diff --git a/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc b/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc index 84e4cef22d8f..199e04fa228b 100644 --- a/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc +++ b/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc @@ -113,6 +113,8 @@ include::modules/registry-removed.adoc[leveloffset=+2] include::modules/installation-registry-storage-config.adoc[leveloffset=+2] +include::modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc[leveloffset=+2] + include::modules/installation-complete-user-infra.adoc[leveloffset=+1] == Next steps diff --git a/installing/installing_bare_metal/installing-bare-metal.adoc b/installing/installing_bare_metal/installing-bare-metal.adoc index b3617546cb4b..77a347610b9e 100644 --- a/installing/installing_bare_metal/installing-bare-metal.adoc +++ b/installing/installing_bare_metal/installing-bare-metal.adoc @@ -125,6 +125,8 @@ include::modules/registry-configuring-storage-baremetal.adoc[leveloffset=+3] include::modules/installation-registry-storage-non-production.adoc[leveloffset=+3] +include::modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc[leveloffset=+3] + include::modules/installation-complete-user-infra.adoc[leveloffset=+1] == Next steps diff --git a/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc b/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc index 7bed568cb2f8..b06bd2b74097 100644 --- a/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc +++ b/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc 
@@ -131,6 +131,8 @@ include::modules/registry-configuring-storage-baremetal.adoc[leveloffset=+3] include::modules/installation-registry-storage-non-production.adoc[leveloffset=+3] +include::modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc[leveloffset=+3] + include::modules/installation-complete-user-infra.adoc[leveloffset=+1] == Next steps diff --git a/modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc b/modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc new file mode 100644 index 000000000000..72d9ef5cd21c --- /dev/null +++ b/modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc 
@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_bare_metal/installing-bare-metal.adoc
+// * installing/installing_baremetal/installing-bare-metal-network-customizations.adoc
+// * installing/installing_baremetal/installing-restricted-networks-bare-metal.adoc
+// * registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc
+
+[id="installation-registry-storage-block-recreate-rollout-bare-metal_{context}"]
+= Configuring block registry storage for bare metal
+
+To allow the image registry to use block storage types during upgrades as a cluster administrator, you can use the `Recreate` rollout strategy.
+
+[IMPORTANT]
+====
+Block storage volumes are supported but not recommended for use with the image
+registry on production clusters. An installation where the registry is
+configured on block storage is not highly available because the registry cannot
+have more than one replica.
+====
+
+.Procedure
+
+. To set the image registry storage as a block storage type, patch the registry so that it uses the `Recreate` rollout strategy and runs with only one (`1`) replica:
++
+[source,terminal]
+----
+$ oc patch config.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"rolloutStrategy":"Recreate","replicas":1}}'
+----
++
+. Provision the PV for the block storage device, and create a PVC for that volume. The requested block volume uses the ReadWriteOnce (RWO) access mode.
++
+. Edit the registry configuration so that it references the correct PVC.
diff --git a/modules/registry-configuring-storage-baremetal.adoc b/modules/registry-configuring-storage-baremetal.adoc
index c3d535277924..13f7b7ca3500 100644
--- a/modules/registry-configuring-storage-baremetal.adoc
+++ b/modules/registry-configuring-storage-baremetal.adoc
@@ -2,7 +2,7 @@ // // * installing/installing_bare_metal/installing-bare-metal.adoc // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc -// * registry/configuring_registry_storage-baremetal +// * registry/configuring_registry_storage/configuring-registry-storage-baremetal // * installing/installing_ibm_z/installing-ibm-z.adoc // * virt/virtual_machines/importing_vms/virt-importing-vmware-vm.adoc @@ -16,9 +16,13 @@ registry to use storage. * Cluster administrator permissions. * A cluster on bare metal. -* Provisioned persistent storage -for your cluster, such as Red Hat OpenShift Container Storage. To deploy a private image registry, your storage must provide -ReadWriteMany access mode. +* Persistent storage provisioned for your cluster, such as Red Hat OpenShift Container Storage. ++ +[IMPORTANT] +==== +{product-title} supports `ReadWriteOnce` access for image registry storage when you have only one replica. To deploy an image registry that supports high availability with two or more replicas, `ReadWriteMany` access is required. +==== + * Must have "100Gi" capacity. .Procedure @@ -28,10 +32,10 @@ the `configs.imageregistry/cluster` resource. + [NOTE] ==== -When using shared storage such as NFS, it is strongly recommended to use the `supplementalGroups` strategy, which dictates the allowable supplemental groups for the Security Context, rather than the `fsGroup` ID. Refer to the NFS *Group IDs* documentation for details. +When using shared storage, review your security settings to prevent outside access. ==== -. Verify you do not have a registry Pod: +. Verify that you do not have a registry Pod: + [source,terminal] ---- 
@@ -40,30 +44,7 @@ $ oc get pod -n openshift-image-registry + [NOTE] ===== -* If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. -* If the storage type is `NFS`, you must enable the `no_wdelay` and `root_squash` mount options. For example: -+ -[source,terminal] ----- -# cat /etc/exports ----- -+ -.Example output -[source,terminal] ----- -/mnt/data *(rw,sync,no_wdelay,root_squash,insecure,fsid=0) ----- -+ -[source,terminal] ----- -sh-4.2# exportfs -rv ----- -+ -.Example output -[source,terminal] ----- -exporting *:/mnt/data ----- +If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. ===== + . Check the registry configuration: @@ -73,7 +54,7 @@ exporting *:/mnt/data $ oc edit configs.imageregistry.operator.openshift.io ---- + -.Example registry configuration +.Example output [source,yaml] ---- storage: diff --git a/modules/registry-configuring-storage-vsphere.adoc b/modules/registry-configuring-storage-vsphere.adoc index eaa3c8f2ea06..fb51cfdebd0f 100644 --- a/modules/registry-configuring-storage-vsphere.adoc +++ b/modules/registry-configuring-storage-vsphere.adoc 
