+ == Configure Baremetal PXE-UEFI Boot

+ A high level overview of how a baremetal node in the Fedora Infra gets booted via UEFI is as follows.

+ 

+ - Server powered on

+ - Gets ip via dhcp

+ - DHCP server uses `next-server` command to point the Server to next contact the tftpboot server and retrieve `grub.cfg`

+ - tftpboot serves `grub.cfg`

+ - Sysadmin manually chooses the correct UEFI menu to boot

+ - tftpboot serves kernel and initramfs to the server

+ - Server boots with kernel and initramfs, and retrieves ingition file from `os-control01`

+ 

+ === Resources

+ 

+ - [1] https://pagure.io/fedora-infra/ansible/blob/main/f/roles/dhcp_server[Ansible Role DHCP Server]

+ - [2] https://pagure.io/fedora-infra/ansible/blob/main/f/roles/tftp_server[Ansible Role tftpboot server]

+ 

+ === UEFI Configuration

+ The configuration for UEFI booting is contained in the `grub.cfg` config which is not currently under source control. It is located on the `batcave01` at: `/srv/web/infra/bigfiles/tftpboot2/uefi/grub.cfg`.

+ 

+ The following is a sample configuration to install a baremetal OCP4 worker in the Staging cluster.

+ 

+ ----

+ menuentry 'RHCOS 4.8 worker staging' {

+   linuxefi images/RHCOS/4.8/x86_64/rhcos-4.8.2-x86_64-live-kernel-x86_64 ip=dhcp nameserver=10.3.163.33 coreos.inst.install_dev=/dev/sda coreos.live.rootfs_url=http://10.3.166.50/rhcos/rhcos-4.8.2-x86_64-live-rootfs.x86_64.img coreos.inst.ignition_url=http://10.3.166.50/rhcos/worker.ign

+   initrdefi images/RHCOS/4.8/x86_64/rhcos-4.8.2-x86_64-live-initramfs.x86_64.img

+ }

+ ----

+ 

+ Any new changes must be made here. Writing to this file requires one to be a member of the `sysadmin-main` group, so best to instead create a ticket in the Fedora Infra issue tracker with patch request. See the following https://pagure.io/fedora-infrastructure/issue/10213[PR] for inspiration.

+ 

+ === Pushing new changes out to the tftpboot server

+ To push out changes made to the `grub.cfg` the following playbook should be run, which requires `sysadmin-noc` group permissions:

+ 

+ ----

+ sudo rbac-playbook groups/noc.yml -t 'tftp_server,dhcp_server'

+ ----

+ 

+ On the `noc01` instance the `grub.cfg` file is located at `/var/lib/tftpboot/uefi/grub.cfg`

+ 

+ If particular changes to OS images for example, are required, they should be made on the `noc01` instance directly at `/var/lib/tftpboot/images/`. This will require users to be in the `sysadmin-noc` group.

+ == SOP Configure the Image Registry Operator

+ 

+ === Resources

+ - [1] https://docs.openshift.com/container-platform/4.8/registry/configuring_registry_storage/configuring-registry-storage-baremetal.html#configuring-registry-storage-baremetal[Configuring Registry Storage Baremetal]

+ 

+ 

+ === Enable the image registry operator

+ For detailed instructions please refer to the official documentation for the particular version of Openshift [1].

+ 

+ From the `os-control01` node we can enable the Image Registry Operator set it to a `Managed` state like so via the CLI.:

+ 

+ ----

+ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"managementState":"Managed"}}'

+ ----

+ 

+ Next edit the configuration for the Image Registry operator like so:

+ 

+ ----

+ oc edit configs.imageregistry.operator.openshift.io

+ ----

+ 

+ Add the following to replace the `storage: {}`:

+ 

+ ----

+ ...

+ storage:

+   pvc:

+     claim:

+ ...

+ ----

+ 

+ Save the config.

+ 

+ The Image registry will automatically claim a 100G sized PV if available. It is best to open a ticket with Fedora Infra and have a 100G NFS share be created.

+ 

+ Use the following template for inspiration, populate the particular values to match the newly created NFS Share.

