From 9263c36eb3931db043eed83c7513209bcdc2ad97 Mon Sep 17 00:00:00 2001 From: Bob Furu Date: Tue, 4 Aug 2020 18:05:46 -0400 Subject: [PATCH] Cherry Picked 788ed2c from PR24276 --- ...egistry-configuring-storage-baremetal.adoc | 63 +++++-------------- .../registry-configuring-storage-vsphere.adoc | 19 ++++-- ...rage-persistent-storage-nfs-group-ids.adoc | 5 +- ...onfiguring-registry-storage-baremetal.adoc | 4 +- .../configuring-registry-storage-vsphere.adoc | 4 +- 5 files changed, 37 insertions(+), 58 deletions(-) diff --git a/modules/registry-configuring-storage-baremetal.adoc b/modules/registry-configuring-storage-baremetal.adoc index 77b4e79082a1..ac0c977239d7 100644 --- a/modules/registry-configuring-storage-baremetal.adoc +++ b/modules/registry-configuring-storage-baremetal.adoc @@ -4,31 +4,10 @@ // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc // * registry/configuring_registry_storage-baremetal // * installing/installing_ibm_z/installing-ibm-z.adoc -// * cnv/cnv_virtual_machines/cnv_importing_vms/cnv-importing-vmware-vm.adoc - -ifeval::["{context}" == "installing-ibm-z"] -:ibm-z: -endif::[] -ifeval::["{context}" == "installing-restricted-networks-ibm-z"] -:ibm-z: -endif::[] -ifeval::["{context}" == "installing-ibm-power"] -:ibm-power: -endif::[] -ifeval::["{context}" == "installing-restricted-networks-ibm-power"] -:ibm-power: -endif::[] +// * virt/virtual_machines/importing_vms/virt-importing-vmware-vm.adoc [id="registry-configuring-storage-baremetal_{context}"] -ifndef::ibm-z,ibm-power[] = Configuring registry storage for bare metal -endif::ibm-z,ibm-power[] -ifdef::ibm-z[] -= Configuring registry storage for IBM Z -endif::ibm-z[] -ifdef::ibm-power[] -= Configuring registry storage for IBM Power -endif::ibm-power[] As a cluster administrator, following installation you must configure your registry to use storage. 
@@ -36,14 +15,9 @@ registry to use storage. .Prerequisites * Cluster administrator permissions. -* A cluster on -ifndef::ibm-z,ibm-power[bare metal.] -ifdef::ibm-z[IBM Z.] -ifdef::ibm-power[IBM Power.] -* Provision persistent storage for your cluster, such as -ifndef::ibm-z[Red Hat OpenShift Container Storage.] -ifdef::ibm-z[NFS.] -To deploy a private image registry, your storage must provide +* A cluster on bare metal. +* Provision persistent storage +for your cluster, such as Red Hat OpenShift Container Storage. To deploy a private image registry, your storage must provide ReadWriteMany access mode. * Must have "100Gi" capacity. @@ -52,6 +26,11 @@ ReadWriteMany access mode. . To configure your registry to use storage, change the `spec.storage.pvc` in the `configs.imageregistry/cluster` resource. + +[NOTE] +==== +When using shared storage such as NFS, it is strongly recommended to use the `supplementalGroups` strategy, which dictates the allowable supplemental groups for the Security Context, rather than the `fsGroup` ID. Refer to the NFS *Group IDs* documentation for details. +==== + . Verify you do not have a registry Pod: + ---- @@ -60,13 +39,14 @@ $ oc get pod -n openshift-image-registry + [NOTE] ===== -If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. -If the storage type is `NFS`, and you want to scale up the registry Pod by setting -`replica>1` you must enable the `no_wdelay` mount option. For example: - +* If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. +* If the storage type is `NFS`, you must enable the `no_wdelay` and `root_squash` mount options. For example: ++ ---- # cat /etc/exports -/var/nfsshare *(rw,sync,no_root_squash) +/mnt/data *(rw,sync,no_wdelay,root_squash,insecure,fsid=0) +sh-4.2# exportfs -rv +exporting *:/mnt/data ---- ===== + 
@@ -88,16 +68,3 @@ Leave the `claim` field blank to allow the automatic creation of an ---- $ oc get clusteroperator image-registry ---- - -ifeval::["{context}" == "installing-ibm-z"] -:!ibm-z: -endif::[] -ifeval::["{context}" == "installing-restricted-networks-ibm-z"] -:!ibm-z: -endif::[] -ifeval::["{context}" == "installing-ibm-power"] -:!ibm-power: -endif::[] -ifeval::["{context}" == "installing-restricted-networks-ibm-power"] -:!ibm-power: -endif::[] diff --git a/modules/registry-configuring-storage-vsphere.adoc b/modules/registry-configuring-storage-vsphere.adoc index 0fb4a3bf8d01..6799f7d9e5a5 100644 --- a/modules/registry-configuring-storage-vsphere.adoc +++ b/modules/registry-configuring-storage-vsphere.adoc @@ -2,7 +2,10 @@ // // * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc // * installing/installing_vsphere/installing-vsphere.adoc -// * registry/configuring_registry_storage-vsphere.adoc +// * installing/installing_vsphere/installing-vsphere-installer-provisioned.adoc +// * installing/installing_vsphere/installing-vsphere-installer-provisioned-network-customizations.adoc +// * installing/installing_vsphere/installing-vsphere-installer-provisioned-customizations.adoc +// * registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc [id="registry-configuring-storage-vsphere_{context}"] = Configuring registry storage for VMware vSphere @@ -31,6 +34,11 @@ a different storage backend, such as `NFS`, to configure the registry storage. . To configure your registry to use storage, change the `spec.storage.pvc` in the `configs.imageregistry/cluster` resource. + +[NOTE] +==== +When using shared storage such as NFS, it is strongly recommended to use the `supplementalGroups` strategy, which dictates the allowable supplemental groups for the Security Context, rather than the `fsGroup` ID. Refer to the NFS *Group IDs* documentation for details. +==== + . Verify you do not have a registry Pod: + ---- 
@@ -39,13 +47,12 @@ $ oc get pod -n openshift-image-registry + [NOTE] ===== -If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. -If the storage type is `NFS`, and you want to scale up the registry Pod by setting -`replica>1` you must enable the `no_wdelay` mount option. For example: - +* If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. +* If the storage type is `NFS`, you must enable the `no_wdelay` and `root_squash` mount options. For example: ++ ---- # cat /etc/exports -/mnt/data *(rw,sync,no_wdelay,no_root_squash,insecure,fsid=0) +/mnt/data *(rw,sync,no_wdelay,root_squash,insecure,fsid=0) sh-4.2# exportfs -rv exporting *:/mnt/data ---- diff --git a/modules/storage-persistent-storage-nfs-group-ids.adoc b/modules/storage-persistent-storage-nfs-group-ids.adoc index 8fcd20038e2c..6379502a45f2 100644 --- a/modules/storage-persistent-storage-nfs-group-ids.adoc +++ b/modules/storage-persistent-storage-nfs-group-ids.adoc @@ -1,7 +1,9 @@ // Module included in the following assemblies: // // * storage/persistent_storage/persistent-storage-nfs.adoc +// * storage/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc +[id=storage-persistent-storage-nfs-group-ids_{context}] = Group IDs The recommended way to handle NFS access, assuming it is not an option to @@ -13,8 +15,7 @@ Pod's `securityContext`. [NOTE] ==== -It is generally preferable to use supplemental group IDs to gain access to -persistent storage versus using user IDs. +To gain access to persistent storage, it is generally preferable to use supplemental group IDs versus user IDs. ==== Because the group ID on the example target NFS directory diff --git a/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc b/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc index 6110e4ffc4b9..3aec85982c1a 100644 
--- a/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc +++ b/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc @@ -12,10 +12,12 @@ include::modules/installation-registry-storage-config.adoc[leveloffset=+1] include::modules/registry-configuring-storage-baremetal.adoc[leveloffset=+1] +See xref:../../storage/persistent_storage/persistent-storage-nfs.adoc#storage-persistent-storage-nfs-group-ids_persistent-storage-nfs[Group IDs] for additional details about using supplemental groups to handle NFS access. + include::modules/installation-registry-storage-non-production.adoc[leveloffset=+1] [id="configuring-registry-storage-baremetal-addtl-resources"] == Additional resources -For more details on configuring registry storage for bare metal, see xref:../../scalability_and_performance/optimizing-storage.adoc#recommended-configurable-storage-technology_persistent-storage[Recommended configurable storage technology]. +For more details about configuring registry storage for bare metal, see xref:../../scalability_and_performance/optimizing-storage.adoc#recommended-configurable-storage-technology_persistent-storage[Recommended configurable storage technology]. diff --git a/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc b/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc index 0ad97db60f01..80b2daf2ad56 100644 --- a/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc +++ b/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc 
@@ -12,6 +12,8 @@ include::modules/installation-registry-storage-config.adoc[leveloffset=+2] include::modules/registry-configuring-storage-vsphere.adoc[leveloffset=+1] +See xref:../../storage/persistent_storage/persistent-storage-nfs.adoc#storage-persistent-storage-nfs-group-ids_persistent-storage-nfs[Group IDs] for additional details about using supplemental groups to handle NFS access. + include::modules/installation-registry-storage-non-production.adoc[leveloffset=+1] include::modules/installation-registry-storage-block-recreate-rollout.adoc[leveloffset=+1] @@ -21,4 +23,4 @@ For instructions about configuring registry storage so that it references the co [id="configuring-registry-storage-vsphere-addtl-resources"] == Additional resources -For more details on configuring registry storage for vSphere, see xref:../../scalability_and_performance/optimizing-storage.adoc#recommended-configurable-storage-technology_persistent-storage[Recommended configurable storage technology]. +For more details about configuring registry storage for vSphere, see xref:../../scalability_and_performance/optimizing-storage.adoc#recommended-configurable-storage-technology_persistent-storage[Recommended configurable storage technology].
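Review bot: in the first hunk of modules/registry-configuring-storage-baremetal.adoc, the `ibm-z`/`ibm-power` conditionals are removed while the header comment still lists `installing/installing_ibm_z/installing-ibm-z.adoc` as an including assembly. Any assembly that still includes this module now gets the title "Configuring registry storage for bare metal" and the prerequisite "A cluster on bare metal." Either keep the conditionals or drop the IBM Z entry from the header and move those assemblies to their own module in the same change.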
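Review bot: in the `@@ -60,13 +39,14 @@` hunk of the bare metal module, the NFS bullet calls `no_wdelay` and `root_squash` "mount options", but the example sets them in `/etc/exports`, so they are export options configured on the NFS server; please reword. The example also still exports to every host (`*`) with `insecure`, which sits oddly next to the switch from `no_root_squash` to `root_squash`; consider a client specification limited to the cluster nodes, or say that `*` is illustrative only. The two prompts in the listing (`#` and `sh-4.2#`) should match.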
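Review bot: in the `@@ -39,13 +47,12 @@` hunk of modules/registry-configuring-storage-vsphere.adoc, the rewritten NFS bullet drops the condition "and you want to scale up the registry Pod by setting `replica>1`", so `no_wdelay` now reads as mandatory for every NFS-backed registry. If it is only needed when scaling, keep that condition for `no_wdelay` and state `root_squash` as the unconditional requirement. While the line is being touched, `emptyDIR` should be `emptyDir`, which is how the volume type is spelled.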
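Review bot: in the modules/storage-persistent-storage-nfs-group-ids.adoc hunk, the new anchor `[id=storage-persistent-storage-nfs-group-ids_{context}]` is unquoted, unlike `[id="registry-configuring-storage-baremetal_{context}"]` elsewhere in this patch; quote it for consistency. The added header entry `storage/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc` does not match the assembly path in this diff (`registry/configuring_registry_storage/...`), and that assembly links to the module with an xref rather than including it, so it does not belong under "Module included in the following assemblies". The vSphere assembly gets the same xref but no header entry, so drop the line or treat both assemblies the same way.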