diff --git a/docs/en/docs/KubeOS/usage-instructions.md b/docs/en/docs/KubeOS/usage-instructions.md
index 4e115b388212ff76f7fcb39a8b055f246baa76a0..85331159aa414b338a349a2546a33d53cc3b53e4 100644
--- a/docs/en/docs/KubeOS/usage-instructions.md
+++ b/docs/en/docs/KubeOS/usage-instructions.md
@@ -59,27 +59,27 @@ Create a custom object of the OS type in the cluster and set the corresponding f
- In serial execution mode, `timeinterval` represents the delay between the completion of one batch of nodes (upgraded/configured serially) and the dispatch of the next upgrade/configuration task. Within a batch, the interval between individual nodes remains 15 seconds.
- Any update to fields of an OS instance will immediately trigger the operator.
- | Parameter |Type | Description | Usage Notes | Mandatory |
- | -------------- | ------ | ------------------------------------------------------------ | ----- | ---------------- |
- | `imagetype` | string | Type of image used for the upgrade | The value can be `docker`, `containerd`, or `disk` and is valid only for upgrades. **Note:** When the value is `containerd`, the agent prioritizes the `crictl` tool for pulling images. If `crictl` is unavailable, it uses the `ctr` command. When `ctr` is used to pull images from a private repository, configure the repository host information in the **/etc/containerd/certs.d** directory according to the [containerd official documentation](https://github.com/containerd/containerd/blob/main/docs/hosts.md). | Yes |
- | `opstype` | string | Operation type (upgrade, configuration, or rollback) | The value can be `upgrade`, `config`, or `rollback`. | Yes |
- | `osversion` | string | Target version for the upgrade or rollback | `osversion` must match the target OS version of the nodes (specified in the `PRETTY_NAME` field in the **/etc/os-release** file or the OS version detected by Kubernetes). For example: `KubeOS 1.0.0`. | Yes |
- | `maxunavailable`| int | Maximum number of nodes undergoing upgrade/configuration/rollback concurrently | If `maxunavailable` exceeds the actual number of nodes, the operation proceeds with the actual number of nodes. | Yes |
- | `containerimage` | string | Container image used for the upgrade | This parameter is only applicable when `imagetype` is a container type. The value can be one of the three container image address formats: `repository/name`, `repository/name@sha256:xxxx`, and `repository/name:tag`. | Yes |
- | `imageurl` | string | URL of the drive image used for the upgrade | `imageurl` must include the protocol and supports only `http` or `https`. Example: `https://192.168.122.15/update.img`. Valid only for upgrades using drive images. | Yes |
- | `checksum` | string | Checksum (SHA-256) of the drive image used for the upgrade or the digests of the container image | This parameter is valid only for upgrades. | Yes |
- | `flagSafe` | bool | Whether the address specified by `imageurl` is safe when the `http` protocol is used | The value must be `true` or `false`. This parameter is valid only when `imageurl` uses the `http` protocol. | Yes |
- | `mtls` | bool | Whether the connection to `imageurl` uses two-way HTTPS authentication | The value must be `true` or `false`. This parameter is valid only when `imageurl` uses the `https` protocol. | Yes |
- | `cacert` | string | Root certificate file used for HTTPS or two-way HTTPS authentication | This parameter is valid only when `imageurl` uses the `https` protocol. | Required when `imageurl` uses `https` |
- | `clientcert` | string | Client certificate file used for two-way HTTPS authentication | This parameter is valid only when two-way HTTPS authentication is used. | Required when `mtls` is `true` |
- | `clientkey` | string | Client private key file used for two-way HTTPS authentication | This parameter is valid only when two-way HTTPS authentication is used. | Required when `mtls` is `true` |
- | `evictpodforce` | bool | Whether to forcibly evict pods during upgrade/rollback | Must be `true` or `false`. This parameter is valid only for upgrades or rollbacks. | Yes |
- | `sysconfigs` | / | Configuration settings | 1. When `opstype` is `config`, only configuration is performed.