+ 

+ ----

+ kind: PersistentVolume

+ apiVersion: v1

+ metadata:

+   name: ocp-image-registry-volume

+ spec:

+   capacity:

+     storage: 100Gi

+   nfs:

+     server: 10.3.162.11

+     path: /ocp_prod_registry

+   accessModes:

+     - ReadWriteMany

+   persistentVolumeReclaimPolicy: Retain

+   volumeMode: Filesystem

+ ----

+ 

+ To create this new PV, create a persisent volume template file like above and apply it using the Openshift client tool like so:

+ 

+ ----

+ oc apply -f image-registry-pv.yaml

+ ----

+ == Configure the Local Storage Operator

+ 

+ === Resources

+ - [1] https://access.redhat.com/documentation/en-us/red_hat_openshift_container_storage/4.7/html/deploying_openshift_container_storage_using_bare_metal_infrastructure/deploy-using-local-storage-devices-bm

+ - [2] https://github.com/centosci/ocp4-docs/blob/master/sops/localstorage/installation.md

+ 

+ 

+ === Installation

+ For installation instructions visit the official docs at: [1]. The CentOS CI SOP at [2] also has more context but it is now slightly dated.

+ 

+ - From the webconsole, click on the `Operators` option, then `OperatorHub`

+ - Search for `Local Storage`

+ - Click install

+ - Make sure the `Update Channel` matches the major.minor version of your OCP4 install

+ - Choose `A specific namespace on this cluster`

+ - Choose `Operator recommended namespace`

+ - Update approval set to automatic

+ - Click install

+ 

+ === Configuration

+ A prerequisite to this step is to have all volumes on the nodes already formatted and available prior to this step. This can be done via a machineconfig/ignition file during installation time, or alternatively SSH onto the boxes and manually create / format the volumes.

+ 

+ - Create a `LocalVolumeDiscovery` and configured it to target the disks on all nodes

+ - When that process is complete, it creates `LocalVolumeDiscoveryResult` objects which you can search the type for, then examine to see if it has found the correct disks and if they are showing as available.

+ - Create a `LocalVolumeSet`: name `local-block` storage class `local-block` type all, devicetypes disk, part, filter disks by, choose the selected nodes worker01-03, volume mode block. Create.

+ - After a period of time check the newly created LocalVolumeSet `local-block` object's yaml definition, it should show the correct number of volumes listed in the `totalProvisionedDeviceCount` field.

+ 

+ == SOP Configure oauth Authentication via IPA/Noggin

+ 

+ 

+ === Resources

+ 

+ - [1] https://pagure.io/fedora-infra/ansible/blob/main/f/files/communishift/objects[Example Config from Communishift]

+ 

+ 

+ === OIDC Setup

+ The first step is to request that a secret be created for this environment, please open a ticket with Fedora Infra. Once the secret has been made available we can add it to an Openshift Secret in the cluster like so:

+ 

+ ----

+ oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret=<client-secret> -n openshift-config

+ ----

+ 

+ Next we can update the oauth configuration on the cluster and add the config for ipa/noggin/ipsilon. See the following snippet for inspiration:

+ 

+ ----

+ apiVersion: config.openshift.io/v1

+ kind: OAuth

+ metadata:

+   name: cluster

+ spec:

+   identityProviders:

+ ...

+   - name: fedoraidp

+     login: true

+     challenge: false

+     mappingMethod: claim

+     type: OpenID

+     openID:

+       clientID: ocp

+       clientSecret:

+         name: fedoraidp-clientsecret

+       extraScopes:

+       - email

+       - profile

+       claims:

+         preferredUsername:

+         - nickname

+         name:

+         - name

+         email:

+         - email

+       issuer: https://id.fedoraproject.org

+ ----

+ 

+ This config already exists in the cluster so you need to edit or patch it, you can't just `oc apply -f template.yaml`.

+ == Configure the Openshift Container Storage Operator

+ 

+ 

+ === Resources

+ 

+ - [1] https://docs.openshift.com/container-platform/4.8/storage/persistent_storage/persistent-storage-ocs.html[Official Docs]

+ - [2] https://github.com/red-hat-storage/ocs-operator[Github]

+ 

+ === Installation

+ Important: before following this SOP, please ensure that you have already followed the SOP to install the Local Storage Operator first, as this is a requirement for the OCS operator.

+ 

+ For full detailed instructions please refer to the official docs at: [1]. For general instructions see below:

+ 

+ - In the webconsole, click the Operators menu

+ - Click the OperatorHub menu

+ - Search for `OpenShift Container Storage`

+ - Click install

+ - Choose the update channel to match the major.minor version of the cluster itself.

+ - Installation mode, A specified namespace on the cluster

+ - Installed namespace, Operator Recommended

+ - Update approval, automatic

+ - Click install

+ 

+ 

+ === Configuration

+ When the operator is finished installing, we can continue, please ensure that a minimum of 3 nodes are available.

