Add Troubleshooting SUSE Edge documentation section (suse-edge#678)

* Add Troubleshooting SUSE Edge documentation section

* first round of review comments

* Update troubleshooting-directed-network-provisioning.adoc

updated "BMH trigger information"

* removed Nessie content

* second review comments

Author: ranjinimn

asciidoc/edge-book/edge.adoc

@@ -125,6 +125,7 @@ include::../guides/clusterclass.adoc[leveloffset=+1]
 // Tips and Tricks
 //--------------------------------------------
 
+[#tips-and-tricks]
 = Tips and Tricks
 
 [partintro]
@@ -192,6 +193,28 @@ include::../product/atip-lifecycle.adoc[]
 // Observability / Terminology
 //--------------------------------------------
 
+= Troubleshooting
+
+[partintro]
+This section provides guidance to diagnose and resolve common issues with SUSE Edge deployments and operations. It covers various topics, offering component-specific troubleshooting steps, key tools, and relevant log locations.
+
+include::../troubleshooting/general-troubleshooting-principles.adoc[]
+
+include::../troubleshooting/troubleshooting-kiwi.adoc[]
+
+include::../troubleshooting/troubleshooting-edge-image-builder.adoc[]
+
+include::../troubleshooting/troubleshooting-edge-networking.adoc[]
+
+include::../troubleshooting/troubleshooting-phone-home-scenarios.adoc[]
+
+include::../troubleshooting/troubleshooting-directed-network-provisioning.adoc[]
+
+include::../troubleshooting/troubleshooting-other-components.adoc[]
+
+include::../troubleshooting/collecting-diagnostics-for-support.adoc[]
+
+
 = Appendix
 
 //--------------------------------------------

asciidoc/quickstart/eib.adoc

@@ -136,6 +136,7 @@ operatingSystem:
 It's also possible to add additional users, create the home directories, set user-id's, add ssh-key authentication, and modify group information. Please refer to the {link-eib-building-images}[upstream building images guide] for further examples.
 ====
 
+[#configuring-os-time]
 === Configuring OS time
 
 The `time` section is optional but it is highly recommended to be configured to avoid potential issues with certificates and clock skew. EIB will configure chronyd and `/etc/localtime` depending on the parameters here.

asciidoc/quickstart/metal3.adoc

@@ -267,6 +267,7 @@ Also note that `ignition.platform.id=openstack` is mandatory - without this argu
 The `time` section is optional but it is highly recommended to be configured to avoid potential issues with certificates and clock skew. The values provided in this example are for illustrative purposes only. Please adjust them to fit your specific requirements.
 ====
 
+[#growfs-script]
 ===== Growfs script
 
 Currently, a custom script (`custom/scripts/01-fix-growfs.sh`) is required to grow the file system to match the disk size on first-boot after provisioning. The `01-fix-growfs.sh` script contains the following information:
@@ -812,6 +813,7 @@ metal3-ironic:
     type: NodePort
 ----
 
+[#disabling-tls-for-virtualmedia-iso-attachment]
 === Disabling TLS for virtualmedia ISO attachment
 
 Some server vendors verify the SSL connection when attaching virtual-media ISO images to the BMC, which can cause a problem because the generated

asciidoc/troubleshooting/collecting-diagnostics-for-support.adoc

@@ -0,0 +1,66 @@
+[#collecting-diagnostics-for-support]
+== Collecting Diagnostics for Support
+:experimental:
+
+ifdef::env-github[]
+:imagesdir: ../images/
+:tip-caption: :bulb:
+:note-caption: :information_source:
+:important-caption: :heavy_exclamation_mark:
+:caution-caption: :fire:
+:warning-caption: :warning:
+endif::[]
+
+When contacting SUSE Support, providing comprehensive diagnostic information is crucial.
+
+.Essential Information to Collect
+
+* *Detailed problem description*: What happened, when did it happen, what were you doing, what is the expected behavior, and what is the actual behavior?
+* *Steps to reproduce*: Can you reliably reproduce the issue? If so, list the exact steps.
+* *Component versions*: SUSE Edge version, components versions (RKE2/K3, EIB, Metal^3^, Elemental,..).
+* *Relevant logs*: 
+** `journalctl` output (filtered by service if possible, or full boot logs).
+** Kubernetes pod logs (kubectl logs).
+** Metal³/Elemental component logs.
+** EIB build logs and other logs
+* *System information*:
+** `uname -a`
+** `df -h`
+** `ip a`
+** `/etc/os-release`
+* *Configuration files*: Relevant configuration files for Elemental, Metal^3^, EIB such as helm chart values, configmaps, etc.
+* *Kubernetes information*: Nodes, Services, Deployments, etc.
+* *Kubernetes objects affected*: BMH, MachineRegistration, etc.
+
+.How to collect
+
+* *For logs*: Redirect command output to files (for example, `journalctl -u k3s > k3s_logs.txt`).
+* *For Kubernetes resources*: Use `kubectl get <resource> -o yaml > <resource_name>.yaml` to get detailed YAML definitions.
+* *For system information*: Collect output of the commands listed above.
+* *For SL Micro*: Check the https://documentation.suse.com/sle-micro/5.5/html/SLE-Micro-all/cha-adm-support-slemicro.html[SUSE Linux Micro Troubleshooting Guide] documentation on how to gather system information for support with `supportconfig`.
+* *For RKE2/Rancher*: Check the https://www.suse.com/support/kb/doc/?id=000020191[The Rancher v2.x Linux log collector script] article to run The Rancher v2.x Linux log collector script.
+
+////
+
+* *Nessie*: Nessie is a powerful diagnostic tool designed to collect logs and configuration data from SUSE Edge environments. It gathers comprehensive information from both the host system and Kubernetes clusters, making it invaluable for troubleshooting and support. To collect logs from a SUSE Edge cluster, connect to any of the control plane nodes and run:
++
+[,shell]
+----
+podman run --privileged \
+  -v /etc/rancher/k3s/k3s.yaml:/etc/rancher/k3s/k3s.yaml:ro \
+  -v /var/log/journal:/var/log/journal:ro \
+  -v /run/systemd:/run/systemd:ro \
+  -v /etc/machine-id:/etc/machine-id:ro \
+  -v /tmp/nessie-logs:/tmp/cluster-logs \
+  ghcr.io/gagrio/nessie
+----
++
+[NOTE]
+====
+Adjust the paths of the `k3s.yaml/rke2.yaml` file if needed. See https://github.com/suse-edge/support-tools/blob/main/nessie/README.md[Nessie] for more information.
+====
+
+////
+
+.Contact Support
+Please check the article available at https://www.suse.com/support/kb/doc/?id=000019452[How-to effectively work with SUSE Technical Support] and the support handbook located at https://www.suse.com/support/handbook/[SUSE Technical Support Handbook] for more details on how to contact SUSE support.

asciidoc/troubleshooting/general-troubleshooting-principles.adoc

@@ -0,0 +1,26 @@
+[#general-troubleshooting-principles]
+== General Troubleshooting Principles
+:experimental:
+
+ifdef::env-github[]
+:imagesdir: ../images/
+:tip-caption: :bulb:
+:note-caption: :information_source:
+:important-caption: :heavy_exclamation_mark:
+:caution-caption: :fire:
+:warning-caption: :warning:
+endif::[]
+
+Before diving into component-specific issues, consider these general principles:
+
+* *Check logs*: Logs are the primary source of information. Most of the times the errors are self explanatory and contain hints on what failed.
+* *Check clocks*: Having clock differences between systems can lead to all kinds of different errors. Ensure clocks are in sync. EIB can be instructed to force clock sync at boot time, see <<quickstart-eib,Configuring OS Time>>.
+* *Boot Issues*: If the system is stuck during boot, note down the last messages displayed. Access the console (physical or via BMC) to observe boot messages.
+* *Network Issues*: Verify network interface configuration (`ip a`), routing table (`ip route`), test connectivity from/to other nodes and external services (`ping`, `nc`). Ensure firewall rules are not blocking necessary ports.
+* *Verify component status*: Use `kubectl get` and `kubectl describe` for Kubernetes resources. Use `kubectl get events --sort-by='.lastTimestamp' -n <namespace>` to see the events on a particular Kubernetes namespace.
+* *Verify services status*: Use `systemctl status <service>` for systemd services.
+* *Check syntax*: Software expects certain structure and syntax on configuration files. For yaml files, for example, use `yamllint` or similar tools to verify the proper syntax.
+* *Isolate the problem*: Try to narrow down the issue to a specific component or layer (for example, network, storage, OS, Kubernetes, Metal^3^, Ironic,...).
+* *Documentation*: Always refer to the official https://documentation.suse.com/suse-edge/[SUSE Edge documentation] and also upstream documentation for detailed information.
+* *Versions*: SUSE Edge is an opinionated and thorough tested version of different SUSE components. he versions of each component per SUSE Edge release can be observed in the https://documentation.suse.com/suse-edge/support-matrix/html/support-matrix/index.html[SUSE Edge support matrix].
+* *Known issues*: For each SUSE Edge release there is a “Known issues” section on the release notes that contains information of issues that will be fixed on future releases but can affect the current one.

asciidoc/troubleshooting/troubleshooting-directed-network-provisioning.adoc

@@ -0,0 +1,129 @@
+[#troubleshooting-directed-network-provisioning]
+== Troubleshooting Directed-network provisioning
+:experimental:
+
+ifdef::env-github[]
+:imagesdir: ../images/
+:tip-caption: :bulb:
+:note-caption: :information_source:
+:important-caption: :heavy_exclamation_mark:
+:caution-caption: :fire:
+:warning-caption: :warning:
+endif::[]
+
+Directed-network provisioning scenarios involve using Metal^3^ and CAPI elements to provision the Downstream cluster. It also includes EIB to create an OS image. Issues can happen when the host is being booted for the first time or during the inspection or provisioning processes.
+
+.Common Issues
+
+* *Old firmware*: Verify all the different firmware on the physical hosts being used are up to date. This includes the BMC firmware as some times Metal^3^ https://book.metal3.io/bmo/supported_hardware#redfish-and-its-variants[requires specific/updated ones].
+* *Provisioning failed with SSL errors*: If the webserver serving the images uses https, Metal^3^ needs to be configured to inject and trust the certificate on the IPA image. See <<mgmt-cluster-kubernetes-folder,Kubernetes folder>> on how to include a `ca-additional.crt` file to the Metal^3^ chart.
+* *Certificates issues when booting the hosts with IPA*: Some server vendors verify the SSL connection when attaching virtual-media ISO images to the BMC, which can cause a problem because the generated certificates for the Metal3 deployment are self-signed. It can happen that the host is being booted but it drops to an UEFI shell. See <<disabling-tls-for-virtualmedia-iso-attachment, Disabling TLS for virtualmedia ISO attachment>> on how to fix it.
+* *Wrong name or label reference*: If the cluster references a node by the wrong name or label, the cluster results as deployed but the BMH remains as “Available”. Double-check the references on the involved objects for the BMHs.
+* *BMC communication issues*: Ensure the Metal^3^ pods running on the management cluster can reach the BMC of the hosts being provisioned (usually the BMC network is very restricted).
+* *Incorrect bare metal host state*: The BMH object goes to different states (inspecting, preparing, provisioned, etc.) during its lifetime https://book.metal3.io/bmo/state_machine[Lifetime of State machine]. If detected an incorrect state, check the `status` field of the BMH object as it contains more information as `kubectl get bmh <name> -o jsonpath=’{.status}’| jq`.
+* *Host not being deprovisioned*: In the event of a host being intended to be deprovisioned fails, the removal can be attempted after adding the “detached” annotation to the BMH object as:  `kubectl annotate bmh/<BMH> baremetalhost.metal3.io/detached=””`.
+* *Image errors*: Verify the image being built with EIB for the downstream cluster is available, has a proper checksum and it is not too large to decompress or too large for disk.
+* *Disk size mismatch*: By default, the disk would not expand to fill the whole disk. As explained in the <<growfs-script, Growfs script>> section, a growfs script needs to be included in the image being built with EIB for the downstream cluster hosts. 
+* *Cleaning process stuck*: The cleaning process is retried several times. If due to a problem with the host cleaning is no longer possible, disable cleaning first by setting the `automatedCleanMode` field to `disabled` on the BMH object.
++
+[WARNING]
+====
+It is not recommended to manually remove the finalizer when the cleaning process is taking longer than desired or is failing. Doing so, removes the host record from Kubernetes but leave it in Ironic. The currently running action continues in the background, and an attempt to add the host again may fail because of the conflict.
+====
+* *Metal3/Rancher Turtles/CAPI pods issues*: The deployment flow for all the required components is:
++
+** The Rancher Turtles controller deploys the CAPI operator controller.
+** The CAPI operator controller then deploys the provider controllers (CAPI core, CAPM3 and RKE2 controlplane/bootstrap).
+
+Verify all the pods are running correctly and check the logs otherwise.
+
+
+.Logs
+* *Metal^3^ logs*:Check logs for the different pods.
++
+[,shell]
+----
+kubectl logs -n metal3-system -l app.kubernetes.io/component=baremetal-operator
+kubectl logs -n metal3-system -l app.kubernetes.io/component=ironic
+----
++
+[NOTE]
+====
+The metal3-ironic pod contains at least 4 different containers (`ironic-httpd`,` ironic-log-watch`, `ironic` & `ironic-ipa-downloader` (init)) on the same pod. Use the `-c`  flag when using `kubectl logs` to verify the logs of each of the containers.
+====
++
+[NOTE]
+====
+The `ironic-log-watch` container exposes console logs from the hosts after inspection/provisioning, provided network connectivity enables sending these logs back to the management cluster. This can be useful in cases where there are provisioning errors but you do not have direct access to the BMC console logs.
+====
+
+* *Rancher Turtles logs*: Check logs for the different pods.
++
+[,shell]
+----
+kubectl logs -n rancher-turtles-system -l control-plane=controller-manager 
+kubectl logs -n rancher-turtles-system -l app.kubernetes.io/name=cluster-api-operator
+kubectl logs -n rke2-bootstrap-system -l cluster.x-k8s.io/provider=bootstrap-rke2
+kubectl logs -n rke2-control-plane-system -l cluster.x-k8s.io/provider=control-plane-rke2
+kubectl logs -n capi-system -l cluster.x-k8s.io/provider=cluster-api
+kubectl logs -n capm3-system -l cluster.x-k8s.io/provider=infrastructure-metal3
+----
+
+* *BMC logs*: Usually BMCs have a UI where most of the interaction can be done. There is usually a “logs” section that can be observed for potential issues (not being able to reach the image, hardware failures, etc.).
+
+* *Console logs*: Connect to the BMC console (via the BMC webui, serial, etc.) and check for errors on the logs being written.
+
+.Troubleshooting steps
+
+. *Check `BareMetalHost` status*:
+
+* `kubectl get bmh -A` shows the current state. Look for `provisioning`, `ready`, `error`, `registering`.
+* `kubectl describe bmh -n <namespace> <bmh_name>` provides detailed events and conditions explaining why a BMH might be stuck.
+
+. *Test RedFish connectivity*:
+
+* Use `curl` from the Metal^3^ control plane to test connectivity to the BMCs via redfish.
+* Ensure correct BMC credentials are provided in the `BareMetalHost-Secret` definition.
+
+. *Verify turtles/CAPI/metal3 pod status*: Ensure the containers on the management cluster are up and running: `kubectl get pods -n metal3-system` and `kubectl get pods -n rancher-turtles-system` (also see `capi-system`, `capm3-system`, `rke2-bootstrap-system` and `rke2-control-plane-system`).
+
+. *Verify the ironic endpoint is reachable from the host being provisioned*: The host being provisioned needs to be able to reach out the Ironic endpoint to report back to Metal^3^. Check the IP with `kubectl get svc -n metal3-system metal3-metal3-ironic` and try to reach it via `curl/nc`.
+
+. *Verify the IPA image is reachable from the BMC*: IPA is being served by the Ironic endpoint and it needs to be reachable from the BMC as it is being used as a virtual CD.
+
+. *Verify the OS image is reachable from the host being provisioned*: The image being used to provision the host needs to be reachable from the host itself (when running IPA) as it will be downloaded temporarily and written to the disk.
+
+. *Examine Metal^3^ component logs*: See above.
+
+. *Retrigger BMH Insepction*:  If an inspection failed or the hardware of an available host changed, a new inspection process can be triggered by annotating the BMH object with `inspect.metal3.io: ""`. See the https://book.metal3.io/bmo/inspect_annotation[Metal^3^ Controlling inspection] guide for more information.
+
+. *Bare metal IPA console*: To troubleshoot IPA issues a couple of alternatives exist:
+
+* Enable “autologin”. This enables the root user to be logged automatically when connecting to the IPA console.
++
+[WARNING]
+====
+This is only for debug purposes as it gives full access to the host.
+====
++
+To enable autologin, the Metal3 helm `global.ironicKernelParams` value should look like: `console=ttyS0 suse.autologin=ttyS0` (depending on the console, `ttyS0` can be changed). Then a redeployment of the Metal^3^ chart should be performed. (Note `ttyS0` is an example, this should match the actual terminal e.g may be `tty1` in many cases on bare metal, this can be verified by looking at the console output from the IPA ramdisk on boot where `/etc/issue` prints the console name).
++
+Another way to do it is by changing the `IRONIC_KERNEL_PARAMS` parameter on the `ironic-bmo` configmap on the `metal3-system` namespace. This can be easier as it can be done via `kubectl` edit but it will be overwritten when updating the chart. Then the Metal^3^ pod needs to be restarted with `kubectl delete pod -n metal3-system -l app.kubernetes.io/component=ironic`.
+
+* Inject an ssh key for the root user on the IPA.
++ 
+[WARNING]
+====
+This is only for debug purposes as it gives full access to the host.
+====
++
+To inject the ssh key for the root user, the Metal^3^ helm `debug.ironicRamdiskSshKey` value should be used. Then a redeployment of the Metal^3^ chart should be performed.
++
+Another way to do it is by changing the `IRONIC_RAMDISK_SSH_KEY` parameter on the `ironic-bmo configmap` on the `metal3-system` namespace. This can be easier as it can be done via `kubectl` edit but it will be overwritten when updating the chart. Then the Metal^3^ pod needs to be restarted with `kubectl delete pod -n metal3-system -l app.kubernetes.io/component=ironic`
+
+
+[NOTE]
+====
+Check the https://cluster-api.sigs.k8s.io/user/troubleshooting[CAPI troubleshooting] and https://book.metal3.io/troubleshooting[Metal^3^ troubleshooting] guides.
+====
+