Update OKD-based CRC build (2022-02) #1123
Comments
|
cc @cgruver |
|
@justkrys Fully understand your frustration. The OKD build of CRC hasn't been getting much attention since it's all volunteer, and for a while I've been the sole volunteer... :-) If it helps, you can get the official CRC free of charge, and it does not require a 30 day trial. It does require that you sign up for a Red Hat developer account to get a pull secret, but that's also free and gets you access to some nice free books and other resources. The CRC install does not limit you to a 30 day trial. |
|
So is okd crc officially dead and only redhat crc is an option? |
|
OKD CRC isn't dead, it just doesn't have a community invested in it yet. OKD has a vibrant community around it, so it's not going anywhere. But, that really is the difference. There's enough interest in OKD, and users of OKD that there are folks both in and out of Red Hat who spend time contributing to it. CRC just hasn't found that level of interest. I built and maintained the first few releases of CRC for OKD as a favor. But I have never been a user of it. Thus, if I have to choose where to invest my FOSS community contributions, it's going to be on projects that I am actively using. This is just the nature of FOSS. I really would encourage @everflux and @justkrys, if you have some time, we'd love for you to join the OKD community. There are a few other folks who have expressed interest in getting a CRC group formed to maintain it. They'd love for you to join them. https://github.com/openshift/community#okd-working-group-meetings I've published some info on how to build CRC for OKD. My forks of crc and snc are likely out of date now, but it might get you started. https://upstreamwithoutapaddle.com/home-lab/okd-crc/ Cheers |
|
Thanks very much for the information and alternative path. I will check that out as a starting point. Also thank you for your invitation to join the community. :) Unfortunately, I leaned long ago that I do not have the right personality type for any sustained engagement with any community. But I will check things out. Who knows, things change. Anyway, thanks again for the help. :D |
|
One thought, though, if OKD CRC is not getting the love it needs, maybe a word about that in the install docs might be in order. Perhaps an open invitation for help. Just so people are not surprised and confused. Thanks again! |
|
@justkrys It takes all types of personalities to make a community. Come on over. :-) |
This issue comes from the upstream OpenShift release that prevents certificates to exist longer than 30 days. We from @code-ready/crc-team have tried to resolve this for a long time, but has been denied |
|
@cgruver, could you work with @praveenkumar to create an okd bundle that can be used with the new crc? We might be able to add a preset to test okd as an option. Let's see what can be done to unify this. |
|
My proposal is as follows:
The recent addition of presets to @cgruver, it would be important for us to understand what specific changes have been made to use this bundle instead of the regular OCP based one. |
|
@gbraad Let me get some time set aside for this, and I'll work with @praveenkumar. |
|
If the OKD based CRC is no longer useable, it should be taken offline to not confuse and frustrate potential users. |
|
I’ve been asking for a volunteer to do a fresh build. So far no takers. At the WG Docs Subcommittee meeting Tuesday, I’ll add this topic to the agenda. |
|
The certificate renewal process should work. Please delete and retry start. If this remains this needs to be looked into soon. Ideally we want to make automated images for okd-crc, but need access to the location to store these.
…________________________________
From: Jaime Magiera ***@***.***>
Sent: Saturday, April 16, 2022 2:50:52 AM
To: openshift/okd ***@***.***>
Cc: Gerard Braad ***@***.***>; Mention ***@***.***>
Subject: Re: [openshift/okd] Update OKD-based CRC build (2022-02) (Issue #1123)
I’ve been asking for a volunteer to do a fresh build. So far no takers. At the WG Docs Subcommittee meeting Tuesday, I’ll add this topic to the agenda.
—
Reply to this email directly, view it on GitHub<#1123 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAAAOZW753GN3P4WZYPXIK3VFG3AZANCNFSM5PNJEQFA>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
@JaimeMagiera can the volunteer reach out to us? getting the preset working and let us do part of the upstream releases will solve the problem long-term |
|
Hey guys, apologies that I'm MIA here. #DayJob has consumed everything. @JaimeMagiera Did you get a volunteer? |
|
@JaimeMagiera I may be able to set aside some time over in the next couple of weeks. I'll keep you posted. |
|
It is not a thing you do in just a few mins. We are still in the process to automate some stuff. We might pick this up also soon. Any assistance is welcomed. Currently we are looking into enabling upstream bundles in our regular builds... This could become a replacement for the okd-crc fork. |
|
It seems OpenShift CodeReady is now OpenShift Local... |
|
OpenShift Local is a rebrand of CodeReady Containers, but the command and project are still named You will see Does this answer your question? |
Spot on ..l just started exploring Openshift and I am extremly confused if I should use OKD or CRC but hanging here and there to be honest |
|
hi, can anyone explain the root cause of the issue and provide a possible workaround? I started with the latest crc that supposedly contains openshift 4.10 and then wanted to try out crc OKD. I removed the machines and ~/.crc and got the certificate renewal error. Is the cause that the 'older' installer has certificates that are no longer valid for some reason? Any workarounds are appreciated, thank you. I get: Failed to renew TLS certificates: please check if a newer CodeReady Containers release is available: Temporary error: certificate /var/lib/kubelet/pki/kubelet-server-current.pem still expired (x57) If I use the newer crc binary from openshift 4.10 I get : Looks like a repackaging of the image with the new crc could fix it, I just do not know how to do that. Would be more convenient if the image was not hardcoded. [update] seems this made it work ( after running setup with old binary and using new one to start): |
|
Yes. That is the overall issue. The certificate expires and the installer needs to be recreated. We (the OKD Working Group) are looking for a volunteer to build a fresh installer. We just don't have the cycles. |
|
I made it work with the workaround, but happy to build it. Any instructions
to follow, access needed? Can pm me
Den tors 23 juni 2022 11:41Jaime Magiera ***@***.***> skrev:
… Yes. That is the overall issue. The certificate expires and the installer
needs to be recreated. We (the OKD Working Group) are looking for a
volunteer to build a fresh installer. We just don't have the cycles.
