diff --git a/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc b/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc
index 92535ad09466..c07c9cda8d91 100644
--- a/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc
+++ b/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc
@@ -77,6 +77,8 @@ include::modules/registry-removed.adoc[leveloffset=+2]
 include::modules/installation-registry-storage-config.adoc[leveloffset=+2]
+include::modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc[leveloffset=+2]
+
 include::modules/installation-complete-user-infra.adoc[leveloffset=+1]
 == Next steps
diff --git a/installing/installing_bare_metal/installing-bare-metal.adoc b/installing/installing_bare_metal/installing-bare-metal.adoc
index 0c45ed8e0e7c..87ea8d39c434 100644
--- a/installing/installing_bare_metal/installing-bare-metal.adoc
+++ b/installing/installing_bare_metal/installing-bare-metal.adoc
@@ -91,6 +91,8 @@ include::modules/registry-configuring-storage-baremetal.adoc[leveloffset=+3]
 include::modules/installation-registry-storage-non-production.adoc[leveloffset=+3]
+include::modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc[leveloffset=+3]
+
 include::modules/installation-complete-user-infra.adoc[leveloffset=+1]
 == Next steps
diff --git a/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc b/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
index 0c03f7cbb8b7..8547702a73d7 100644
--- a/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
+++ b/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
@@ -104,6 +104,8 @@ include::modules/registry-configuring-storage-baremetal.adoc[leveloffset=+3]
 include::modules/installation-registry-storage-non-production.adoc[leveloffset=+3]
+include::modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc[leveloffset=+3]
+
 include::modules/installation-complete-user-infra.adoc[leveloffset=+1]
 == Next steps
diff --git a/modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc b/modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc
new file mode 100644
index 000000000000..72d9ef5cd21c
--- /dev/null
+++ b/modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc
@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_bare_metal/installing-bare-metal.adoc
+// * installing/installing_baremetal/installing-bare-metal-network-customizations.adoc
+// * installing/installing_baremetal/installing-restricted-networks-bare-metal.adoc
+// * registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc
+
+[id="installation-registry-storage-block-recreate-rollout-bare-metal_{context}"]
+= Configuring block registry storage for bare metal
+
+To allow the image registry to use block storage types during upgrades as a cluster administrator, you can use the `Recreate` rollout strategy.
+
+[IMPORTANT]
+====
+Block storage volumes are supported but not recommended for use with the image
+registry on production clusters. An installation where the registry is
+configured on block storage is not highly available because the registry cannot
+have more than one replica.
+====
+
+.Procedure
+
+. To set the image registry storage as a block storage type, patch the registry so that it uses the `Recreate` rollout strategy and runs with only one (`1`) replica:
++
+[source,terminal]
+----
+$ oc patch config.imageregistry.operator.openshift.io/cluster --type=merge -p '{"spec":{"rolloutStrategy":"Recreate","replicas":1}}'
+----
++
+. Provision the PV for the block storage device, and create a PVC for that volume. The requested block volume uses the ReadWriteOnce (RWO) access mode.
++
+. Edit the registry configuration so that it references the correct PVC.
diff --git a/modules/registry-configuring-storage-baremetal.adoc b/modules/registry-configuring-storage-baremetal.adoc
index ac0c977239d7..7109025cbca8 100644
--- a/modules/registry-configuring-storage-baremetal.adoc
+++ b/modules/registry-configuring-storage-baremetal.adoc
@@ -2,7 +2,7 @@ // // * installing/installing_bare_metal/installing-bare-metal.adoc // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc -// * registry/configuring_registry_storage-baremetal +// * registry/configuring_registry_storage/configuring-registry-storage-baremetal // * installing/installing_ibm_z/installing-ibm-z.adoc // * virt/virtual_machines/importing_vms/virt-importing-vmware-vm.adoc @@ -16,9 +16,13 @@ registry to use storage. * Cluster administrator permissions. * A cluster on bare metal. -* Provision persistent storage -for your cluster, such as Red Hat OpenShift Container Storage. To deploy a private image registry, your storage must provide -ReadWriteMany access mode. +* Persistent storage provisioned for your cluster, such as Red Hat OpenShift Container Storage. ++ +[IMPORTANT] +==== +{product-title} supports `ReadWriteOnce` access for image registry storage when you have only one replica. To deploy an image registry that supports high availability with two or more replicas, `ReadWriteMany` access is required. +==== + * Must have "100Gi" capacity. .Procedure @@ -28,10 +32,10 @@ the `configs.imageregistry/cluster` resource. + [NOTE] ==== -When using shared storage such as NFS, it is strongly recommended to use the `supplementalGroups` strategy, which dictates the allowable supplemental groups for the Security Context, rather than the `fsGroup` ID. Refer to the NFS *Group IDs* documentation for details. +When using shared storage, review your security settings to prevent outside access. ==== -. Verify you do not have a registry Pod: +. Verify that you do not have a registry Pod: + ---- $ oc get pod -n openshift-image-registry 
@@ -39,22 +43,18 @@ $ oc get pod -n openshift-image-registry + [NOTE] ===== -* If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. -* If the storage type is `NFS`, you must enable the `no_wdelay` and `root_squash` mount options. For example: -+ ----- -# cat /etc/exports -/mnt/data *(rw,sync,no_wdelay,root_squash,insecure,fsid=0) -sh-4.2# exportfs -rv -exporting *:/mnt/data ----- +If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. ===== + . Check the registry configuration: + ---- $ oc edit configs.imageregistry.operator.openshift.io - +---- ++ +.Example output +[source,yaml] +---- storage: pvc: claim: diff --git a/modules/registry-configuring-storage-vsphere.adoc b/modules/registry-configuring-storage-vsphere.adoc index 33ccbb8fe1ba..b4e3994cd263 100644 --- a/modules/registry-configuring-storage-vsphere.adoc +++ b/modules/registry-configuring-storage-vsphere.adoc 
@@ -10,20 +10,17 @@ [id="registry-configuring-storage-vsphere_{context}"] = Configuring registry storage for VMware vSphere -As a cluster administrator, following installation you must configure your -registry to use storage. +As a cluster administrator, following installation you must configure your registry to use storage. .Prerequisites * Cluster administrator permissions. * A cluster on VMware vSphere. -* Provision persistent storage for your cluster. To deploy a private image registry, your storage must provide -ReadWriteMany access mode. +* Persistent storage provisioned for your cluster, such as Red Hat OpenShift Container Storage. + [IMPORTANT] ==== -vSphere volumes do not support the `ReadWriteMany` access mode. You must use -a different storage backend, such as object storage, to configure the registry storage for high-availability. +{product-title} supports `ReadWriteOnce` access for image registry storage when you have only one replica. To deploy an image registry that supports high availability with two or more replicas, `ReadWriteMany` access is required. ==== + * Must have "100Gi" capacity. @@ -43,15 +40,14 @@ components. .Procedure -. To configure your registry to use storage, change the `spec.storage.pvc` in the -`configs.imageregistry/cluster` resource. +. To configure your registry to use storage, change the `spec.storage.pvc` in the `configs.imageregistry/cluster` resource. + [NOTE] ==== -When using shared storage such as NFS, it is strongly recommended to use the `supplementalGroups` strategy, which dictates the allowable supplemental groups for the Security Context, rather than the `fsGroup` ID. Refer to the NFS *Group IDs* documentation for details. +When using shared storage, review your security settings to prevent outside access. ==== -. Verify you do not have a registry Pod: +. Verify that you do not have a registry Pod: + ---- $ oc get pod -n openshift-image-registry 
@@ -59,101 +55,25 @@ $ oc get pod -n openshift-image-registry + [NOTE] ===== -* If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. -* If the storage type is `NFS`, you must enable the `no_wdelay` and `root_squash` mount options. For example: -+ ----- -# cat /etc/exports -/mnt/data *(rw,sync,no_wdelay,root_squash,insecure,fsid=0) -sh-4.2# exportfs -rv -exporting *:/mnt/data ----- +If the storage type is `emptyDIR`, the replica number cannot be greater than `1`. ===== + . Check the registry configuration: + ---- $ oc edit configs.imageregistry.operator.openshift.io - -storage: - pvc: - claim: ----- -+ -Leave the `claim` field blank to allow the automatic creation of an -`image-registry-storage` PVC. - -. Optional: Add a new storage class to a PV: -.. Create the PV: -+ ----- -$ oc create -f - ----- -+ -[source,yaml] ----- - -apiVersion: v1 -kind: PersistentVolume -metadata: - name: image-registry-pv -spec: - accessModes: - - ReadWriteMany - capacity: - storage: 100Gi - nfs: - path: /registry - server: 172.16.231.181 - persistentVolumeReclaimPolicy: Retain - storageClassName: nfs01 ----- -+ ----- -$ oc get pv ----- - -.. Create the PVC: -+ ----- -$ oc create -n openshift-image-registry -f - ----- -+ -[source,yaml] ----- -apiVersion: "v1" -kind: "PersistentVolumeClaim" -metadata: - name: "image-registry-pvc" -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 100Gi - storageClassName: nfs01 - volumeMode: Filesystem ----- -+ ----- -$ oc get pvc -n openshift-image-registry ----- -+ -Finally, add the name of your PVC: -+ ----- -$ oc edit configs.imageregistry.operator.openshift.io -o yaml ---- + +.Example output [source,yaml] ---- storage: pvc: - claim: image-registry-pvc <1> + claim: <1> ---- -<1> Creating a custom PVC allows you to leave the `claim` field blank for default automatic creation of an `image-registry-storage` PVC. 
- + +<1> Leave the `claim` field blank to allow the automatic creation of an `image-registry-storage` PVC. + . Check the `clusteroperator` status: + ---- diff --git a/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc b/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc index 3aec85982c1a..a7ebe8c2366b 100644 --- a/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc +++ b/registry/configuring_registry_storage/configuring-registry-storage-baremetal.adoc @@ -12,10 +12,10 @@ include::modules/installation-registry-storage-config.adoc[leveloffset=+1] include::modules/registry-configuring-storage-baremetal.adoc[leveloffset=+1] -See xref:../../storage/persistent_storage/persistent-storage-nfs.adoc#storage-persistent-storage-nfs-group-ids_persistent-storage-nfs[Group IDs] for additional details about using supplemental groups to handle NFS access. - include::modules/installation-registry-storage-non-production.adoc[leveloffset=+1] +include::modules/installation-registry-storage-block-recreate-rollout-bare-metal.adoc[leveloffset=+1] + [id="configuring-registry-storage-baremetal-addtl-resources"] == Additional resources diff --git a/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc b/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc index 80b2daf2ad56..01ff403538df 100644 --- a/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc +++ b/registry/configuring_registry_storage/configuring-registry-storage-vsphere.adoc 
@@ -12,8 +12,6 @@ include::modules/installation-registry-storage-config.adoc[leveloffset=+2]
 include::modules/registry-configuring-storage-vsphere.adoc[leveloffset=+1]
-See xref:../../storage/persistent_storage/persistent-storage-nfs.adoc#storage-persistent-storage-nfs-group-ids_persistent-storage-nfs[Group IDs] for additional details about using supplemental groups to handle NFS access.
-
 include::modules/installation-registry-storage-non-production.adoc[leveloffset=+1]
 include::modules/installation-registry-storage-block-recreate-rollout.adoc[leveloffset=+1]