2. When `opstype` is `upgrade/rollback`, it indicates post-upgrade/rollback configuration, meaning it takes effect after the upgrade/rollback and subsequent reboot. For detailed field descriptions, see the [Settings](#settings). | Required when `opstype` is `config` |
- | `upgradeconfigs`| / | Configuration settings to apply before an upgrade. | This parameter is valid for upgrades or rollbacks and takes effect before the upgrade or rollback operation. For detailed field descriptions, see the [Settings](#settings). | Optional |
- | `nodeselector` | string | Label of the nodes targeted for the upgrade/configuration/rollback | This parameter is used to perform operations on nodes with specific labels, rather than all worker nodes in the cluster. The nodes targeted for the operation need to have a label with the `upgrade.openeuler.org/node-selector` key. The `nodeselector` parameter should be set to the value of this label. **Notes:** 1. When this parameter is not set or is set to `no-label`, operations are performed on nodes that do not have the `upgrade.openeuler.org/node-selector` label.
2. When this parameter is set to `""` (an empty string), operations are performed on nodes that have the `upgrade.openeuler.org/node-selector=""` label.
3. To ignore labels and perform operations on all nodes, set this parameter to `all-label`. | Optional |
- | `timewindow` | / | Time window during which the upgrade/configuration/rollback can take place. | 1. When specifying a time window, both `starttime` and `endtime` must be specified. That is, they should either both be empty or both be non-empty.
1. Both `starttime` and `endtime` are strings and should be in the `YYYY-MM-DD HH:MM:SS` or `HH:MM:SS` format, and both should follow the same format.
2. When in `HH:MM:SS` format, if `starttime` is less than `endtime`, it is assumed that `starttime` refers to that time on the next day.
3. When `timewindow` is not specified, it defaults to no time window restrictions. | Optional |
- | `timeinterval` | int | The time interval between each batch of tasks for the upgrade/configuration/rollback operation. | This parameter is in seconds and defines the time interval between the operator dispatching tasks. If the Kubernetes cluster is busy and cannot immediately respond to the operator's request, the actual interval may be longer than the specified time. | Optional |
- | `executionmode` | string | The mode in which the upgrade/configuration/rollback operation is executed. | The value can be `serial` or `parallel`. If this parameter is not set, the operation defaults to parallel mode. | Optional |
+ | Parameter | Type | Description | Usage Notes | Mandatory |
+ | ---------------- | ------ | ------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
+ | `imagetype` | string | Type of image used for the upgrade | The value can be `docker`, `containerd`, or `disk` and is valid only for upgrades. **Note:** When the value is `containerd`, the agent prioritizes the `crictl` tool for pulling images. If `crictl` is unavailable, it uses the `ctr` command. When `ctr` is used to pull images from a private repository, configure the repository host information in the **/etc/containerd/certs.d** directory according to the [containerd official documentation](https://github.com/containerd/containerd/blob/main/docs/hosts.md). | Yes |
+ | `opstype` | string | Operation type (upgrade, configuration, or rollback) | The value can be `upgrade`, `config`, or `rollback`. | Yes |
+ | `osversion` | string | Target version for the upgrade or rollback | `osversion` must match the target OS version of the nodes (specified in the `PRETTY_NAME` field in the **/etc/os-release** file or the OS version detected by Kubernetes). For example: `KubeOS 1.0.0`. | Yes |
+ | `maxunavailable` | int | Maximum number of nodes undergoing upgrade/configuration/rollback concurrently | If `maxunavailable` exceeds the actual number of nodes, the operation proceeds with the actual number of nodes. | Yes |
+ | `containerimage` | string | Container image used for the upgrade | This parameter is only applicable when `imagetype` is a container type. The value can be one of the three container image address formats: `repository/name`, `repository/name@sha256:xxxx`, and `repository/name:tag`. | Yes |
+ | `imageurl` | string | URL of the drive image used for the upgrade | `imageurl` must include the protocol and supports only `http` or `https`. Example: `https://192.168.122.15/update.img`. Valid only for upgrades using drive images. | Yes |
