Ready    worker   12m   v1.19.0-rc.2+beb741b-1062                  
ip-10-0-174-33.us-east-2.compute.internal    Ready    master   29m   v1.19.0-rc.2+beb741b-1062                  
ip-10-0-185-82.us-east-2.compute.internal    Ready    worker   16m   v1.19.0-rc.2+beb741b-1062                  
ip-10-0-198-181.us-east-2.compute.internal   Ready    worker   15m   v1.19.0-rc.2+beb741b-1062
ip-10-0-230-16.us-east-2.compute.internal    Ready    master   33m   v1.19.0-rc.2+beb741b-1062

$ cat machineConfigs/extensions.yaml                                                                
apiVersion: machineconfiguration.openshift.io/v1              
kind: MachineConfig                             
metadata:                                                                                                                                                      
  labels:
    machineconfiguration.openshift.io/role: worker                                                                                                             
  name: 90-worker-extensions                                  
spec:                                           
  config:                                                                                                                                                      
    ignition:
      version: 3.1.0
  extensions:
    - usbguard

$ oc apply -f machineConfigs/extensions.yaml                                                        
machineconfig.machineconfiguration.openshift.io/90-worker-extensions created

$ oc get mc
NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                                          522f0fa36cc7b952c6e98e120c58c66e6d795544   3.1.0             34m
00-worker                                          522f0fa36cc7b952c6e98e120c58c66e6d795544   3.1.0             34m
01-master-container-runtime                        522f0fa36cc7b952c6e98e120c58c66e6d795544   3.1.0             34m
01-master-kubelet                                  522f0fa36cc7b952c6e98e120c58c66e6d795544   3.1.0             34m
01-worker-container-runtime                        522f0fa36cc7b952c6e98e120c58c66e6d795544   3.1.0             34m
01-worker-kubelet                                  522f0fa36cc7b952c6e98e120c58c66e6d795544   3.1.0             34m
90-worker-extensions                                                                          3.1.0             8m15s
99-master-disable-mitigations                                                                 3.1.0             47m
99-master-generated-registries                     522f0fa36cc7b952c6e98e120c58c66e6d795544   3.1.0             34m
99-master-okd-extensions                                                                      3.1.0             47m
99-master-ssh                                                                                 3.1.0             47m
99-worker-disable-mitigations                                                                 3.1.0             47m
99-worker-generated-registries                     522f0fa36cc7b952c6e98e120c58c66e6d795544   3.1.0             34m
99-worker-okd-extensions                                                                      3.1.0             47m
99-worker-ssh                                                                                 3.1.0             47m
rendered-master-3d2cf2e9d7e5f1e69fbdf0fadf7bc6a6   522f0fa36cc7b952c6e98e120c58c66e6d795544   3.1.0             34m
rendered-worker-4b584955d33a070f05fd74d9c17cff5e   522f0fa36cc7b952c6e98e120c58c66e6d795544   3.1.0             8m10s
rendered-worker-d96c08402d7c5f492bb4563475b73c7d   522f0fa36cc7b952c6e98e120c58c66e6d795544   3.1.0             34m

$ oc debug node/ip-10-0-198-181.us-east-2.compute.internal
Starting pod/ip-10-0-198-181us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.198.181
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host
sh-5.0# rpm-ostree status
State: idle
Deployments:
* pivot://registry.svc.ci.openshift.org/origin/4.6-2020-10-01-092556@sha256:10362d0ff3bfcfdc8dbe20a5b5e084551a78236e0ddcf9444333d4bdacad809a
              CustomOrigin: Managed by machine-config-operator
                 Timestamp: 2020-09-30T05:20:01Z
           LayeredPackages: NetworkManager-ovs glusterfs glusterfs-fuse open-vm-tools usbguard

  pivot://registry.svc.ci.openshift.org/origin/4.6-2020-10-01-092556@sha256:10362d0ff3bfcfdc8dbe20a5b5e084551a78236e0ddcf9444333d4bdacad809a
              CustomOrigin: Managed by machine-config-operator
                 Timestamp: 2020-09-30T05:20:01Z
           LayeredPackages: NetworkManager-ovs glusterfs glusterfs-fuse open-vm-tools
sh-5.0# exit
exit
sh-4.4# exit
exit

Removing debug pod ...
```

Comment 6 errata-xmlrpc 2020-10-27 16:38:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196

Note You need to log in before you can comment on or make changes to this bug.