+ 

+ - A `StorageCluster` is required to complete this installation, click the Create StorageCluster.

+ - At the top, choose the `internal - attached devices` mode.

+ - In the storageclass choose the `local-block` from the list.

+ - The compute/worker nodes with available storage appear in the list

+ - It automatically calculates the possible storage amount

+ - Click next

+ - On the `Security and Network` section just click next.

+ - Click create.

+ 

+ 

+ == Installation of the Openshift Virtualisation Operator

+ 

+ === Resources

+ - [1] https://alt.fedoraproject.org/cloud/[Fedora Images]

+ - [2] https://github.com/kubevirt/kubevirt/blob/main/docs/container-register-disks.md[Kubevirt Importing Containers of VMI Images]

+ 

+ 

+ === Installation

+ From the web console, choose the `Operators` menu, and choose `OperatorHub`.

+ 

+ Search for `Openshift Virtualization`

+ 

+ Click install.

+ 

+ When the installation of the Operator is completed, create a `HyperConverged` object and follow the wizard, the default options should be fine, click next through the menus.

+ 

+ Next create a `HostPathProvisioner` object the default options should be fine, click next through the menus.

+ 

+ 

+ === Verification

+ To verify that the installation of the Operator is successful, we can attempt to create a VM.

+ 

+ From the [1] location download the Fedora34 `Cloud Base image for Openstack` image with the `qcow2` format locally.

+ 

+ Create a `Dockerfile` with the following contents:

+ 

+ ----

+ FROM scratch

+ ADD fedora34.qcow2 /disk/

+ ----

+ 

+ Build the contianer:

+ 

+ ----

+ podman build -t fedora34:latest .

+ ----

+ 

+ Push the container to your username at quay.io.

+ 

+ ----

+ podman push quay.io/<USER>/fedora34:latest

+ ----

+ 

+ In the web console, visit the Workloads, then Virtualization menu.

+ 

+ Create a VirtualMachine with Wizard

+ 

+ Choose Fedora and click next

+ 

+ From the boot source dropdown menu, select import via Registry

+ 

+ In the container image, you can add the one prepared earlier. eg `quay.io/dkirwan/fedora34`

+ 

+ Click the `Advanced Storage settings`, change the storageclass to `oc-storagecluster-ceph-rbd` and click next and done.

+ 

+ Once the VM is created and booted, the console is available from the top right drop down menu.

+ == Enable User Workload Monitoring Stack

+ 

+ === Resources

+ - [1] https://docs.openshift.com/container-platform/4.8/monitoring/enabling-monitoring-for-user-defined-projects.html[Official Docs]

+ - [2] https://docs.openshift.com/container-platform/4.8/monitoring/enabling-monitoring-for-user-defined-projects.html#granting-users-permission-to-monitor-user-defined-projects_enabling-monitoring-for-user-defined-projects[Providing Access to the UWMS features]

+ - [3] https://docs.openshift.com/container-platform/4.8/monitoring/enabling-monitoring-for-user-defined-projects.html#granting-user-permissions-using-the-web-console_enabling-monitoring-for-user-defined-projects[Providing Access to the UWMS dashboard]

+ - [4] https://docs.openshift.com/container-platform/4.8/monitoring/configuring-the-monitoring-stack.html#configuring-persistent-storage[Configure Monitoring Stack]

+ 

+ === Configuration

+ To enable the stack edit the `cluster-monitoring` ConfigMap like so:

+ 

+ ----

+ oc -n openshift-monitoring edit configmap cluster-monitoring-config

+ ----

+ 

+ Set the `enableUserWorkload` to `true` like so:

+ 

+ ----

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+   name: cluster-monitoring-config

+   namespace: openshift-monitoring

+ data:

+   config.yaml: |

+     enableUserWorkload: true

+     prometheusK8s:

+       retention: 30d

+       volumeClaimTemplate:

+         spec:

+           storageClassName: ocs-storagecluster-ceph-rbd

+           resources:

+             requests:

+               storage: 100Gi

+     alertmanagerMain:

+       volumeClaimTemplate:

+         spec:

+           storageClassName: ocs-storagecluster-ceph-rbd

+           resources:

+             requests:

+               storage: 50Gi

+ ----

+ 

+ Save the configmap changes. Monitor the rollout progress of the User Workload Monitoring Stack with the following:

+ 

+ ----

+ oc -n openshift-user-workload-monitoring get pod

+ NAME                                   READY   STATUS        RESTARTS   AGE

+ prometheus-operator-6f7b748d5b-t7nbg   2/2     Running       0          3h

+ prometheus-user-workload-0             4/4     Running       1          3h

+ prometheus-user-workload-1             4/4     Running       1          3h

+ thanos-ruler-user-workload-0           3/3     Running       0          3h

+ thanos-ruler-user-workload-1           3/3     Running       0          3h

+ ----

+ 

+ At this point we can create a `ConfigMap` to configure the User Workload Monitoring stack in the `openshift-user-workload-monitoring` namespace.