+ | `checksum` | string | Checksum (SHA-256) of the drive image used for the upgrade or the digests of the container image | This parameter is valid only for upgrades. | Yes |
+ | `flagSafe` | bool | Whether the address specified by `imageurl` is safe when the `http` protocol is used | The value must be `true` or `false`. This parameter is valid only when `imageurl` uses the `http` protocol. | Yes |
+ | `mtls` | bool | Whether the connection to `imageurl` uses two-way HTTPS authentication | The value must be `true` or `false`. This parameter is valid only when `imageurl` uses the `https` protocol. | Yes |
+ | `cacert` | string | Root certificate file used for HTTPS or two-way HTTPS authentication | This parameter is valid only when `imageurl` uses the `https` protocol. | Required when `imageurl` uses `https` |
+ | `clientcert` | string | Client certificate file used for two-way HTTPS authentication | This parameter is valid only when two-way HTTPS authentication is used. | Required when `mtls` is `true` |
+ | `clientkey` | string | Client private key file used for two-way HTTPS authentication | This parameter is valid only when two-way HTTPS authentication is used. | Required when `mtls` is `true` |
+ | `evictpodforce` | bool | Whether to forcibly evict pods during upgrade/rollback | Must be `true` or `false`. This parameter is valid only for upgrades or rollbacks. | Yes |
+ | `sysconfigs` | / | Configuration settings | 1. When `opstype` is `config`, only configuration is performed. 2. When `opstype` is `upgrade/rollback`, it indicates post-upgrade/rollback configuration, meaning it takes effect after the upgrade/rollback and subsequent reboot. For detailed field descriptions, see the [Settings](#settings). | Required when `opstype` is `config` |
+ | `upgradeconfigs` | / | Configuration settings to apply before an upgrade. | This parameter is valid for upgrades or rollbacks and takes effect before the upgrade or rollback operation. For detailed field descriptions, see the [Settings](#settings). | Optional |
+ | `nodeselector` | string | Label of the nodes targeted for the upgrade/configuration/rollback | This parameter is used to perform operations on nodes with specific labels, rather than all worker nodes in the cluster. The nodes targeted for the operation need to have a label with the `upgrade.openeuler.org/node-selector` key. The `nodeselector` parameter should be set to the value of this label. **Notes:** 1. When this parameter is not set or is set to `no-label`, operations are performed on nodes that do not have the `upgrade.openeuler.org/node-selector` label. 2. When this parameter is set to `""` (an empty string), operations are performed on nodes that have the `upgrade.openeuler.org/node-selector=""` label. 3. To ignore labels and perform operations on all nodes, set this parameter to `all-label`. | Optional |
+ | `timewindow` | / | Time window during which the upgrade/configuration/rollback can take place. | 1. When specifying a time window, both `starttime` and `endtime` must be specified. That is, they should either both be empty or both be non-empty.1. Both `starttime` and `endtime` are strings and should be in the `YYYY-MM-DD HH:MM:SS` or `HH:MM:SS` format, and both should follow the same format. 2. When in `HH:MM:SS` format, if `starttime` is less than `endtime`, it is assumed that `starttime` refers to that time on the next day. 3. When `timewindow` is not specified, it defaults to no time window restrictions. | Optional |
+ | `timeinterval` | int | The time interval between each batch of tasks for the upgrade/configuration/rollback operation. | This parameter is in seconds and defines the time interval between the operator dispatching tasks. If the Kubernetes cluster is busy and cannot immediately respond to the operator's request, the actual interval may be longer than the specified time. | Optional |
+ | `executionmode` | string | The mode in which the upgrade/configuration/rollback operation is executed. | The value can be `serial` or `parallel`. If this parameter is not set, the operation defaults to parallel mode. | Optional |
## Upgrade
@@ -109,7 +109,7 @@ Create a custom object of the OS type in the cluster and set the corresponding f
```
- Upgrade using a container image
- - Before you can upgrade using a container image, you need to create a container image specifically for the upgrade process. For detailed instructions on how to create this image, see [KubeOS OCI ιεεΆδ½](./kubeos-image-creation.md#creating-a-kubeos-oci-image) in [KubeOS Image Creation](./kubeos-image-creation.md).
