Switch to rhel-coreos-9

Dockerfile

@@ -14,12 +14,12 @@ COPY install /manifests
 
 RUN if [[ "${TAGS}" == "fcos" ]] || [[ "${TAGS}" == "scos" ]]; then \
     # comment out non-base/extensions image-references entirely for fcos/scos
-    sed -i '/- name: rhel-coreos-8-/,+3 s/^/#/' /manifests/image-references && \
+    sed -i '/- name: rhel-coreos-[89]-/,+3 s/^/#/' /manifests/image-references && \
     # also remove extensions from the osimageurl configmap (if we don't, oc won't rewrite it, and the placeholder value will survive and get used)
     sed -i '/baseOSExtensionsContainerImage:/ s/^/#/' /manifests/0000_80_machine-config-operator_05_osimageurl.yaml; fi && \
     # rewrite image names for fcos/scos
-    if [[ "${TAGS}" == "fcos" ]]; then sed -i 's/rhel-coreos-8/fedora-coreos/g' /manifests/*; \
-    elif [[ "${TAGS}" == "scos" ]]; then sed -i 's/rhel-coreos-8/centos-stream-coreos-9/g' /manifests/*; fi && \
+    if [[ "${TAGS}" == "fcos" ]]; then sed -i 's/rhel-coreos-9/fedora-coreos/g' /manifests/*; \
+    elif [[ "${TAGS}" == "scos" ]]; then sed -i 's/rhel-coreos-9/centos-stream-coreos-9/g' /manifests/*; fi && \
     if ! rpm -q util-linux; then yum install -y util-linux && yum clean all && rm -rf /var/cache/yum/*; fi
 COPY templates /etc/mcc/templates
 ENTRYPOINT ["/usr/bin/machine-config-operator"]

cmd/machine-config-operator/bootstrap.go

@@ -79,8 +79,8 @@ func init() {
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapOpts.haproxyImage, "haproxy-image", "", "Image for haproxy.")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapOpts.baremetalRuntimeCfgImage, "baremetal-runtimecfg-image", "", "Image for baremetal-runtimecfg.")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapOpts.oauthProxyImage, "oauth-proxy-image", "", "Image for origin oauth proxy.")
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapOpts.baseOSContainerImage, "baseos-image", "", "Image for rhel-coreos-8")
-	bootstrapCmd.PersistentFlags().StringVar(&bootstrapOpts.baseOSExtensionsContainerImage, "baseos-extensions-image", "", "Image for rhel-coreos-8-extensions")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapOpts.baseOSContainerImage, "baseos-image", "", "ostree-bootable container image reference")
+	bootstrapCmd.PersistentFlags().StringVar(&bootstrapOpts.baseOSExtensionsContainerImage, "baseos-extensions-image", "", "Image with extensions")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapOpts.imageReferences, "image-references", "", "File containing imagestreams (from cluster-version-operator)")
 	bootstrapCmd.PersistentFlags().StringVar(&bootstrapOpts.cloudProviderCAFile, "cloud-provider-ca-file", "", "path to cloud provider CA certificate")
 
@@ -114,7 +114,7 @@ func runBootstrapCmd(cmd *cobra.Command, args []string) {
 	// To help debugging, immediately log version
 	glog.Infof("Version: %+v (%s)", version.Raw, version.Hash)
 
-	baseOSContainerImageTag := "rhel-coreos-8"
+	baseOSContainerImageTag := "rhel-coreos-9"
 	if version.IsFCOS() {
 		baseOSContainerImageTag = "fedora-coreos"
 	} else if version.IsSCOS() {

docs/UsingLayering.md

@@ -8,8 +8,8 @@ Layering lets you "layer" additional content on top of a Base OS Image using "co
 
 As of 4.12:
 