—
Reply to this email directly, view it on GitHub
<#1123 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGB3CPL76OQ4ZBLO3WMJ33VQQWLNANCNFSM5PNJEQFA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
As part of crc-2.x we have decoupled the bundle from the crc binary and as part of setup we download it. It will allow us to generate the bundle adhoc fashion and upload it publicly and renew the bundle when cert expire. Bundle generation happen from https://github.com/code-ready/snc/ and have instruction about how to create an OKD bundle. Our (crc team) near term goal is to put more document/how-to for bundle creation and also update the bundle to latest okd release sooner. We are working on having those bundles as part of container image which will allow us to upload those quickly to quay.io than waiting for any internal/fedora infra. |
|
thanks, docs are appreciated. the latest crc binary with oc 4.10 "just works" on my ubuntu 22.04 now, when I tried to follow instructions for snc I got into all kind of redhat related things to get libvirt and other stuff installed. |
|
crc-org/blog#6 |
|
One of the next steps is to describe the automated generation flow. Perhaps a terraform or pulumi definition of the setup might help. |
|
|
Awesome! Too bad I can't Circle/TravisCI this for https://app.circleci.com/pipelines/github/kaovilai/reliable-ci/15/workflows/e65e2e00-0e06-44da-9598-a0d1a0e593a3/jobs/22 |
|
We need to update the info on https://www.okd.io/crc/ any idea where we can propose these changes? |
|
@praveenkumar is a longer term cert extension possible for the OKD bundle too or is this already published? |
|
The site content is here: https://github.com/okd-project/okd.io Those images are almost a year old too. It's the last CRC for OKD that I built manually. I'll bring it up in the next OKD working group meeting. For now, that content should probably just be removed until we have an automated process to build OKD bundles. |
|
Are you sure it is worth investing scarce manpower into CRC for OKD? The CRC from Red Hat based on OCP is basically free to use, too (you just need a free Red Hat developer account). |
|
I think it is, people run OKD for a reason. The idea of the image decoupled
is better too. I would made an attempt if there was documentation that made
the workings and packaging clearer. I see no reason why CRC cannot be
improved to just point to an image for OKD or Openshift, have certificate
rotation or have them valid for 20 years.
Up to day I have still not run OKD locally to test it because of this.
Thank you
…On Sat, Oct 8, 2022, 19:24 kai-uwe-rommel ***@***.***> wrote:
Are you sure it is worth investing scarce manpower into CRC for OKD? The
CRC from Red Hat based on OCP is basically free to use, too (you just need
a free Red Hat developer account).
—
Reply to this email directly, view it on GitHub
<#1123 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGB3CO2BICFFB3RVCVUI2TWCGU45ANCNFSM5PNJEQFA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
Good news, this has been resolved in CRC itself. Now it has |
No, I still have to figure out this for OKD bundles. I will discuss that internally with @vrutkovs next week and try to create next bundle with cert validity of 1 year. |
|
Great. Why not make it 30 years? Or have a refresh mechanism.
…On Wed, Oct 12, 2022, 08:58 Praveen Kumar ***@***.***> wrote:
@praveenkumar <https://github.com/praveenkumar> is a longer term cert
extension possible for the OKD bundle too or is this already published?
No, I still have to figure out this for OKD bundles. I will discuss that
internally with @vrutkovs <https://github.com/vrutkovs> next week and try
to create next bundle with cert validity of 1 year.
—
Reply to this email directly, view it on GitHub
<#1123 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGB3CNNNQSEQBJNDJSK73LWCZOSVANCNFSM5PNJEQFA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
@VGerris cert refresh mechanism already present and rotation happen successfully, it just take more time (extra for cert rotation) than usual. |
|
hi, ok, how does one do that? |
@VGerris End user doesn't have to do anything, it just happen automatic when cert expire. |
Describe the bug
Same issue as #636. OKD CRC certificates are expired.
Also, an observation in the hope it helps:
This is my OKD/OpenShift "What the heck is it" first experience. The minimal commitment for me is CRC. Oops, it's out of date and broken. :(
I wonder if either longer cert expiry or an automated monthly build of OKD CRC would make for a better first time experience.
As it stands now, I either have to signup for a Redhat 30-day Trial or commit to a full OKD install (say on AWS or whatever) just to be able to do some hands on exploring. Either path is less palatable than a working OKD CRC.
Not to mention that I only find this out after several Gib of downloads.
Anyway, hope you take this in the kind spirit it is offered. :)
Version
4.9.15, I guess.
How reproducible
100%. Certs expire every 30 days. The CRC is dated Nov 2021.
Log bundle
The text was updated successfully, but these errors were encountered: