Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 17. Installation configuration

17.1. Customizing nodes
Copy link

Although directly making changes to OpenShift Container Platform nodes is discouraged, there are times when it is necessary to implement a required low-level security, redundancy, networking, or performance feature. Direct changes to OpenShift Container Platform nodes can be done by:

  • Creating machine configs that are included in manifest files to start up a cluster during openshift-install.
  • Creating machine configs that are passed to running OpenShift Container Platform nodes via the Machine Config Operator.
  • Creating an Ignition config that is passed to coreos-installer when installing bare-metal nodes.

The following sections describe features that you might want to configure on your nodes in this way.

17.1.1. Adding day-1 kernel arguments
Copy link

Although it is often preferable to modify kernel arguments as a day-2 activity, you might want to add kernel arguments to all master or worker nodes during initial cluster installation. Here are some reasons you might want to add kernel arguments during cluster installation so they take effect before the systems first boot up:

  • You want to disable a feature, such as SELinux, so it has no impact on the systems when they first come up.
Warning

Disabling SELinux on RHCOS is not supported.

  • You need to do some low-level network configuration before the systems start.

To add kernel arguments to master or worker nodes, you can create a MachineConfig object and inject that object into the set of manifest files used by Ignition during cluster setup.

For a listing of arguments you can pass to a RHEL 8 kernel at boot time, see Kernel.org kernel parameters. It is best to only add kernel arguments with this procedure if they are needed to complete the initial OpenShift Container Platform installation.

Procedure

  1. Change to the directory that contains the installation program and generate the Kubernetes manifests for the cluster: 

    $ ./openshift-install create manifests --dir <installation_directory>
    Copy to Clipboard Toggle word wrap
  2. Decide if you want to add kernel arguments to worker or control plane nodes (also known as the master nodes).

  3. In the openshift directory, create a file (for example, 99-openshift-machineconfig-master-kargs.yaml) to define a MachineConfig object to add the kernel settings. This example adds a loglevel=7 kernel argument to control plane nodes: 

    $ cat << EOF > 99-openshift-machineconfig-master-kargs.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 99-openshift-machineconfig-master-kargs
spec:
  kernelArguments:
    - loglevel=7
EOF
    Copy to Clipboard Toggle word wrap

    You can change master to worker to add kernel arguments to worker nodes instead. Create a separate YAML file to add to both master and worker nodes.

You can now continue on to create the cluster.

17.1.2. Adding kernel modules to nodes
Copy link

For most common hardware, the Linux kernel includes the device driver modules needed to use that hardware when the computer starts up. For some hardware, however, modules are not available in Linux. Therefore, you must find a way to provide those modules to each host computer. This procedure describes how to do that for nodes in an OpenShift Container Platform cluster.

When a kernel module is first deployed by following these instructions, the module is made available for the current kernel. If a new kernel is installed, the kmods-via-containers software will rebuild and deploy the module so a compatible version of that module is available with the new kernel.

The way that this feature is able to keep the module up to date on each node is by:

  • Adding a systemd service to each node that starts at boot time to detect if a new kernel has been installed and
  • If a new kernel is detected, the service rebuilds the module and installs it to the kernel

For information on the software needed for this procedure, see the kmods-via-containers github site.

A few important issues to keep in mind:

  • This procedure is Technology Preview.
  • Software tools and examples are not yet available in official RPM form and can only be obtained for now from unofficial github.com sites noted in the procedure.
  • Third-party kernel modules you might add through these procedures are not supported by Red Hat.
  • In this procedure, the software needed to build your kernel modules is deployed in a RHEL 8 container. Keep in mind that modules are rebuilt automatically on each node when that node gets a new kernel. For that reason, each node needs access to a yum repository that contains the kernel and related packages needed to rebuild the module. That content is best provided with a valid RHEL subscription.

Before deploying kernel modules to your OpenShift Container Platform cluster, you can test the process on a separate RHEL system. Gather the kernel module’s source code, the KVC framework, and the kmod-via-containers software. Then build and test the module. To do that on a RHEL 8 system, do the following:

Procedure

  1. Register a RHEL 8 system: 

    # subscription-manager register
    Copy to Clipboard Toggle word wrap

  2. Attach a subscription to the RHEL 8 system: 

    # subscription-manager attach --auto
    Copy to Clipboard Toggle word wrap

  3. Install software that is required to build the software and container: 

    # yum install podman make git -y
    Copy to Clipboard Toggle word wrap

  4. Clone the kmod-via-containers repository:

    1. Create a folder for the repository: 

      $ mkdir kmods; cd kmods
      Copy to Clipboard Toggle word wrap

    2. Clone the repository: 

      $ git clone https://github.com/kmods-via-containers/kmods-via-containers
      Copy to Clipboard Toggle word wrap