+ 

+ ----

+ oc create configmap user-workload-monitoring-config -n openshift-user-workload-monitoring

+ ----

+ 

+ Then edit this ConfigMap:

+ 

+ ----

+ oc -n openshift-user-workload-monitoring edit configmap user-workload-monitoring-config

+ ----

+ 

+ Save the following configuration

+ 

+ ----

+ apiVersion: v1

+ kind: ConfigMap

+ metadata:

+   name: user-workload-monitoring-config

+   namespace: openshift-user-workload-monitoring

+ data:

+   config.yaml: |

+     prometheus:

+       retention: 30d

+       volumeClaimTemplate:

+         spec:

+           storageClassName: ocs-storagecluster-ceph-rbd

+           resources:

+             requests:

+               storage: 100Gi

+     thanosRuler:

+       volumeClaimTemplate:

+         spec:

+           storageClassName: ocs-storagecluster-ceph-rbd

+           resources:

+             requests:

+               storage: 50Gi

+ ----

+ 

+ To provide access to users to create `PrometheusRule` and `ServiceMonitor` and `PodMonitor` objects see [2]. To allow access to the User Workload Monitoring Stack dashboard see [3].

+ == Cordoning Nodes and Draining Pods

+ This SOP should be followed in the following scenarios:

+ 

+ - If maintenance is scheduled to be carried out on an Openshift node.

+ 

+ 

+ === Steps

+ 

+ 1. Connect to the `os-control01` host associated with this ENV. Become root `sudo su -`.

+ 

+ 2. Mark the node as unschedulable:

+ 

+ ----

+ nodes=$(oc get nodes -o name  | sed -E "s/node\///")

+ echo $nodes

+ 

+ for node in ${nodes[@]}; do oc adm cordon $node; done

+ node/<node> cordoned

+ ----

+ 

+ 3. Check that the node status is `NotReady,SchedulingDisabled`

+ 

+ ----

+ oc get node <node1>

+ NAME        STATUS                        ROLES     AGE       VERSION

+ <node1>     NotReady,SchedulingDisabled   worker    1d        v1.18.3

+ ----

+ 

+ Note: It might not switch to `NotReady` immediately, there maybe many pods still running.

+ 

+ 

+ 4. Evacuate the Pods from **worker nodes** using one of the following methods

+ This will drain node `<node1>`, delete any local data, and ignore daemonsets, and give a period of 60 seconds for pods to drain gracefully.

+ 

+ ----

+ oc adm drain <node1> --delete-emptydir-data=true --ignore-daemonsets=true --grace-period=15

+ ----

+ 

+ 5. Perform the scheduled maintenance on the node

+ Do what ever is required in the scheduled maintenance window

+ 

+ 

+ 6. Once the node is ready to be added back into the cluster

+ We must uncordon the node. This allows it to be marked scheduleable once more.

+ 

+ ----

+ nodes=$(oc get nodes -o name  | sed -E "s/node\///")

+ echo $nodes

+ 

+ for node in ${nodes[@]}; do oc adm uncordon $node; done

+ ----

+ 

+ 

+ ===  Resources

+ 

+ - [1] [Nodes - working with nodes](https://docs.openshift.com/container-platform/4.8/nodes/nodes/nodes-nodes-working.html)

+ == Create MachineConfigs to Configure RHCOS

+ 

+ === Resources

+ 

+ - [1] https://coreos.github.io/butane/getting-started/[Butane Getting Started]

+ - [2] https://docs.openshift.com/container-platform/4.8/post_installation_configuration/machine-configuration-tasks.html#installation-special-config-chrony_post-install-machine-configuration-tasks[OCP4 Post Installation Configuration]

+ 

+ === Butane

+ "Butane (formerly the Fedora CoreOS Config Transpiler) is a tool that consumes a Butane Config and produces an Ignition Config, which is a JSON document that can be given to a Fedora CoreOS machine when it first boots." [1]

+ 

+ Butane is available in a container image, we can pull the latest version locally like so:

+ 

+ ----

+ # Pull the latest release

+ podman pull quay.io/coreos/butane:release

+ 

+ # Run butane using standard in and standard out

+ podman run -i --rm quay.io/coreos/butane:release --pretty --strict < your_config.bu > transpiled_config.ign

+ 

+ # Run butane using files.

