MCO-1331: Install extensions via Containerfile for OCL

[umohnani8]

- What I did
Add logic to the Containerfile used to build the new OS image to be able to install extensions when using OCL. Extensions are installed via rpm-ostree and commited to the container image.

- How to verify it
Enable OCL and create a MC with to install extensions, wait for the image to build and roll out and the extensions installed should be installed on the nodes.

- Description for the changelog
Install extension via Containerfile when using OCL.

[openshift-ci-robot]

@umohnani8: This pull request references MCO-1331 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

- What I did
Add logic to the Containerfile used to build the new OS image to be able to install extensions when using OCL. Extensions are installed via rpm-ostree and commited to the container image.

- How to verify it
Enable OCL and create a MC with to install extensions, wait for the image to build and roll out and the extensions installed should be installed on the nodes.

- Description for the changelog
Install extension via Containerfile when using OCL.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[cheesesashimi]

Looks great overall! I just have a few minor suggestions.

[umohnani8]

/retest

[ptalgulk01]

Pre-merge verified :
Verified using IPI based GCP cluster

• Enable the OCL
• Apply the MOSC

oc create -f - << EOF
apiVersion: machineconfiguration.openshift.io/v1alpha1
kind: MachineOSConfig
metadata:
  name: worker-mosc
spec:
  machineConfigPool:
    name: worker
  buildOutputs:
    currentImagePullSecret:
      name: $(oc get -n openshift-machine-config-operator sa default -ojsonpath='{.secrets[0].name}')
  buildInputs:
    imageBuilder:
      imageBuilderType: PodImageBuilder
    baseImagePullSecret:
      name: $(oc get secret -n openshift-config pull-secret -o json | jq "del(.metadata.namespace, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid, .metadata.name)" | jq '.metadata.name="pull-copy"' | oc -n openshift-machine-config-operator create -f - &> /dev/null; echo -n "pull-copy")
    renderedImagePushSecret:
      name: $(oc get -n openshift-machine-config-operator sa builder -ojsonpath='{.secrets[0].name}')
    renderedImagePushspec: "image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/ocb-image:latest"
EOF

• After Build is successfully applied apply the MC with extension

 oc create -f - << EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: change-workers-extension-usbguard
spec:
  config:
    ignition:
      version: 3.2.0
  extensions:
    - usbguard     
EOF

• wait for mcp worker to get updated

oc debug node/ppt-2011a-mvnkh-worker-a-hqxwt -- chroot /host rpm -q usbguard
Starting pod/ppt-2011a-mvnkh-worker-a-hqxwt-debug-r9d8r ...
To use host binaries, run `chroot /host`
usbguard-1.0.0-15.el9.x86_64

• For MC with wrong extension applied the MOSB is failed with below error logs in build pod

Enabled rpm-md repositories: coreos-extensions
Importing rpm-md...done
rpm-md repo 'coreos-extensions' (cached); generated: 2024-11-14T19:57:55Z solvables: 84
error: Packages not found: zsh
subprocess exited with status 1
subprocess exited with status 1

For rhel-etitlement based MOSB it is failing and have created a ticket here OCPBUGS-44862

/label qe-approved

[openshift-ci-robot]

@umohnani8: This pull request references MCO-1331 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.18.0" version, but no target version was set.

In response to this:

- What I did
Add logic to the Containerfile used to build the new OS image to be able to install extensions when using OCL. Extensions are installed via rpm-ostree and commited to the container image.

- How to verify it
Enable OCL and create a MC with to install extensions, wait for the image to build and roll out and the extensions installed should be installed on the nodes.

- Description for the changelog
Install extension via Containerfile when using OCL.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[cheesesashimi]

/lgtm
/approve
/label acknowledge-critical-fixes-only

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9856ad1 and 2 for PR HEAD 0ce0cbc in total

[umohnani8]

/retest

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 9a8ee32 and 1 for PR HEAD 0ce0cbc in total

[LorbusChris]

We need to ensure we cover cases where an extensions resolves to multiple RPMs

[LorbusChris]

On RHCOS and SCOS one extension may resolve to multiple RPMs, or an RPM with a different name, which I don't think is currently accounted for, see

machine-config-operator/pkg/daemon/update.go

Lines 1765 to 1780 in 9a8ee32

	func getSupportedExtensions() map[string][]string {
	// In future when list of extensions grow, it will make
	// more sense to populate it in a dynamic way.
	// These are RHCOS supported extensions.
	// Each extension keeps a list of packages required to get enabled on host.
	return map[string][]string{
	"wasm": {"crun-wasm"},
	"ipsec": {"NetworkManager-libreswan", "libreswan"},
	"usbguard": {"usbguard"},
	"kerberos": {"krb5-workstation", "libkadm5"},
	"kernel-devel": {"kernel-devel", "kernel-headers"},
	"sandboxed-containers": {"kata-containers"},
	"sysstat": {"sysstat"},
	}
	}

and

machine-config-operator/pkg/daemon/update.go

Lines 1734 to 1739 in 9a8ee32

	extensions := getSupportedExtensions()
	for _, ext := range added {
	for _, pkg := range extensions[ext] {
	extArgs = append(extArgs, "--install", pkg)
	}
	}

On FCOS, the relationship is 1:1, but I'm not sure whether we still need to handle that now that OKD is moving to SCOS.

[cheesesashimi]

I opened #4714 whose commits we could cherry-pick into this.

[umohnani8]

Thanks @cheesesashimi, I have cherry-picked those commits here

[LorbusChris]

usbguard is one of the more trivial extensions that contains only one RPM with the same name. Could we use e.g. the ipsec extension (which resolves to NetworkManager-libreswan and libreswan RPMs) for the test case instead?

[LorbusChris]

/hold

[LorbusChris]

I'm not sure if any extensions adds users. If that's the case, we're likely at risk of running into containers/bootc#673 here too.

[LorbusChris]

/hold cancel
/lgtm
with the caveat mentioned in #4705 (comment) for which we don't currently have a solution

[cheesesashimi]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cheesesashimi, LorbusChris, umohnani8

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [LorbusChris,cheesesashimi,umohnani8]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@umohnani8: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure-ovn-upgrade-out-of-change	fee1b99	link	false	/test e2e-azure-ovn-upgrade-out-of-change
ci/prow/okd-scos-e2e-aws-ovn	fee1b99	link	false	/test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: ose-machine-config-operator
This PR has been included in build ose-machine-config-operator-container-v4.18.0-202411222306.p0.gc761b7c.assembly.stream.el9.
All builds following this will include this PR.