Paul Bastide

Category: OpenShift

  • Things for the Week

    This week I learned a few things of interest:

    In close collaboration with Red Hat the IBM Power Ecosystem team has continued efforts to enable and advance products running on the Power platform. Click here to review the new releases in February: https://community.ibm.com/community/user/powerdeveloper/blogs/ashwini-sule/2023/03/02/red-hat-products-february-2023-releases

    IBM Power Developer Exchange

    I found the list helpful when using the Power architecture and OpenShift.

    Want to develop applications with Red Hat OpenShift Dev Spaces but don’t know where to start? This blog outlines the step-by-step process for installing OpenShift Dev Spaces on the Red Hat OpenShift Container Platform on IBM Power: https://community.ibm.com/community/user/powerdeveloper/blogs/sachin-itagi/2023/03/03/developing-net-applications-on-ibm-power-using-vis 

    IBM Power Developer Exchange

    I haven’t stayed current on all the cool things in OpenShift, I thought this one held the most promise for end-to-end devops.

    I needed to figure out why my Worker’s networking was disconnected from the network:

    oc get nodes
ssh core@osa21-worker-1.sslip.io
nmcli device
nmcli con reload env3
nslookup quay.io

    After the restart the networking worked. It told me there was something wrong with the local networking, so I checked the DNS Operator. I had to restart the operator and make some changes to a DNS server that was actually up.

    If you hit some networking issues, the above will help.

    You can solve the multi-architecture multi-image problem when automating and sharing images across IBM Power and x86 with container manifests. Learn how here: https://community.ibm.com/community/user/powerdeveloper/viewdocument/build-multi-architecture-container?CommunityKey=2d4070a1-ca52-4e83-8efb-02b41c42459e&tab=librarydocuments 

    IBM Power Developer Exchange

    If you need to build manifest images the above is very helpful.

  • How to grab ignition files

    I was helping a colleague grab the latest ignition files for his OpenShift Container Platform workers.

    1. Connect to the bastion
    ❯ ssh root@<hostname>
    1. List the master nodes and select a master node
    ❯ oc get nodes -lnode-role.kubernetes.io/master=
NAME                                                        STATUS   ROLES                  AGE     VERSION
master-0.ocp-power.xyz   Ready    control-plane,master   5d19h   v1.25.2+7dab57f
master-1.ocp-power.xyz   Ready    control-plane,master   5d19h   v1.25.2+7dab57f
master-2.ocp-power.xyz   Ready    control-plane,master   5d19h   v1.25.2+7dab57f
    1. Get the IP address
    ❯ oc get nodes master-2.ocp-power.xyz -o json | jq -r .status.addresses
[
  {
    "address": "192.168.100.240",
    "type": "InternalIP"
  },
  {
    "address": "master-2.ocp-power.xyz",
    "type": "Hostname"
  }
]
    1. The Machine Config Server has the latest igntion file
    ❯ curl https://192.168.100.240:22623/config/worker -k -H "Accept: application/vnd.coreos.ignition+json;version=3.2.0" | jq -r . > worker-$(date +%Y-%m-%d).ign

    worker can be replaced with master or any other MachineConfigPool

    The machine-config-server is hosted on each of the master nodes and the bootstrap node.

    Note, this makes it download ignition version 3.2.0.

    1. Download the ignition file
    ❯ scp root@<hostname>:'~'/worker-$(date +%Y-%m-%d).ign .
worker-2023-03-02.ign                          100%  357KB 249.3KB/s   00:01

    You can use this file for your work with worker ignition.

