Feature request: Support airgapped setup on vSphere, make pause image location configurable/prepull pause image #579
Comments
There do not seem to me to be any problems in the workaround you have tried and outlined. Glad to hear Windows containers ran without issue. Air-gapped environment support is still something that is not officially supported, until we fully test and add documentation around it ourselves. I have created a few stories (WINC-662 & WINC-663) to put this work on our radar; the team will work to prioritize these soon.
@saifshaikh48 @philipp1992
We used the unattend.xml provided in the docs minus the product-key section. By the way, since we are talking about the documentation and golden image, we found many errors within this documentation.
1: Install-Module -Force OpenSSHUtils -> this module is deprecated and can't be installed as described. Also, it's not needed anymore.
2: The way the ssh authorized_keys is supposed to be placed in the Administrator's homedir does not work at all, because the user's homedir will be wiped by sysprep. The docs mention that this should be prevented by the provided unattend.xml, but there is no such mechanism in the XML. So we had to put the authorized_keys files outside of the homedir and modify the sshd_config accordingly.
3: Another thing that bothers me is that the provided unattend.xml enabled auto-logon. This means anyone with console access to the VM can access the operating system without logging in first. Useful for troubleshooting, not so nice security-wise. Can you please explain if this is really needed?
4: Also, the ssh key pair didn't work when creating it on Linux with ssh-keygen, so I had to create it on the Windows machine with the same command and use the private key from the Windows machine for the operator secret. Didn't further investigate into this.
@jrvaldes please address @philipp1992's questions regarding the golden image creation process.
Dear @philipp1992, thanks for sharing your notes; there is an ongoing effort to correct the documentation around the golden image creation process, please refer to c8ff886 and 48fbd2e.
Corrected in Set up SSH section. OpenShift documentation will be updated soon.
Corrected in Deploying the public key section. OpenShift documentation will be updated soon.
That's a good question, and yes, it's a security risk to leave an Administrator's terminal open. I need to run a few more tests to identify if it is "really needed". However, to mitigate this, you can tune the LogonCount value to specify the number of times that you can log on to the computer by using AutoLogon. Be aware of the LogonCount known issue.
Glad you found a workaround to this issue. Can you provide a set of instructions to replicate it? Looks like it needs further investigation in a separate issue, since it is not related to the golden image creation process.
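Added example, not part of the thread or of the project's documentation: a small Python check for the auto-logon concern discussed above, which reports every enabled AutoLogon block in an unattend.xml that has no LogonCount or one above a limit. The sample answer files are constructed for illustration, and the limit max_count=1 is an assumed policy value, not a project recommendation.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows answer files (unattend.xml).
NS = {"u": "urn:schemas-microsoft-com:unattend"}

# Constructed sample, not the unattend.xml from the project's docs:
# AutoLogon is enabled and no LogonCount bounds it.
SAMPLE_UNBOUNDED = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>"""

# Same constructed sample with the logon count bounded to a single use.
SAMPLE_BOUNDED = SAMPLE_UNBOUNDED.replace(
    "<Enabled>true</Enabled>",
    "<Enabled>true</Enabled><LogonCount>1</LogonCount>")


def audit_autologon(xml_text, max_count=1):
    """Return one finding per enabled AutoLogon block that is not bounded.

    max_count is an assumed policy limit chosen for this example.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for settings in root.findall("u:settings", NS):
        for block in settings.iterfind(".//u:AutoLogon", NS):
            enabled = (block.findtext("u:Enabled", "", NS) or "").strip().lower()
            if enabled != "true":
                continue  # a disabled AutoLogon block is not a finding
            user = (block.findtext("u:Username", "", NS) or "?").strip()
            where = f"pass={settings.get('pass')} user={user}"
            count = (block.findtext("u:LogonCount", "", NS) or "").strip()
            if not count.isdigit():
                findings.append(f"{where}: AutoLogon enabled without LogonCount")
            elif int(count) > max_count:
                findings.append(f"{where}: LogonCount {count} exceeds {max_count}")
    return findings


if __name__ == "__main__":
    for name, doc in (("unbounded", SAMPLE_UNBOUNDED), ("bounded", SAMPLE_BOUNDED)):
        print(name, audit_autologon(doc) or "ok")
```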
As a follow-up see 90d680d, you're right the
Include instructions to pre-pull the Pause Image into the golden image during the creation process, to support disconnected network environments. Follow-up for openshift#579
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close
@openshift-bot: Closing this issue. In response to this:
Hi,
as of #141 (comment)
the only reason, why airgapped OCP installations with Windows Containers are not supported seems to be that the pause image must be pulled from the internet.
Because we must provide our customers support for Windows Containers in production we are definitely interested to get support for this from RH.
An idea to mitigate this problem (as we did it in our own OCP Windows container test setup):
In our setup everything works great with Windows containers, no problems in our airgapped environment.
The second option would be to make the hard coded pause image configurable (environment variable of WMCO operator?) so OCP users can store the pause image in an airgapped registry on premises. This should also be rather simple.
In our opinion airgapped clusters are very convenient with OCP installed on vSphere. So this feature definitely should be supported, or at least the workaround with prepulled pause images on the golden Windows VM should be supported.
Could you have a look at that, please? It's very important for us.
Thanks and greetings,
Josef