FAQs
See the subsequent sections for answers to frequently asked questions about the OpenShift Container Platform accelerator.
-
**What version of OpenShift Container Platform is supported by IBM Cloud Pak® System V2.3.2.0?**
OpenShift Container Platform V4.3.1 and V4.2.18.
-
**Using OpenShift Container Platform accelerator V4.3.1, can I deploy OpenShift Container Platform V4.2.18?**
To deploy 4.2.x, use the accelerator version 1.0.3.1 or clone the V4.3.1 accelerator and change the OVA file. For more information, see the FAQ section of OpenShift Container Platform accelerator version V1.0.3.1.
-
**Where can I learn more about the DNS requirements for accessing the cluster?**
Add the following wildcard entries to your DNS server to access the OpenShift web console, apps and APIs:
```
<helper_node_floating_ip> *.<cluster_name>.<base_domain>
<helper_node_floating_ip> *.apps.<cluster_name>.<base_domain>
```
For testing purposes, add these entries to your `/etc/hosts` to access the OpenShift web console:
```
<helper_node_floating_ip> console-openshift-console.apps.<cluster_name>.<base_domain>
<helper_node_floating_ip> oauth-openshift.apps.<cluster_name>.<base_domain>
```
Add the following entry to your DNS server or `/etc/hosts` to access the OpenShift APIs:
```
<helper_node_floating_ip> api.<cluster_name>.<base_domain>
```
To learn more about the OpenShift 4.3 DNS requirements, see User-provisioned DNS requirements.
-
**Where can I learn more about the general install process used for OpenShift Container Platform 4.x on IBM Cloud Pak System?**
OpenShift Container Platform 4.x is deployed using Ansible automation. For more information about the steps, see the Installing a cluster on vSphere in a restricted network process in Installing a cluster on vSphere in a restricted network.
-
**Can I install a newer version of OpenShift Container Platform 4.x, for example, V4.4?**
Yes, it is possible to install a newer version of OpenShift Container Platform. However, newer versions might not be certified by IBM Cloud Pak System. To install a newer version of OpenShift Container Platform, follow these steps:
-
Mirror a newer version of the OpenShift Container Platform images to your image registry. For the instructions, see Mirroring the OpenShift Container Platform image repository.
Note:
- Only versions up to V4.3.1 are tested.
- You can also use podman (not docker) to mirror the contents into a tgz that you can use for a fully offline load of the docker image registry. For more information about using the process, see Airgap/Disconnected Installation.
-
Download the specific version of the `openshift-install-linux-4.x.x.tar.gz` and `openshift-client-linux-4.x.x.tar.gz` CLI that you want to install from Red Hat. For more information, see Index of /pub/openshift-v4/clients/ocp.
-
Go to Catalog > Script Packages. Clone the "OpenShift Helper Node" script package. Download the script package, extract the script package, and add the new `openshift-install-linux-4.x.x.tar.gz` and `openshift-client-linux-4.x.x.tar.gz` CLI to the `/deps` folder. Compress the file and upload it back to your new cloned script package.
-
From the following Red Hat link, download the specific version of the Red Hat CoreOS image that you want to install - https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/.
-
Create an image. For the actual steps, see Creating an IBM Cloud Pak System image from Red Hat Enterprise Linux CoreOS OVA.
-
Clone or modify your accelerator.
-
Select the new script package that you cloned.
-
Optionally, update the default value of the OpenShift Version field and update the image to a new Red Hat CoreOS version.
-
When you deploy the accelerator, enter the new version of OpenShift Container Platform that you want to deploy.
-
-
**Is a Red Hat Satellite Six Shared Service instance required in the same cloud group and environment profile for the OpenShift accelerator instance to deploy successfully?**
Yes, Red Hat Satellite Six Shared Service must be deployed before you deploy OpenShift accelerator in the cloud group or environment profile. The following packages are required and used by the Helper Node only:
- rhel-7-server-rpms
- rhel-7-server-extras-rpms
Note: OpenShift Container Platform 4.x no longer requires OpenShift Container Platform packages on the Red Hat Satellite Server. All OpenShift images are now on the docker private registry.
-
**Can I upload images to the internal image registry after the OpenShift Container Platform install is complete?**
If you want to access the OpenShift Container Platform 4.x internal image registry from outside the cluster, then manually enable it after installation. For more information about the instructions, see Installing a cluster on vSphere in a restricted network.
-
**Can I add podman to the Helper Node?**
Yes, podman is already installed on the Helper Node, but when you attempt to run podman commands as root user you may get the following error message:
```
Error: could not get runtime: kernel does not support overlay fs: overlay: the backing xfs filesystem is formatted without d_type support, which leads to incorrect behavior. Reformat the filesystem with ftype=1 to enable d_type support. Running without d_type is not supported.: driver not supported
```
The podman default storage driver does not support the base OS image. For podman to run correctly without errors, add an additional disk to the Helper Node and mount the disk to the `/var/lib/containers/storage` directory (formatted with either ext3 or ext4). If the Helper Node is already deployed, you can run the following commands as a workaround by using the space from the mount disk that was set up for internal OpenShift Container Platform 4.x registry storage:
```
sudo su - root
mkdir -p /export/var/lib/containers/storage
mv /var/lib/containers/storage /export/var/lib/containers/.
ln -s /export/var/lib/containers/storage /var/lib/containers/storage
reboot now   # may or may not be needed
```
After making the directory relocation, run the following command as a root user if you want to enable podman for a non-root user:
```
echo 10000 > /proc/sys/user/max_user_namespaces
```
By default, max_user_namespaces is set to 0 and so it is disabled. The following error message is displayed before enabling namespaces:
```
cannot clone: Invalid argument
user namespaces are not enabled in /proc/sys/user/max_user_namespaces
Error: could not get runtime: cannot re-exec process
```
-
**Can I modify a disconnected OpenShift Container Platform 4.x cluster installation to connect to standard external sources?**
During the accelerator deployment of the OpenShift Container Platform 4.x cluster, only the "Cloud Pak Docker Private Registry" pull secret is set up. To update the cluster configuration so that it can go to the OpenShift Container Platform standard external sites, update the global cluster pull secret.
Note: For more information about the procedure and prerequisites, see [Updating the global cluster pull secret](https://docs.openshift.com/container-platform/4.3/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets).
Do the following steps to create the pull secret JSON file that still includes the "Cloud Pak Docker Private Registry" pull secret:
-
Download your pull secret from https://cloud.redhat.com/openshift/install/pull-secret.
-
Run the following command to convert the pull secret that is in text format to JSON:
```
cat ./pull-secret.text | jq . > <path>/<pull-secret-file>
```
-
You must append the "Cloud Pak Docker Private Registry" auth to this new file so that you still have access to it.
-
To locate the current "Cloud Pak Docker Private Registry", log in to the cluster console and navigate to https://<console_hostname>/k8s/ns/openshift-config/secrets/pull-secret/yaml.
-
Locate the value for `data: .dockerconfigjson:` and run the following command to Base64 decode the value:
```
echo <value> | base64 --decode
```
-
Add the decoded value to the end of the `pull-secret.json` file created in step 2. For similar steps, see Creating a mirror registry for installation in a restricted network.
-
To update the global pull secret, run the following command:
```
oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull-secret-location>
```
-
-
**Can I enable online connectivity for OpenShift Container Platform 4.3 offline installation updates?**
During OpenShift Container Platform 4.3.x installation, the private offline Docker registry pulls the OpenShift Container Platform 4.2.18 or 4.3.1 installation files. The pull secret only includes the credentials for the private offline registry and Image Content Sources that redirect `quay.io` calls to the offline registry. You can find this information on the Primary Helper node in the `/ocp-helper/artifacts/install-config.yaml` file. In the following example, the `pullSecret`, `additionalTrustBundle`, and `imageContentSources` entries are the components that are used to connect to the offline registry:
```yaml
apiVersion: v1
baseDomain: rtp.raleigh.ibm.com
compute:
- hyperthreading: Enabled
  name: worker
  replicas: 0
controlPlane:
  hyperthreading: Enabled
  name: master
  replicas: 3
metadata:
  name: cps-r81-9-46-123-200
platform:
  none: {}
pullSecret: '{"auths": {"cps-r81-9-46-123-72.rtp.raleigh.ibm.com:443": {"auth": ""}}}'
sshKey: 'ssh-rsa
  AAAAB3NzaC1yc2EAAAADAQABAAACAQDfx0KqNlr6TuBHIXZcDtuigGI4MqGPiF5cvfqxR6XtqVIr...
  admin@us.ibm.com'
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  MIIFNzCCAx+gAwIBAgIJAMVUhyxIwhfNMA0GCSqGSIb3DQEBCwUAMDIxM
  DAuBgNVBAMMJ2Nwcy1yODEtOS00Ni0xMjMtNzIucnRwLnJhbGVpZ2guaWJ
  tLmNvbTAeFw0yMDAzMTcxNDEwMTlaFw0zMDAzMTUxNDEwMTlaMDIxMDAuB
  gNVBAMMJ2Nwcy1yODEt...
  -----END CERTIFICATE-----
imageContentSources:
- mirrors:
  - cps-r81-9-46-123-72.rtp.raleigh.ibm.com:443/ocp4/openshift4
  source: quay.io/openshift-release-dev/ocp-release
- mirrors:
  - cps-r81-9-46-123-72.rtp.raleigh.ibm.com:443/ocp4/openshift4
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
```
During a traditional (online/connected) installation of OpenShift Container Platform 4.x, the installer provides a full pull secret that includes credentials to cloud.openshift.com, quay.io, registry.connect.redhat.com, and registry.redhat.io. For a text version of the installer's pull secret, see https://cloud.redhat.com/openshift/install/pull-secret.
You must have a valid Red Hat account. Use the following command to convert the pull secret text file to JSON on a Linux system (like the Helper node) that has jq installed:
```
cat ./pull-secret.text | jq . > <path>/pull-secret.json
```
The following example is the output of a cat command:
```json
{
  "auths": {
    "cloud.openshift.com": {
      "auth": "bbbbbbFwdXNpYm1jb20xcW53ZXR3bDY1d21...",
      "email": "abc@us.ibm.com"
    },
    "quay.io": {
      "auth": "bbbbbbWZmbWFwdXNpYm1jb20xcW53ZXR3bDY1d21...",
      "email": "abc@us.ibm.com"
    },
    "registry.connect.redhat.com": {
      "auth": "nnnnNjVXTWx3VWlxT3FEMG9lUzJNUzpleUpoYkdjaU...",
      "email": "abc@us.ibm.com"
    },
    "registry.redhat.io": {
      "auth": "bbbTFRTndFdFdMNjVXTWx3VWlxT3FEMG9lUzJNUzpleUpoYkdlV...",
      "email": "abc@us.ibm.com"
    }
  }
}
```
If you want to continue to leverage the offline registry of the previous installation, append the pull secret used in the install-config.yaml to the pull-secret JSON file that was created earlier. The following code block is an example of the append. Here, the last entry (the offline registry) is the appended text:
```json
{
  "auths": {
    "cloud.openshift.com": {
      "auth": "bbbbbbFwdXNpYm1jb20xcW53ZXR3bDY1d21...",
      "email": "abc@us.ibm.com"
    },
    "quay.io": {
      "auth": "bbbbbbWZmbWFwdXNpYm1jb20xcW53ZXR3bDY1d21...",
      "email": "abc@us.ibm.com"
    },
    "registry.connect.redhat.com": {
      "auth": "nnnnNjVXTWx3VWlxT3FEMG9lUzJNUzpleUpoYkdjaU...",
      "email": "abc@us.ibm.com"
    },
    "registry.redhat.io": {
      "auth": "bbbTFRTndFdFdMNjVXTWx3VWlxT3FEMG9lUzJNUzpleUpoYkdlV...",
      "email": "abc@us.ibm.com"
    },
    "cps-r81-9-46-123-72.rtp.raleigh.ibm.com:443": {
      "auth": ""
    }
  }
}
```
Save the updated file as pull-secret-2.json.
Run the following command to update the default global secret, used for the environment, with the saved pull secret JSON file:
```
oc set data secret/pull-secret -n openshift-config \
  --from-file=.dockerconfigjson=<path>/pull-secret-2.json
```
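Appending the offline registry entry by hand, both here and in the earlier steps that create the pull secret JSON file, is easy to get wrong: a missing comma or brace leaves a file that is not valid JSON. The following added example (not part of the original documentation) merges the two `auths` maps in Python and reports entries whose `auth` value is empty or is not Base64 of `user:password`; the registry host names and credentials in it are constructed placeholders.

```python
import base64
import json
import os


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample inputs (placeholder hosts and credentials, not real secrets).
REDHAT_SECRET = json.dumps({"auths": {
    "quay.io": {"auth": b64("rh-user:rh-token"), "email": "abc@example.com"},
    "registry.redhat.io": {"auth": b64("rh-user:rh-token"), "email": "abc@example.com"},
}})
CLUSTER_SECRET = json.dumps({"auths": {
    "registry.example.internal:443": {"auth": b64("admin:constructed-password")},
}})


def merge_pull_secrets(redhat_secret, cluster_secret):
    """Combine both 'auths' maps; the cluster's existing entries win on conflict."""
    merged = dict(json.loads(redhat_secret)["auths"])
    merged.update(json.loads(cluster_secret)["auths"])
    return {"auths": merged}


def malformed_auths(secret):
    """Return registries whose 'auth' is empty or not Base64 of 'user:password'."""
    bad = []
    for registry, entry in secret["auths"].items():
        try:
            decoded = base64.b64decode(entry.get("auth", ""), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = b""
        if b":" not in decoded:
            bad.append(registry)
    return sorted(bad)


def write_secret(secret, path):
    """Write the merged file so that only its owner can read it (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a pre-existing file
    with os.fdopen(fd, "w") as handle:
        json.dump(secret, handle, indent=2)


if __name__ == "__main__":
    merged = merge_pull_secrets(REDHAT_SECRET, CLUSTER_SECRET)
    print(sorted(merged["auths"]), "malformed:", malformed_auths(merged))
```

An entry reported by `malformed_auths`, such as a blank `"auth": ""` value, should be corrected before the file is passed to `oc set data`.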
If you want to go to a complete online/connected environment, do the following steps to remove the offline registry mirror configuration that got set up during install:
-
In the following command, use only the default pull secret JSON file that was downloaded directly from Red Hat.
```
oc set data secret/pull-secret -n openshift-config \
  --from-file=.dockerconfigjson=<path>/pull-secret.json
```
-
Run the following oc commands to delete the Image Content Source policies that redirect OpenShift Container Platform 4.x quay.io requests to the local offline registry:
```
oc delete ImageContentSourcePolicy image-policy-0
oc delete ImageContentSourcePolicy image-policy-1
```
-
**Can I install OpenShift Container Storage on top of OpenShift Container Platform?**
Yes. To know more about how to install OpenShift Container Storage on OpenShift Container Platform, see Installing OpenShift Container Storage on IBM Cloud Pak System.
-
**How to upgrade Docker version to 17 or above on primary helper?**
For the steps to upgrade, see https://docs.docker.com/engine/install/.