+ - Before you can upgrade using a container image, you need to create a container image specifically for the upgrade process. For detailed instructions on how to create this image, see [Creating a KubeOS OCI Image](./kubeos-image-creation.md#creating-a-kubeos-oci-image) in [KubeOS Image Creation](./kubeos-image-creation.md).
``` yaml
apiVersion: upgrade.openeuler.org/v1alpha1
@@ -361,42 +361,43 @@ Create a custom object of the OS type in the cluster and set the corresponding f
- You can use the rollback tool in two ways:
1. Rollback mode: reverts to the previous version.
2. Upgrade mode: re-upgrades to the previous version.
+
- Manual rollback instructions
- Restart the VM and select the second boot option in the GRUB boot menu to roll back to the previous version.
+
- Rollback tool instructions
- Rolling back to any version
- 1. Modify the YAML configuration file of the OS CR instance (for example, **upgrade_v1alpha1_os.yaml**). Set the relevant fields to the image information of the desired version. The OS category originates from the CRD object created in the installation and deployment document. Refer to the upgrade instructions in the previous section for field descriptions and examples.
-
- 2. After modifying the YAML file, execute the update command. Nodes will then roll back according to the configured field information.
+ 1. Modify the YAML configuration file of the OS CR instance (for example, **upgrade_v1alpha1_os.yaml**). Set the relevant fields to the image information of the desired version. The OS category originates from the CRD object created in the installation and deployment document. Refer to the upgrade instructions in the previous section for field descriptions and examples.
+ 2. After modifying the YAML file, execute the update command. Nodes will then roll back according to the configured field information.
- ```shell
- kubectl apply -f upgrade_v1alpha1_os.yaml
- ```
+ ```shell
+ kubectl apply -f upgrade_v1alpha1_os.yaml
+ ```
- - Rolling back to the previous version
- - To roll back to the previous OS version, modify the **upgrade_v1alpha1_os.yaml** file. Set `osversion` to the previous version and `opstype` to `rollback` to roll back to the previous version (that is, switch to the previous partition). Example YAML file:
+ - Rolling back to the previous version
+ - To roll back to the previous OS version, modify the **upgrade_v1alpha1_os.yaml** file. Set `osversion` to the previous version and `opstype` to `rollback` to roll back to the previous version (that is, switch to the previous partition). Example YAML file:
- ```yaml
- apiVersion: upgrade.openeuler.org/v1alpha1
- kind: OS
- metadata:
- name: os-sample
- spec:
- imagetype: ""
- opstype: rollback
- osversion: KubeOS pervious version
- maxunavailable: 2
- containerimage: ""
- evictpodforce: true/false
- imageurl: ""
- checksum: ""
- flagSafe: false
- mtls: true
- ```
+ ```yaml
+ apiVersion: upgrade.openeuler.org/v1alpha1
+ kind: OS
+ metadata:
+ name: os-sample
+ spec:
+ imagetype: ""
+ opstype: rollback
+ osversion: KubeOS previous version
+ maxunavailable: 2
+ containerimage: ""
+ evictpodforce: true/false
+ imageurl: ""
+ checksum: ""
+ flagSafe: false
+ mtls: true
+ ```
- - To roll back to the previous configuration version (note that already configured parameters cannot be rolled back), modify the `upgrade_v1alpha1_os.yaml` file. Set `version` of `sysconfigs/upgradeconfigs` to the previous version. Example YAML file:
+ - To roll back to the previous configuration version (note that already configured parameters cannot be rolled back), modify the `upgrade_v1alpha1_os.yaml` file. Set `version` of `sysconfigs/upgradeconfigs` to the previous version. Example YAML file:
- ```yaml
+ ```yaml
apiVersion: upgrade.openeuler.org/v1alpha1
kind: OS
metadata:
@@ -428,15 +429,14 @@ Create a custom object of the OS type in the cluster and set the corresponding f
value: kernel param value3
```
- 3. After modifying the YAML file and executing the update command, the nodes will roll back based on the configured information.
+ - After modifying the YAML file and executing the update command, the nodes will roll back based on the configured information.