+ podman run --rm -v /path/to/your_config.bu:/config.bu:z quay.io/coreos/butane:release --pretty --strict /config.bu > transpiled_config.ign

+ ----

+ 

+ We can create a CLI alias to make running the Butane container much easier like so:

+ 

+ ----

+ alias butane='podman run --rm --tty --interactive \

+               --security-opt label=disable        \

+               --volume ${PWD}:/pwd --workdir /pwd \

+               quay.io/coreos/butane:release'

+ ----

+ 

+ For more detailed information on how to structure your Butane file see [1]. Once created you can convert the butane config to an igntion file like so:

+ 

+ ----

+ butane master_chrony_machineconfig.bu -o master_chrony_machineconfig.yaml

+ butane worker_chrony_machineconfig.bu -o worker_chrony_machineconfig.yaml

+ ----

+ == SOP Disable `self-provisioners` Role

+ 

+ === Resources

+ 

+ - [1] https://docs.openshift.com/container-platform/4.4/applications/projects/configuring-project-creation.html#disabling-project-self-provisioning_configuring-project-creation

+ 

+ 

+ === Disabling self-provisioners role

+ By default, when a user authenticates with Openshift via Oauth, it is part of the `self-provisioners` group. This group provides the ability to create new projects. On CentOS CI we do not want users to be able to create their own projects, as we have a system in place where we create a project and control the administrators of that project.

+ 

+ To disable the self-provisioner role do the following as outlined in the documentation[1].

+ 

+ ----

+ oc describe clusterrolebinding.rbac self-provisioners

+ 

+ Name:		self-provisioners

+ Labels:		<none>

+ Annotations:	rbac.authorization.kubernetes.io/autoupdate=true

+ Role:

+   Kind:	ClusterRole

+   Name:	self-provisioner

+ Subjects:

+   Kind	Name				Namespace

+   ----	----				---------

+   Group	system:authenticated:oauth

+ ----

+ 

+ Remove the subjects that the self-provisioners role applies to.

+ 

+ ----

+ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'

+ ----

+ 

+ Verify the change occurred successfully

+ 

+ ----

+ oc describe clusterrolebinding.rbac self-provisioners

+ Name:         self-provisioners

+ Labels:       <none>

+ Annotations:  rbac.authorization.kubernetes.io/autoupdate: true

+ Role:

+   Kind:  ClusterRole

+   Name:  self-provisioner

+ Subjects:

+   Kind  Name  Namespace

+   ----  ----  ---------

+ ----

+ 

+ When the cluster is updated to a new version, unless we mark the role appropriately, the permissions will be restored after the update is complete.

+ 

+ Verify that the value is currently set to be restored after an update:

+ 

+ ----

+ oc get clusterrolebinding.rbac self-provisioners -o yaml

+ ----

+ 

+ ----

+ apiVersion: authorization.openshift.io/v1

+ kind: ClusterRoleBinding

+ metadata:

+   annotations:

+     rbac.authorization.kubernetes.io/autoupdate: "true"

+   ...

+ ----

+ 

+ We wish to set this `rbac.authorization.kubernetes.io/autoupdate` to `false`. To patch this do the following.

+ 

+ ----

+ oc patch clusterrolebinding.rbac self-provisioners -p '{ "metadata": { "annotations": { "rbac.authorization.kubernetes.io/autoupdate": "false" } } }'

+ ----

+ == Create etcd backup

+ This SOP should be followed in the following scenarios:

+ 

+ - When the need exists to create an etcd backup.

+ - When shutting a cluster down gracefully.

+ 

+ === Resources

+ 

+ - [1] https://docs.openshift.com/container-platform/4.8/backup_and_restore/backing-up-etcd.html[Creating an etcd backup]

+ 

+ === Take etcd backup

+ 

+ 1. Connect to the `os-control01` node associated with the ENV.

