Machine configuration

1. Cordon. The MCO marks the node as not schedulable for additional workloads.
2. Drain. The MCO terminates all running workloads on the node, causing the workloads to be rescheduled onto other nodes.
3. Apply. The MCO writes the new configuration to the nodes as needed.
4. Reboot. The MCO restarts the node.
5. Uncordon. The MCO marks the node as schedulable for workloads.

Procedure

1. To see the number of MCO-managed nodes available on your cluster for each machine config pool (MCP), run the following command:

   $ oc get machineconfigpool

   Example output

   NAME      CONFIG                    UPDATED  UPDATING   DEGRADED  MACHINECOUNT  READYMACHINECOUNT  UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT  AGE
   master    rendered-master-06c9c4…   True     False      False     3             3                  3                   0                     4h42m
   worker    rendered-worker-f4b64…    False    True       False     3             2                  2                   0                     4h42m

   where:

   UPDATED

   The True status indicates that the MCO has applied the current machine config to the nodes in that MCP. The current machine config is specified in the STATUS field in the oc get mcp output. The False status indicates a node in the MCP is updating.

   UPDATING

   The True status indicates that the MCO is applying the desired machine config, as specified in the MachineConfigPool custom resource, to at least one of the nodes in that MCP. The desired machine config is the new, edited machine config. Nodes that are updating might not be available for scheduling. The False status indicates that all nodes in the MCP are updated.

   DEGRADED

   A True status indicates the MCO is blocked from applying the current or desired machine config to at least one of the nodes in that MCP, or the configuration is failing. Nodes that are degraded might not be available for scheduling. A False status indicates that all nodes in the MCP are ready.

   MACHINECOUNT

   Indicates the total number of machines in that MCP.

   READYMACHINECOUNT

   Indicates the number of machines that are both running the current machine config and are ready for scheduling. This count is always less than or equal to the UPDATEDMACHINECOUNT number.

   UPDATEDMACHINECOUNT

   Indicates the total number of machines in that MCP that have the current machine config.

   DEGRADEDMACHINECOUNT

   Indicates the total number of machines in that MCP that are marked as degraded or unreconcilable.

   In the previous output, there are three control plane (master) nodes and three worker nodes. The control plane MCP and the associated nodes are updated to the current machine config. The nodes in the worker MCP are being updated to the desired machine config. Two of the nodes in the worker MCP are updated and one is still updating, as indicated by the UPDATEDMACHINECOUNT being 2. There are no issues, as indicated by the DEGRADEDMACHINECOUNT being 0 and DEGRADED being False.

   While the nodes in the MCP are updating, the machine config listed under CONFIG is the current machine config, which the MCP is being updated from. When the update is complete, the listed machine config is the desired machine config, which the MCP was updated to.

   Note

   If a node is being cordoned, that node is not included in the READYMACHINECOUNT, but is included in the MACHINECOUNT. Also, the MCP status is set to UPDATING. Because the node has the current machine config, it is counted in the UPDATEDMACHINECOUNT total:

   Example output

   NAME      CONFIG                    UPDATED  UPDATING   DEGRADED  MACHINECOUNT  READYMACHINECOUNT  UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT  AGE
   master    rendered-master-06c9c4…   True     False      False     3             3                  3                   0                     4h42m
   worker    rendered-worker-c1b41a…   False    True       False     3             2                  3                   0                     4h42m

2. To check the status of the nodes in an MCP by examining the MachineConfigPool custom resource, run the following command: :

   $ oc describe mcp worker

   Example output

   ...
     Degraded Machine Count:     0
     Machine Count:              3
     Observed Generation:        2
     Ready Machine Count:        3
     Unavailable Machine Count:  0
     Updated Machine Count:      3
   Events:                       <none>

   Note

   If a node is being cordoned, the node is not included in the Ready Machine Count. It is included in the Unavailable Machine Count:

   Example output

   ...
     Degraded Machine Count:     0
     Machine Count:              3
     Observed Generation:        2
     Ready Machine Count:        2
     Unavailable Machine Count:  1
     Updated Machine Count:      3

3. To see each existing MachineConfig object, run the following command:

   $ oc get machineconfigs

   Example output

   NAME                             GENERATEDBYCONTROLLER          IGNITIONVERSION  AGE
   00-master                        2c9371fbb673b97a6fe8b1c52...   3.5.0            5h18m
   00-worker                        2c9371fbb673b97a6fe8b1c52...   3.5.0            5h18m
   01-master-container-runtime      2c9371fbb673b97a6fe8b1c52...   3.5.0            5h18m
   01-master-kubelet                2c9371fbb673b97a6fe8b1c52…     3.5.0            5h18m
   ...
   rendered-master-dde...           2c9371fbb673b97a6fe8b1c52...   3.5.0            5h18m
   rendered-worker-fde...           2c9371fbb673b97a6fe8b1c52...   3.5.0            5h18m

   Note that the MachineConfig objects listed as rendered are not meant to be changed or deleted.

4. To view the contents of a particular machine config (in this case, 01-master-kubelet), run the following command:

   $ oc describe machineconfigs 01-master-kubelet

   The output from the command shows that this MachineConfig object contains both configuration files (cloud.conf and kubelet.conf) and a systemd service (Kubernetes Kubelet):

   Example output

   Name:         01-master-kubelet
   ...
   Spec:
     Config:
       Ignition:
         Version:  3.5.0
       Storage:
         Files:
           Contents:
             Source:   data:,
           Mode:       420
           Overwrite:  true
           Path:       /etc/kubernetes/cloud.conf
           Contents:
             Source:   data:,kind%3A%20KubeletConfiguration%0AapiVersion%3A%20kubelet.config.k8s.io%2Fv1beta1%0Aauthentication%3A%0A%20%20x509%3A%0A%20%20%20%20clientCAFile%3A%20%2Fetc%2Fkubernetes%2Fkubelet-ca.crt%0A%20%20anonymous...
           Mode:       420
           Overwrite:  true
           Path:       /etc/kubernetes/kubelet.conf
       Systemd:
         Units:
           Contents:  [Unit]
   Description=Kubernetes Kubelet
   Wants=rpc-statd.service network-online.target crio.service
   After=network-online.target crio.service
   
   ExecStart=/usr/bin/hyperkube \
       kubelet \
         --config=/etc/kubernetes/kubelet.conf \ ...

Procedure

1. Create a Butane config including the contents of the chrony.conf file. For example, to configure chrony on worker nodes, create a 99-worker-chrony.bu file.

   Note

   The Butane version you specify in the config file should match the OpenShift Container Platform version and always ends in 0. For example, 4.22.0. See "Creating machine configs with Butane" for information about Butane.

   variant: openshift
   version: 4.22.0
   metadata:
     name: 99-worker-chrony
     labels:
       machineconfiguration.openshift.io/role: worker
   storage:
     files:
     - path: /etc/chrony.conf
       mode: 0644
       overwrite: true
       contents:
         inline: |
           pool 0.rhel.pool.ntp.org iburst
           driftfile /var/lib/chrony/drift
           makestep 1.0 3
           rtcsync
           logdir /var/log/chrony

   • name: 99-worker-chrony - Specify a name for the machine config file. On control plane nodes, substitute master for worker.
   • machineconfiguration.openshift.io/role: worker - On control plane nodes, substitute master for worker.
   • mode: 0644 - Specify an octal value mode for the mode field in the machine config file. After creating the file and applying the changes, the mode is converted to a decimal value. You can check the YAML file with the command oc get mc <mc-name> -o yaml.
   • pool 0.rhel.pool.ntp.org iburst - Specify any valid, reachable time source, such as the one provided by your DHCP server.
   Note

   For all-machine to all-machine communication, the Network Time Protocol (NTP) on UDP is port 123. If an external NTP time server is configured, you must open UDP port 123.

   Alternatively, you can specify any of the following NTP servers: 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, or 3.rhel.pool.ntp.org. When you use NTP with your DHCP server, you must set the sourcedir /run/chrony-dhcp parameter in the chrony.conf file.

2. Use Butane to generate a MachineConfig object file, 99-worker-chrony.yaml, containing the configuration to be delivered to the nodes:

   $ butane 99-worker-chrony.bu -o 99-worker-chrony.yaml

3. Apply the configurations in one of two ways:

   • If the cluster is not running yet, after you generate manifest files, add the MachineConfig object file to the <installation_directory>/openshift directory, and then continue to create the cluster.