- ```shell
- kubectl apply -f upgrade_v1alpha1_os.yaml
- ```
+ ```shell
+ kubectl apply -f upgrade_v1alpha1_os.yaml
+ ```
- 4. Verify that the rollback was successful.
- - To check the container OS version (for OS version rollback), verify container OS version of the node.
- - To check the configuration version (for configuration rollback), verify the node configuration version and that the node status is `idle`.
+ - Verify that the rollback was successful.
+ - To check the container OS version (for OS version rollback), verify container OS version of the node. To check the configuration version (for configuration rollback), verify the node configuration version and that the node status is `idle`.
```shell
kubectl get osinstances -o custom-columns='NAME:.metadata.name,NODESTATUS:.spec.nodestatus,SYSCONFIG:status.sysconfigs.version,UPGRADECONFIG:status.upgradeconfigs.version'
diff --git a/docs/en/docs/SecHarden/system-services.md b/docs/en/docs/SecHarden/system-services.md
index 42d306874f89c881439ec7b762c39856c9a0270e..6a6cf763da4bd696e7c85bcb314afec350d54956 100644
--- a/docs/en/docs/SecHarden/system-services.md
+++ b/docs/en/docs/SecHarden/system-services.md
@@ -288,8 +288,8 @@ To harden a client, perform the following steps:
- > **NOTE:**
- >By default, the messages displayed before and after SSH login are saved in the **/etc/issue.net** file. The default information in the **/etc/issue.net** file is **Authorized users only.** **All activities may be monitored and reported.**
+ >  **NOTE:**
+ > By default, the messages displayed before and after SSH login are saved in the **/etc/issue.net** file. The default information in the **/etc/issue.net** file is **Authorized users only.** **All activities may be monitored and reported.**
- Client hardening policies
@@ -329,8 +329,8 @@ To harden a client, perform the following steps:
- > **NOTE:**
- >Third-party clients and servers that use the Diffie-Hellman algorithm are required to allow at least 2048-bit connection.
+ >  **NOTE:**
+ > Third-party clients and servers that use the Diffie-Hellman algorithm are required to allow at least 2048-bit connection.
### Other Security Suggestions
@@ -362,8 +362,8 @@ To harden a client, perform the following steps:
SFTP is a secure FTP designed to provide secure file transfer over SSH. Users can only use dedicated accounts to access SFTP for file upload and download, instead of SSH login. In addition, directories that can be accessed over SFTP are limited to prevent directory traversal attacks. The configuration process is as follows:
- > **NOTE:**
- >In the following configurations, **sftpgroup** is an example user group name, and **sftpuser** is an example username.
+ >  **NOTE:**
+ > In the following configurations, **sftpgroup** is an example user group name, and **sftpuser** is an example username.
1. Create an SFTP user group.
@@ -421,21 +421,21 @@ To harden a client, perform the following steps:
#Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH
Subsystem sftp internal-sftp -l INFO -f AUTH
...
-
+
Match Group sftpgroup
ChrootDirectory /sftp/%u
ForceCommand internal-sftp
```
- > **NOTE:**
- >- **%u** is a wildcard character. Enter **%u** to represent the username of the current SFTP user.
- >- The following content must be added to the end of the **/etc/ssh/sshd\_config** file:
- >
- > ```text
- > Match Group sftpgroup
- > ChrootDirectory /sftp/%u
- > ForceCommand internal-sftp
- > ```
+ >  **NOTE:**
+ - **%u** is a wildcard character. Enter **%u** to represent the username of the current SFTP user.
+ - The following content must be added to the end of the **/etc/ssh/sshd\_config** file:
+
+ ```text
+ Match Group sftpgroup
+ ChrootDirectory /sftp/%u
+ ForceCommand internal-sftp
+ ```
9. Restart the SSH service.
@@ -451,5 +451,5 @@ To harden a client, perform the following steps:
ssh -t testuser@192.168.1.100 su
```
- > **NOTE:**
- >**192.168.1.100** is an example IP address, and **testuser** is an example username.
+ >  **NOTE:**
+ > **192.168.1.100** is an example IP address, and **testuser** is an example username.