    Refer to https://github.com/openshift/machine-config-operator/blob/e39fea2d5c1d6991df4f7dd526b6292238f2ecfc/pkg/server/api.go#L196

  • Interesting Things of the Week for February 17, 2023

    Security Implementation with Red Hat OpenShift on IBM Power Systems

    …As with any production system, it is important to ensure the security of an OpenShift deployment. This includes secure deployment and configuration of the OpenShift components, as well as ongoing maintenance and monitoring to ensure the continued security of the environment. This Redpaper publication provides a comprehensive overview of the security best practices for deploying Red Hat OpenShift on IBM Power systems…

    IBM Redpaper: https://www.redbooks.ibm.com/redpieces/abstracts/redp5690.html

    The IBM RedPaper is pretty comprehensive on Securing OpenShift (note it’s a draft).

    Power Developer Exchange: Installing single node OpenShift to PowerVM

    CHONGSHI ZHANG shows how to install a SNO (single node OpenShift) to a PowerVM instance. It’s very powerful for development and other purposes.

    IBM Power Developer Exchange: https://community.ibm.com/community/user/powerdeveloper/blogs/chongshi-zhang/2023/02/09/installing-sno-to-powervm

    The Power Developer Exchange has a detailed approach to Single Node OpenShift.

    A script to rotate Encryption keys for etcd

    oc patch kubeapiserver cluster --type merge -p "
spec:
  unsupportedConfigOverrides:
    encryption:
      reason: force KAS rotation `date`
"
    Rotating Encryption Keys on OpenShift etcd https://patch-diff.githubusercontent.com/raw/ocp-power-automation/ocp4-playbooks-extras/pull/45.patch

    The above code is super handy for rotating the etcd encryption keys.

    Red Hat updated the oc-compliance kubectl plugin.

    RHEA-2023:0797 https://access.redhat.com/errata/RHEA-2023:0797

    oc-compliance is now updated.

    Error: creating build container: copying system image from manifest list: Source image rejected: None of the signatures were accepted

    [2/2] STEP 1/4: FROM registry.access.redhat.com/ubi8/ubi:8.7-1054.1675788412
Trying to pull registry.access.redhat.com/ubi8/ubi:8.7-1054.1675788412...
Error: creating build container: copying system image from manifest list: Source image rejected: None of the signatures were accepted, reasons: open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory

    You can then override the trust

    # podman image trust set -t reject default
# podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release -t signedBy registry.access.redhat.com
# podman image trust show
    https://access.redhat.com/solutions/5525441

    The latest podman runs into some issues with trusting sources.

    Error: error copying image "78b2869b282bf2f28a5e873d6ade079e83d77765223c7bcd180b77cbc8fe4751": Source image rejected: Running image containers-storage:[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@78b2869b282bf2f28a5e873d6ade079e83d77765223c7bcd180b77cbc8fe4751 is rejected by policy.

    In podman, you might hit the above, and need to switch to insecureAcceptAnything when you do a podman push.

    You’ll want to modify /etc/containers/policy.json default from type reject to insecureAcceptAnything

        "default": [
        {
            "type": "insecureAcceptAnything"
        }

  • Interesting Things for the Week Ending 10 Feb 2023

    During the week, I accumulate a lot of links/information that I want to come back to over and over again. I find it helpful to blog about them. Here are some of things I found interesting this week, and frankly helpful.

    Build multi-arch images on GitHub Actions with Buildx 

    If you have ever wondered how to build multi-arch containers to run on ppc64le, x86, ARM, and/or s390x with GitHub Actions, then this article is for you. GitHub Actions is a continuous integration … 

    https://community.ibm.com/community/user/powerdeveloper/blogs/siddhesh-ghadi/2023/02/08/build-multi-arch-images-on-github-actions-with-bui

    A comprehensive article on using docker buildx to generate manifest listed builds.

    Routing Via Host with OVNKuberenetes 

    OVN-Kuberenetes is the default network provider for OpenShift Container Platform. OVN-Kubernetes is based on Open Virtual Network (OVN) and provides an overlay-based networking implementation. OVN-Kubernetes … 

    https://community.ibm.com/community/user/powerdeveloper/blogs/mick-tarsel/2023/01/26/routingviahost-with-ovnkuberenetes

    The background and why we use OVN-Kubernetes is superb. Mick did a bang up job on it.

    Making a OpenShift Container Platform StorageClass the default

    I had to recollect how to set the StorageClass as the default. You can check the current storageclass setting

    ❯ oc get storageclass
NAME                   PROVISIONER                                   RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
nfs-client             k8s-sigs.io/nfs-subdir-external-provisioner   Delete          Immediate           false                  18m

    Patch the storageclass name – nfs-client

    ❯ oc patch storageclass nfs-client -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "true"}}}'

    Check the storage class is now the default

    ❯ oc get storageclass
NAME                   PROVISIONER                                   RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
nfs-client (default)   k8s-sigs.io/nfs-subdir-external-provisioner   Delete          Immediate           false                  18m

    References

    1. Changing the default storage class

    The above is a fast way to set the StorageClass default.

    Setting Namespace Security Labels

    In case you need to set it for a specific namespace such as nfs-provisioner.

    oc label namespace/nfs-provisioner security.openshift.io/scc.podSecurityLabelSync=false --overwrite=true
oc label namespace/nfs-provisioner pod-security.kubernetes.io/enforce=privileged --overwrite=true
oc label namespace/nfs-provisioner pod-security.kubernetes.io/audit=privileged --overwrite=true
oc label namespace/nfs-provisioner pod-security.kubernetes.io/warn=privileged --overwrite=true

    The above is a quick macro for setting it for a given namespace so you can get privileged access.

  • Compliance Operator Quick Notes

    If you’re processing Credit Card Payments on the OpenShift Container Platform, the Payment Card Industry and the Data Security Standard is a must on your cluster.

    With Red Hat’s release of the Compliance Operator v0.1.59, they added support for IBM Power Systems.

    I wanted to share a couple of notes about the Compliance Operator:

    1. The Compliance Operator supports the ocp4-cisocp4-cis-nodeocp4-pci-dss-node and ocp4-pci-dss profiles.
    2. The Compliance Operator sources the profiles which have a set of rules from ComplianceAsCode/content. For instance, you can see the OpenShift profiles at products/ocp4/profiles/.
    3. The Compliance Operator PCI-DSS profiles support v3.2.1.
    4. If you see a profile with a postfix of -node, it’s focus is on the Operating System.
    5. If you see no -node on the profile name, it’s focus is on the Kubernetes and OpenShift platform.

    Clarification 2023-FEB-07 I learned the -node and node were actually there due to limitations in oscap, together they represent the same profile and are expected to be applied together.

    I hope this quick notes help you.

    References
    1. Medium/Aditi Jadhav: Using the Compliance Operator to support PCI-DSS on OpenShift Container Platform on Power
    2. Power Developer Exchange: OpenShift Compliance Operator 0.1.59 now supports PCI-DSS on Power
    3. PCI-DSS v3.2.1 Standard
    4. Supported compliance profiles

  • My MachineConfigPool is … Stuck

    My teammate was investigating an SSHD config change and hit a stuck MachineConfigPool. Here are some steps we followed to get it unstuck.

    Steps

    1. Verify that the MachineConfigPool is stuck updating
    ❯ oc get mcp
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-0de63bfa1c0db0777031adddb3286fbc   False     True       True       3              0                   0                     3                      9d
worker   rendered-worker-38e4049eaf0b7fca848408378092e607   True      False      False      3              3                   3                     0                      9d
    1. Find out for one of your nodes in the mcp that is stuck (for instance, master-0)
    ❯ oc get pods -n openshift-machine-config-operator --field-selector spec.nodeName=master-0
NAME                          READY   STATUS    RESTARTS   AGE
machine-config-daemon-t8x8j   2/2     Running   2          35h
machine-config-server-kfx8n   1/1     Running   1          35h
    1. Check the logs and grab the rendered-master
    ❯ oc logs pod/machine-config-daemon-tgnss -n openshift-machine-config-operator
...
E0124 07:19:26.746977  780508 on_disk_validation.go:208] content mismatch for file "/etc/ssh/sshd_config" (-want +got):
  bytes.Join({
-       "\n#\t",
+       "#       ",
        "$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $\n\n# Th",
        "is is the sshd server system-wide configuration file.  See\n# ssh",
        ... // 1437 identical bytes
        "keys and .ssh/authorized_keys2\n# but this is overridden so insta",
        "llations will only check .ssh/authorized_keys\nAuthorizedKeysFile",
-       `       `,
+       "      ",
        ".ssh/authorized_keys\n\n#AuthorizedPrincipalsFile none\n\n#Authorize",
        "dKeysCommand none\n#AuthorizedKeysCommandUser nobody\n\n# For this ",
        ... // 2258 identical bytes
        "E LC_MEASUREMENT\nAcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE\nAcc",
...
+       "\n",
  }, "")
E0124 07:19:26.747042  780508 writer.go:200] Marking Degraded due to: unexpected on-disk state validating against rendered-master-0de63bfa1c0db0777031adddb3286fbc: content mismatch for file "/etc/ssh/sshd_config"
I0124 07:19:28.973484  780508 daemon.go:1248] Current+desired config: rendered-master-0de63bfa1c0db0777031adddb3286fbc
...
    1. OK, this looks like a problem with the whitespace, and inspect the URL decoded version’s whites pace vim :set list
    > oc get mc rendered-master-0de63bfa1c0db0777031adddb3286fbc -o yaml > out.yaml

    You may have to update the white space.

    1. Check the reasons for the failure if the whitespace doesn’t fix it.
    > oc describe mcp master

Message:
    Node master-0 is reporting: 
        "unexpected on-disk state validating against rendered-master-0de63bfa1c0db0777031adddb3286fbc: 
        mode mismatch for file: \"/etc/ssh/sshd_config\"; 
        expected: -rw-------/384/0600; received: -rw-r--r--/420/0644", 
        Node master-1 is reporting: "unexpected on-disk state validating 
        against rendered-master-0de63bfa1c0db0777031adddb3286fbc: content 
        mismatch for file \"/etc/ssh/sshd_config\"", Node master-2 is reporting:
        "unexpected on-disk state validating against 
        rendered-master-0de63bfa1c0db0777031adddb3286fbc: content mismatch for file 
        \"/etc/ssh/sshd_config\""

    In this case, the local files were edited while preparing the ideal sshd_config and needed a forced update.

    1. Force the machine-config to refresh files.
    > touch /run/machine-config-daemon-force
    1. You should see the states change after the node reboots.
    Events:
  Type    Reason            Age    From                                    Message
  ----    ------            ----   ----                                    -------
  Normal  AnnotationChange  5m19s  machineconfigcontroller-nodecontroller  Node master-0 now has machineconfiguration.openshift.io/state=Done

  degradedMachineCount: 2
  machineCount: 3
  observedGeneration: 500
  readyMachineCount: 0
  unavailableMachineCount: 2
  updatedMachineCount: 0

    If you need to select a file from the rendered config:

    > oc get mc rendered-master-0de63bfa1c0db0777031adddb3286fbc -o yaml | yq -r '.spec.config[].files[] | select(.path == "/etc/ssh/sshd_config").contents.source'
data:,%0A%23%09$OpenBSD:%20sshd_config%2Cv%201.103
...

    References

  • How to use OpenScap Scanner on a Mac

    For those, not yet using openscap-scanner on their systems, OpenSCAP is an security auditing framework that utilizes the Extensible Configuration Checklist Description Format (XCCDF) and the openscap-scanner executes over the security profile on a target system.

    One gotcha, I have a Mac, and the tool is not natively supported on the Mac. I decided to use it through a fedora container running in Podman.

    Here are the steps to running on a Mac with complianceascode/content‘s release.

    Steps

    1. Download the Docker File
    2. Build the Image
    $ podman build -f Dockerfile -t ocp-power.xyz/compliance/openscap-wrapper:latest
...
    1. Download the content files scap-security-guide-0.1.65.zip
    $ curl -O -L https://github.com/ComplianceAsCode/content/releases/download/v0.1.65/scap-security-guide-0.1.65.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  130M  100  130M    0     0  2752k      0  0:00:48  0:00:48 --:--:-- 5949k
    1. Unzip the scap-security-guide-0.1.65.zip file.
    $ unzip scap-security-guide-0.1.65.zip
    1. Rename the directory scap-security-guide-0.1.65 to scap
    $ mv scap-security-guide-0.1.65 scap
    1. List the profiles in a specific XML.
    $ podman run --rm -v ./scap:/scap ocp-power.xyz/compliance/openscap-wrapper:latest oscap info --profiles /scap/ssg-ocp4-ds.xml
xccdf_org.ssgproject.content_profile_cis-node:CIS Red Hat OpenShift Container Platform 4 Benchmark
xccdf_org.ssgproject.content_profile_cis:CIS Red Hat OpenShift Container Platform 4 Benchmark
xccdf_org.ssgproject.content_profile_e8:Australian Cyber Security Centre (ACSC) Essential Eight
xccdf_org.ssgproject.content_profile_high-node:NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Node level
xccdf_org.ssgproject.content_profile_high:NIST 800-53 High-Impact Baseline for Red Hat OpenShift - Platform level
xccdf_org.ssgproject.content_profile_moderate-node:NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level
xccdf_org.ssgproject.content_profile_moderate:NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level
xccdf_org.ssgproject.content_profile_nerc-cip-node:North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the  Red Hat OpenShift Container Platform - Node level
xccdf_org.ssgproject.content_profile_nerc-cip:North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the  Red Hat OpenShift Container Platform - Platform level
xccdf_org.ssgproject.content_profile_pci-dss-node:PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
xccdf_org.ssgproject.content_profile_pci-dss:PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4
    1. Details on the profile
    $ podman run --rm  -v ./scap:/scap ocp-power.xyz/compliance/openscap-wrapper:latest oscap info --profile xccdf_org.ssgproject.content_profile_cis-node /scap/ssg-ocp4-ds.xml
Document type: Source Data Stream
Imported: 2022-12-02T19:09:36

Stream: scap_org.open-scap_datastream_from_xccdf_ssg-ocp4-xccdf.xml
Generated: (null)
Version: 1.3
Profile
        Title: CIS Red Hat OpenShift Container Platform 4 Benchmark
        Id: xccdf_org.ssgproject.content_profile_cis-node

        Description: This profile defines a baseline that aligns to the Center for Internet Security® Red Hat OpenShift Container Platform 4 Benchmark™, V1.1.  This profile includes Center for Internet Security® Red Hat OpenShift Container Platform 4 CIS Benchmarks™ content.  Note that this part of the profile is meant to run on the Operating System that Red Hat OpenShift Container Platform 4 runs on top of.  This profile is applicable to OpenShift versions 4.6 and greater.
    1. Now, I can run more advanced commands on the profiles on my Mac.
    $ podman run --rm  -v ./scap:/scap ocp-power.xyz/compliance/openscap-wrapper:latest oscap oval generate report /scap/ssg-ocp4-ds.xml 2>&1

    References

    1. OpenScap Downloads
    2. OpenScap source code
    3. OpenScap Manual Source
    4. OpenScap Manual Published

    Notes

    Note, I found I had to do the following on my Mac to get the volume to mount.

    $ podman machine stop
$ podman machine set --rootful
$ podman machine start
$ sudo /opt/homebrew/Cellar/podman/4.3.1/bin/podman-mac-helper install
$ podman machine stop; podman machine start

  • Access to Power Systems for Development

    Linda, a colleague on IBM Power Systems development, assembled a nice compendium of resources for developing solutions on IBM Power (ppc64le) architecture. To read more click on the link, and review the details

    Want access to IBM Power Hardware for development efforts? We have compiled a list of cloud, emulation, and on-prem options for you to choose from. Click the link to access all the tools you need to get started. 

    IBM #PowerSystems #IBMCloud #OpenSourceSoftware #IT Infrastructure #PDeX

    https://community.ibm.com/community/user/powerdeveloper/blogs/linda-alkire-kinnunen/2022/08/08/accelerate-your-open-source-development-with-acces 

    Note: for most of what I work on QEMU turns out to be sufficient.

  • Using Ghost on OpenShift Container Platform

    To demonstrate a multi-tiered web application, I used ghost, the microblogging platform to deploy the application using kustomize. Kustomize is a higher-level orchestration of the steps to deploy an application with environment specific overlays.

    Steps

    1. Clone the repository
    git clone https://github.com/prb112/openshift-demo.git
    1. Install kustomize
    $ brew install kustomize

    1. Login to your cluster using oc.

    2. Generate a randomized password

    $ ENV_PASS=$(openssl rand -hex 10)
$ echo ${ENV_PASS}

    Note, save the output…

    1. Generate the working url for the cluster/ghost app.
    $ export WEB_DOMAIN=https://web-route-ghost.apps.$(oc get ingress.config.openshift.io cluster -o yaml | grep domain | awk '{print $NF}')
$ echo ${WEB_DOMAIN}

    1. Change to the ghost/deploy directory using cd openshift-demo/ghost/deploy

    2. Create the secret for the database

    $ cat secrets/01_db_secret.yml | sed "s|ENV_PASS|${ENV_PASS}|" | oc apply -f -
    1. Create the configmap for the Ghost app URL.
    $ cat secrets/02_web_cm.yml | sed "s|WEB_DOMAIN|${WEB_DOMAIN}|" | oc apply -f -
    1. Create the deployment for the website
    $ oc apply -k overlays/dev
namespace/ghost configured
service/db-service unchanged
service/web unchanged
persistentvolumeclaim/db-pvc unchanged
persistentvolumeclaim/web-content unchanged
deployment.apps/ghost-db unchanged
deployment.apps/web unchanged
route.route.openshift.io/web-route unchanged
    1. To clean it up you can run…
    $ oc delete -k overlays/dev
namespace "ghost" deleted
service "db-service" deleted
service "web" deleted
persistentvolumeclaim "db-pvc" deleted
persistentvolumeclaim "web-content" deleted
deployment.apps "ghost-db" deleted
deployment.apps "web" deleted
route.route.openshift.io "web-route" deleted
    1. To see your website URL, you can grab the config map.
    $ oc get cm -o yaml
    1. Navigate to the URL, such as https://web-route-ghost.apps.xyz.zzz.zyz.com/ghost/ to start setting up your site.

    Note, if I had time, I would have generated a non-privileged user for MySQL and used that on the MySQL instance.

    References

    1. https://elixm.com/how-to-deploy-ghost-blog-with-kubernetes/
    2. https://hub.docker.com/_/ghost
    3. https://hub.docker.com/_/mysql
    4. https://github.com/openshift-cs/ghost-example/blob/master/ghost_template.yaml

  • Support for detecting nx-gzip coprocessor feature in Node Feature Discovery

    The Kubernetes add-on Node Feature Discovery is enhanced with a new coprocessor feature and support for detecting the NX-GZIP on Power 10. This work supports the use of libnxz/power-gzip feature.

    We setup Kubernetes 1.25 on a Power10 RHEL 9.1 PowerVM. We built the feature and submitted the PR on behalf of IBM. You’ll need RHEL 9.1 as an operating system on Power 10.

    When the Worker or Control Plane node has Node Feature Discovery enabled on a Power 10 PowerVM with Red Hat Enterprise Linux 9.1 or higher, the label coprocessor.nx_gzip is present on the node. You can see more details in the PR 956