  5. Install a KVC framework instance on your RHEL 8 build host to test the module. This adds a kmods-via-container systemd service and loads it:

    1. Change to the kmod-via-containers directory: 

      $ cd kmods-via-containers/
      Copy to Clipboard Toggle word wrap

    2. Install the KVC framework instance: 

      $ sudo make install
      Copy to Clipboard Toggle word wrap

    3. Reload the systemd manager configuration: 

      $ sudo systemctl daemon-reload
      Copy to Clipboard Toggle word wrap

  6. Get the kernel module source code. The source code might be used to build a third-party module that you do not have control over, but is supplied by others. You will need content similar to the content shown in the kvc-simple-kmod example that can be cloned to your system as follows: 

    $ cd .. ; git clone https://github.com/kmods-via-containers/kvc-simple-kmod
    Copy to Clipboard Toggle word wrap

  7. Edit the configuration file, simple-kmod.conf file, in this example, and change the name of the Dockerfile to Dockerfile.rhel:

    1. Change to the kvc-simple-kmod directory: 

      $ cd kvc-simple-kmod
      Copy to Clipboard Toggle word wrap

    2. Rename the Dockerfile: 

      $ cat simple-kmod.conf
      Copy to Clipboard Toggle word wrap

      Example Dockerfile

      KMOD_CONTAINER_BUILD_CONTEXT="https://github.com/kmods-via-containers/kvc-simple-kmod.git"
KMOD_CONTAINER_BUILD_FILE=Dockerfile.rhel
KMOD_SOFTWARE_VERSION=dd1a7d4
KMOD_NAMES="simple-kmod simple-procfs-kmod"
      Copy to Clipboard Toggle word wrap

  8. Create an instance of kmods-via-containers@.service for your kernel module, simple-kmod in this example: 

    $ sudo make install
    Copy to Clipboard Toggle word wrap

  9. Enable the kmods-via-containers@.service instance: 

    $ sudo kmods-via-containers build simple-kmod $(uname -r)
    Copy to Clipboard Toggle word wrap

  10. Enable and start the systemd service: 

    $ sudo systemctl enable kmods-via-containers@simple-kmod.service --now
    Copy to Clipboard Toggle word wrap

    1. Review the service status: 

      $ sudo systemctl status kmods-via-containers@simple-kmod.service
      Copy to Clipboard Toggle word wrap

      Example output

      ● kmods-via-containers@simple-kmod.service - Kmods Via Containers - simple-kmod
   Loaded: loaded (/etc/systemd/system/kmods-via-containers@.service;
          enabled; vendor preset: disabled)
   Active: active (exited) since Sun 2020-01-12 23:49:49 EST; 5s ago...
      Copy to Clipboard Toggle word wrap

  11. To confirm that the kernel modules are loaded, use the lsmod command to list the modules: 

    $ lsmod | grep simple_
    Copy to Clipboard Toggle word wrap

    Example output

    simple_procfs_kmod     16384  0
simple_kmod            16384  0
    Copy to Clipboard Toggle word wrap

  12. Optional. Use other methods to check that the simple-kmod example is working:

    • Look for a "Hello world" message in the kernel ring buffer with dmesg: 

      $ dmesg | grep 'Hello world'
      Copy to Clipboard Toggle word wrap

      Example output

      [ 6420.761332] Hello world from simple_kmod.
      Copy to Clipboard Toggle word wrap

    • Check the value of simple-procfs-kmod in /proc: 

      $ sudo cat /proc/simple-procfs-kmod
      Copy to Clipboard Toggle word wrap

      Example output

      simple-procfs-kmod number = 0
      Copy to Clipboard Toggle word wrap

    • Run the spkut command to get more information from the module: 

      $ sudo spkut 44
      Copy to Clipboard Toggle word wrap

      Example output

      KVC: wrapper simple-kmod for 4.18.0-147.3.1.el8_1.x86_64
Running userspace wrapper using the kernel module container...
+ podman run -i --rm --privileged
   simple-kmod-dd1a7d4:4.18.0-147.3.1.el8_1.x86_64 spkut 44
simple-procfs-kmod number = 0
simple-procfs-kmod number = 44
      Copy to Clipboard Toggle word wrap

Going forward, when the system boots this service will check if a new kernel is running. If there is a new kernel, the service builds a new version of the kernel module and then loads it. If the module is already built, it will just load it.

Depending on whether or not you must have the kernel module in place when OpenShift Container Platform cluster first boots, you can set up the kernel modules to be deployed in one of two ways:

  • Provision kernel modules at cluster install time (day-1): You can create the content as a MachineConfig object and provide it to openshift-install by including it with a set of manifest files.
  • Provision kernel modules via Machine Config Operator (day-2): If you can wait until the cluster is up and running to add your kernel module, you can deploy the kernel module software via the Machine Config Operator (MCO).

