Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 18. Network reconfiguration for single-node OpenShift

Use the Lifecycle Agent to change the network configuration of a single-node OpenShift cluster without performing a full redeployment. This is critical for many edge computing use cases such as disaster recovery and network rehoming.

Changing a single-node OpenShift cluster’s core networking, such as node IP addresses, machine network CIDRs, default gateway, VLAN, and DNS settings, is a high-risk operation because it affects both host networking and cluster configuration. The Lifecycle Agent provides a declarative, stage-driven workflow to perform these changes safely using the IPConfig custom resource (CR).

Network reconfiguration addresses critical edge computing scenarios where changing network properties without a full cluster redeployment is essential:

Disaster recovery
After a site outage or major connectivity change, a single-node OpenShift cluster might need to move to a different uplink network. For example, if a primary 5G network using IPv6 goes down due to a natural disaster, you can reconfigure the cluster to use an IPv4 satellite connection as a backup, enabling continued operations until the primary network is restored.
Network rehoming and site migration
During network consolidation or equipment upgrades, you can migrate single-node OpenShift clusters to a new L2 or L3 environment with a deterministic, reversible process and minimal downtime. This supports scenarios such as cell on wheels for increased cellular coverage at events, mobile satellite telco equipment changing networks, IoT devices transitioning between networks, and new cell site deployments using satellite connectivity until physical network installation is complete.

The Lifecycle Agent uses a stage-driven workflow controlled through the spec.stage field in the IPConfig CR. The workflow consists of three stages:

Idle stage
The initial and final stage. In this stage, the Lifecycle Agent runs health checks, performs cleanup operations, and prepares the cluster for configuration changes. Transitioning to Idle after a successful configuration is the finalization point that removes rollback capability.
Config stage
Executes the network reconfiguration in two phases. The pre-pivot phase prepares a new stateroot, which is a bootable system state that has the updated network configuration, and reboots into it. The post-pivot phase applies the network changes, regenerates certificates, and waits for cluster stabilization.
Rollback stage

Reboots into the earlier stateroot. You can trigger a rollback manually or configure automatic rollback on failure.

The network reconfiguration flow preserves the currently booted stateroot as a rollback target while preparing the new configuration in a new stateroot. This approach means the original configuration remains available for rollback until you finalize the change, only one reboot is required for the IP change, and the rollback process is fast because the earlier stateroot is already prepared.

18.1.2. Supported network property changes
Copy link

The IPConfig CR supports the following network property changes:

  • IPv4 and IPv6 address changes for single-stack or dual-stack clusters
  • Machine network CIDR changes
  • Default gateway changes
  • DNS server list updates
  • Optional VLAN ID changes on the br-ex uplink path
  • Optional DNS response filtering changes on dual-stack clusters to filter IPv4 or IPv6

Network reconfiguration by using the IPConfig CR has the following requirements:

  • The cluster must be a single-node OpenShift cluster.
  • The Lifecycle Agent must be installed.
  • A baseline dnsmasq MachineConfig resource must exist, which is automatically installed by any single-node OpenShift installed directly or indirectly by the Assisted Installer, including Agent-based Installer (ABI), multicluster engine (MCE), and Red Hat Advanced Cluster Management (RHACM).
  • All cluster operators must be available before starting a network reconfiguration.

Network reconfiguration by using the IPConfig CR has the following limitations:

  • For dual-stack clusters, exactly one IPv4 address and one IPv6 address are supported per node.
  • Only one NIC is supported. No bonding or link aggregation.
  • You can configure a maximum of one VLAN ID on the br-ex uplink path.
  • You must configure static networking on the host network. DHCP is not supported.
  • You cannot add a VLAN to a cluster that does not already have VLAN configuration.
  • Changing gateway or machine network without changing the address is not supported.
  • Changing DNS servers without changing at least one IP address is not supported.
  • You cannot set spec.ipv4 on an IPv6-only cluster or spec.ipv6 on an IPv4-only cluster.
  • The resulting routing table must not have routes that overlap or conflict with the default route through the configured gateways.
  • The cluster must not have a proxy network configuration.
  • You cannot perform an image-based upgrade and a network reconfiguration at the same time.

You can perform a network reconfiguration on a single-node OpenShift cluster by editing the IPConfig custom resource (CR) and transitioning through the configuration stages.

You can change the network configuration of a single-node OpenShift cluster by editing the IPConfig custom resource (CR) and transitioning through the configuration stages.

Prerequisites

  • You have a single-node OpenShift cluster.
  • You have installed the Lifecycle Agent.
  • You have the new network configuration details, including IP addresses, gateways, and DNS servers.
  • You have cluster administrator privileges.
  • You have installed the OpenShift CLI (oc).

Procedure

  1. Verify that the IPConfig CR exists and check its current state by running the following command: 

    $ oc get ipc ipconfig -o yaml

    If the CR does not exist, verify that you installed the Lifecycle Agent.

  2. Verify that the spec.stage field is set to Idle, the Idle status condition is set to true, and review the current network configuration in the status fields.

    Note

    You can only modify spec fields when the CR is in the Idle stage.

  3. Edit the IPConfig CR to specify the new network configuration by running the following command: 

    $ oc edit ipc ipconfig

  4. Update the spec fields with your new network configuration. The following example shows a dual-stack configuration with VLAN and DNS settings: 

    apiVersion: lca.openshift.io/v1
kind: IPConfig
metadata:
  name: ipconfig
spec:
  stage: Idle
  ipv4:
    address: 192.0.2.10
    machineNetwork: 192.0.2.0/24
    gateway: 192.0.2.1
  ipv6:
    address: 2001:db8::10
    machineNetwork: 2001:db8::/64
    gateway: 2001:db8::1
  dnsServers:
  - 192.0.2.53
  - 2001:4860:4860::8888
  vlanID: 100
  dnsFilterOutFamily: none
  autoRollbackOnFailure:
    initMonitorTimeoutSeconds: 1800

    where:

    spec.stage
    Set this field to Config when you are ready to apply the new network settings.
    spec.ipv4.address
    Specifies the target IPv4 address. Must be within the machine network CIDR.
    spec.ipv4.machineNetwork
    Specifies the target machine network CIDR.
    spec.ipv4.gateway
    Specifies the target default gateway.
    spec.dnsServers
    Specifies an ordered list of DNS servers. The first server in the list is used as the primary DNS server. Use a maximum of two servers.
    spec.vlanID
    Specifies an optional VLAN ID. Only specify if the cluster already has VLAN configuration.
    spec.dnsFilterOutFamily
    Specifies optional DNS filtering for dual-stack clusters. Set to ipv4 or ipv6 to filter out A or AAAA records respectively.
    spec.autoRollbackOnFailure.initMonitorTimeoutSeconds
    Specifies the timeout in seconds for automatic rollback if the configuration does not complete. The default value is 1800 seconds, or 30 minutes.

  5. After saving the configuration, change the stage to Config to start the network reconfiguration by running the following command: 

    $ oc patch ipc ipconfig --type merge -p '{"spec":{"stage":"Config"}}'
    Note

    After triggering the network reconfiguration, update your external DNS servers to resolve the cluster’s new API and ingress endpoints.

  6. Monitor the progress of the configuration by running the following command: 

    $ oc get ipc ipconfig -o yaml

    Watch for the following progression:

    • The controller sets the ConfigInProgress condition
    • The pre-pivot phase runs and triggers a reboot
    • After reboot, the post-pivot phase applies the network changes
    • The controller waits for cluster stabilization
    • The ConfigCompleted condition is set when successful
  7. After the configuration completes successfully, verify that the status.validNextStages field includes Idle and Rollback.

  8. Verify the new network configuration by running the following command: 

    $ oc get nodes -o wide

  9. Verify cluster health by running the following command: 

    $ oc get clusteroperators

  10. When you are satisfied with the new configuration, finalize the change by setting the stage to Idle. Run the following command: 

    $ oc patch ipc ipconfig --type merge -p '{"spec":{"stage":"Idle"}}'
    Important

    After you finalize the configuration by transitioning to Idle, you cannot roll back to the previous network configuration. The old stateroot is removed during Idle state cleanup.

18.2.2. Roll back a network reconfiguration
Copy link

If you see issues after a network reconfiguration, you can roll back to an earlier network configuration. The rollback reboots the node into an earlier stateroot with the original network settings.

Prerequisites

  • You have completed a network reconfiguration that has not been finalized.
  • The status.validNextStages field in the IPConfig customer resource (CR) includes Rollback.
  • You have cluster administrator privileges.

Procedure

  1. Verify that rollback stage is available by checking the IPConfig CR. Run the following command: 

    $ oc get ipc ipconfig -o jsonpath='{.status.validNextStages}'

    Verify that the output includes Rollback.

  2. Check the rollback availability expiration timestamp by running the following command: 

    $ oc get ipc ipconfig -o jsonpath='{.status.rollbackAvailabilityExpiration}'
    Note

    Plan your rollback before this timestamp. After this timestamp, rolling back requires manual recovery because of expired control plane or kubelet certificates in the rollback stateroot.

  3. Trigger the rollback by setting the stage to Rollback by running the following command: 

    $ oc patch ipc ipconfig --type merge -p '{"spec":{"stage":"Rollback"}}'

    The Lifecycle Agent reboots the node into the earlier stateroot.

  4. After the node reboots, monitor the rollback progress by running the following command: 

    $ oc get ipc ipconfig -o yaml

    Wait for the RollbackCompleted condition to be set.

  5. Verify the node is using the original network configuration by running the following command: 

    $ oc get nodes -o wide

  6. Finalize the rollback by setting the stage to Idle by running the following command: 

    $ oc patch ipc ipconfig --type merge -p '{"spec":{"stage":"Idle"}}'

Network reconfiguration includes many automatic rollback safety mechanisms that help protect your cluster from failed configuration changes.

Automatic rollback on post-pivot failure
If network configuration or certificate regeneration fails after the reboot, the system automatically triggers a rollback to the earlier stateroot.
Init-monitor timeout rollback
If the network reconfiguration does not complete within the configured timeout, the system automatically triggers a rollback. The default timeout is 1800 seconds, 30 minutes. You can configure this timeout by using the spec.autoRollbackOnFailure.initMonitorTimeoutSeconds field in the IPConfig CR. Setting the value to 0 uses the default timeout.

18.2.4. IPConfig reference specifications
Copy link

The IPConfig custom resource (CR) is a cluster-scoped CR that controls the IP configuration workflow for single-node OpenShift clusters using the Lifecycle Agent.

Note

The CR name must be ipconfig.

Expand
Table 18.1. IPConfig spec fields
FieldTypeDescription

spec.stage

String

Controls the current stage of the IP configuration workflow. Valid values are Idle, Config, and Rollback. You can only change the stage to a value listed in status.validNextStages.

spec.ipv4.address

String

The IPv4 node address without CIDR notation, for example 192.0.2.10. Required if the ipv4 object is present. Omit the entire ipv4 object for IPv6-only clusters.

spec.ipv4.machineNetwork

String

The machine network CIDR, for example 192.0.2.0/24. The address must be within this CIDR.

spec.ipv4.gateway

String

The IPv4 default gateway address, used to create the default route for IPv4 traffic. Must be within the machine network CIDR.

spec.ipv6.address

String

The IPv6 node address without CIDR notation, for example 2001:db8::10. Required if the ipv6 object is present. Omit the entire ipv6 object for IPv4-only clusters.

spec.ipv6.machineNetwork

String

The IPv6 machine network CIDR, for example 2001:db8::/64. The address must be within this CIDR.

spec.ipv6.gateway

String

The IPv6 default gateway, used to create the default route for IPv6 traffic. You can use link-local gateways.

spec.dnsServers

Array of strings

Ordered list of DNS server IP addresses. The first server in the list is used as the primary DNS server. Must match cluster IP families. Maximum of 2 servers.

spec.vlanID

Integer

The VLAN ID to configure. Valid values are 1-4094. You can only set this field if the cluster already has VLAN configuration.

spec.dnsFilterOutFamily

String

DNS response filtering for dual-stack clusters only. Set to ipv4 to filter out A records, ipv6 to filter out AAAA records, or none to disable filtering. You can only configure this field to ipv4 or ipv6 when the cluster uses a dual-stack configuration.

spec.autoRollbackOnFailure.initMonitorTimeoutSeconds

Integer

Timeout in seconds for the init-monitor watchdog. Set to 0 or leave unset to use the default of 1800 seconds.

Use the following information to diagnose and resolve network reconfiguration issues on single-node OpenShift clusters.

You can gather diagnostic information to help troubleshoot network reconfiguration issues on single-node OpenShift clusters.

Procedure

  1. Inspect the IPConfig custom resource (CR) status by running the following command: 

    $ oc get ipc ipconfig -o yaml

    Review the status.conditions field for the current state, reason, and message. Check status.validNextStages for possible stage transitions, and status.history for timestamps of stage progression.

  2. View the Lifecycle Agent controller logs by running the following command: 

    $ oc logs -n openshift-lifecycle-agent deployment/lifecycle-agent-controller-manager -c manager

  3. Create a debug session on the target node by running the following command: 

    $ oc debug node/<node_name>
# chroot /host
    • Replace <node_name> with the name of your single-node OpenShift node.

  4. View the relevant service logs depending on which phase you are troubleshooting by running one of the following commands:

    • View the logs for pre-pivot issues by running the following command: 

      $ sudo journalctl -u lca-ipconfig-pre-pivot -b --no-pager

    • View the logs for post-pivot issues by running the following command: 

      $ sudo journalctl -u ip-configuration.service -b --no-pager

    • View the logs for init-monitor watchdog issues by running the following command: 

      $ sudo journalctl -u lca-init-monitor.service -b --no-pager

    • View the logs for rollback issues by running the following command: 

      $ sudo journalctl -u lca-ipconfig-rollback -b --no-pager

Use the following reference information to help diagnose and resolve network reconfiguration issues on single-node OpenShift clusters.

Expand
Table 18.2. On-node artifacts for troubleshooting
FileDescription

/var/lib/lca/workspace/ip-config-pre-pivot.json

Pre-pivot configuration data

/var/lib/lca/workspace/ip-config-post-pivot.json

Post-pivot configuration data

/var/lib/lca/workspace/nmstate.yaml

Generated nmstate configuration for network changes

/var/lib/lca/workspace/recert_config.json

Configuration for certificate regeneration

/var/lib/lca/workspace/ip-config-autorollback-config.json

Auto-rollback configuration

/var/lib/lca/workspace/recert-pull-secret.json

Pull secret for the recert image, if a custom pull secret was specified

/var/lib/lca/ipc.json

Persistence file that stores IPConfig state for rollback and status continuity across restarts

Expand
Table 18.3. Common failure patterns
IssueCauseSolution

Stage transition rejected

You attempted to transition to a stage not in status.validNextStages.

Check status.validNextStages and only transition to an allowed stage.

Specification fields cannot be changed

You attempted to modify spec fields while the CR is not in the Idle stage.

Wait for the current operation to complete and the CR to return to Idle.

Health checks never pass

Cluster health blockers are preventing progress.

Investigate cluster health issues.

Post-pivot phase failed

An error occurred during network configuration or certificate regeneration.

Review the post-pivot service logs. If auto-rollback is enabled, the node automatically reverts. Otherwise, manually trigger rollback by setting spec.stage: Rollback.

Pods not receiving new IP family

Pre-existing pods might not automatically receive an IP address from the new family because of CNI behavior.

Delete and re-create the affected pods to obtain addresses from the new IP family.

Configuration stuck in disconnected environment

The Lifecycle Agent or recert container might be attempting to pull images not available in the disconnected registry.

Ensure all required images are mirrored to your disconnected registry before starting. Verify the lca.openshift.io/recert-pull-secret annotation references a valid pull secret.

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Legal Notice

Theme

© 2026 Red HatBack to top