@@ -10,20 +10,17 @@ [id="registry-configuring-storage-vsphere_{context}"] = Configuring registry storage for VMware vSphere -As a cluster administrator, following installation you must configure your -registry to use storage. +As a cluster administrator, following installation you must configure your registry to use storage. .Prerequisites * Cluster administrator permissions. * A cluster on VMware vSphere. -* Provision persistent storage for your cluster. To deploy a private image registry, your storage must provide -ReadWriteMany access mode. +* Persistent storage provisioned for your cluster, such as Red Hat OpenShift Container Storage. + [IMPORTANT] ==== -vSphere volumes do not support the `ReadWriteMany` access mode. You must use -a different storage backend, such as object storage, to configure the registry storage for high-availability. +{product-title} supports `ReadWriteOnce` access for image registry storage when you have only one replica. To deploy an image registry that supports high availability with two or more replicas, `ReadWriteMany` access is required. ==== + * Must have "100Gi" capacity. @@ -43,15 +40,14 @@ components. .Procedure -. To configure your registry to use storage, change the `spec.storage.pvc` in the -`configs.imageregistry/cluster` resource. +. To configure your registry to use storage, change the `spec.storage.pvc` in the `configs.imageregistry/cluster` resource. + [NOTE] ==== -When using shared storage such as NFS, it is strongly recommended to use the `supplementalGroups` strategy, which dictates the allowable supplemental groups for the Security Context, rather than the `fsGroup` ID. Refer to the NFS *Group IDs* documentation for details. +When using shared storage, review your security settings to prevent outside access. ==== -. Verify you do not have a registry Pod: +. Verify that you do not have a registry Pod: + [source,terminal] ---- 
@@ -60,30 +56,7 @@ $ oc get pod -n openshift-image-registry + [NOTE] ===== -* If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. -* If the storage type is `NFS`, you must enable the `no_wdelay` and `root_squash` mount options. For example: -+ -[source,terminal] ----- -# cat /etc/exports ----- -+ -.Example output -[source,terminal] ----- -/mnt/data *(rw,sync,no_wdelay,root_squash,insecure,fsid=0) ----- -+ -[source,terminal] ----- -sh-4.2# exportfs -rv ----- -+ -.Example output -[source,terminal] ----- -exporting *:/mnt/data ----- +If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. ===== + . Check the registry configuration: 
@@ -93,93 +66,16 @@ exporting *:/mnt/data $ oc edit configs.imageregistry.operator.openshift.io ---- + -.Example registry configuration +.Example output [source,yaml] ---- storage: pvc: - claim: ----- -+ -Leave the `claim` field blank to allow the automatic creation of an -`image-registry-storage` PVC. - -. Optional: Add a new storage class to a PV: -.. Create the PV: -+ -[source,terminal] ----- -$ oc create -f - ----- -+ -[source,yaml] ----- - -apiVersion: v1 -kind: PersistentVolume -metadata: - name: image-registry-pv -spec: - accessModes: - - ReadWriteMany - capacity: - storage: 100Gi - nfs: - path: /registry - server: 172.16.231.181 - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs01 + claim: <1> ---- + -[source,terminal] ----- -$ oc get pv ----- +<1> Leave the `claim` field blank to allow the automatic creation of an `image-registry-storage` PVC. -.. Create the PVC: -+ -[source,terminal] ----- -$ oc create -n openshift-image-registry -f - ----- -+ -[source,yaml] ----- -apiVersion: "v1" -kind: "PersistentVolumeClaim" -metadata: - name: "image-registry-pvc" -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 100Gi - storageClassName: nfs01 - volumeMode: Filesystem ----- -+ -[source,terminal] ----- -$ oc get pvc -n openshift-image-registry ----- -+ -Finally, add the name of your PVC: -+ -[source,terminal] ----- -$ oc edit configs.imageregistry.operator.openshift.io -o yaml ----- -+ -[source,yaml] ----- -storage: - pvc: - claim: image-registry-pvc <1> ----- -<1> Creating a custom PVC allows you to leave the `claim` field blank for default automatic creation of an `image-registry-storage` PVC. - -+ . Check the `clusteroperator` status: + [source,terminal] diff --git a/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc b/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc index 3aec85982c1a..a7ebe8c2366b 100644 
--- a/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc +++ b/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc @@ -12,10 +12,10 @@ include::modules/installation-registry-storage-config.adoc[leveloffset=+1] include::modules/registry-configuring-storage-baremetal.adoc[leveloffset=+1] -See xref:../../storage/persistent_storage/persistent-storage-nfs.adoc#storage-persistent-storage-nfs-group-ids_persistent-storage-nfs[Group IDs] for additional details about using supplemental groups to handle NFS access. - include::modules/installation-registry-storage-non-production.adoc[leveloffset=+1] +include::modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc[leveloffset=+1] + [id="configuring-registry-storage-baremetal-addtl-resources"] == Additional resources diff --git a/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc b/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc index 4423c94cace3..5c8370b15e8e 100644 --- a/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc +++ b/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc @@ -12,8 +12,6 @@ include::modules/installation-registry-storage-config.adoc[leveloffset=+2] include::modules/registry-configuring-storage-vsphere.adoc[leveloffset=+1] -See xref:../../storage/persistent_storage/persistent-storage-nfs.adoc#storage-persistent-storage-nfs-group-ids_persistent-storage-nfs[Group IDs] for additional details about using supplemental groups to handle NFS access. - include::modules/installation-registry-storage-non-production.adoc[leveloffset=+1] include::modules/installation-registry-storage-block-recreate-rollout.adoc[leveloffset=+1]