In either case, each node needs to be able to get the kernel packages and related software packages at the time that a new kernel is detected. There are a few ways you can set up each node to be able to obtain that content.

  • Provide RHEL entitlements to each node.
  • Get RHEL entitlements from an existing RHEL host, from the /etc/pki/entitlement directory and copy them to the same location as the other files you provide when you build your Ignition config.
  • Inside the Dockerfile, add pointers to a yum repository containing the kernel and other packages. This must include new kernel packages as they are needed to match newly installed kernels.

By packaging kernel module software with a MachineConfig object, you can deliver that software to worker or master nodes at installation time or via the Machine Config Operator.

First create a base Ignition config that you would like to use. At installation time, the Ignition config will contain the ssh public key to add to the authorized_keys file for the core user on the cluster. To add the MachineConfig object later via the MCO instead, the SSH public key is not required. For both type, the example simple-kmod service creates a systemd unit file, which requires a kmods-via-containers@simple-kmod.service.

Note

The systemd unit is a workaround for an upstream bug and makes sure that the kmods-via-containers@simple-kmod.service gets started on boot:

  1. Register a RHEL 8 system: 

    # subscription-manager register
    Copy to Clipboard Toggle word wrap

  2. Attach a subscription to the RHEL 8 system: 

    # subscription-manager attach --auto
    Copy to Clipboard Toggle word wrap

  3. Install software needed to build the software: 

    # yum install podman make git -y
    Copy to Clipboard Toggle word wrap

  4. Create an Ignition config file that creates a systemd unit file:

    1. Create a directory to host the Ignition config file: 

      $ mkdir kmods; cd kmods
      Copy to Clipboard Toggle word wrap

    2. Create the Ignition config file that creates a systemd unit file: 

      $ cat <<EOF > ./baseconfig.ign
{
  "ignition": { "version": "3.2.0" },
  "passwd": {
    "users": [
      {
        "name": "core",
        "groups": ["sudo"],
        "sshAuthorizedKeys": [
          "ssh-rsa AAAA"
        ]
      }
    ]
  },
  "systemd": {
    "units": [{
      "name": "require-kvc-simple-kmod.service",
      "enabled": true,
      "contents": "[Unit]\nRequires=kmods-via-containers@simple-kmod.service\n[Service]\nType=oneshot\nExecStart=/usr/bin/true\n\n[Install]\nWantedBy=multi-user.target"
    }]
  }
}
EOF
      Copy to Clipboard Toggle word wrap
      Note

      You must add your public SSH key to the baseconfig.ign file to use the file during openshift-install. The public SSH key is not needed if you create the MachineConfig object using the MCO.

  5. Create a base MCO YAML snippet that uses the following configuration: 

    $ cat <<EOF > mc-base.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 10-kvc-simple-kmod
spec:
  config:
EOF
    Copy to Clipboard Toggle word wrap
    Note

    The mc-base.yaml is set to deploy the kernel module on worker nodes. To deploy on master nodes, change the role from worker to master. To do both, you could repeat the whole procedure using different file names for the two types of deployments.

  6. Get the kmods-via-containers software:

    1. Clone the kmods-via-containers repository: 

      $ git clone https://github.com/kmods-via-containers/kmods-via-containers
      Copy to Clipboard Toggle word wrap

    2. Clone the kvc-simple-kmod repository: 

      $ git clone https://github.com/kmods-via-containers/kvc-simple-kmod
      Copy to Clipboard Toggle word wrap
  7. Get your module software. In this example, kvc-simple-kmod is used:

  8. Create a fakeroot directory and populate it with files that you want to deliver via Ignition, using the repositories cloned earlier:

    1. Create the directory: 

      $ FAKEROOT=$(mktemp -d)
      Copy to Clipboard Toggle word wrap

    2. Change to the kmod-via-containers directory: 

      $ cd kmods-via-containers
      Copy to Clipboard Toggle word wrap

    3. Install the KVC framework instance: 

      $ make install DESTDIR=${FAKEROOT}/usr/local CONFDIR=${FAKEROOT}/etc/
      Copy to Clipboard Toggle word wrap

    4. Change to the kvc-simple-kmod directory: 

      $ cd ../kvc-simple-kmod
      Copy to Clipboard Toggle word wrap

    5. Create the instance: 

      $ make install DESTDIR=${FAKEROOT}/usr/local CONFDIR=${FAKEROOT}/etc/
      Copy to Clipboard Toggle word wrap

  9. Get a tool called filetranspiler and dependent software: 

    $ cd .. ; sudo yum install -y python3
git clone https://github.com/ashcrow/filetranspiler.git
    Copy to Clipboard Toggle word wrap

  10. Generate a final machine config YAML (mc.yaml) and have it include the base Ignition config, base machine config, and the fakeroot directory with files you would like to deliver: 

    $ ./filetranspiler/filetranspile -i ./baseconfig.ign \
     -f ${FAKEROOT} --format=yaml --dereference-symlinks \
     | sed 's/^/     /' | (cat mc-base.yaml -) > 99-simple-kmod.yaml
    Copy to Clipboard Toggle word wrap

  11. If the cluster is not up yet, generate manifest files and add this file to the openshift directory. If the cluster is already running, apply the file as follows: 

    $ oc create -f 99-simple-kmod.yaml
    Copy to Clipboard Toggle word wrap

    Your nodes will start the kmods-via-containers@simple-kmod.service service and the kernel modules will be loaded.

