Create a machineconfig for IPI pointer ignition customizations #4413
Conversation
hardys
force-pushed
the
ignition-update-check
branch
from
d135ce0 to
31f7713
Compare
hardys
force-pushed
the
ignition-update-check
branch
from
31f7713 to
df309ea
Compare
hardys
force-pushed
the
ignition-update-check
branch
2 times, most recently
from
484c6b2 to
9ce7539
Compare
|
/retest |
There was a problem hiding this comment.
- Is the expectation at this point that the user-modified ignition config will still be the one placed on the machine? I assume that the fields in the MachineConfig duplicating the user-supplied fields of the ignition config will just merge together without issue.
- There is an outstanding bug regarding worker machines coming up with only some of the MachineConfigs, specifically without the MachineConfig for the image content sources. This can cause the worker machines to get stuck and never completing. Do you think that moving user-supplied configuration to a MachineConfig will exacerbate this issue?
|
Thanks for the review @staebler - I'll address the name/Load issues, reply to questions below:
Initially yes, the existing pointer ignition will be used as before, and yes my testing indicates any duplicate fields get merged together by the MCO ignition merge logic without issue. The plan is for baremetal IPI to switch to consuming the rendered config instead and no longer use the pointer config - see #4427 Also I'm expecting the work that was reverted around the MCO managed pointer ignition to be restored (not sure if that's on the radar for 4.7 though @runcom ?) ref #4228 - then any user customizations would only be provided via the MachineConfig, since the MCO pointer config is statically templated.
Yes this could potentially be an issue, since we'll read the rendered config slightly earlier (in the machine API actuator just before building the machine, vs after the first-boot of the machine) openshift/cluster-api-provider-baremetal#127 We'll have to test and confirm if that race impacts things, and potentially we could add some workaround to poll for a stable rendered config in the actuator until that bug gets fixed. I don't think that needs to block this PR but thanks for the info - I was not aware of that bug yet. |
In the case where an IPI user customizes the pointer config, this config is only persisted via the user-data secret, which was an issue when moving to an MCO templated pointer config: openshift#4228 It was also a problem for attempts for IPI baremetal to consume the MCO rendered config directly, with the aim of enabling network configuration via MachineConfig: openshift#3589 With this new approach, we detect the case where a change has been made to the pointer config by the user, and in that case it is stored via a MachineConfig manifest, such that any customizations are reflected in the MCO rendered config. Implements: openshift/enhancements#540 Co-Authored-By: Steven Hardy <[email protected]>
hardys
force-pushed
the
ignition-update-check
branch
from
9ce7539 to
c976be9
Compare
|
/retest |
There was a problem hiding this comment.
The code changes look fine.
My last concern is around the user experience with an installed cluster. Since we are pushing the user-supplied changes as MachineConfigs, it may give the user the impression that they can then edit or remove those MachineConfigs. However, with the changes still present in the pointer ignition configs, removing the MachineConfigs will have no effect.
Yes that's true, but my understanding is that when the MCO managed pointer ignition changes are restored (ref #4228 and openshift/machine-config-operator#2126) we won't expect these customizations to exist in pointer configs, since it's a static template managed via the MCO. In that model IMO it's clearer to have any customizations reflected via MachineConfigs, and in fact some changes to those configs would be possible day-2 without the "hidden" config that potentially exists in the user-data secret today? In the enhancement discussions @cgwalters mentioned that for IPI deployments we shouldn't support manually customizing the Ignition config, only injecting MachineConfig - I see this solution as a step towards that, e.g it happens internally now, then if we want to we can warn users to use MachineConfig directly in future? It'd be good to get some feedback from @runcom and @cgwalters to confirm my understanding above. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: staebler The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
Yeah, I think this is going to effectively only be used by current baremetal IPI. Does BMIPI currently wrap
That's a good point. I think in practice though the users won't want to change or delete this stuff because it's e.g. core networking bonding configuration. |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest Please review the full test history for this PR and help us cut down flakes. |
We don’t wrap it. Users can just invoke the installer. There’s a separate baremetal installer as part of the release payload, but only because we have to currently build it with libvirt and cgo. |
|
@hardys: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
We don't wrap the installer, and IMO this does provide value beyond BM IPI - it's a requirement for restoring the MCO managed pointer config work from @runcom so we don't break ignition customizations for IPI users on any platform, was there some other plan to deal with that as it wasn't mentioned on the enhancement? |
there wasn't afaict, the reverted work that I did isn't required for this tho (I want to mention it because it seemed we're doing that in order to restore that but this can go w/o that) |
I don't think we need to extensively debate this in a closed PR but bigger picture, I don't agree that we need this for MCO managed pointer config. Broadly speaking I still see just two classes of usage for the pointer config:
In particular the "completely managed by MCO" case is necessary for things like openshift/enhancements#443 as well as openshift/enhancements#201 It's just current BMIPI which is creating this special case of "edited by user in IPI scenario" I think. |
I missed updating this in openshift#4413 which introduced a new asset Generated via: bin/openshift-install graph | dot -Tsvg >docs/design/resource_dep.svg
This restores the work which was previously done via openshift#3276 but then reverted via openshift#3589 due to breaking users who customized the pointer ignition config in IPI deployments. A solution to that has been proposed via openshift#4413 - see openshift/enhancements#540 for more details. Note that some additional changes beyond the initial implementation were required due to the MCO now supporting multiple ignition versions, thus this depends on openshift-metal3/terraform-provider-ironic#46 Co-Authored-By: Steven Hardy <[email protected]>
|
Hmm I just did a libvirt 4.7 install and I see this show up. I definitely didn't hand-edit the pointer configs, and it's basically empty: |
|
Yeah this is happening across the board, digging into e.g. this 4.7 nightly in the e2e logs for a stock AWS IPI install I see:
|
Thanks @cgwalters evidently we need a better test e.g https://github.com/openshift/installer/blob/master/pkg/asset/ignition/machine/master_ignition_customizations.go#L48 /cc @kirankt Unless it's causing issues for other platforms, should we raise a bz to track that and we'll find a fix ASAP? |
|
Yep, a BZ sounds fine, I don't think we need to revert or anything. There shouldn't be any harm from this, but let's get it fixed for 4.7 final. |
I pushed #4455 - will raise a bz if it doesn't merge before FF so we can be sure it's resolved before final 4.7 |
An issue was spotted after openshift#4413 landed, the config comparison always evaluates to true, so we're generating empty machineconfig objects even when no customization has happened. Update to compare a json representation of the configs, and add a test to confirm all works as expected.
In the case where an IPI user customizes the pointer config, this
config is only persisted via the user-data secret, which was an
issue when moving to an MCO templated pointer config:
#4228
It was also a problem for attempts for IPI baremetal to consume
the MCO rendered config directly, with the aim of enabling
network configuration via MachineConfig:
#3589
With this new approach, we detect the case where a change has
been made to the pointer config by the user, and in that case
it is stored via a MachineConfig manifest, such that any
customizations are reflected in the MCO rendered config.
Implements: openshift/enhancements#540
Co-Authored-By: Steven Hardy [email protected]