-- The MCO uses the `rhel-coreos-8` [native format](https://coreos.github.io/rpm-ostree/container/) base OS image by default instead of `machine-os-content`
-- You can "layer" user content on top of that `rhel-coreos-8` image using a container build, and that content will be applied during a rebase
+- The MCO uses the `rhel-coreos-8` [native format](https://coreos.github.io/rpm-ostree/container/) base OS image by default instead of `machine-os-content` (and in 4.13+, the image is `rhel-coreos-9`)
+- You can "layer" user content on top of that `rhel-coreos-9` image using a container build, and that content will be applied during a rebase
 - The MCO will allow `OSImageURL` to be overridden *on a per-pool basis* with such an layered image
 
 While layering is powerful, it's also an "advanced" use of the MCO, and it comes with some trade-offs.
@@ -36,13 +36,13 @@ Nothing will stop you at this point from using a completely arbitrary image, but
 #### On an existing cluster
 
 ```bash
-oc adm release info --image-for rhel-coreos-8
+oc adm release info --image-for rhel-coreos-9
 ```
 
 #### Or before you build your cluster
 
 ```bash
-oc adm release info --image-for rhel-coreos-8 quay.io/openshift-release-dev/ocp-release:your_release_here
+oc adm release info --image-for rhel-coreos-9 quay.io/openshift-release-dev/ocp-release:your_release_here
 ```
 
 ### 2. "Layer" Some Content On Top Of It

install/0000_80_machine-config-operator_05_osimageurl.yaml

@@ -11,8 +11,8 @@ data:
   releaseVersion: 0.0.1-snapshot
   # This (will eventually) replace the below when https://github.com/openshift/enhancements/pull/1032
   # progresses towards the default.
-  baseOSContainerImage: "placeholder.url.oc.will.replace.this.org/placeholdernamespace:rhel-coreos-8"
-  baseOSExtensionsContainerImage: "placeholder.url.oc.will.replace.this.org/placeholdernamespace:rhel-coreos-8-extensions"
+  baseOSContainerImage: "placeholder.url.oc.will.replace.this.org/placeholdernamespace:rhel-coreos-9"
+  baseOSExtensionsContainerImage: "placeholder.url.oc.will.replace.this.org/placeholdernamespace:rhel-coreos-9-extensions"
   # The OS payload used for 4.10 and below; more information in
   # https://github.com/openshift/machine-config-operator/blob/master/docs/OSUpgrades.md
   # (The original issue was  https://github.com/openshift/machine-config-operator/issues/183 )

install/image-references

@@ -23,14 +23,14 @@ spec:
     from:
       kind: DockerImage
       name: placeholder.url.oc.will.replace.this.org/placeholdernamespace:machine-os-content
-  - name: rhel-coreos-8
+  - name: rhel-coreos-9
     from:
       kind: DockerImage
-      name: placeholder.url.oc.will.replace.this.org/placeholdernamespace:rhel-coreos-8
-  - name: rhel-coreos-8-extensions
+      name: placeholder.url.oc.will.replace.this.org/placeholdernamespace:rhel-coreos-9
+  - name: rhel-coreos-9-extensions
     from:
       kind: DockerImage
-      name: placeholder.url.oc.will.replace.this.org/placeholdernamespace:rhel-coreos-8-extensions
+      name: placeholder.url.oc.will.replace.this.org/placeholdernamespace:rhel-coreos-9-extensions
   - name: keepalived-ipfailover
     from:
       kind: DockerImage

pkg/daemon/constants/constants.go

@@ -84,4 +84,13 @@ const (
 
 	// changes to registries.conf will cause a crio reload and require extra logic about whether to drain
 	ContainerRegistryConfPath = "/etc/containers/registries.conf"
+
+	// SSH Keys for user "core" will only be written at /home/core/.ssh
+	CoreUserSSHPath = "/home/" + CoreUserName + "/.ssh"
+
+	// SSH keys in RHCOS 8 will be written to /home/core/.ssh/authorized_keys
+	RHCOS8SSHKeyPath = CoreUserSSHPath + "/authorized_keys"
+
+	// SSH keys in RHCOS 9 / FCOS / SCOS will be written to /home/core/.ssh/authorized_keys.d/ignition
+	RHCOS9SSHKeyPath = CoreUserSSHPath + "/authorized_keys.d/ignition"
 )

pkg/daemon/daemon.go

@@ -1499,6 +1499,71 @@ func removeIgnitionArtifacts() error {
 	return nil
 }
 
+// When we move from RHCOS 8 -> RHCOS 9, the SSH keys do not get written to the
+// new location before the node reboots into RHCOS 9 because:
+//
+// 1. When the upgrade configs are written to the node, it is still running
+// RHCOS 8, so the keys are not being written to the new location since the
+// location is inferred from the currently booted OS.
+// 2. The node reboots into RHCOS 9 to complete the upgrade.
+// 3. The "are we on the latest config" functions detect that we are indeed on
+// the latest config and so it does not attempt to perform an update.
+//
+// To work around that check on bootup if the we should use the new SSH key
+// path and if the old SSH key path exists, we know that we need to migrate tot
+// he new key path by calling dn.updateSSHKeyLocation().
+func (dn *Daemon) isSSHKeyLocationUpdateRequired() (bool, error) {
+	if !dn.useNewSSHKeyPath() {
+		// Return early because we're not using the new SSH key path.
+		return false, nil
+	}
+
+	oldKeyExists, err := fileExists(constants.RHCOS8SSHKeyPath)
+	if err != nil {
+		return false, err
+	}
+
+	newKeyExists, err := fileExists(constants.RHCOS9SSHKeyPath)
+	if err != nil {
+		return false, err
+	}
+
+	// If the old key exists and the new key does not, we need to update.
+	return oldKeyExists && !newKeyExists, nil
+}
+
+// Decode the Ignition config and perform the SSH key update.
+func (dn *Daemon) updateSSHKeyLocation(cfg *mcfgv1.MachineConfig) error {
+	glog.Infof("SSH key location update required. Moving SSH keys from %q to %q.", constants.RHCOS8SSHKeyPath, constants.RHCOS9SSHKeyPath)
+
+	ignConfig, err := ctrlcommon.ParseAndConvertConfig(cfg.Spec.Config.Raw)
+	if err != nil {
+		return fmt.Errorf("ignition failure when updating SSH key location: %w", err)
+	}
+
+	if err := dn.updateSSHKeys(ignConfig.Passwd.Users); err != nil {
+		return fmt.Errorf("could not write SSH keys to new location: %w", err)
+	}
+
+	return nil
+}
+
+// Determines if we need to update the SSH key location and performs the
+// necessary update if so.
+func (dn *Daemon) updateSSHKeyLocationIfNeeded(cfg *mcfgv1.MachineConfig) error {
+	sshKeyLocationUpdateRequired, err := dn.isSSHKeyLocationUpdateRequired()
+	if err != nil {
+		return fmt.Errorf("unable to determine if SSH key location update is required: %w", err)
+	}
+
+	if !sshKeyLocationUpdateRequired {
+		glog.Infof("SSH key location (%q) up-to-date!", constants.RHCOS9SSHKeyPath)
+		return nil
+	}
+
+	return dn.updateSSHKeyLocation(cfg)
+}
+
 // checkStateOnFirstRun is a core entrypoint for our state machine.
 // It determines whether we're in our desired state, or if we're
 // transitioning between states, and whether or not we need to update
@@ -1651,6 +1716,13 @@ func (dn *Daemon) checkStateOnFirstRun() error {
 		return dn.triggerUpdateWithMachineConfig(state.currentConfig, state.desiredConfig)
 	}
 
+	// When upgrading the OS, it is possible that the SSH key location will
+	// change. We should detect whether that is the case and update before we
+	// check for any config drift.
+	if err := dn.updateSSHKeyLocationIfNeeded(expectedConfig); err != nil {
+		return err
+	}
+
 	if err := dn.validateOnDiskState(expectedConfig); err != nil {
 		wErr := fmt.Errorf("unexpected on-disk state validating against %s: %w", expectedConfig.GetName(), err)
 		dn.nodeWriter.Eventf(corev1.EventTypeWarning, "OnDiskStateValidationFailed", wErr.Error())