  12. To confirm that the kernel modules are loaded, you can log in to a node (using oc debug node/<openshift-node>, then chroot /host). To list the modules, use the lsmod command: 

    $ lsmod | grep simple_
    Copy to Clipboard Toggle word wrap

    Example output

    simple_procfs_kmod     16384  0
simple_kmod            16384  0
    Copy to Clipboard Toggle word wrap

17.1.3. Encrypting disks during installation
Copy link

You can enable encryption for the boot disks on the control plane and compute nodes at installation time. OpenShift Container Platform supports the Trusted Platform Module (TPM) v2 and Tang encryption modes.

  • TPM v2: This is the preferred mode. TPM v2 stores passphrases in a secure cryptoprocessor contained within a server. You can use this mode to prevent the boot disk data on a cluster node from being decrypted if the disk is removed from the server.
  • Tang: Tang and Clevis are server and client components that enable network-bound disk encryption (NBDE). You can bind the boot disk data on your cluster nodes to a Tang server. This prevents the data from being decrypted unless the nodes are on a secure network where the Tang server can be accessed. Clevis is an automated decryption framework that is used to implement the decryption on the client side.
Important

The use of Tang encryption mode to encrypt your disks is only supported for bare metal and vSphere installations on user-provisioned infrastructure.

When the TPM v2 or Tang encryption modes are enabled, the RHCOS boot disks are encrypted using the LUKS2 format.

This feature:

  • Is available for installer-provisioned infrastructure and user-provisioned infrastructure deployments
  • Is supported on Red Hat Enterprise Linux CoreOS (RHCOS) systems only
  • Sets up disk encryption during the manifest installation phase so all data written to disk, from first boot forward, is encrypted
  • Requires no user intervention for providing passphrases
  • Uses AES-256-CBC encryption

Follow one of the two procedures to enable disk encryption for the nodes in your cluster.

17.1.3.1. Enabling TPM v2 disk encryption
Copy link

Use the following procedure to enable TPM v2 mode disk encryption during an OpenShift Container Platform installation.

Note

On previous versions of RHCOS, disk encryption was configured by specifying /etc/clevis.json in the Ignition config. That file is not supported in clusters created with OpenShift Container Platform 4.7 or above, and the LUKS device should be configured directly via the Ignition luks section.

Prerequisites

  • You have downloaded the OpenShift Container Platform installation program on your installation node.

Procedure

  1. Check to see if TPM v2 encryption needs to be enabled in the BIOS on each node. This is required on most Dell systems. Check the manual for your computer.

  2. On your installation node, change to the directory that contains the installation program and generate the Kubernetes manifests for the cluster: 

    $ ./openshift-install create manifests --dir <installation_directory>
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <installation_directory> with the path to the directory that you want to store the installation files in.

  3. Create machine config files to encrypt the boot disks for the control plane or compute nodes using the TPM v2 encryption mode.

    Important

    If you are also configuring boot disk mirroring on the affected nodes, skip this step. You will configure disk encryption when configuring boot disk mirroring.

    • To configure encryption on the control plane nodes, save the following machine config sample to a file in the <installation_directory>/openshift directory. For example, name the file 99-openshift-master-tpmv2-encryption.yaml: 

      apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: master-tpm
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      luks:
        - name: root
          device: /dev/disk/by-partlabel/root
          clevis:
            tpm2: true
      1 
      
          options: [--cipher, aes-cbc-essiv:sha256]
          wipeVolume: true
      filesystems:
        - device: /dev/mapper/root
          format: xfs
          wipeFilesystem: true
          label: root
      Copy to Clipboard Toggle word wrap
      1
      Set this attribute to true to use a Trusted Platform Module (TPM) secure cryptoprocessor to encrypt the root file system.

