Red Hat Summit Red Hat SummitApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

Chapter 17. Installation configuration

17.1. Customizing nodes
Copiar enlace

Although directly making changes to OpenShift Container Platform nodes is discouraged, there are times when it is necessary to implement a required low-level security, redundancy, networking, or performance feature. Direct changes to OpenShift Container Platform nodes can be done by:

  • Creating machine configs that are included in manifest files to start up a cluster during 
    openshift-install
    .
  • Creating machine configs that are passed to running OpenShift Container Platform nodes via the Machine Config Operator.
  • Creating an Ignition config that is passed to 
    coreos-installer
    when installing bare-metal nodes.

The following sections describe features that you might want to configure on your nodes in this way.

17.1.1. Creating machine configs with Butane
Copiar enlace

Machine configs are used to configure control plane and worker machines by instructing machines how to create users and file systems, set up the network, install systemd units, and more.

Because modifying machine configs can be difficult, you can use Butane configs to create machine configs for you, thereby making node configuration much easier.

17.1.1.1. About Butane
Copiar enlace

Butane is a command-line utility that OpenShift Container Platform uses to provide convenient, short-hand syntax for writing machine configs, as well as for performing additional validation of machine configs. The format of the Butane config file that Butane accepts is defined in the OpenShift Butane config spec.

17.1.1.2. Installing Butane
Copiar enlace

You can install the Butane tool (

butane
) to create OpenShift Container Platform machine configs from a command-line interface. You can install 
butane
on Linux, Windows, or macOS by downloading the corresponding binary file.

Tip

Butane releases are backwards-compatible with older releases and with the Fedora CoreOS Config Transpiler (FCCT).

Procedure

  1. Navigate to the Butane image download page at https://mirror.openshift.com/pub/openshift-v4/clients/butane/.

  2. Get the 

    butane
    binary:

    1. For the newest version of Butane, save the latest 

      butane
      image to your current directory: 

      $ curl https://mirror.openshift.com/pub/openshift-v4/clients/butane/latest/butane --output butane

    2. Optional: For a specific type of architecture you are installing Butane on, such as aarch64 or ppc64le, indicate the appropriate URL. For example: 

      $ curl https://mirror.openshift.com/pub/openshift-v4/clients/butane/latest/butane-aarch64 --output butane

  3. Make the downloaded binary file executable: 

    $ chmod +x butane

  4. Move the 

    butane
    binary file to a directory on your 
    PATH
    .

    To check your 

    PATH
    , open a terminal and execute the following command: 

    $ echo $PATH

Verification steps

  • You can now use the Butane tool by running the 

    butane
    command: 

    $ butane <butane_file>

17.1.1.3. Creating a MachineConfig object by using Butane
Copiar enlace

You can use Butane to produce a 

MachineConfig
object so that you can configure worker or control plane nodes at installation time or via the Machine Config Operator.

Prerequisites

  • You have installed the 
    butane
    utility.

Procedure

  1. Create a Butane config file. The following example creates a file named 

    99-worker-custom.bu
    that configures the system console to show kernel debug messages and specifies custom settings for the chrony time service: 

    variant: openshift
version: 4.8.0
metadata:
  name: 99-worker-custom
  labels:
    machineconfiguration.openshift.io/role: worker
openshift:
  kernel_arguments:
    - loglevel=7
storage:
  files:
    - path: /etc/chrony.conf
      mode: 0644
      overwrite: true
      contents:
        inline: |
          pool 0.rhel.pool.ntp.org iburst
          driftfile /var/lib/chrony/drift
          makestep 1.0 3
          rtcsync
          logdir /var/log/chrony
    Note

    The 

    99-worker-custom.bu
    file is set to create a machine config for worker nodes. To deploy on control plane nodes, change the role from 
    worker
    to 
    master
    . To do both, you could repeat the whole procedure using different file names for the two types of deployments.

  2. Create a 

    MachineConfig
    object by giving Butane the file that you created in the previous step: 

    $ butane 99-worker-custom.bu -o ./99-worker-custom.yaml

    A 

    MachineConfig
    object YAML file is created for you to finish configuring your machines.

