mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
76 lines
2.6 KiB
Plaintext
76 lines
2.6 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * hosted_control_planes/hcp-troubleshooting.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="agent-service-failure_{context}"]
|
|
= Agent service failures and agents not joining the cluster
|
|
|
|
In some cases, agents might fail to join the cluster after booting the machines with the boot artifacts. You can confirm this issue by checking the `agent.service` logs for the following error:
|
|
|
|
----
|
|
Error: copying system image from manifest list: Source image rejected: A signature was required, but no signature exists
|
|
----
|
|
|
|
[NOTE]
|
|
====
|
|
This issue occurs because image signature verification fails when no signature is present.
|
|
As a workaround, you can disable signature verification by modifying the container policy.
|
|
====
|
|
|
|
.Procedure
|
|
|
|
. Add the `ignitionConfigOverride` field in the `InfraEnv` manifest to override the `/etc/containers/policy.json` file. This disables signature verification for container images.
|
|
|
|
. Replace the base64-encoded content in the `ignitionConfigOverride` with the required `/etc/containers/policy.json` configuration according to your image registries.
|
|
|
|
+
|
|
.Example
|
|
[source,json]
|
|
----
|
|
{
|
|
"default": [
|
|
{
|
|
"type": "insecureAcceptAnything"
|
|
}
|
|
],
|
|
"transports": {
|
|
"docker": {
|
|
"<REGISTRY1>": [
|
|
{
|
|
"type": "insecureAcceptAnything"
|
|
}
|
|
],
|
|
"REGISTRY2": [
|
|
{
|
|
"type": "insecureAcceptAnything"
|
|
}
|
|
]
|
|
},
|
|
"docker-daemon": {
|
|
"": [
|
|
{
|
|
"type": "insecureAcceptAnything"
|
|
}
|
|
]
|
|
}
|
|
}
|
|
}
|
|
----
|
|
|
|
+
|
|
.Example InfraEnv manifest with `ignitionConfigOverride`
|
|
[source,yaml]
|
|
----
|
|
apiVersion: agent-install.openshift.io/v1beta1
|
|
kind: InfraEnv
|
|
metadata:
|
|
name: <hosted_cluster_name>
|
|
namespace: <hosted_control_plane_namespace>
|
|
spec:
|
|
cpuArchitecture: s390x
|
|
pullSecretRef:
|
|
name: pull-secret
|
|
sshAuthorizedKey: <ssh_public_key>
|
|
ignitionConfigOverride: '{"ignition":{"version":"3.2.0"},"storage":{"files":[{"path":"/etc/containers/policy.json","mode":420,"overwrite":true,"contents":{"source":"data:text/plain;charset=utf-8;base64,ewogICAgImRlZmF1bHQiOiBbCiAgICAgICAgewogICAgICAgICAgICAidHlwZSI6ICJpbnNlY3VyZUFjY2VwdEFueXRoaW5nIgogICAgICAgIH0KICAgIF0sCiAgICAidHJhbnNwb3J0cyI6CiAgICAgICAgewogICAgICAgICAgICAiZG9ja2VyLWRhZW1vbiI6CiAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgIiI6IFt7InR5cGUiOiJpbnNlY3VyZUFjY2VwdEFueXRoaW5nIn1dCiAgICAgICAgICAgICAgICB9CiAgICAgICAgfQp9"}}]}}'
|
|
---- |