    • To configure encryption on the compute nodes, save the following machine config sample to a file in the <installation_directory>/openshift directory. For example, name the file 99-openshift-worker-tpmv2-encryption.yaml: 

      apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: worker-tpm
  labels:
    machineconfiguration.openshift.io/role: worker
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      luks:
        - name: root
          device: /dev/disk/by-partlabel/root
          clevis:
            tpm2: true
      1 
      
          options: [--cipher, aes-cbc-essiv:sha256]
          wipeVolume: true
      filesystems:
        - device: /dev/mapper/root
          format: xfs
          wipeFilesystem: true
          label: root
      Copy to Clipboard Toggle word wrap
      1
      Set this attribute to true to use a Trusted Platform Module (TPM) secure cryptoprocessor to encrypt the root file system.
  4. Create a backup copy of the YAML files. The original YAML files are consumed when you create the Ignition config files.
  5. Continue with the remainder of the OpenShift Container Platform deployment.
Important

If you configure additional data partitions, they will not be encrypted unless encryption is explicitly requested.

17.1.3.2. Enabling Tang disk encryption
Copy link

Use the following procedure to enable Tang mode disk encryption during an OpenShift Container Platform installation.

Note

On previous versions of RHCOS, disk encryption was configured by specifying /etc/clevis.json in the Ignition config. That file is not supported in clusters created with OpenShift Container Platform 4.7 or above, and the LUKS device should be configured directly via the Ignition luks section.

Prerequisites

  • You have downloaded the OpenShift Container Platform installation program on your installation node.
  • You have access to a Red Hat Enterprise Linux (RHEL) 8 machine that can be used to generate a thumbprint of the Tang exchange key.

Procedure

  1. Set up a Tang server or access an existing one. See Network-bound disk encryption for instructions.

  2. Add kernel arguments to configure networking when you do the Red Hat Enterprise Linux CoreOS (RHCOS) installations for your cluster. For example, to configure DHCP networking, identify ip=dhcp, or set static networking when you add parameters to the kernel command line. For both DHCP and static networking, you also must provide the rd.neednet=1 kernel argument.

    Important

    Skipping this step causes the second boot to fail.

  1. Install the clevis package on a RHEL 8 machine, if it is not already installed: 

    $ sudo yum install clevis
    Copy to Clipboard Toggle word wrap

  1. On the RHEL 8 machine, run the following command to generate a thumbprint of the exchange key. Replace http://tang.example.com:7500 with the URL of your Tang server: 

    $ clevis-encrypt-tang '{"url":"http://tang.example.com:7500"}' < /dev/null > /dev/null
    1
    Copy to Clipboard Toggle word wrap
    1
    In this example, tangd.socket is listening on port 7500 on the Tang server.
    Note

    The clevis-encrypt-tang command is used in this step only to generate a thumbprint of the exchange key. No data is being passed to the command for encryption at this point, so /dev/null is provided as an input instead of plain text. The encrypted output is also sent to /dev/null, because it is not required for this procedure.

    Example output

    The advertisement contains the following signing keys:

PLjNyRdGw03zlRoGjQYMahSZGu9
    1
    Copy to Clipboard Toggle word wrap

    1
    The thumbprint of the exchange key.

    When the Do you wish to trust these keys? [ynYN] prompt displays, type Y.

    Note

    RHEL 8 provides Clevis version 15, which uses the SHA-1 hash algorithm to generate thumbprints. Some other distributions provide Clevis version 17 or later, which use the SHA-256 hash algorithm for thumbprints. You must use a Clevis version that uses SHA-1 to create the thumbprint, to prevent Clevis binding issues when you install Red Hat Enterprise Linux CoreOS (RHCOS) on your OpenShift Container Platform cluster nodes.

  2. If you have not yet generated the Kubernetes manifests, change to the directory that contains the installation program on your installation node and create them: 

    $ ./openshift-install create manifests --dir <installation_directory>
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace <installation_directory> with the path to the directory that you want to store the installation files in.

  3. Create machine config files to encrypt the boot disks for the control plane or compute nodes using the Tang encryption mode.

    Important

    If you are also configuring boot disk mirroring on the affected nodes, record the exchange key thumbprint for later use, and skip this step. You will configure disk encryption when configuring boot disk mirroring.

    • To configure encryption on the control plane nodes, save the following machine config sample to a file in the <installation_directory>/openshift directory. For example, name the file 99-openshift-master-tang-encryption.yaml: 

      apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: master-tang
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      luks:
        - name: root
          device: /dev/disk/by-partlabel/root
          clevis:
            tang:
              - url: http://tang.example.com:7500
      1 
      
                thumbprint: PLjNyRdGw03zlRoGjQYMahSZGu9
      2 
      
          options: [--cipher, aes-cbc-essiv:sha256]
          wipeVolume: true
      filesystems:
        - device: /dev/mapper/root
          format: xfs
          wipeFilesystem: true
          label: root
  kernelArguments:
    - rd.neednet=1
      3
      Copy to Clipboard Toggle word wrap
      1
      Specify the URL of a Tang server. In this example, tangd.socket is listening on port 7500 on the Tang server.
      2
      Specify the exchange key thumbprint, which was generated in a preceding step.
      3
      Add the rd.neednet=1 kernel argument to bring the network up in the initramfs. This argument is required.

    • To configure encryption on the compute nodes, save the following machine config sample to a file in the <installation_directory>/openshift directory. For example, name the file 99-openshift-worker-tang-encryption.yaml: 

      apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: worker-tang
  labels:
    machineconfiguration.openshift.io/role: worker
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      luks:
        - name: root
          device: /dev/disk/by-partlabel/root
          clevis:
            tang:
              - url: http://tang.example.com:7500
      1 
      
                thumbprint: PLjNyRdGw03zlRoGjQYMahSZGu9
      2 
      
          options: [--cipher, aes-cbc-essiv:sha256]
          wipeVolume: true
      filesystems:
        - device: /dev/mapper/root
          format: xfs
          wipeFilesystem: true
          label: root
  kernelArguments:
    - rd.neednet=1
      3
      Copy to Clipboard Toggle word wrap
      1
      Specify the URL of a Tang server. In this example, tangd.socket is listening on port 7500 on the Tang server.
      2
      Specify the exchange key thumbprint, which was generated in a preceding step.
      3
      Add the rd.neednet=1 kernel argument to bring the network up in the initramfs. This argument is required.
  4. Create a backup copy of the YAML files. The original YAML files are consumed when you create the Ignition config files.
  5. Continue with the remainder of the OpenShift Container Platform installation.
Important

If you configure additional data partitions, they will not be encrypted unless encryption is explicitly requested.

17.1.4. Mirroring disks during installation
Copy link

During OpenShift Container Platform installation on control plane and compute nodes, you can enable mirroring of the boot disk to two or more redundant storage devices. A node continues to function after storage device failure as long as one device remains available.

Mirroring does not support replacement of a failed disk. To restore the mirror to a pristine, non-degraded state, reprovision the node.

Important

Mirroring is available only for user-provisioned infrastructure deployments on Red Hat Enterprise Linux CoreOS (RHCOS) systems. Mirroring support is available on x86_64 nodes booted with BIOS or UEFI and on ppc64le nodes.

Procedure

To enable boot disk mirroring during OpenShift Container Platform deployment:

  1. Follow the bare metal install procedure up to the point where you created Ignition configs for your installation.

    For example, you should have entered the following command: 

    $ openshift-install create ignition-configs --dir $HOME/clusterconfig
    Copy to Clipboard Toggle word wrap

  2. Verify that the Ignition config files were created: 

    $ ls $HOME/clusterconfig/
    Copy to Clipboard Toggle word wrap

    Example output

    auth  bootstrap.ign  master.ign  metadata.json  worker.ign
    Copy to Clipboard Toggle word wrap

  3. Create a RHCOS Config (RCC) with a reference to your master.ign or worker.ign config, depending on the type of node you are configuring. The RCC must specify the devices to be used for boot disk mirroring. If you want LUKS encryption on the mirrored root filesystem, you must configure it in this RCC.

    The following RCC example demonstrates how to create $HOME/clusterconfig/worker-raid.rcc:

    RCC example

    variant: rhcos
version: 0.1.0
ignition:
  config:
    merge:
      - local: worker.ign
    1 
    
boot_device:
  mirror:
    devices:
    2 
    
      - /dev/sda
      - /dev/sdb
  luks:
    3 
    
    tpm2: true
    4 
    
    tang:
    5 
    
      - url: http://tang.example.com:7500
        thumbprint: <tang_thumbprint>
storage:
    6 
    
  luks:
    - name: root
      options: [--cipher, aes-cbc-essiv:sha256]
    Copy to Clipboard Toggle word wrap

    1
    Use the name of the Ignition config for your node type.
    2
    List all disk devices that should be included in the boot disk mirror, including the disk that RHCOS will be installed onto.
    3
    Include this section if you want to encrypt the root filesystem. See "Encrypting disks during installation" for more details.
    4
    Include this field if you want to use a Trusted Platform Module (TPM) to encrypt the root filesystem. See "Enabling TPM v2 disk encryption" for more details.
    5
    Include this section if you want to use a Tang server. To obtain the server URL and thumbprint, follow the instructions in "Enabling Tang disk encryption".
    6
    Include this section if you want to encrypt the root filesystem.

  4. Run the Fedora CoreOS Config Transpiler (FCCT) tool to merge your RCC, such as worker-raid.rcc, with the Ignition config specified in the RCC that you created in the previous step: 

    $ podman run --pull=always --rm --volume $HOME/clusterconfig:/pwd --workdir /pwd \
    quay.io/coreos/fcct:release --files-dir . worker-raid.rcc --output worker-raid.ign
    Copy to Clipboard Toggle word wrap

    This command produces a combined Ignition config in $HOME/clusterconfig/worker-raid.ign.

  5. Continue with the remainder of the OpenShift Container Platform deployment, using the combined Ignition config to provision nodes.