   • If the cluster is already running, apply the file:

     $ oc apply -f ./99-worker-chrony.yaml

Procedure

1. Create the MachineConfig CR that disables chronyd for the specified node role.

   1. Save the following YAML in the disable-chronyd.yaml file:

      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        labels:
          machineconfiguration.openshift.io/role: <node_role> 

      1

      
        name: disable-chronyd
      spec:
        config:
          ignition:
            version: 3.5.0
          systemd:
            units:
              - contents: |
                  [Unit]
                  Description=NTP client/server
                  Documentation=man:chronyd(8) man:chrony.conf(5)
                  After=ntpdate.service sntp.service ntpd.service
                  Conflicts=ntpd.service systemd-timesyncd.service
                  ConditionCapability=CAP_SYS_TIME
                  [Service]
                  Type=forking
                  PIDFile=/run/chrony/chronyd.pid
                  EnvironmentFile=-/etc/sysconfig/chronyd
                  ExecStart=/usr/sbin/chronyd $OPTIONS
                  ExecStartPost=/usr/libexec/chrony-helper update-daemon
                  PrivateTmp=yes
                  ProtectHome=yes
                  ProtectSystem=full
                  [Install]
                  WantedBy=multi-user.target
                enabled: false
                name: "chronyd.service"
              - name: "kubelet-dependencies.target"
                contents: |
                  [Unit]
                  Description=Dependencies necessary to run kubelet
                  Documentation=https://github.com/openshift/machine-config-operator/
                  Requires=basic.target network-online.target
                  Wants=NetworkManager-wait-online.service crio-wipe.service
                  Wants=rpc-statd.service

      1 1

      Node role where you want to disable chronyd, for example, master.

   2. Create the MachineConfig CR by running the following command:

      $ oc create -f disable-chronyd.yaml

Procedure

1. List existing MachineConfig objects for your OpenShift Container Platform cluster to determine how to label your machine config:

   $ oc get MachineConfig

   Example output

   NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
   00-master                                          52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   00-worker                                          52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   01-master-container-runtime                        52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   01-master-kubelet                                  52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   01-worker-container-runtime                        52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   01-worker-kubelet                                  52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   99-master-generated-registries                     52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   99-master-ssh                                                                                 3.2.0             40m
   99-worker-generated-registries                     52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   99-worker-ssh                                                                                 3.2.0             40m
   rendered-master-23e785de7587df95a4b517e0647e5ab7   52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   rendered-worker-5d596d9293ca3ea80c896a1191735bb1   52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m

2. Create a MachineConfig object file that identifies the kernel argument (for example, 05-worker-kernelarg-selinuxpermissive.yaml)

   apiVersion: machineconfiguration.openshift.io/v1
   kind: MachineConfig
   metadata:
     labels:
       machineconfiguration.openshift.io/role: worker
     name: 05-worker-kernelarg-selinuxpermissive
   spec:
     kernelArguments:
       - enforcing=0

   where:

   machineconfiguration.openshift.io/role

   Specifies a label to apply changes to specific nodes.

   name

   Specifies a name to identify where it fits among the machine configs (05) and what it does (adds a kernel argument to configure SELinux permissive mode).

   kernelArguments

   Specifies the exact kernel argument as enforcing=0.

3. Create the new machine config:

   $ oc create -f 05-worker-kernelarg-selinuxpermissive.yaml

4. Check the machine configs to see that the new one was added:

   $ oc get MachineConfig

   Example output

   NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
   00-master                                          52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   00-worker                                          52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   01-master-container-runtime                        52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   01-master-kubelet                                  52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   01-worker-container-runtime                        52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   01-worker-kubelet                                  52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   05-worker-kernelarg-selinuxpermissive                                                         3.5.0             105s
   99-master-generated-registries                     52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   99-master-ssh                                                                                 3.2.0             40m
   99-worker-generated-registries                     52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   99-worker-ssh                                                                                 3.2.0             40m
   rendered-master-23e785de7587df95a4b517e0647e5ab7   52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   rendered-worker-5d596d9293ca3ea80c896a1191735bb1   52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m

5. Check the nodes:

   $ oc get nodes

   Example output

   NAME                           STATUS                     ROLES    AGE   VERSION
   ip-10-0-136-161.ec2.internal   Ready                      worker   28m   v1.35.4
   ip-10-0-136-243.ec2.internal   Ready                      master   34m   v1.35.4
   ip-10-0-141-105.ec2.internal   Ready,SchedulingDisabled   worker   28m   v1.35.4
   ip-10-0-142-249.ec2.internal   Ready                      master   34m   v1.35.4
   ip-10-0-153-11.ec2.internal    Ready                      worker   28m   v1.35.4
   ip-10-0-153-150.ec2.internal   Ready                      master   34m   v1.35.4

   You can see that scheduling on each worker node is disabled as the change is being applied.

6. Check that the kernel argument worked by going to one of the worker nodes and listing the kernel command-line arguments (in /proc/cmdline on the host):

   $ oc debug node/ip-10-0-141-105.ec2.internal

   Example output

   Starting pod/ip-10-0-141-105ec2internal-debug ...
   To use host binaries, run `chroot /host`
   
   sh-4.2# cat /host/proc/cmdline
   BOOT_IMAGE=/ostree/rhcos-... console=tty0 console=ttyS0,115200n8
   rootflags=defaults,prjquota rw root=UUID=fd0... ostree=/ostree/boot.0/rhcos/16...
   coreos.oem.id=qemu coreos.oem.id=ec2 ignition.platform.id=ec2 enforcing=0
   
   sh-4.2# exit

   You should see the enforcing=0 argument added to the other kernel arguments.

Procedure

1. To enable multipathing postinstallation on control plane nodes:

   • Create a machine config file, such as 99-master-kargs-mpath.yaml, that instructs the cluster to add the master label and that identifies the multipath kernel argument, for example:

     apiVersion: machineconfiguration.openshift.io/v1
     kind: MachineConfig
     metadata:
       labels:
         machineconfiguration.openshift.io/role: "master"
       name: 99-master-kargs-mpath
     spec:
       kernelArguments:
         - 'rd.multipath=default'
         - 'root=/dev/disk/by-label/dm-mpath-root'

2. To enable multipathing postinstallation on worker nodes:

   • Create a machine config file, such as 99-worker-kargs-mpath.yaml, that instructs the cluster to add the worker label and that identifies the multipath kernel argument, for example:

     apiVersion: machineconfiguration.openshift.io/v1
     kind: MachineConfig
     metadata:
       labels:
         machineconfiguration.openshift.io/role: "worker"
       name: 99-worker-kargs-mpath
     spec:
       kernelArguments:
         - 'rd.multipath=default'
         - 'root=/dev/disk/by-label/dm-mpath-root'

3. Create the new machine config by using either the master or worker YAML file you previously created:

   $ oc create -f ./99-worker-kargs-mpath.yaml

4. Check the machine configs to see that the new one was added:

   $ oc get MachineConfig

   Example output

   NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
   00-master                                          52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   00-worker                                          52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   01-master-container-runtime                        52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   01-master-kubelet                                  52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   01-worker-container-runtime                        52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   01-worker-kubelet                                  52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   99-master-generated-registries                     52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   99-master-ssh                                                                                 3.2.0             40m
   99-worker-generated-registries                     52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   99-worker-kargs-mpath                              52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             105s
   99-worker-ssh                                                                                 3.2.0             40m
   rendered-master-23e785de7587df95a4b517e0647e5ab7   52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m
   rendered-worker-5d596d9293ca3ea80c896a1191735bb1   52dd3ba6a9a527fc3ab42afac8d12b693534c8c9   3.5.0             33m

5. Check the nodes:

   $ oc get nodes

   Example output

   NAME                           STATUS                     ROLES    AGE   VERSION
   ip-10-0-136-161.ec2.internal   Ready                      worker   28m   v1.35.4
   ip-10-0-136-243.ec2.internal   Ready                      master   34m   v1.35.4
   ip-10-0-141-105.ec2.internal   Ready,SchedulingDisabled   worker   28m   v1.35.4
   ip-10-0-142-249.ec2.internal   Ready                      master   34m   v1.35.4
   ip-10-0-153-11.ec2.internal    Ready                      worker   28m   v1.35.4
   ip-10-0-153-150.ec2.internal   Ready                      master   34m   v1.35.4

   You can see that scheduling on each worker node is disabled as the change is being applied.

6. Check that the kernel argument worked by going to one of the worker nodes and listing the kernel command-line arguments (in /proc/cmdline on the host):

   $ oc debug node/ip-10-0-141-105.ec2.internal

   Example output

   Starting pod/ip-10-0-141-105ec2internal-debug ...
   To use host binaries, run `chroot /host`
   
   sh-4.2# cat /host/proc/cmdline
   ...
   rd.multipath=default root=/dev/disk/by-label/dm-mpath-root
   ...
   
   sh-4.2# exit

   You should see the added kernel arguments.

Procedure

1. Create a machine config for the real-time kernel: Create a YAML file (for example, 99-worker-realtime.yaml) that contains a MachineConfig object for the realtime kernel type. This example tells the cluster to use a real-time kernel for all worker nodes:

   $ cat << EOF > 99-worker-realtime.yaml
   apiVersion: machineconfiguration.openshift.io/v1
   kind: MachineConfig
   metadata:
     labels:
       machineconfiguration.openshift.io/role: "worker"
     name: 99-worker-realtime
   spec:
     kernelType: realtime
   EOF

2. Add the machine config to the cluster. Type the following to add the machine config to the cluster:

   $ oc create -f 99-worker-realtime.yaml

3. Check the real-time kernel: Once each impacted node reboots, log in to the cluster and run the following commands to make sure that the real-time kernel has replaced the regular kernel for the set of nodes you configured:

   $ oc get nodes

   Example output

   NAME                                        STATUS  ROLES    AGE   VERSION
   ip-10-0-143-147.us-east-2.compute.internal  Ready   worker   103m  v1.35.4
   ip-10-0-146-92.us-east-2.compute.internal   Ready   worker   101m  v1.35.4
   ip-10-0-169-2.us-east-2.compute.internal    Ready   worker   102m  v1.35.4

   $ oc debug node/ip-10-0-143-147.us-east-2.compute.internal

   Example output

   Starting pod/ip-10-0-143-147us-east-2computeinternal-debug ...
   To use host binaries, run `chroot /host`
   
   sh-4.4# uname -a
   Linux <worker_node> 4.18.0-147.3.1.rt24.96.el8_1.x86_64 #1 SMP PREEMPT RT
           Wed Nov 27 18:29:55 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

   The kernel name contains rt and text “PREEMPT RT” indicates that this is a real-time kernel.

4. To go back to the regular kernel, delete the MachineConfig object:

   $ oc delete -f 99-worker-realtime.yaml

Procedure

1. Create a Butane config file, 40-worker-custom-journald.bu, that includes an /etc/systemd/journald.conf file with the required settings.

   Note

   The Butane version you specify in the config file should match the OpenShift Container Platform version and always ends in 0. For example, 4.22.0. See "Creating machine configs with Butane" for information about Butane.

   variant: openshift
   version: 4.22.0
   metadata:
     name: 40-worker-custom-journald
     labels:
       machineconfiguration.openshift.io/role: worker
   storage:
     files:
     - path: /etc/systemd/journald.conf
       mode: 0644
       overwrite: true
       contents:
         inline: |
           # Disable rate limiting
           RateLimitInterval=1s
           RateLimitBurst=10000
           Storage=volatile
           Compress=no
           MaxRetentionSec=30s

2. Use Butane to generate a MachineConfig object file, 40-worker-custom-journald.yaml, containing the configuration to be delivered to the worker nodes:

   $ butane 40-worker-custom-journald.bu -o 40-worker-custom-journald.yaml

3. Apply the machine config to the pool:

   $ oc apply -f 40-worker-custom-journald.yaml

4. Check that the new machine config is applied and that the nodes are not in a degraded state. It might take a few minutes. The worker pool will show the updates in progress, as each node successfully has the new machine config applied:

   $ oc get machineconfigpool

   Example output

   NAME   CONFIG             UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
   master rendered-master-35 True    False    False    3            3                 3                   0                    34m
   worker rendered-worker-d8 False   True     False    3            1                 1                   0                    34m

5. To check that the change was applied, you can log in to a worker node:

   $ oc get node | grep worker

   Example output

   ip-10-0-0-1.us-east-2.compute.internal   Ready    worker   39m   v0.0.0-master+$Format:%h$

   $ oc debug node/ip-10-0-0-1.us-east-2.compute.internal

   Example output

   Starting pod/ip-10-0-141-142us-east-2computeinternal-debug ...
   ...
   sh-4.2# chroot /host
   sh-4.4# cat /etc/systemd/journald.conf
   # Disable rate limiting
   RateLimitInterval=1s
   RateLimitBurst=10000
   Storage=volatile
   Compress=no
   MaxRetentionSec=30s
   sh-4.4# exit

Procedure

1. Create a machine config for extensions: Create a YAML file (for example, 80-extensions.yaml) that contains a MachineConfig extensions object. This example tells the cluster to add the usbguard extension.

   $ cat << EOF > 80-extensions.yaml
   apiVersion: machineconfiguration.openshift.io/v1
   kind: MachineConfig
   metadata:
     labels:
       machineconfiguration.openshift.io/role: worker
     name: 80-worker-extensions
   spec:
     config:
       ignition:
         version: 3.5.0
     extensions:
       - usbguard
   EOF

2. Add the machine config to the cluster. Type the following to add the machine config to the cluster:

   $ oc create -f 80-extensions.yaml

   This sets all worker nodes to have rpm packages for usbguard installed.

3. Check that the extensions were applied:

   $ oc get machineconfig 80-worker-extensions

   Example output

   NAME                 GENERATEDBYCONTROLLER IGNITIONVERSION AGE
   80-worker-extensions                       3.5.0           57s

4. Check that the new machine config is now applied and that the nodes are not in a degraded state. It may take a few minutes. The worker pool will show the updates in progress, as each machine successfully has the new machine config applied:

   $ oc get machineconfigpool

   Example output

   NAME   CONFIG             UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
   master rendered-master-35 True    False    False    3            3                 3                   0                    34m
   worker rendered-worker-d8 False   True     False    3            1                 1                   0                    34m

5. Check the extensions. To check that the extension was applied, run:

   $ oc get node | grep worker

   Example output

   NAME                                        STATUS  ROLES    AGE   VERSION
   ip-10-0-169-2.us-east-2.compute.internal    Ready   worker   102m  v1.35.4

   $ oc debug node/ip-10-0-169-2.us-east-2.compute.internal

   Example output

   ...
   To use host binaries, run `chroot /host`
   sh-4.4# chroot /host
   sh-4.4# rpm -q usbguard
   usbguard-0.7.4-4.el8.x86_64.rpm

Procedure

1. Create a Butane config file, 98-worker-firmware-blob.bu, that updates the search path so that it is root-owned and writable to local storage. The following example places the custom blob file from your local workstation onto nodes under /var/lib/firmware.

   Note

   The Butane version you specify in the config file should match the OpenShift Container Platform version and always ends in 0. For example, 4.22.0. See "Creating machine configs with Butane" for information about Butane.

   Butane config file for custom firmware blob

   variant: openshift
   version: 4.22.0
   metadata:
     labels:
       machineconfiguration.openshift.io/role: worker
     name: 98-worker-firmware-blob
   storage:
     files:
     - path: /var/lib/firmware/<package_name> 

   1

   
       contents:
         local: <package_name> 

   2

   
       mode: 0644 

   3

   
   openshift:
     kernel_arguments:
       - 'firmware_class.path=/var/lib/firmware' 

   4

   1

   Sets the path on the node where the firmware package is copied to.

   2

   Specifies a file with contents that are read from a local file directory on the system running Butane. The path of the local file is relative to a files-dir directory, which must be specified by using the --files-dir option with Butane in the following step.

   3

   Sets the permissions for the file on the RHCOS node. It is recommended to set 0644 permissions.

   4

   The firmware_class.path parameter customizes the kernel search path of where to look for the custom firmware blob that was copied from your local workstation onto the root file system of the node. This example uses /var/lib/firmware as the customized path.

2. Run Butane to generate a MachineConfig object file that uses a copy of the firmware blob on your local workstation named 98-worker-firmware-blob.yaml. The firmware blob contains the configuration to be delivered to the nodes. The following example uses the --files-dir option to specify the directory on your workstation where the local file or files are located:

   $ butane 98-worker-firmware-blob.bu -o 98-worker-firmware-blob.yaml --files-dir <directory_including_package_name>

3. Apply the configurations to the nodes in one of two ways:

   • If the cluster is not running yet, after you generate manifest files, add the MachineConfig object file to the <installation_directory>/openshift directory, and then continue to create the cluster.

   • If the cluster is already running, apply the file:

     $ oc apply -f 98-worker-firmware-blob.yaml

     A MachineConfig object YAML file is created for you to finish configuring your machines.

4. Save the Butane config in case you need to update the MachineConfig object in the future.

Procedure

1. Using a tool that is supported by your operating system, create a hashed password. For example, create a hashed password using mkpasswd by running the following command:

   $ mkpasswd -m SHA-512 testpass

   Example output

   $ $6$CBZwA6s6AVFOtiZe$aUKDWpthhJEyR3nnhM02NM1sKCpHn9XN.NPrJNQ3HYewioaorpwL3mKGLxvW0AOb4pJxqoqP4nFX77y0p00.8.

2. Create a machine config file that contains the core username and the hashed password:

   apiVersion: machineconfiguration.openshift.io/v1
   kind: MachineConfig
   metadata:
     labels:
       machineconfiguration.openshift.io/role: worker
     name: set-core-user-password
   spec:
     config:
       ignition:
         version: 3.5.0
       passwd:
         users:
         - name: core 

   1

   
           passwordHash: <password> 

   2

   1

   This must be core.

   2

   The hashed password to use with the core account.

3. Create the machine config by running the following command:

   $ oc create -f <file-name>.yaml

   The nodes do not reboot and should become available in a few moments. You can use the oc get mcp to watch for the machine config pools to be updated, as shown in the following example:

   NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
   master   rendered-master-d686a3ffc8fdec47280afec446fce8dd   True      False      False      3              3                   3                     0                      64m
   worker   rendered-worker-4605605a5b1f9de1d061e9d350f251e5   False     True       False      3              0                   0                     0                      64m

Verification

1. After the nodes return to the UPDATED=True state, start a debug session for a node by running the following command:

   $ oc debug node/<node_name>

2. Set /host as the root directory within the debug shell by running the following command:

   sh-4.4# chroot /host

3. Check the contents of the /etc/shadow file:

   Example output

   ...
   core:$6$2sE/010goDuRSxxv$o18K52wor.wIwZp:19418:0:99999:7:::
   ...

   The hashed password is assigned to the core user.

Procedure

1. Edit the MachineConfiguration object by using the following command:

   $ oc edit machineconfiguration

2. Add the irreconcilableValidationOverrides stanza to the MachineConfiguration object.

   apiVersion: operator.openshift.io/v1
   kind: MachineConfiguration
   # ...
   spec:
     irreconcilableValidationOverrides:
       storage:
       - Disks
       - Raid
       - FileSystems
   # ...

   where:

   spec.irreconcilableValidationOverrides.storage.Disks

   Allows you to modify the installed storage disk configuration to be used with new nodes. This field is optional.

   spec.irreconcilableValidationOverrides.storage.Raid

   Allows you to modify the installed RAID configuration to be used with new nodes. This field is optional.

   spec.irreconcilableValidationOverrides.storage.FileSystems

   Allows you to modify the installed file system configuration to be used with new nodes. This field is optional.

3. Create a YAML file for a MachineConfig object with the changes that you need, similar to the following:

   apiVersion: machineconfiguration.openshift.io/v1
   kind: MachineConfig
   metadata:
     labels:
       machineconfiguration.openshift.io/role: worker
     name: extra-disks
   spec:
     config:
       ignition:
         version: "3.5.0"
       storage:
         disks:
         - device: "/dev/sdb"
           wipeTable: true
           partitions:
           - label: raid.1.1
             number: 1
             sizeMiB: 1024
             startMiB: 0
         - device: "/dev/sdc"
           wipeTable: true
           partitions:
           - label: raid.1.2
             number: 1
             sizeMiB: 1024
             startMiB: 0
         raid:
         - devices:
           - "/dev/disk/by-partlabel/raid.1.1"
           - "/dev/disk/by-partlabel/raid.1.2"
           level: stripe
           name: data
         filesystems:
         - device: "/dev/md/data"
           path: "/var/lib/data"
           format: ext4
           label: DATA

   where:

   spec.config.storage.disks

   Specifies changes to the installed storage disk configuration in Ignition format. This field is optional.

   spec.config.storage.raid

   Specifies changes to the installed RAID configuration in Ignition format. This field is optional.

   spec.config.storage.filesystems

   Specifies changes to the installed file system configuration in Ignition format. This field is optional.

4. Create the MachineConfig object by using a command similar to the following:

   $ oc create -f <file_name>.yaml

   When you create a new node from a machine set with the associated label, the new configurations are applied to the node.

Procedure

1. Edit the machineconfigurations.operator.openshift.io object to define the node disruption policy:

   $ oc edit MachineConfiguration cluster -n openshift-machine-config-operator

2. Add a node disruption policy similar to the following:

   apiVersion: operator.openshift.io/v1
   kind: MachineConfiguration
   metadata:
     name: cluster
   # ...
   spec:
     nodeDisruptionPolicy: 

   1

   
       files: 

   2

   
       - actions: 

   3

   
         - restart: 

   4

   
             serviceName: chronyd.service 

   5

   
           type: Restart
         path: /etc/chrony.conf 

   6

   
       sshkey: 

   7

   
         actions:
         - type: Drain
         - reload:
             serviceName: crio.service
           type: Reload
         - type: DaemonReload
         - restart:
             serviceName: crio.service
           type: Restart
       units: 

   8

   
       - actions:
         - type: Drain
         - reload:
             serviceName: crio.service
           type: Reload
         - type: DaemonReload
         - restart:
             serviceName: crio.service
           type: Restart
         name: test.service

   1

   Specifies the node disruption policy.

   2

   Specifies a list of machine config file definitions and actions to take to changes on those paths. This list supports a maximum of 50 entries.

   3

   Specifies the series of actions to be executed upon changes to the specified files. Actions are applied in the order that they are set in this list. This list supports a maximum of 10 entries.

   4

   Specifies that the listed service is to be reloaded upon changes to the specified files.

   5

   Specifies the full name of the service to be acted upon.

   6

   Specifies the location of a file that is managed by a machine config. The actions in the policy apply when changes are made to the file in path.

   7

   Specifies a list of service names and actions to take upon changes to the SSH keys in the cluster.

   8

   Specifies a list of systemd unit names and actions to take upon changes to those units.

Prerequisites

1. Obtain the label associated with the static MachineConfigPool CR for the type of node you want to configure. Perform one of the following steps:

   1. View the machine config pool:

      $ oc describe machineconfigpool <name>

      For example:

      $ oc describe machineconfigpool worker

      Example output

      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfigPool
      metadata:
        creationTimestamp: 2019-02-08T14:52:39Z
        generation: 1
        labels:
          custom-kubelet: set-kubelet-config 

      1

      1

      If a label has been added it appears under labels.

   2. If the label is not present, add a key/value pair:

      $ oc label machineconfigpool worker custom-kubelet=set-kubelet-config

Procedure

1. View the available machine configuration objects that you can select:

   $ oc get machineconfig

   By default, the two kubelet-related configs are 01-master-kubelet and 01-worker-kubelet.

2. Check the current value for the maximum pods per node:

   $ oc describe node <node_name>

   For example:

   $ oc describe node ci-ln-5grqprb-f76d1-ncnqq-worker-a-mdv94

   Look for value: pods: <value> in the Allocatable stanza:

   Example output

   Allocatable:
    attachable-volumes-aws-ebs:  25
    cpu:                         3500m
    hugepages-1Gi:               0
    hugepages-2Mi:               0
    memory:                      15341844Ki
    pods:                        250

3. Configure the worker nodes as needed:

   1. Create a YAML file similar to the following that contains the kubelet configuration:

      Important

      Kubelet configurations that target a specific machine config pool also affect any dependent pools. For example, creating a kubelet configuration for the pool containing worker nodes will also apply to any subset pools, including the pool containing infrastructure nodes. To avoid this, you must create a new machine config pool with a selection expression that only includes worker nodes, and have your kubelet configuration target this new pool.

      apiVersion: machineconfiguration.openshift.io/v1
      kind: KubeletConfig
      metadata:
        name: set-kubelet-config
      spec:
        machineConfigPoolSelector:
          matchLabels:
            custom-kubelet: set-kubelet-config 

      1

      
        kubeletConfig: 

      2

      
            podPidsLimit: 8192
            containerLogMaxSize: 50Mi
            maxPods: 500

      1

      Enter the label from the machine config pool.

      2

      Add the kubelet configuration. For example:

      • Use podPidsLimit to set the maximum number of PIDs in any pod.
      • Use containerLogMaxSize to set the maximum size of the container log file before it is rotated.

      • Use maxPods to set the maximum pods per node.

        Note

        The rate at which the kubelet talks to the API server depends on queries per second (QPS) and burst values. The default values, 50 for kubeAPIQPS and 100 for kubeAPIBurst, are sufficient if there are limited pods running on each node. It is recommended to update the kubelet QPS and burst rates if there are enough CPU and memory resources on the node.

        apiVersion: machineconfiguration.openshift.io/v1
        kind: KubeletConfig
        metadata:
          name: set-kubelet-config
        spec:
          machineConfigPoolSelector:
            matchLabels:
              custom-kubelet: set-kubelet-config
          kubeletConfig:
            maxPods: <pod_count>
            kubeAPIBurst: <burst_rate>
            kubeAPIQPS: <QPS>

   2. Update the machine config pool for workers with the label:

      $ oc label machineconfigpool worker custom-kubelet=set-kubelet-config

   3. Create the KubeletConfig object:

      $ oc create -f change-maxPods-cr.yaml

Verification

1. Verify that the KubeletConfig object is created:

   $ oc get kubeletconfig

   Example output

   NAME                      AGE
   set-kubelet-config        15m

   Depending on the number of worker nodes in the cluster, wait for the worker nodes to be rebooted one by one. For a cluster with 3 worker nodes, this could take about 10 to 15 minutes.

2. Verify that the changes are applied to the node:

   1. Check on a worker node that the maxPods value changed:

      $ oc describe node <node_name>

   2. Locate the Allocatable stanza:

       ...
      Allocatable:
        attachable-volumes-gce-pd:  127
        cpu:                        3500m
        ephemeral-storage:          123201474766
        hugepages-1Gi:              0
        hugepages-2Mi:              0
        memory:                     14225400Ki
        pods:                       500 

      1

      
       ...

      1

      In this example, the pods parameter should report the value you set in the KubeletConfig object.

3. Verify the change in the KubeletConfig object:

   $ oc get kubeletconfigs set-kubelet-config -o yaml

   This should show a status of True and type:Success, as shown in the following example:

   spec:
     kubeletConfig:
       containerLogMaxSize: 50Mi
       maxPods: 500
       podPidsLimit: 8192
     machineConfigPoolSelector:
       matchLabels:
         custom-kubelet: set-kubelet-config
   status:
     conditions:
     - lastTransitionTime: "2021-06-30T17:04:07Z"
       message: Success
       status: "True"
       type: Success

1. Create a YAML file for the ContainerRuntimeConfig CR:

   apiVersion: machineconfiguration.openshift.io/v1
   kind: ContainerRuntimeConfig
   metadata:
    name: overlay-size
   spec:
    machineConfigPoolSelector:
      matchLabels:
        pools.operator.machineconfiguration.openshift.io/worker: '' 

   1

   
    containerRuntimeConfig: 

   2

   
      logLevel: debug
      overlaySize: 8G
      defaultRuntime: "runc"

   1

   Specify a label for the machine config pool that you want you want to modify.

   2

   Set the parameters as needed.

2. Create the ContainerRuntimeConfig CR:

   $ oc create -f <file_name>.yaml

3. Verify that the CR is created:

   $ oc get ContainerRuntimeConfig

   Example output

   NAME           AGE
   overlay-size   3m19s

4. Check that a new containerruntime machine config is created:

   $ oc get machineconfigs | grep containerrun

   Example output

   99-worker-generated-containerruntime   2c9371fbb673b97a6fe8b1c52691999ed3a1bfc2  3.5.0  31s

5. Monitor the machine config pool until all are shown as ready:

   $ oc get mcp worker

   Example output

   NAME    CONFIG               UPDATED  UPDATING  DEGRADED  MACHINECOUNT  READYMACHINECOUNT  UPDATEDMACHINECOUNT  DEGRADEDMACHINECOUNT  AGE
   worker  rendered-worker-169  False    True      False     3             1                  1                    0                     9h

6. Verify that the settings were applied in CRI-O:

   1. Open an oc debug session to a node in the machine config pool and run chroot /host.

      $ oc debug node/<node_name>

      sh-4.4# chroot /host

   2. Verify the changes in the crio.conf file:

      sh-4.4# crio config | grep 'log_level'

      Example output

      log_level = "debug"

   3. Verify the changes in the storage.conf file:

      sh-4.4# head -n 7 /etc/containers/storage.conf

      Example output

      [storage]
        driver = "overlay"
        runroot = "/var/run/containers/storage"
        graphroot = "/var/lib/containers/storage"
        [storage.options]
          additionalimagestores = []
          size = "8G"

   4. Verify the changes in the crio/crio.conf.d/01-ctrcfg-defaultRuntime file:

      sh-5.1# cat /etc/crio/crio.conf.d/01-ctrcfg-defaultRuntime

      Example output

      [crio]
        [crio.runtime]
          default_runtime = "runc"

Verification

1. After the nodes return to a ready state, open an oc debug session to a node by running the following command:

   $ oc debug node/<node_name>

2. Set /host as the root directory within the debug shell by running the following command:

   sh-5.1# chroot /host

3. Check the container runtime by using the following command:

   sh-5.1# crio status config | grep default_runtime

   Example output

   INFO[2026-01-27 23:09:18.413462914Z] Starting CRI-O, version: 1.30.14-6.rhaos4.17.gitfa27f6f.el9, git: unknown(clean)
       default_runtime = "runc"

   The default_runtime parameter specifies the container runtime that OpenShift Container Platform uses for new workloads on this node, either crun or runc, depending on what you have configured.

Procedure

1. Create the configuration object:

   $ oc apply -f overlaysize.yml

2. To apply the new CRI-O configuration to your worker nodes, edit the worker machine config pool:

   $ oc edit machineconfigpool worker

3. Add the custom-crio label based on the matchLabels name you set in the ContainerRuntimeConfig CRD:

   apiVersion: machineconfiguration.openshift.io/v1
   kind: MachineConfigPool
   metadata:
     creationTimestamp: "2020-07-09T15:46:34Z"
     generation: 3
     labels:
       custom-crio: overlay-size
       machineconfiguration.openshift.io/mco-built-in: ""

4. Save the changes, then view the machine configs:

   $ oc get machineconfigs

   New 99-worker-generated-containerruntime and rendered-worker-xyz objects are created:

   Example output

   99-worker-generated-containerruntime  4173030d89fbf4a7a0976d1665491a4d9a6e54f1   3.5.0             7m42s
   rendered-worker-xyz                   4173030d89fbf4a7a0976d1665491a4d9a6e54f1   3.5.0             7m36s

5. After those objects are created, monitor the machine config pool for the changes to be applied:

   $ oc get mcp worker

   The worker nodes show UPDATING as True, as well as the number of machines, the number updated, and other details:

   Example output

   NAME   CONFIG              UPDATED   UPDATING   DEGRADED  MACHINECOUNT  READYMACHINECOUNT  UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
   worker rendered-worker-xyz False True False     3             2                   2                    0                      20h

   When complete, the worker nodes transition back to UPDATING as False, and the UPDATEDMACHINECOUNT number matches the MACHINECOUNT:

   Example output

   NAME   CONFIG              UPDATED   UPDATING   DEGRADED  MACHINECOUNT  READYMACHINECOUNT  UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
   worker   rendered-worker-xyz   True      False      False      3         3            3             0           20h

   Looking at a worker machine, you see that the new 8 GB max size configuration is applied to all of the workers:

   Example output

   head -n 7 /etc/containers/storage.conf
   [storage]
     driver = "overlay"
     runroot = "/var/run/containers/storage"
     graphroot = "/var/lib/containers/storage"
     [storage.options]
       additionalimagestores = []
       size = "8G"

   Looking inside a container, you see that the root partition is now 8 GB:

   Example output

   ~ $ df -h
   Filesystem                Size      Used Available Use% Mounted on
   overlay                   8.0G      8.0K      8.0G   0% /

Procedure

1. Create a YAML file that defines the PinnedImageSet object, similar to the following example:

   apiVersion: machineconfiguration.openshift.io/v1
   kind: PinnedImageSet
   metadata:
     labels: 

   1

   
       machineconfiguration.openshift.io/role: worker
     name: worker-pinned-images
   spec:
     pinnedImages: 

   2

   
      - name: quay.io/openshift-release-dev/ocp-release@sha256:513cf1028aa1a021fa73d0601427a0fbcf6d212b88aaf9d76d4e4841a061e44e
      - name: quay.io/openshift-release-dev/ocp-release@sha256:61eae2d261e54d1b8a0e05f6b5326228b00468364563745eed88460af04f909b

   where:

   labels

   Specifies an optional node selector to specify the machine config pool to pin the images to. If not specified, the images are pinned to all nodes in the cluster.

   pinnedImages

   Specifies a list of one or more images to pre-load.

2. Create the PinnedImageSet object by running the following command:

   $ oc create -f <file_name>.yaml

Procedure

1. Edit the MachineConfiguration object, named cluster, by using the following command:

   $ oc edit MachineConfiguration cluster

2. Enable the boot image management feature for some or all of your machine sets:

   • Enable the boot image management feature for all machine sets:

     apiVersion: operator.openshift.io/v1
     kind: MachineConfiguration
     metadata:
       name: cluster
     spec:
     # ...
       managedBootImages:
         machineManagers:
         - apiGroup: machine.openshift.io
           resource: controlplanemachinesets
           selection:
             mode: All
         - apiGroup: machine.openshift.io
           resource: machinesets
           selection:
             mode: All

     where:

     spec.managedBootImages

     Configures the boot image management feature.

     spec.managedBootImages.machineManagers.apiGroup

     Specifies the API group. This must be machine.openshift.io.

     spec.managedBootImages.machineManagers.resource

     Specifies the resource within the specified API group to apply the change. Use one or both of the following parameters. You must add the full stanza, as shown, if you want to enable the feature for control plane and worker machine sets.

     • controlplanemachinesets: Enables boot image management for control plane machine sets.
     • machinesets: Enables boot image management for worker machine sets.

     spec.managedBootImages.machineManagers.selection.mode

     Specifies that the feature is enabled for all machine sets in the cluster.

   • Enable the boot image management feature for specific worker machine sets:

     apiVersion: operator.openshift.io/v1
     kind: MachineConfiguration
     metadata:
       name: cluster
     spec:
     # ...
       managedBootImages:
         machineManagers:
         - apiGroup: machine.openshift.io
           resource: machinesets
           selection:
             mode: Partial
             partial:
               machineResourceSelector:
                 matchLabels:
                   region: "east"

     where:

     spec.managedBootImages

     Configures the boot image management feature.

     spec.managedBootImages.machineManagers.apiGroup

     Specifies the API group. This must be machine.openshift.io.

     spec.managedBootImages.machineManagers.resource

     Specifies the resource within the specified API group to apply the change. This must be machinesets. Partial boot image management for control plane machine sets is not supported.

     spec.managedBootImages.machineManagers.selection.mode

     Specifies that the feature is enabled for specific machine sets in the cluster. This must be Partial.

     spec.managedBootImages.machineManagers.selection.partial

     Specifies that the feature is enabled for machine sets with the specified label in their MachineSet object.

Verification

1. View the current state of the boot image management feature by using the following command to view the machine configuration object:

   $ oc get machineconfiguration cluster -o yaml

   Example machine set with the boot image reference

   kind: MachineConfiguration
   metadata:
     name: cluster
   # ...
   status:
     conditions:
     - lastTransitionTime: "2025-05-01T20:11:49Z"
       message: Reconciled 2 of 4 MAPI MachineSets | Reconciled 0 of 0 CAPI MachineSets
         | Reconciled 0 of 0 CAPI MachineDeployments
       reason: BootImageUpdateConfigurationUpdated
       status: "True"
       type: BootImageUpdateProgressing
     - lastTransitionTime: "2025-05-01T19:30:13Z"
       message: 0 Degraded MAPI MachineSets | 0 Degraded CAPI MachineSets | 0 CAPI MachineDeployments
       reason: BootImageUpdateConfigurationUpdated
       status: "False"
       type: BootImageUpdateDegraded
     managedBootImagesStatus:
       machineManagers:
       - apiGroup: machine.openshift.io
         resource: controlplanemachinesets
         selection:
           mode: All
       - apiGroup: machine.openshift.io
         resource: machinesets
         selection:
           mode: All

   where:

   status.managedBootImagesStatus.machineManagers.selection.mode

   Specifies that the boot image management feature is enabled when set to All.

2. Scale a machine set to create a new node by using a command similar to the following. The boot image is updated only for new nodes.

   $ oc scale --replicas=2 machinesets.machine.openshift.io <machineset> -n openshift-machine-api

3. If your cluster was using an older boot image version, you can see the new boot image version when the new node reaches the READY state. View the Red Hat Enterprise Linux CoreOS (RHCOS) version on a nodes:

   1. Log in to the node by using a command similar to the following:

      $ oc debug node/<node_name>

   2. Set /host as the root directory within the debug shell by using the following command:

      sh-5.1# chroot /host

   3. View the /sysroot/.coreos-aleph-version.json file by using a command similar to the following:

      sh-5.1# cat /sysroot/.coreos-aleph-version.json

      Example output

      {
      # ...
          "ref": "docker://ostree-image-signed:oci-archive:/rhcos-9.6.20251015-1-ostree.x86_64.ociarchive",
          "version": "9.6.20251015-1"
      }

      where:

      <version>

      Specifies the boot image version.

Procedure

1. Edit the MachineConfiguration object, named cluster, by using the following command::

   $ oc edit MachineConfiguration cluster

2. Disable the feature for some or all of your machine sets by making one or both of the following changes:

   • Disable the feature for nodes in the worker machine sets by adding the following parameters:

     apiVersion: operator.openshift.io/v1
     kind: MachineConfiguration
     metadata:
       name: cluster
     spec:
     # ...
       managedBootImages:
         machineManagers:
         - apiGroup: machine.openshift.io
           resource: machinesets
           selection:
             mode: None

     where:

     spec.managedBootImages

     Specifies the parameters for the boot image management feature.

     spec.managedBootImages.machineManagers.apiGroup

     Specifies the API group. This must be machine.openshift.io.

     spec.managedBootImages.machineManagers.resource

     Specifies that the selection.mode parameter applies to worker nodes when a value of machinesets is set.

     spec.managedBootImages.machineManagers.selection.mode

     When None, specifies that the feature is disabled for the specified machine sets.

   • Disable the feature for nodes in the control plane machine sets by adding the following parameters:

     apiVersion: operator.openshift.io/v1
     kind: MachineConfiguration
     metadata:
       name: cluster
     spec:
     # ...
       managedBootImages:
         machineManagers:
         - apiGroup: machine.openshift.io
           resource: controlplanemachinesets
           selection:
             mode: None

     where:

     spec.managedBootImages

     Specifies the parameters for the boot image management feature.

     spec.managedBootImages.machineManagers.apiGroup

     Specifies the API group. This must be machine.openshift.io.

     spec.managedBootImages.machineManagers.resource

     Specifies that the selection.mode parameter applies to control plane nodes when a value of controlplanemachinesets is set.

     spec.managedBootImages.machineManagers.selection.mode

     When None, specifies that the feature is disabled for the specified machine sets.

Procedure

1. For manual mode, you can obtain the current boot image on a node by using the following command:

   $ oc debug node/<new-node> -- chroot /host cat /sysroot/.coreos-aleph-version.json

   Example output

   # ...
       "ref": "docker://ostree-image-signed:oci-archive:/rhcos-9.6.20251023-0-ostree.x86_64.ociarchive",
       "version": "9.6.20251023-0"

   You should use the newest node on the cluster, because the boot image might have been updated after the older nodes were created. Ideally, test the newest node from each machine set and use the oldest boot image among them.

2. Specify the boot image skew enforcement mode and set the boot image version as needed:

   apiVersion: operator.openshift.io/v1
   kind: MachineConfiguration
   metadata:
     name: cluster
   spec:
   # ...
     bootImageSkewEnforcement:
       mode: Manual
       manual:
         mode: RHCOSVersion
         rhcosVersion: 9.6.20251023-0
   # ...

   where:

   spec.bootImageSkewEnforcement.mode

   Specifies the boot image enforcement mode, one of the following values:

   • Manual. Specifies that boot image skew management is in manual mode. You must specify the spec.bootImageSkewEnforcement.manual parameters.
   • None. Specifies that boot image skew management is disabled. You do not need to specify the spec.bootImageSkewEnforcement.manual parameters.

   spec.bootImageSkewEnforcement.manual.mode

   Specifies the version you want to represent the current boot image, either OCPVersion or RHCOSVersion. You must include one of the following parameters:

   • For RHCOSVersion, use spec.bootImageSkewEnforcement.manual.rhcosVersion to specify the RHCOS version that is being used as a boot image in the [major].[minor].[datestamp(YYYYMMDD)]-[buildnumber] or [major].[minor].[timestamp(YYYYMMDDHHmm)]-[buildnumber] format. This field must be between 14 and 21 characters.
   • For OCPVersion, use spec.bootImageSkewEnforcement.manual.ocpVersion to specify the OpenShift Container Platform version associated with the boot image that is being used in the x.y.z format. This field must be between 5 and 10 characters.

Procedure

1. If necessary, obtain the RHCOS or OpenShift Container Platform version of the current boot image on an updated node by using one of the following commands:

   • Obtain the RHCOS version by running the following command:

     $ oc debug node/<new-node> -- chroot /host cat /sysroot/.coreos-aleph-version.json

     Example output

     # ...
         "ref": "docker://ostree-image-signed:oci-archive:/rhcos-9.6.20251023-0-ostree.x86_64.ociarchive",
         "version": "9.6.20251023-0"

   • Obtain the OpenShift Container Platform version by running the following command:

     $ openshift-install version

     Ensure that you use the same openshift-install binary that you used when updating the boot image.

     Example output

     openshift-install 4.22.0

2. Specify the boot image version in the MachineConfiguration object with either the RHCOS or OpenShift Container Platform version:

   • Update the MachineConfiguration object with the RHCOS version:

     apiVersion: operator.openshift.io/v1
     kind: MachineConfiguration
     metadata:
       name: cluster
     # ...
     spec:
       bootImageSkewEnforcement:
         mode: Manual
         manual:
           mode: RHCOSVersion
           rhcosVersion: 9.2.20251023-0
     # ...

     If the spec.bootImageSkewEnforcement.manual.mode is RHCOSVersion, specify the RHCOS version of the boot image with the rhcosVersion parameter, as shown in the example.

   • Update the MachineConfiguration object with the OpenShift Container Platform version

     apiVersion: operator.openshift.io/v1
     kind: MachineConfiguration
     metadata:
       name: cluster
     # ...
     spec:
       bootImageSkewEnforcement:
         mode: Manual
         manual:
           mode: OCPVersion
           ocpVersion: 4.22.0
     # ...

     If the spec.bootImageSkewEnforcement.manual.mode is OCPVersion, specify the OpenShift Container Platform version of the boot image with the ocpVersion parameter, as shown in the example.

Procedure

1. Set an environment variable with your cluster architecture by running the following command:

   $ export ARCH=<architecture_type>

   Replace <architecture_type> with one of the following values:

   • Use aarch64 for the AArch64 or ARM64 architecture.
   • Use x86_64 for the x86_64 or AMD64 architecture.

   You can find the architecture as a label in any MachineSet object.

   Example machine set with an architecture label

   apiVersion: machine.openshift.io/v1beta1
   kind: MachineSet
   metadata:
     annotations:
       capacity.cluster-autoscaler.kubernetes.io/labels: kubernetes.io/arch=amd64
   # ...

2. Determine your Azure image variant and Hyper-V generation:

   1. Obtain the required values from your machine set by running the following command:

      $ oc get machineset <machineset-name> -n openshift-machine-api \
        -o jsonpath='{.spec.template.spec.providerSpec.value.image}'

      Example output

      {"offer":"rh-ocp-worker","publisher":"redhat","resourceID":"","sku":"rh-ocp-worker","type":"MarketplaceWithPlan","version":"4.16.20231023"}

   2. Determine your image variant by comparing the output to the entries in the following table:

      Expand

      Output parmeters	Variant
      resourceID is non-empty	no-purchase-plan
      publisher is azureopenshift	no-purchase-plan
      publisher is redhat and offer is rh-ocp-worker	ocp
      publisher is redhat and offer is rh-opp-worker	opp
      publisher is redhat and offer is rh-oke-worker	oke
      publisher is redhat-limited and offer is rh-ocp-worker	ocp-emea
      publisher is redhat-limited and offer is rh-ocp-worker	opp-emea
      publisher is redhat-limited and offer is rh-ocp-worker	oke-emea

      Show more

      Make note of the variant for later use.

   3. Determine your image Hyper-V generation by comparing the output to the entries in the following table:

      Expand

      Output	Image type	Hyper-V generation
      resourceID is non-empty	Legacy uploaded	hyperVGen2 if the resourceID value contains gen2 hyperVGen1 if the resourceID value does not contain gen2
      publisher is azureopenshift	Unpaid marketplace	hyperVGen2 if sku contains v2 or the cluster architecture is AArch64 or ARM64 hyperVGen1 for all other images
      publisher is redhat or redhat-limited.	Paid marketplace	hyperVGen1 if sku contains -gen1 hyperVGen2 for all other images

      Show more

      Make note of the generation for later use.

   4. Optional: You can compare the output of the version parameter against the output of the following command to determine if your boot image needs updating.

      $ openshift-install coreos print-stream-json | jq '.architectures."'"${ARCH}"'"."rhel-coreos-extensions"."marketplace"."azure"'

      ARCH is the environment variable you created in a previous step.

      In the output of the command, locate your variant and generation as shown in the following example:

      Example output

        "ocp": {
      # ...
          "hyperVGen2": {
            "publisher": "redhat",
            "offer": "rh-ocp-worker",
            "sku": "rh-ocp-worker",
            "version": "4.18.2025031114"

      If the boot image referenced in the version parameter of your machine set matches or is later than the version in this output, no further action on your part is required to update the boot image. If not, continue with this procedure.

3. Obtain the values needed to identify the new boot image and set the values as environment variables:

   1. Obtain the values required for the new boot image by running the following command:

      $ openshift-install coreos print-stream-json | jq '.architectures."'"${ARCH}"'"."rhel-coreos-extensions"."marketplace"."azure"'

      ARCH is the environment variable you created in a previous step.

   2. In the output of the command, locate your variant and generation as shown in the following example:

      Example output

        "ocp": {
        # ...
          "hyperVGen2": {
            "publisher": "redhat",
            "offer": "rh-ocp-worker",
            "sku": "rh-ocp-worker",
            "version": "9.6.20251015"

   3. Set an environment variable with your image variant by running the following command:

      $ export VARIANT=<variant>

      Replace <variant> with the variant of your image, one of the following vales: no-purchase-plan, ocp, opp, oke, ocp-emea, opp-emea, or oke-emea.

   4. Set an environment variable with your image generation by running the following command:

      $ export GEN=<generation>

      Replace <generation> with the generation of your image, one of the following vales: hyperVGen1 or hyperVGen2.

   5. Set environment variables for the publisher, offer, sku, and version fields based on the openshift-install output for your variant and generation by running the following commands:

      $ export PUBLISHER=$(openshift-install coreos print-stream-json | jq -r '.architectures."'"${ARCH}"'"."rhel-coreos-extensions"."marketplace"."azure"."'"${VARIANT}"'"."'"${GEN}"'".publisher')

      ARCH, VARIANT, and GEN are environment variables you created in a previous step.

      $ export OFFER=$(openshift-install coreos print-stream-json | jq -r '.architectures."'"${ARCH}"'"."rhel-coreos-extensions"."marketplace"."azure"."'"${VARIANT}"'"."'"${GEN}"'".offer')

      $ export SKU=$(openshift-install coreos print-stream-json | jq -r '.architectures."'"${ARCH}"'"."rhel-coreos-extensions"."marketplace"."azure"."'"${VARIANT}"'"."'"${GEN}"'".sku')

      $ export VERSION=$(openshift-install coreos print-stream-json | jq -r '.architectures."'"${ARCH}"'"."rhel-coreos-extensions"."marketplace"."azure"."'"${VARIANT}"'"."'"${GEN}"'".version')

   6. Obtain the RHCOS version by running the following command:

      $ echo $VERSION

      Example output

      9.6.20251015

      Make note of the RHCOS version for later use.

   7. Set an environment variable with the type of your image by running the following command:

      $ export IMAGE_TYPE=<image_type>

      Replace <image_type> with one of the following values based on the variant of your image:

      • For the no-purchase-plan variant, use MarketplaceNoPlan.
      • For all other variants, use MarketplaceWithPlan.

4. Update each of your compute machine sets to include the new boot image:

   1. Obtain the name of your machine sets for use in the following step by running the following command:

      $ oc get machineset -n openshift-machine-api

      Example output

      NAME                                        DESIRED   CURRENT   READY   AVAILABLE   AGE
      ci-ln-lbf9h9k-1d09d-fwh4l-worker-eastus21   1         1         1       1           135m
      ci-ln-lbf9h9k-1d09d-fwh4l-worker-eastus22   1         1         1       1           135m
      ci-ln-lbf9h9k-1d09d-fwh4l-worker-eastus23   1         1         1       1           135m

   2. Edit a machine set to update the image field in the providerSpec stanza to add your boot image by running the following command:

      $ oc patch machineset <machineset-name> -n openshift-machine-api --type merge \
        -p '{"spec":{"template":{"spec":{"providerSpec":{"value":{"image":{"publisher":"'${PUBLISHER}'","offer":"'${OFFER}'","sku":"'${SKU}'","version":"'${VERSION}'","resourceID":"","type":"'${IMAGE_TYPE}'"}}}}}}}'

      PUBLISHER, OFFER, SKU, VERSION, and IMAGE_TYPE are environment variables you created in previous steps.

5. If boot image skew enforcement in your cluster is set to the manual mode, update the version of the new boot image in the MachineConfiguration object as described in "Updating the boot image skew enforcement version".

Verification

1. Scale up a machine set to check that the new node is using the new boot image:

   1. Increase the machine set replicas by one to trigger a new machine by running the following command:

      $ oc scale --replicas=<count> machineset <machineset_name> -n openshift-machine-api

      where:

      <count>

      Specifies the total number of replicas, including any existing replicas, that you want for this machine set.

      <machineset_name>

      Specifies the name of the machine set to scale.

   2. Optional: View the status of the machine set as it provisions by running the following command:

      $ oc get machines.machine.openshift.io -n openshift-machine-api -w

      It can take several minutes for the machine set to achieve the Running state.

   3. Verify that the new node has been created and is in the Ready state by running the following command:

      $ oc get nodes

2. Verify that the new node is using the new boot image by running the following command:

   $ oc debug node/<new_node> -- chroot /host cat /sysroot/.coreos-aleph-version.json

   Replace <new_node> with the name of your new node.

   Example output

   {
   # ...
       "ref": "docker://ostree-image-signed:oci-archive:/rhcos-9.6.20251015-ostree.x86_64.ociarchive",
       "version": "9.6.20251015"
   }

   where:

   version

   Specifies the boot image version.

3. Verify that the boot image is the same the RHCOS version as the image you noted in a previous step by running the following command:

   $ echo $VERSION

   Example output

   9.6.20251015

Procedure

1. Determine if your cluster uses a default RHCOS image or a custom RHCOS image from the AWS Marketplace image:

   1. Obtain the current AWS region where the cluster is installed and set the value in an environment variable by running the following command:

      $ export REGION=$(oc get infrastructure cluster -o jsonpath='{.status.platformStatus.aws.region}')

   2. Obtain the current Amazon Machine Image (AMI) ID for your region and set the value in an environment variable by running the following command:

      $ export CURRENT_AMI=$(oc get machineset -n openshift-machine-api -o jsonpath='{.items[0].spec.template.spec.providerSpec.value.ami.id}')

   3. Obtain the product ID for your AMI and set the value in an environment variable by running the following command:

      $ export PRODUCT_ID=$(aws ec2 describe-images --image-ids "$CURRENT_AMI" --region "$REGION" \
        --query 'Images[0].Name' --output text | \
        grep -oE '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}')

      CURRENT_AMI and REGION are environment variables you created in previous steps.

   4. Display the contents of the PRODUCT_ID environment variable by running the following command:

      $ echo $PRODUCT_ID

      • If the output for the PRODUCT_ID environment variable is empty, as shown in the following example, your cluster uses a standard OpenShift Container Platform image.

        Example with empty output

      • If the output for the PRODUCT_ID environment variable is not empty, as shown in the following example, your cluster uses an AWS Marketplace image.

        Example with non-empty output

        59ead7de-2540-4653-a8b0-fa7926d5c845

      • If the command returns an error, and you are unable to determine your cluster variant, contact Red Hat Support. If Red Hat Support determines that your cluster uses an AWS Marketplace image, you can set the PRODUCT_ID environment variable with the appropriate product ID from the following table.

        $ export PRODUCT_ID=<Product_ID_from_table>

        Expand

        Variant	Product ID
        OpenShift Container Platform on x86 - NA	59ead7de-2540-4653-a8b0-fa7926d5c845
        OpenShift Kubernetes Engine on x86 - NA	963b36c3-de6f-48ed-b802-2b38b2a2cdeb
        OpenShift Platform Plus on x86 - NA	f5da01a6-d046-487c-9072-42fe53b1cad4
        OpenShift Container Platform on ARM - NA	abc249f8-7440-45f7-a4b1-c026baff64c1
        OpenShift Kubernetes Engine on ARM - NA	d2d3ebcd-c1ca-43d8-bf0a-530433200f35
        OpenShift Platform Plus on ARM - NA	be6d3e94-c8dc-4a3e-9218-4b449b11f06f
        OpenShift Container Platform on x86 - EU, ME and Africa	962791c7-3ae5-46d1-ba62-c7a5ebac54fd
        OpenShift Kubernetes Engine on x86 - EU, ME and Africa	7026c8d7-392c-4010-b93c-f93f7bc5495f
        OpenShift Platform Plus on x86 - EU, ME and Africa	628c9df3-0254-4f91-bc1f-8619d1b8eaa8

        Show more

2. Determine the AMI for the new boot image by using one of the following steps, depending upon the type of image used in your cluster:

   • For a cluster that uses a default RHCOS image, perform the following steps:

     1. Set an environment variable with your cluster architecture by running the following command:

        $ export ARCH=<architecture_type>

        Replace <architecture_type> with one of the following values:

        • Specify aarch64 for the AArch64 or ARM64 architecture.
        • Specify ppc64le for the IBM Power® (ppc64le) architecture.
        • Specify s390x for the IBM Z® and IBM® LinuxONE (s390x) architecture.
        • Specify x86_64 for the x86_64 or AMD64 architecture.

        You can find the architecture as a label in any MachineSet object.

        Example machine set with an architecture label

        apiVersion: machine.openshift.io/v1beta1
        kind: MachineSet
        metadata:
          annotations:
            capacity.cluster-autoscaler.kubernetes.io/labels: kubernetes.io/arch=amd64
        # ...

     2. Obtain the AMI for the new boot image and set an environment variable with the AMI by running the following command:

        $ export AMI_ID=$(openshift-install coreos print-stream-json | jq -r ".architectures.\"${ARCH}\".images.aws.regions.\"${REGION}\".image")

        ARCH and REGION are environment variables you created in previous steps.

     3. View the RHCOS version of the new boot image by running the following command:

        $ openshift-install coreos print-stream-json | jq -r ".architectures.\"${ARCH}\".images.aws.regions.\"${REGION}\".release"

        Example output

        9.6.20251212-1

        Make note of the RHCOS version for later use.

   • For a cluster that uses a custom RHCOS image, perform the following steps:

     1. Obtain a list of valid AMI images by running the following command:

        $ aws ec2 describe-images --region "${REGION}" --filters "Name=name,Values=*${PRODUCT_ID}*" \
          --query 'reverse(sort_by(Images, &CreationDate))[].[CreationDate,ImageId,Name]' --output table

        REGION and PRODUCT_ID are environment variables you created in previous steps.

        This command returns the AMIs ordered by creation date, with the latest images first. The RHCOS version of each AMI is contained in the AMI name. Choose the latest image version available.

        Make note of the Red Hat Enterprise Linux CoreOS (RHCOS) version for later use.

     2. Set an environment variable with the AMI of the new boot image by running the following command:

        $ export AMI_ID=<ami-value>

3. Update each of your compute machine sets to include the new boot image:

   1. Obtain the name of your machine sets for use in the following step by running the following command:

      $ oc get machineset -n openshift-machine-api

      Example output

      NAME                                 DESIRED   CURRENT   READY   AVAILABLE   AGE
      rhhdrbk-b5564-4pcm9-worker-0         3         3         3       3           123m
      ci-ln-xj96skb-72292-48nm5-worker-d   1         1         1       1           27m

   2. Edit a machine set to update the image field in the providerSpec stanza to add your boot image by running the following command:

      $ oc patch machineset <machineset_name> -n openshift-machine-api --type merge -p '{"spec":{"template":{"spec":{"providerSpec":{"value":{"ami":{"id":"'${AMI_ID}'"}}}}}}}'

      Replace <machineset_name> with the name of your machine set.

      AMI_ID is the environment variable you created in a previous step.

4. If boot image skew enforcement in your cluster is set to the manual mode, update the boot image version in the MachineConfiguration object as described in "Updating the boot image skew enforcement version."