[VSPHERE] [IPI] Upgrade for 4.15 FCOS to 4.16 SCOS worker nodes are not updated to non-secure boot #2049
Replies: 3 comments 9 replies
-
|
Update: I installed a new 4.16 cluster (same version) and I was able to add a new worker node with no issues. So something in the upgrade process is not being updated correctly to disable secure boot on new worker nodes |
Beta Was this translation helpful? Give feedback.
-
|
its only set in the installer to disable secureboot if enabled, for an upgrade you would need to change existing template |
Beta Was this translation helpful? Give feedback.
-
|
4.15 we were still using terraform
4.16 uses capi,capv The only solution for 4.15 clusters wanting to upgrade to 4.16 scos will be to update the template disabling secure boot |
Beta Was this translation helpful? Give feedback.
-
|
capi,capv doesn't have the capability to disable secure boot on vm creation? |
Beta Was this translation helpful? Give feedback.
-
|
So really, what is needed is a tool that does all the "pre-upgrade" tasks that need to be done prior to the upgrade.
Will the workaround described in https://github.com/okd-project/okd-web/pull/22/files be fixed prior to a stable 4.16 release? or is this not fixable |
Beta Was this translation helpful? Give feedback.
-
Nope, which is why I implemented it the way I did. This is only an issue in OKD and FCOS, OCP and RHCOS do not have secureboot enabled.
Sounds like that would be fairly trivial with powercli or govc, do you want to give that a shot?
You may want to ask this on the PR you linked. |
Beta Was this translation helpful? Give feedback.
-
I'll take a look at at... The complexity is the cordon/drain/shutdown processing... probably need to do it by machine sets and make sure we follow the max number of nodes down constraints.
right... |
Beta Was this translation helpful? Give feedback.
-
|
Initial stab at an upgrade script. |
Beta Was this translation helpful? Give feedback.
-
After doing a new 4.15 FCOS IPI install successfully and doing the workaround in https://github.com/okd-project/okd-web/pull/22/files I had some slight issues:
Worker nodes were not updated to disable secure boot setting. Once secure boot was disabled worker nodes updated successfully. Control-plane nodes had no issues.
New worker nodes after upgrade still had secure boot enabled. Once secure boot was disabled worker was created successfully.
Other than the kind of ugly workaround above and the secure boot issues the upgrade seemed clean... I have a lot more testing to do as we use a lot of add-ins like Ceph and Istio and I need to see how those upgrades do. I have worries about Kernel versions dependencies.
4.15 version: 4.15.0-0.okd-2024-02-10-035534 (Stable)
4.16 version: 4.16.0-0.okd-scos-2024-10-28-025401 (Nightly but mirrored)
As a side note, a new install for 4.16.0-0.okd-scos-2024-10-28-025401 worked fine for both control-plane and worker nodes. I did not test adding a new worker node.
Beta Was this translation helpful? Give feedback.
All reactions