17.1.4.1. Configuring a RAID-enabled data volume
Copy link

You can enable software RAID partitioning to provide an external data volume.

Procedure

  • Create a machine config in the <installation_directory>/openshift directory that configures a data volume by using software RAID. In this example, it is called raid1-alt-storage.yaml:

    Sample RAID 1 on secondary disks configuration file

    apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: raid1-alt-storage
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      disks:
      - device: /dev/sdc
        partitions:
        - label: data-1
        wipeTable: true
      - device: /dev/sdd
        partitions:
        - label: data-2
        wipeTable: true
      filesystems:
      - device: /dev/md/md-data
        format: xfs
        path: /var/lib/containers
        wipeFilesystem: true
      raid:
      - devices:
        - /dev/disk/by-partlabel/data-1
        - /dev/disk/by-partlabel/data-2
        level: raid1
        name: md-data
    systemd:
      units:
      - contents: |-
          [Unit]
          Before=local-fs.target
          Requires=systemd-fsck@dev-md-md\x2ddata.service
          After=systemd-fsck@dev-md-md\x2ddata.service

          [Mount]
          Where=/var/lib/containers
          What=/dev/md/md-data
          Type=xfs

          [Install]
          RequiredBy=local-fs.target
        enabled: true
        name: var-lib-containers.mount
    1
    Copy to Clipboard Toggle word wrap

    1
    If you choose a different mount point, you must update the unit name to correspond to your mount point. Otherwise the unit will not activate. You can generate a matching unit name with echo $(systemd-escape -p $mountpoint).mount where $mountpoint is your chosen mount point.

17.1.5. Configuring chrony time service
Copy link

You can set the time server and related settings used by the chrony time service (chronyd) by modifying the contents of the chrony.conf file and passing those contents to your nodes as a machine config.

Procedure

  1. Create the contents of the chrony.conf file and encode it as base64. For example: 

    $ cat << EOF | base64
    pool 0.rhel.pool.ntp.org iburst
    1 
    
    driftfile /var/lib/chrony/drift
    makestep 1.0 3
    rtcsync
    logdir /var/log/chrony
EOF
    Copy to Clipboard Toggle word wrap
    1
    Specify any valid, reachable time source, such as the one provided by your DHCP server. Alternately, you can specify any of the following NTP servers: 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, or 3.rhel.pool.ntp.org.

    Example output

    ICAgIHNlcnZlciBjbG9jay5yZWRoYXQuY29tIGlidXJzdAogICAgZHJpZnRmaWxlIC92YXIvbGli
L2Nocm9ueS9kcmlmdAogICAgbWFrZXN0ZXAgMS4wIDMKICAgIHJ0Y3N5bmMKICAgIGxvZ2RpciAv
dmFyL2xvZy9jaHJvbnkK
    Copy to Clipboard Toggle word wrap

  2. Create the MachineConfig object file, replacing the base64 string with the one you just created. This example adds the file to master nodes. You can change it to worker or make an additional MachineConfig for the worker role. Create MachineConfig files for each type of machine that your cluster uses: 

    $ cat << EOF > ./99-masters-chrony-configuration.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 99-masters-chrony-configuration
spec:
  config:
    ignition:
      config: {}
      security:
        tls: {}
      timeouts: {}
      version: 3.2.0
    networkd: {}
    passwd: {}
    storage:
      files:
      - contents:
          source: data:text/plain;charset=utf-8;base64,ICAgIHNlcnZlciBjbG9jay5yZWRoYXQuY29tIGlidXJzdAogICAgZHJpZnRmaWxlIC92YXIvbGliL2Nocm9ueS9kcmlmdAogICAgbWFrZXN0ZXAgMS4wIDMKICAgIHJ0Y3N5bmMKICAgIGxvZ2RpciAvdmFyL2xvZy9jaHJvbnkK
        mode: 420
    1 
    
        overwrite: true
        path: /etc/chrony.conf
  osImageURL: ""
EOF
    Copy to Clipboard Toggle word wrap
    1
    Specify an octal value mode for the mode field in the machine config file. After creating the file and applying the changes, the mode is converted to a decimal value. You can check the YAML file with the command oc get mc <mc-name> -o yaml.
  3. Make a backup copy of the configuration files.

  4. Apply the configurations in one of two ways:

    • If the cluster is not up yet, after you generate manifest files, add this file to the <installation_directory>/openshift directory, and then continue to create the cluster.

    • If the cluster is already running, apply the file: 

       $ oc apply -f ./99-masters-chrony-configuration.yaml
      Copy to Clipboard Toggle word wrap

17.2. Configuring your firewall
Copy link

If you use a firewall, you must configure it so that OpenShift Container Platform can access the sites that it requires to function. You must always grant access to some sites, and you grant access to more if you use Red Hat Insights, the Telemetry service, a cloud to host your cluster, and certain build strategies.