+ 

+ 2. Use the `oc` tool to make a debug connection to a controlplane node

+ 

+ ----

+ oc debug node/<node_name>

+ ----

+ 

+ 3. Chroot to the /host directory on the containers filesystem

+ 

+ ----

+ sh-4.2# chroot /host

+ ----

+ 

+ 4. Run the cluster-backup.sh script and pass in the location to save the backup to

+ 

+ ----

+ sh-4.4# /usr/local/bin/cluster-backup.sh /home/core/assets/backup

+ ----

+ 

+ 5. Chown the backup files to be owned by user `core` and group `core`

+ 

+ ----

+ chown -R core:core /home/core/assets/backup

+ ----

+ 

+ 6. From the admin machine, see inventory group: `ocp-ci-management`, become the Openshift service account, see the inventory hostvars for the host identified in the previous step and note the `ocp_service_account` variable.

+ 

+ ----

+ ssh <host>

+ sudo su - <ocp_service_account>

+ ----

+ 

+ 7. Copy the files down to the `os-control01` machine.

+ 

+ ----

+ scp -i <ssh_key> core@<node_name>:/home/core/assets/backup/* ocp_backups/

+ ----

+ == Graceful Shutdown of an Openshift 4 Cluster

+ This SOP should be followed in the following scenarios:

+ 

+ - Graceful full shut down of the Openshift 4 cluster is required.

+ 

+ === Steps

+ 

+ Prequisite steps:

+ - Follow the SOP for cordoning and draining the nodes.

+ - Follow the SOP for creating an `etcd` backup.

+ 

+ 

+ 1. Connect to the `os-control01` host associated with this ENV. Become root `sudo su -`.

+ 

+ 2. Get a list of the nodes

+ 

+ ----

+ nodes=$(oc get nodes -o name  | sed -E "s/node\///")

+ ----

+ 

+ 3. Shutdown the nodes from the administration box associated with the cluster `ENV` eg production/staging.

+ 

+ ----

+ for node in ${nodes[@]}; do ssh -i /root/ocp4/ocp-<ENV>/ssh/id_rsa core@$node sudo shutdown -h now; done

+ ----

+ 

+ 

+ ==== Resources

+ 

+ - [1] https://docs.openshift.com/container-platform/4.5/backup_and_restore/graceful-cluster-shutdown.html[Graceful Cluster Shutdown]

+ == Graceful Startup of an Openshift 4 Cluster

+ This SOP should be followed in the following scenarios:

+ 

+ - Graceful start up of an Openshift 4 cluster.

+ 

+ === Steps

+ Prequisite steps:

+ 

+ 

+ ==== Start the VM Control Plane instances

+ Ensure that the control plane instances start first.

+ 

+ ----

+ # Virsh command to start the VMs

+ ----

+ 

+ 

+ ==== Start the physical nodes

+ To connect to `idrac`, you must be connected to the Red Hat VPN. Next find the management IP associated with each node.

+ 

+ On the `batcave01` instance, in the dns configuration, the following bare metal machines make up the production/staging OCP4 worker nodes.

+ 

+ ----

+ oshift-dell01             IN        A     10.3.160.180  # worker01 prod

+ oshift-dell02             IN        A     10.3.160.181  # worker02 prod

+ oshift-dell03             IN        A     10.3.160.182  # worker03 prod

+ oshift-dell04             IN        A     10.3.160.183  # worker01 staging

+ oshift-dell05             IN        A     10.3.160.184  # worker02 staging

+ oshift-dell06             IN        A     10.3.160.185  # worker03 staging

+ ----

+ 

+ Login to the `idrac` interface that corresponds with each worker, one at a time. Ensure the node is booting via harddrive, then power it on.

+ 

+ ==== Once the nodes have been started they must be uncordoned if appropriate

+ 

+ ----

+ oc get nodes

+ NAME                       STATUS                     ROLES    AGE    VERSION

+ dumpty-n1.ci.centos.org    Ready,SchedulingDisabled   worker   77d    v1.18.3+6c42de8

+ dumpty-n2.ci.centos.org    Ready,SchedulingDisabled   worker   77d    v1.18.3+6c42de8

+ dumpty-n3.ci.centos.org    Ready,SchedulingDisabled   worker   77d    v1.18.3+6c42de8

+ dumpty-n4.ci.centos.org    Ready,SchedulingDisabled   worker   77d    v1.18.3+6c42de8

+ dumpty-n5.ci.centos.org    Ready,SchedulingDisabled   worker   77d    v1.18.3+6c42de8

+ kempty-n10.ci.centos.org   Ready,SchedulingDisabled   worker   106d   v1.18.3+6c42de8

+ kempty-n11.ci.centos.org   Ready,SchedulingDisabled   worker   106d   v1.18.3+6c42de8

+ kempty-n12.ci.centos.org   Ready,SchedulingDisabled   worker   106d   v1.18.3+6c42de8

+ kempty-n6.ci.centos.org    Ready,SchedulingDisabled   master   106d   v1.18.3+6c42de8

+ kempty-n7.ci.centos.org    Ready,SchedulingDisabled   master   106d   v1.18.3+6c42de8

+ kempty-n8.ci.centos.org    Ready,SchedulingDisabled   master   106d   v1.18.3+6c42de8

+ kempty-n9.ci.centos.org    Ready,SchedulingDisabled   worker   106d   v1.18.3+6c42de8

+ 

+ nodes=$(oc get nodes -o name  | sed -E "s/node\///")

+ 

+ for node in ${nodes[@]}; do oc adm uncordon $node; done

+ node/dumpty-n1.ci.centos.org uncordoned

+ node/dumpty-n2.ci.centos.org uncordoned

+ node/dumpty-n3.ci.centos.org uncordoned

+ node/dumpty-n4.ci.centos.org uncordoned

+ node/dumpty-n5.ci.centos.org uncordoned

+ node/kempty-n10.ci.centos.org uncordoned

+ node/kempty-n11.ci.centos.org uncordoned

+ node/kempty-n12.ci.centos.org uncordoned

+ node/kempty-n6.ci.centos.org uncordoned

+ node/kempty-n7.ci.centos.org uncordoned

+ node/kempty-n8.ci.centos.org uncordoned

+ node/kempty-n9.ci.centos.org uncordoned

+ 

+ oc get nodes

+ NAME                       STATUS   ROLES    AGE    VERSION

+ dumpty-n1.ci.centos.org    Ready    worker   77d    v1.18.3+6c42de8

+ dumpty-n2.ci.centos.org    Ready    worker   77d    v1.18.3+6c42de8

+ dumpty-n3.ci.centos.org    Ready    worker   77d    v1.18.3+6c42de8

+ dumpty-n4.ci.centos.org    Ready    worker   77d    v1.18.3+6c42de8

+ dumpty-n5.ci.centos.org    Ready    worker   77d    v1.18.3+6c42de8

+ kempty-n10.ci.centos.org   Ready    worker   106d   v1.18.3+6c42de8

+ kempty-n11.ci.centos.org   Ready    worker   106d   v1.18.3+6c42de8

+ kempty-n12.ci.centos.org   Ready    worker   106d   v1.18.3+6c42de8

+ kempty-n6.ci.centos.org    Ready    master   106d   v1.18.3+6c42de8

+ kempty-n7.ci.centos.org    Ready    master   106d   v1.18.3+6c42de8

+ kempty-n8.ci.centos.org    Ready    master   106d   v1.18.3+6c42de8

+ kempty-n9.ci.centos.org    Ready    worker   106d   v1.18.3+6c42de8

+ ----

+ 

+ 

+ === Resources

+ 

+ - [1] https://docs.openshift.com/container-platform/4.5/backup_and_restore/graceful-cluster-restart.html[Graceful Cluster Startup]

+ - [2] https://docs.openshift.com/container-platform/4.5/backup_and_restore/disaster_recovery/scenario-2-restoring-cluster-state.html#dr-restoring-cluster-state[Cluster disaster recovery]

+ == SOP Installation/Configuration of OCP4 on Fedora Infra

+ 

+ === Resources

+ 

+ - [1]: https://docs.openshift.com/container-platform/4.8/installing/installing_bare_metal/[Official OCP4 Installation Documentation]

+ 

+ === Install

+ To install OCP4 on Fedora Infra, one must be apart of the following groups:

+ 

+ - `sysadmin-openshift`

+ - `sysadmin-noc`

+ 

+ 

+ ==== Prerequisites

+ Visit the https://console.redhat.com/openshift/install/metal/user-provisioned[OpenShift Console] and download the following OpenShift tools:

+ 

+ * A Red Hat Access account is required

+ * OC client tools https://access.redhat.com/downloads/content/290/ver=4.8/rhel---8/4.8.10/x86_64/product-software[Here]

+ * OC installation tool https://access.redhat.com/downloads/content/290/ver=4.8/rhel---8/4.8.10/x86_64/product-software[Here]

+ * Ensure the downloaded tools are available on the `PATH`

+ * A valid OCP4 subscription is required to complete the installation configuration, by default you have a 60 day trial.

+ * Take a copy of your pull secret file you will need to put this in the `install-config.yaml` file in the next step.

+ 

+ 

+ ==== Generate install-config.yaml file

+ We must create a `install-config.yaml` file, use the following example for inspiration, alternatively refer to the documentation[1] for more detailed information/explainations.

+ 

+ ----

+ apiVersion: v1

+ baseDomain: stg.fedoraproject.org

+ compute:

+ - hyperthreading: Enabled

+   name: worker

+   replicas: 0

+ controlPlane:

+   hyperthreading: Enabled

+   name: master

+   replicas: 3

+ metadata:

+   name: 'ocp'

+ networking:

+   clusterNetwork:

+   - cidr: 10.128.0.0/14

+     hostPrefix: 23

+   networkType: OpenShiftSDN

+   serviceNetwork:

+   - 172.30.0.0/16

+ platform:

+   none: {}

+ fips: false

+ pullSecret: 'PUT PULL SECRET HERE'

+ sshKey: 'PUT SSH PUBLIC KEY HERE kubeadmin@core'

+ ----

+ 

+ * Login to the `os-control01` corresponding with the environment

+ * Make a directory to hold the installation files: `mkdir ocp4-<ENV>`

+ * Enter this newly created directory: `cd ocp4-<ENV>`

+ * Generate a fresh SSH keypair: `ssh-keygen -f ./ocp4-<ENV>-ssh`

+ * Create a `ssh` directory and place this keypair into it.

+ * Put the contents of the public key in the `sshKey` value in the `install-config.yaml` file

+ * Put the contents of your Pull Secret in the `pullSecret` value in the `install-config.yaml`

+ * Take a backup of the `install-config.yaml` to `install-config.yaml.bak`, as running the next steps consumes this file, having a backup allows you to recover from mistakes quickly.

+ 

+ 

+ ==== Create the Installation Files

+ Using the `openshift-install` tool we can generate the installation files. Make sure that the `install-config.yaml` file is in the `/path/to/ocp4-<ENV>` location before attempting the next steps.

+ 

+ ===== Create the Manifest Files

+ The manifest files are human readable, at this stage you can put any customisations required before the installation begins.

+ 

+ * Create the manifests: `openshift-install create manifests --dir=/path/to/ocp4-<ENV>`

+ * All configuration for RHCOS must be done via MachineConfigs configuration. If there is known configuration which must be performed, such as NTP, you can copy the MachineConfigs into the `/path/to/ocp4-<ENV>/openshift` directory now.

+ * The following step should be performed at this point, edit the `/path/to/ocp4-<ENV>/manifests/cluster-scheduler-02-config.yml` change the `mastersSchedulable` value to `false`.

+ 

+ 

+ ===== Create the Ignition Files

+ The ignition files have been generated from the manifests and MachineConfig files to generate the final installation files for the three roles: `bootstrap`, `master`, `worker`. In Fedora we prefer not to use the term `master` here, we have renamed this role to `controlplane`.

+ 

+ * Create the ignition files: `openshift-install create ignition-configs --dir=/path/to/ocp4-<ENV>`

+ * At this point you should have the following three files: `bootstrap.ign`, `master.ign` and `worker.ign`.

+ * Rename the `master.ign` to `controlplane.ign`.

+ * A directory has been created, `auth`. This contains two files: `kubeadmin-password` and `kubeconfig`. These allow `cluster-admin` access to the cluster.

+ 

+ 

+ ==== Copy the Ignition files to the `batcave01` server

+ On the `batcave01` at the following location: `/srv/web/infra/bigfiles/openshiftboot/`:

+ 

+ * Create a directory to match the environment: `mkdir /srv/web/infra/bigfiles/openshiftboot/ocp4-<ENV>`

+ * Copy the ignition files, the ssh files and the auth files generated in previous steps, to this newly created directory. Users with `sysadmin-openshift` should have the necessary permissions to write to this location.

+ * when this is complete it should look like the following:

+ ----

+     ├── <ENV>

+     │   ├── auth

+     │   │   ├── kubeadmin-password

+     │   │   └── kubeconfig

+     │   ├── bootstrap.ign

+     │   ├── controlplane.ign

+     │   ├── ssh

+     │   │   ├── id_rsa

+     │   │   └── id_rsa.pub

+     │   └── worker.ign

+ ----

+ 

+ 

+ ==== Update the ansible inventory

+ The ansible inventory/hostvars/group vars should be updated with the new hosts information.

+ 

+ For inspiration see the following https://pagure.io/fedora-infra/ansible/pull-request/765[PR] where we added the ocp4 production changes.