OKD documentation mentions OS extensions, needs to be reworked to use repos instead

Describe the bug

(This is honestly more of a call for help than a formal bug report, since I have a feeling that I'm missing a logical step somewhere.)

I cannot install usbguard according to documentation. When nodes are restarting after machine config change, they will not come back up. The journal states that the package cannot be found.

rpm-ostree[5653]: client(id:machine-config-operator dbus:1.91 unit:crio-951c19688366e10d58fa19067d28da9da5c6a4e1296e97c3d0ca68232451dfa4.scope uid:0) added; new total=1
rpm-ostree[5653]: Locked sysroot
rpm-ostree[5653]: Initiated txn UpdateDeployment for client(id:machine-config-operator dbus:1.91 unit:crio-951c19688366e10d58fa19067d28da9da5c6a4e1296e97c3d0ca68232451dfa4.scope uid:0): /org/projectatomic/rpmostree1/fedora_coreos
rpm-ostree[5653]: Process [pid: 6230 uid: 0 unit: crio-951c19688366e10d58fa19067d28da9da5c6a4e1296e97c3d0ca68232451dfa4.scope] connected to transaction progress
rpm-ostree[5653]: Librepo version: 1.14.4 with CURL_GLOBAL_ACK_EINTR support (libcurl/7.82.0 OpenSSL/3.0.5 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.3 libpsl/0.21.1 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.46.0 OpenLDAP/2.6.3)
rpm-ostree[5653]: Preparing pkg txn; enabled repos: ['coreos-extensions'] solvables: 0
rpm-ostree[5653]: Txn UpdateDeployment on /org/projectatomic/rpmostree1/fedora_coreos failed: Packages not found: usbguard
rpm-ostree[5653]: Unlocked sysroot
rpm-ostree[5653]: Process [pid: 6230 uid: 0 unit: crio-951c19688366e10d58fa19067d28da9da5c6a4e1296e97c3d0ca68232451dfa4.scope] disconnected from transaction progress
rpm-ostree[5653]: client(id:machine-config-operator dbus:1.91 unit:crio-951c19688366e10d58fa19067d28da9da5c6a4e1296e97c3d0ca68232451dfa4.scope uid:0) vanished; remaining=0
rpm-ostree[5653]: In idle state; will auto-exit in 64 seconds
rpm-ostree[5653]: client(id:machine-config-operator dbus:1.92 unit:crio-951c19688366e10d58fa19067d28da9da5c6a4e1296e97c3d0ca68232451dfa4.scope uid:0) added; new total=1
rpm-ostree[5653]: Locked sysroot
rpm-ostree[5653]: Initiated txn Cleanup for client(id:machine-config-operator dbus:1.92 unit:crio-951c19688366e10d58fa19067d28da9da5c6a4e1296e97c3d0ca68232451dfa4.scope uid:0): /org/projectatomic/rpmostree1/fedora_coreos
rpm-ostree[5653]: Process [pid: 6246 uid: 0 unit: crio-951c19688366e10d58fa19067d28da9da5c6a4e1296e97c3d0ca68232451dfa4.scope] connected to transaction progress
rpm-ostree[5653]: Txn Cleanup on /org/projectatomic/rpmostree1/fedora_coreos successful
rpm-ostree[5653]: Unlocked sysroot
rpm-ostree[5653]: Process [pid: 6246 uid: 0 unit: crio-951c19688366e10d58fa19067d28da9da5c6a4e1296e97c3d0ca68232451dfa4.scope] disconnected from transaction progress
rpm-ostree[5653]: client(id:machine-config-operator dbus:1.92 unit:crio-951c19688366e10d58fa19067d28da9da5c6a4e1296e97c3d0ca68232451dfa4.scope uid:0) vanished; remaining=0
rpm-ostree[5653]: In idle state; will auto-exit in 60 seconds

Version Bare metal installation. Last tested with 4.11.0-0.okd-2022-10-15-073651 but I've never gotten it to work with 4.10 or 4.11.

How reproducible Every time.

Log bundle must-gather.local.3609476246868615740.zip

More information I honestly don't understand how I'm supposed to install usbguard. The OKD docs instructs to add the extension usbguard via machine config. Even the example in Bugzilla 1877448 includes usbguard. It seems the FCOS folks think they have done their part.

The only strange thing I can find in the log is that the only enabled repo is coreos-extensions but there is no such repo under /etc/yum.repos.d, which I've gotten the impression rpmtree uses and that "extensions" in a machine config really is a rpmtree install command. Please correct me if I'm all wrong.

Since the same dokumentation works nicely on OpenShift, perhaps the OKD documentation is a copy of the OCP docs but missing something OKD-specific?

okd-project / okd

OKD documentation mentions OS extensions, needs to be reworked to use repos instead #1371