Before you install OpenShift Container Platform, you must configure your firewall to grant access to the sites that OpenShift Container Platform requires.

There are no special configuration considerations for services running on only controller nodes versus worker nodes.

Procedure

  1. Allowlist the following registry URLs:

    Expand
    URLPortFunction

    registry.redhat.io

    443, 80

    Provides core container images

    quay.io

    443, 80

    Provides core container images

    cdn.quay.io

    443, 80

    Provides core container images

    cdn01.quay.io

    443, 80

    Provides core container images

    cdn02.quay.io

    443, 80

    Provides core container images

    cdn03.quay.io

    443, 80

    Provides core container images

    sso.redhat.com

    443, 80

    The https://console.redhat.com/openshift site uses authentication from sso.redhat.com

    You can use the wildcard *.quay.io instead of cdn0[1-3].quay.io in your allowlist. When you add a site, such as quay.io, to your allowlist, do not add a wildcard entry, such as *.quay.io, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, then image downloads are denied when the initial download request is redirected to a hostname such as cdn01.quay.io.

  2. Allowlist any site that provides resources for a language or framework that your builds require.

  3. If you do not disable Telemetry, you must grant access to the following URLs to access Red Hat Insights:

    Expand
    URLPortFunction

    cert-api.access.redhat.com

    443, 80

    Required for Telemetry

    api.access.redhat.com

    443, 80

    Required for Telemetry

    infogw.api.openshift.com

    443, 80

    Required for Telemetry

    console.redhat.com/api/ingress

    443, 80

    Required for Telemetry and for insights-operator

  4. If you use Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:

    Expand
    CloudURLPortFunction

    AWS

    *.amazonaws.com

    443, 80

    Required to access AWS services and resources. Review the AWS Service Endpoints in the AWS documentation to determine the exact endpoints to allow for the regions that you use.

    GCP

    *.googleapis.com

    443, 80

    Required to access GCP services and resources. Review Cloud Endpoints in the GCP documentation to determine the endpoints to allow for your APIs.

    accounts.google.com

    443, 80

    Required to access your GCP account.

    Azure

    management.azure.com

    443, 80

    Required to access Azure services and resources. Review the Azure REST API reference in the Azure documentation to determine the endpoints to allow for your APIs.

    *.blob.core.windows.net

    443, 80

    Required to download Ignition files.

    login.microsoftonline.com

    443, 80

    Required to access Azure services and resources. Review the Azure REST API reference in the Azure documentation to determine the endpoints to allow for your APIs.

  5. Allowlist the following URLs:

    Expand
    URLPortFunction

    mirror.openshift.com

    443, 80

    Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source.

    storage.googleapis.com/openshift-release

    443, 80

    A source of release image signatures, although the Cluster Version Operator needs only a single functioning source.

    *.apps.<cluster_name>.<base_domain>

    443, 80

    Required to access the default cluster routes unless you set an ingress wildcard during installation.

    quayio-production-s3.s3.amazonaws.com

    443, 80

    Required to access Quay image content in AWS.

    api.openshift.com

    443, 80

    Required both for your cluster token and to check if updates are available for the cluster.

    rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com,
    rhcos.mirror.openshift.com

    443, 80

    Required to download Red Hat Enterprise Linux CoreOS (RHCOS) images.

    console.redhat.com/openshift

    443, 80

    Required for your cluster token.

    registry.access.redhat.com

    443, 80

    Required for odo CLI.

    sso.redhat.com

    443, 80

    The https://console.redhat.com/openshift site uses authentication from sso.redhat.com

    Operators require route access to perform health checks. Specifically, the authentication and web console Operators connect to two routes to verify that the routes work. If you are the cluster administrator and do not want to allow *.apps.<cluster_name>.<base_domain>, then allow these routes:

    • oauth-openshift.apps.<cluster_name>.<base_domain>
    • console-openshift-console.apps.<cluster_name>.<base_domain>, or the hostname that is specified in the spec.route.hostname field of the consoles.operator/cluster object if the field is not empty.

  6. Allowlist the following URLs for optional third-party content:

    Expand
    URLPortFunction

    registry.connect.redhat.com

    443, 80

    Required for all third-party images and certified operators.

    rhc4tp-prod-z8cxf-image-registry-us-east-1-evenkyleffocxqvofrk.s3.dualstack.us-east-1.amazonaws.com

    443, 80

    Provides access to container images hosted on registry.connect.redhat.com

    oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com

    443, 80

    Required for Sonatype Nexus, F5 Big IP operators.

  7. If you use a default Red Hat Network Time Protocol (NTP) server allow the following URLs:

    • 1.rhel.pool.ntp.org
    • 2.rhel.pool.ntp.org
    • 3.rhel.pool.ntp.org
Note

If you do not use a default Red Hat NTP server, verify the NTP server for your platform and allow it in your firewall.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat