diff --git a/modules/registry-configuring-storage-baremetal.adoc b/modules/registry-configuring-storage-baremetal.adoc index b658807c9268..ac0c977239d7 100644 --- a/modules/registry-configuring-storage-baremetal.adoc +++ b/modules/registry-configuring-storage-baremetal.adoc @@ -6,31 +6,8 @@ // * installing/installing_ibm_z/installing-ibm-z.adoc // * virt/virtual_machines/importing_vms/virt-importing-vmware-vm.adoc -ifeval::["{context}" == "installing-ibm-z"] -:ibm-z: -endif::[] -ifeval::["{context}" == "installing-restricted-networks-ibm-z"] -:ibm-z: -:restricted: -endif::[] -ifeval::["{context}" == "installing-ibm-power"] -:ibm-power: -endif::[] -ifeval::["{context}" == "installing-restricted-networks-ibm-power"] -:ibm-power: -:restricted: -endif::[] - [id="registry-configuring-storage-baremetal_{context}"] -ifndef::ibm-z,ibm-power[] = Configuring registry storage for bare metal -endif::ibm-z,ibm-power[] -ifdef::ibm-z[] -= Configuring registry storage for IBM Z -endif::ibm-z[] -ifdef::ibm-power[] -= Configuring registry storage for IBM Power -endif::ibm-power[] As a cluster administrator, following installation you must configure your registry to use storage. @@ -38,14 +15,9 @@ registry to use storage. .Prerequisites * Cluster administrator permissions. -* A cluster on -ifndef::ibm-z,ibm-power[bare metal.] -ifdef::ibm-z[IBM Z.] -ifdef::ibm-power[IBM Power.] -* Provision persistent storage for your cluster, such as -ifndef::ibm-z[Red Hat OpenShift Container Storage.] -ifdef::ibm-z[NFS.] -To deploy a private image registry, your storage must provide +* A cluster on bare metal. +* Provision persistent storage +for your cluster, such as Red Hat OpenShift Container Storage. To deploy a private image registry, your storage must provide ReadWriteMany access mode. * Must have "100Gi" capacity. 
@@ -54,6 +26,11 @@ ReadWriteMany access mode. . To configure your registry to use storage, change the `spec.storage.pvc` in the `configs.imageregistry/cluster` resource. + +[NOTE] +==== +When using shared storage such as NFS, it is strongly recommended to use the `supplementalGroups` strategy, which dictates the allowable supplemental groups for the Security Context, rather than the `fsGroup` ID. Refer to the NFS *Group IDs* documentation for details. +==== + . Verify you do not have a registry Pod: + ---- @@ -62,25 +39,15 @@ $ oc get pod -n openshift-image-registry + [NOTE] ===== -If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. -If the storage type is `NFS`, and you want to scale up the registry Pod by setting -`replica>1` you must enable the `no_wdelay` mount option. For example: - -ifndef::ibm-power+restricted[] +* If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. +* If the storage type is `NFS`, you must enable the `no_wdelay` and `root_squash` mount options. For example: ++ ---- # cat /etc/exports -/mnt/data *(rw,sync,no_wdelay,no_root_squash,insecure,fsid=0) +/mnt/data *(rw,sync,no_wdelay,root_squash,insecure,fsid=0) sh-4.2# exportfs -rv exporting *:/mnt/data ---- -endif::ibm-power+restricted[] - -ifdef::ibm-power+restricted[] ----- -# cat /etc/exports -/var/nfsshare *(rw,sync,no_root_squash) ----- -endif::ibm-power+restricted[] ===== + . Check the registry configuration: 
@@ -101,38 +68,3 @@ Leave the `claim` field blank to allow the automatic creation of an ---- $ oc get clusteroperator image-registry ---- -+ -. Ensure that your registry is set to managed to enable building and pushing of images. -+ -* Run: -+ ----- -$ oc edit configs.imageregistry/cluster ----- -+ -Then, change the line -+ ----- -managementState: Removed ----- -+ -to -+ ----- -managementState: Managed ----- - -ifeval::["{context}" == "installing-ibm-z"] -:!ibm-z: -endif::[] -ifeval::["{context}" == "installing-restricted-networks-ibm-z"] -:!ibm-z: -:!restricted: -endif::[] -ifeval::["{context}" == "installing-ibm-power"] -:!ibm-power: -endif::[] -ifeval::["{context}" == "installing-restricted-networks-ibm-power"] -:!ibm-power: -:!restricted: -endif::[] diff --git a/modules/registry-configuring-storage-vsphere.adoc b/modules/registry-configuring-storage-vsphere.adoc index 460c735aa7a8..6799f7d9e5a5 100644 --- a/modules/registry-configuring-storage-vsphere.adoc +++ b/modules/registry-configuring-storage-vsphere.adoc @@ -34,6 +34,11 @@ a different storage backend, such as `NFS`, to configure the registry storage. . To configure your registry to use storage, change the `spec.storage.pvc` in the `configs.imageregistry/cluster` resource. + +[NOTE] +==== +When using shared storage such as NFS, it is strongly recommended to use the `supplementalGroups` strategy, which dictates the allowable supplemental groups for the Security Context, rather than the `fsGroup` ID. Refer to the NFS *Group IDs* documentation for details. +==== + . Verify you do not have a registry Pod: + ---- 
@@ -42,13 +47,12 @@ $ oc get pod -n openshift-image-registry + [NOTE] ===== -If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. -If the storage type is `NFS`, and you want to scale up the registry Pod by setting -`replica>1` you must enable the `no_wdelay` mount option. For example: - +* If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. +* If the storage type is `NFS`, you must enable the `no_wdelay` and `root_squash` mount options. For example: ++ ---- # cat /etc/exports -/mnt/data *(rw,sync,no_wdelay,no_root_squash,insecure,fsid=0) +/mnt/data *(rw,sync,no_wdelay,root_squash,insecure,fsid=0) sh-4.2# exportfs -rv exporting *:/mnt/data ---- diff --git a/modules/storage-persistent-storage-nfs-group-ids.adoc b/modules/storage-persistent-storage-nfs-group-ids.adoc index 8fcd20038e2c..6379502a45f2 100644 --- a/modules/storage-persistent-storage-nfs-group-ids.adoc +++ b/modules/storage-persistent-storage-nfs-group-ids.adoc @@ -1,7 +1,9 @@ // Module included in the following assemblies: // // * storage/persistent_storage/persistent-storage-nfs.adoc +// * storage/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc +[id=storage-persistent-storage-nfs-group-ids_{context}] = Group IDs The recommended way to handle NFS access, assuming it is not an option to @@ -13,8 +15,7 @@ Pod's `securityContext`. [NOTE] ==== -It is generally preferable to use supplemental group IDs to gain access to -persistent storage versus using user IDs. +To gain access to persistent storage, it is generally preferable to use supplemental group IDs versus user IDs. ==== Because the group ID on the example target NFS directory diff --git a/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc b/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc index 6110e4ffc4b9..3aec85982c1a 100644 
--- a/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc +++ b/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc @@ -12,10 +12,12 @@ include::modules/installation-registry-storage-config.adoc[leveloffset=+1] include::modules/registry-configuring-storage-baremetal.adoc[leveloffset=+1] +See xref:../../storage/persistent_storage/persistent-storage-nfs.adoc#storage-persistent-storage-nfs-group-ids_persistent-storage-nfs[Group IDs] for additional details about using supplemental groups to handle NFS access. + include::modules/installation-registry-storage-non-production.adoc[leveloffset=+1] [id="configuring-registry-storage-baremetal-addtl-resources"] == Additional resources -For more details on configuring registry storage for bare metal, see xref:../../scalability_and_performance/optimizing-storage.adoc#recommended-configurable-storage-technology_persistent-storage[Recommended configurable storage technology]. +For more details about configuring registry storage for bare metal, see xref:../../scalability_and_performance/optimizing-storage.adoc#recommended-configurable-storage-technology_persistent-storage[Recommended configurable storage technology]. diff --git a/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc b/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc index 0ad97db60f01..80b2daf2ad56 100644 --- a/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc +++ b/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc 
@@ -12,6 +12,8 @@ include::modules/installation-registry-storage-config.adoc[leveloffset=+2] include::modules/registry-configuring-storage-vsphere.adoc[leveloffset=+1] +See xref:../../storage/persistent_storage/persistent-storage-nfs.adoc#storage-persistent-storage-nfs-group-ids_persistent-storage-nfs[Group IDs] for additional details about using supplemental groups to handle NFS access. + include::modules/installation-registry-storage-non-production.adoc[leveloffset=+1] include::modules/installation-registry-storage-block-recreate-rollout.adoc[leveloffset=+1] @@ -21,4 +23,4 @@ For instructions about configuring registry storage so that it references the co [id="configuring-registry-storage-vsphere-addtl-resources"] == Additional resources -For more details on configuring registry storage for vSphere, see xref:../../scalability_and_performance/optimizing-storage.adoc#recommended-configurable-storage-technology_persistent-storage[Recommended configurable storage technology]. +For more details about configuring registry storage for vSphere, see xref:../../scalability_and_performance/optimizing-storage.adoc#recommended-configurable-storage-technology_persistent-storage[Recommended configurable storage technology].
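Review bot: In modules/registry-configuring-storage-baremetal.adoc the header comment still lists `installing/installing_ibm_z/installing-ibm-z.adoc` as an including assembly, but the hunks at -6,31 and -38,14 delete every `ifdef::ibm-z[]` and `ifdef::ibm-power[]` branch. Readers arriving from the IBM Z assembly would now see the title "Configuring registry storage for bare metal", the prerequisite "A cluster on bare metal", and Red Hat OpenShift Container Storage instead of NFS as the suggested storage. Either remove the include from the IBM Z and IBM Power assemblies and update the `// *` list in this same change, or keep the conditionals.
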
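Review bot: The NOTE added after the `spec.storage.pvc` step (bare-metal module, hunk at -54,6) refers to "the NFS *Group IDs* documentation" in bold text only, so the module itself gives the reader nothing to follow. The xref is added only in the two registry assemblies further down, which leaves the other assemblies named in the module header, such as `virt-importing-vmware-vm.adoc`, with a reference that leads nowhere. Suggest adding the same "See xref:..." sentence to every assembly that includes this module, or rewording the NOTE so it does not promise a reference. A short clause on why `supplementalGroups` is preferred over `fsGroup` for shared storage would also help, since "strongly recommended" is stated without a reason.
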
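Review bot: The export example in the NFS bullet (bare-metal module, hunk at -62,25) switches to `root_squash` but still exports `/mnt/data` to `*` with the `insecure` option, so any host that can reach the NFS server can mount the registry storage, and can do so from an unprivileged source port. Suggest replacing `*` with a placeholder for the cluster node network and dropping `insecure` unless the text explains why it is required. Two further points on the same bullet: the rewrite removes the condition "and you want to scale up the registry Pod by setting `replica>1`", which makes `no_wdelay` read as mandatory for every NFS-backed registry, and `root_squash` is already the export default, so "must enable" is better phrased as "do not set `no_root_squash`". With root squashed, the example should also state which group owns `/mnt/data` and that it is group-writable, since that is what the `supplementalGroups` NOTE relies on.
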
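Review bot: The hunk at -101,38 in the bare-metal module removes the step that changes `managementState: Removed` to `managementState: Managed`, so the procedure now ends at `oc get clusteroperator image-registry` without telling the reader how to bring the registry out of the `Removed` state. If that step is covered by another module included in the assembly, such as `installation-registry-storage-config.adoc`, say so in the commit message; otherwise keep the step, because configuring `spec.storage.pvc` alone does not change the management state.
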
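Review bot: The NOTE and the `/etc/exports` example added to modules/registry-configuring-storage-vsphere.adoc (hunks at -34,6 and -42,13) are verbatim copies of the bare-metal text, so the `*` client specification and the `insecure` option are carried over here too, and any later correction has to be made in two places. Consider keeping the NFS guidance in one file that both modules include. The same remarks about the dropped `replica>1` condition and the wording "must enable ... `root_squash`" apply to this copy.
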
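Review bot: In modules/storage-persistent-storage-nfs-group-ids.adoc the new header line `// * storage/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc` does not match the path touched later in this patch, which is `registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc`, and that assembly links to the module with an xref rather than including it, so the line should be corrected or dropped. The added anchor `[id=storage-persistent-storage-nfs-group-ids_{context}]` is also unquoted, while the other ids in this patch use the quoted form, for example `[id="registry-configuring-storage-baremetal_{context}"]`; quote it for consistency.
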
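Review bot: In both registry assemblies (configuring-registry-storage-baremetal.adoc and configuring-registry-storage-vsphere.adoc) the new "See xref:..." sentence sits as a loose paragraph between two `include::` lines, so it renders after the last step of the included procedure, a long way from the step 1 NOTE that sends the reader to the Group IDs documentation. Moving it into the existing `== Additional resources` section would keep the references together. The link target `#storage-persistent-storage-nfs-group-ids_persistent-storage-nfs` also hardcodes the context suffix, while the id added in the module is built from `{context}`; please confirm that the NFS assembly sets `context` to `persistent-storage-nfs`, otherwise the anchor will not resolve.
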