  3. Save the Butane config in case you need to update the 
    MachineConfig
    object in the future.

  4. If the cluster is not running yet, generate manifest files and add the 

    MachineConfig
    object YAML file to the 
    openshift
    directory. If the cluster is already running, apply the file as follows: 

    $ oc create -f 99-worker-custom.yaml

17.1.2. Adding day-1 kernel arguments
Copiar enlace

Although it is often preferable to modify kernel arguments as a day-2 activity, you might want to add kernel arguments to all master or worker nodes during initial cluster installation. Here are some reasons you might want to add kernel arguments during cluster installation so they take effect before the systems first boot up:

  • You want to disable a feature, such as SELinux, so it has no impact on the systems when they first come up.
Warning

Disabling SELinux on RHCOS is not supported.

  • You need to do some low-level network configuration before the systems start.

To add kernel arguments to master or worker nodes, you can create a 

MachineConfig
object and inject that object into the set of manifest files used by Ignition during cluster setup.

For a listing of arguments you can pass to a RHEL 8 kernel at boot time, see Kernel.org kernel parameters. It is best to only add kernel arguments with this procedure if they are needed to complete the initial OpenShift Container Platform installation.

Procedure

  1. Change to the directory that contains the installation program and generate the Kubernetes manifests for the cluster: 

    $ ./openshift-install create manifests --dir <installation_directory>
  2. Decide if you want to add kernel arguments to worker or control plane nodes (also known as the master nodes).

  3. In the 

    openshift
    directory, create a file (for example, 
    99-openshift-machineconfig-master-kargs.yaml
    ) to define a 
    MachineConfig
    object to add the kernel settings. This example adds a 
    loglevel=7
    kernel argument to control plane nodes: 

    $ cat << EOF > 99-openshift-machineconfig-master-kargs.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 99-openshift-machineconfig-master-kargs
spec:
  kernelArguments:
    - loglevel=7
EOF

    You can change 

    master
    to 
    worker
    to add kernel arguments to worker nodes instead. Create a separate YAML file to add to both master and worker nodes.

You can now continue on to create the cluster.

17.1.3. Adding kernel modules to nodes
Copiar enlace

For most common hardware, the Linux kernel includes the device driver modules needed to use that hardware when the computer starts up. For some hardware, however, modules are not available in Linux. Therefore, you must find a way to provide those modules to each host computer. This procedure describes how to do that for nodes in an OpenShift Container Platform cluster.

When a kernel module is first deployed by following these instructions, the module is made available for the current kernel. If a new kernel is installed, the kmods-via-containers software will rebuild and deploy the module so a compatible version of that module is available with the new kernel.

The way that this feature is able to keep the module up to date on each node is by:

  • Adding a systemd service to each node that starts at boot time to detect if a new kernel has been installed and
  • If a new kernel is detected, the service rebuilds the module and installs it to the kernel

For information on the software needed for this procedure, see the kmods-via-containers github site.

A few important issues to keep in mind:

  • This procedure is Technology Preview.
  • Software tools and examples are not yet available in official RPM form and can only be obtained for now from unofficial 
    github.com
    sites noted in the procedure.
  • Third-party kernel modules you might add through these procedures are not supported by Red Hat.
  • In this procedure, the software needed to build your kernel modules is deployed in a RHEL 8 container. Keep in mind that modules are rebuilt automatically on each node when that node gets a new kernel. For that reason, each node needs access to a 
    yum
    repository that contains the kernel and related packages needed to rebuild the module. That content is best provided with a valid RHEL subscription.

17.1.3.1. Building and testing the kernel module container
Copiar enlace

Before deploying kernel modules to your OpenShift Container Platform cluster, you can test the process on a separate RHEL system. Gather the kernel module’s source code, the KVC framework, and the kmod-via-containers software. Then build and test the module. To do that on a RHEL 8 system, do the following:

Procedure

  1. Register a RHEL 8 system: 

    # subscription-manager register

  2. Attach a subscription to the RHEL 8 system: 

    # subscription-manager attach --auto

  3. Install software that is required to build the software and container: 

    # yum install podman make git -y

  4. Clone the 

    kmod-via-containers
    repository:

    1. Create a folder for the repository: 

      $ mkdir kmods; cd kmods

    2. Clone the repository: 

      $ git clone https://github.com/kmods-via-containers/kmods-via-containers

  5. Install a KVC framework instance on your RHEL 8 build host to test the module. This adds a 

    kmods-via-container
    systemd service and loads it:

    1. Change to the 

      kmod-via-containers
      directory: 

      $ cd kmods-via-containers/

    2. Install the KVC framework instance: 

      $ sudo make install

    3. Reload the systemd manager configuration: 

      $ sudo systemctl daemon-reload

  6. Get the kernel module source code. The source code might be used to build a third-party module that you do not have control over, but is supplied by others. You will need content similar to the content shown in the 

    kvc-simple-kmod
    example that can be cloned to your system as follows: 

    $ cd .. ; git clone https://github.com/kmods-via-containers/kvc-simple-kmod

  7. Edit the configuration file, 

    simple-kmod.conf
    file, in this example, and change the name of the Dockerfile to 
    Dockerfile.rhel
    :

    1. Change to the 

      kvc-simple-kmod
      directory: 

      $ cd kvc-simple-kmod

    2. Rename the Dockerfile: 

      $ cat simple-kmod.conf

      Example Dockerfile

      KMOD_CONTAINER_BUILD_CONTEXT="https://github.com/kmods-via-containers/kvc-simple-kmod.git"
KMOD_CONTAINER_BUILD_FILE=Dockerfile.rhel
KMOD_SOFTWARE_VERSION=dd1a7d4
KMOD_NAMES="simple-kmod simple-procfs-kmod"

  8. Create an instance of 

    kmods-via-containers@.service
    for your kernel module, 
    simple-kmod
    in this example: 

    $ sudo make install

  9. Enable the 

    kmods-via-containers@.service
    instance: 

    $ sudo kmods-via-containers build simple-kmod $(uname -r)

  10. Enable and start the systemd service: 

    $ sudo systemctl enable kmods-via-containers@simple-kmod.service --now

    1. Review the service status: 

      $ sudo systemctl status kmods-via-containers@simple-kmod.service

      Example output

      ● kmods-via-containers@simple-kmod.service - Kmods Via Containers - simple-kmod
   Loaded: loaded (/etc/systemd/system/kmods-via-containers@.service;
          enabled; vendor preset: disabled)
   Active: active (exited) since Sun 2020-01-12 23:49:49 EST; 5s ago...

  11. To confirm that the kernel modules are loaded, use the 

    lsmod
    command to list the modules: 

    $ lsmod | grep simple_

    Example output

    simple_procfs_kmod     16384  0
simple_kmod            16384  0

  12. Optional. Use other methods to check that the 

    simple-kmod
    example is working:

    • Look for a "Hello world" message in the kernel ring buffer with 

      dmesg
      : 

      $ dmesg | grep 'Hello world'

      Example output

      [ 6420.761332] Hello world from simple_kmod.

    • Check the value of 

      simple-procfs-kmod
      in 
      /proc
      : 

      $ sudo cat /proc/simple-procfs-kmod

      Example output

      simple-procfs-kmod number = 0

    • Run the 

      spkut
      command to get more information from the module: 

      $ sudo spkut 44

      Example output

      KVC: wrapper simple-kmod for 4.18.0-147.3.1.el8_1.x86_64
Running userspace wrapper using the kernel module container...
+ podman run -i --rm --privileged
   simple-kmod-dd1a7d4:4.18.0-147.3.1.el8_1.x86_64 spkut 44
simple-procfs-kmod number = 0
simple-procfs-kmod number = 44

Going forward, when the system boots this service will check if a new kernel is running. If there is a new kernel, the service builds a new version of the kernel module and then loads it. If the module is already built, it will just load it.

Depending on whether or not you must have the kernel module in place when OpenShift Container Platform cluster first boots, you can set up the kernel modules to be deployed in one of two ways:

  • Provision kernel modules at cluster install time (day-1): You can create the content as a 
    MachineConfig
    object and provide it to 
    openshift-install
    by including it with a set of manifest files.
  • Provision kernel modules via Machine Config Operator (day-2): If you can wait until the cluster is up and running to add your kernel module, you can deploy the kernel module software via the Machine Config Operator (MCO).

In either case, each node needs to be able to get the kernel packages and related software packages at the time that a new kernel is detected. There are a few ways you can set up each node to be able to obtain that content.

  • Provide RHEL entitlements to each node.
  • Get RHEL entitlements from an existing RHEL host, from the 
    /etc/pki/entitlement
    directory and copy them to the same location as the other files you provide when you build your Ignition config.
  • Inside the Dockerfile, add pointers to a 
    yum
    repository containing the kernel and other packages. This must include new kernel packages as they are needed to match newly installed kernels.
17.1.3.2.1. Provision kernel modules via a MachineConfig object
Copiar enlace

By packaging kernel module software with a 

MachineConfig
object, you can deliver that software to worker or control plane nodes at installation time or via the Machine Config Operator.

Procedure

  1. Register a RHEL 8 system: 

    # subscription-manager register

  2. Attach a subscription to the RHEL 8 system: 

    # subscription-manager attach --auto

  3. Install software needed to build the software: 

    # yum install podman make git -y

  4. Create a directory to host the kernel module and tooling: 

    $ mkdir kmods; cd kmods

  5. Get the 

    kmods-via-containers
    software:

    1. Clone the 

      kmods-via-containers
      repository: 

      $ git clone https://github.com/kmods-via-containers/kmods-via-containers

    2. Clone the 

      kvc-simple-kmod
      repository: 

      $ git clone https://github.com/kmods-via-containers/kvc-simple-kmod
  6. Get your module software. In this example, 
    kvc-simple-kmod
    is used.

  7. Create a fakeroot directory and populate it with files that you want to deliver via Ignition, using the repositories cloned earlier:

    1. Create the directory: 

      $ FAKEROOT=$(mktemp -d)

    2. Change to the 

      kmod-via-containers
      directory: 

      $ cd kmods-via-containers

    3. Install the KVC framework instance: 

      $ make install DESTDIR=${FAKEROOT}/usr/local CONFDIR=${FAKEROOT}/etc/

    4. Change to the 

      kvc-simple-kmod
      directory: 

      $ cd ../kvc-simple-kmod

    5. Create the instance: 

      $ make install DESTDIR=${FAKEROOT}/usr/local CONFDIR=${FAKEROOT}/etc/

  8. Clone the fakeroot directory, replacing any symbolic links with copies of their targets, by running the following command: 

    $ cd .. && rm -rf kmod-tree && cp -Lpr ${FAKEROOT} kmod-tree

  9. Create a Butane config file, 

    99-simple-kmod.bu
    , that embeds the kernel module tree and enables the systemd service.

    Note

    See "Creating machine configs with Butane" for information about Butane. 

    variant: openshift
version: 4.8.0
metadata:
  name: 99-simple-kmod
  labels:
    machineconfiguration.openshift.io/role: worker
    1 
    
storage:
  trees:
    - local: kmod-tree
systemd:
  units:
    - name: kmods-via-containers@simple-kmod.service
      enabled: true
    1
    To deploy on control plane nodes, change worker to master. To deploy on both control plane and worker nodes, perform the remainder of these instructions once for each node type.

  10. Use Butane to generate a machine config YAML file, 

    99-simple-kmod.yaml
    , containing the files and configuration to be delivered: 

    $ butane 99-simple-kmod.bu --files-dir . -o 99-simple-kmod.yaml

  11. If the cluster is not up yet, generate manifest files and add this file to the 

    openshift
    directory. If the cluster is already running, apply the file as follows: 

    $ oc create -f 99-simple-kmod.yaml

    Your nodes will start the 

    kmods-via-containers@simple-kmod.service
    service and the kernel modules will be loaded.

  12. To confirm that the kernel modules are loaded, you can log in to a node (using 

    oc debug node/<openshift-node>
    , then 
    chroot /host
    ). To list the modules, use the 
    lsmod
    command: 

    $ lsmod | grep simple_

    Example output

    simple_procfs_kmod     16384  0
simple_kmod            16384  0

17.1.4. Encrypting and mirroring disks during installation
Copiar enlace

During an OpenShift Container Platform installation, you can enable boot disk encryption and mirroring on the cluster nodes.

17.1.4.1. About disk encryption
Copiar enlace

You can enable encryption for the boot disks on the control plane and compute nodes at installation time. OpenShift Container Platform supports the Trusted Platform Module (TPM) v2 and Tang encryption modes.

  • TPM v2: This is the preferred mode. TPM v2 stores passphrases in a secure cryptoprocessor contained within a server. You can use this mode to prevent the boot disk data on a cluster node from being decrypted if the disk is removed from the server.
  • Tang: Tang and Clevis are server and client components that enable network-bound disk encryption (NBDE). You can bind the boot disk data on your cluster nodes to one or more Tang servers. This prevents the data from being decrypted unless the nodes are on a secure network where the Tang servers can be accessed. Clevis is an automated decryption framework that is used to implement the decryption on the client side.
Important

The use of the Tang encryption mode to encrypt your disks is only supported for bare metal and vSphere installations on user-provisioned infrastructure.

Note

On previous versions of Red Hat Enterprise Linux CoreOS (RHCOS), disk encryption was configured by specifying 

/etc/clevis.json
in the Ignition config. That file is not supported in clusters created with OpenShift Container Platform 4.7 or above, and disk encryption should be configured by using the following procedure.

When the TPM v2 or Tang encryption modes are enabled, the RHCOS boot disks are encrypted using the LUKS2 format.

This feature:

  • Is available for installer-provisioned infrastructure and user-provisioned infrastructure deployments
  • Is supported on Red Hat Enterprise Linux CoreOS (RHCOS) systems only
  • Sets up disk encryption during the manifest installation phase so all data written to disk, from first boot forward, is encrypted
  • Requires no user intervention for providing passphrases
  • Uses AES-256-XTS encryption, or AES-256-CBC if FIPS mode is enabled
17.1.4.1.1. Configuring an encryption threshold
Copiar enlace

In OpenShift Container Platform, you can specify a requirement for more than one Tang server. You can also configure the TPM v2 and Tang encryption modes simultaneously, so that the boot disk data can be decrypted only if the TPM secure cryptoprocessor is present and the Tang servers can be accessed over a secure network.

You can use the 

threshold
attribute in your Butane configuration to define the minimum number of TPM v2 and Tang encryption conditions that must be met for decryption to occur. The threshold is met when the stated value is reached through any combination of the declared conditions. For example, the 
threshold
value of 
2
in the following configuration can be reached by accessing the two Tang servers, or by accessing the TPM secure cryptoprocessor and one of the Tang servers:

Example Butane configuration for disk encryption

variant: openshift
version: 4.8.0
metadata:
  name: worker-storage
  labels:
    machineconfiguration.openshift.io/role: worker
boot_device:
  layout: x86_64
  luks:
    tpm2: true
1 

    tang:
2 

      - url: http://tang1.example.com:7500
        thumbprint: jwGN5tRFK-kF6pIX89ssF3khxxX
      - url: http://tang2.example.com:7500
        thumbprint: VCJsvZFjBSIHSldw78rOrq7h2ZF
    threshold: 2
3 

openshift:
  fips: true

1
Include this field if you want to use a Trusted Platform Module (TPM) to encrypt the root file system.
2
Include this section if you want to use one or more Tang servers.
3
Specify the minimum number of TPM v2 and Tang encryption conditions that must be met for decryption to occur.
Important

The default 

threshold
value is 
1
. If you include multiple encryption conditions in your configuration but do not specify a threshold, decryption can occur if any of the conditions are met.

Note

If you require both TPM v2 and Tang for decryption, the value of the 

threshold
attribute must equal the total number of stated Tang servers plus one. If the 
threshold
value is lower, it is possible for the threshold to be reached by using one of the encryption modes only. For example, if 
tpm2
is set to 
true
and you specify two Tang servers, a threshold of 
2
can be met by accessing the two Tang servers even if the TPM secure cryptoprocessor is not available.

17.1.4.2. About disk mirroring
Copiar enlace

During OpenShift Container Platform installation on control plane and worker nodes, you can enable mirroring of the boot and other disks to two or more redundant storage devices. A node continues to function after storage device failure as long as one device remains available.

Mirroring does not support replacement of a failed disk. To restore the mirror to a pristine, non-degraded state, reprovision the node.

Note

Mirroring is available only for user-provisioned infrastructure deployments on RHCOS systems. Mirroring support is available on x86_64 nodes booted with BIOS or UEFI and on ppc64le nodes.

17.1.4.3. Configuring disk encryption and mirroring
Copiar enlace

You can enable and configure encryption and mirroring during an OpenShift Container Platform installation.

Prerequisites

  • You have downloaded the OpenShift Container Platform installation program on your installation node.

  • You installed Butane on your installation node.

    Note

    Butane is a command-line utility that OpenShift Container Platform uses to provide convenient, short-hand syntax for writing machine configs, as well as for performing additional validation of machine configs. For more information, see the Creating machine configs with Butane section.

  • You have access to a Red Hat Enterprise Linux (RHEL) 8 machine that can be used to generate a thumbprint of the Tang exchange key.

Procedure

  1. If you want to use TPM v2 to encrypt your cluster, check to see if TPM v2 encryption needs to be enabled in the BIOS on each node. This is required on most Dell systems. Check the manual for your computer.

  2. If you want to use Tang to encrypt your cluster, follow these preparatory steps:

    1. Set up a Tang server or access an existing one. See Network-bound disk encryption for instructions.

    2. Install the 

      clevis
      package on a RHEL 8 machine, if it is not already installed: 

      $ sudo yum install clevis

    3. On the RHEL 8 machine, run the following command to generate a thumbprint of the exchange key. Replace 

      http://tang.example.com:7500
      with the URL of your Tang server: 

      $ clevis-encrypt-tang '{"url":"http://tang.example.com:7500"}' < /dev/null > /dev/null
      1
      1
      In this example, tangd.socket is listening on port 7500 on the Tang server.
      Note

      The 

      clevis-encrypt-tang
      command is used in this step only to generate a thumbprint of the exchange key. No data is being passed to the command for encryption at this point, so 
      /dev/null
      is provided as an input instead of plain text. The encrypted output is also sent to 
      /dev/null
      , because it is not required for this procedure.

      Example output

      The advertisement contains the following signing keys:

PLjNyRdGw03zlRoGjQYMahSZGu9
      1

      1
      The thumbprint of the exchange key.

      When the 

      Do you wish to trust these keys? [ynYN]
      prompt displays, type 
      Y
      .

      Note

      RHEL 8 provides Clevis version 15, which uses the SHA-1 hash algorithm to generate thumbprints. Some other distributions provide Clevis version 17 or later, which use the SHA-256 hash algorithm for thumbprints. You must use a Clevis version that uses SHA-1 to create the thumbprint, to prevent Clevis binding issues when you install Red Hat Enterprise Linux CoreOS (RHCOS) on your OpenShift Container Platform cluster nodes.

    4. If the nodes are configured with static IP addressing, use the 

      coreos-installer
       
      --append-karg
      option when installing RHCOS nodes to set the IP address of the installed system. Append the 
      ip=
      and other arguments needed for your network.

      Important

      Some methods for configuring static IPs do not affect the initramfs after the first boot and will not work with Tang encryption. These include the 

      coreos-installer
       
      --copy-network
      option, as well as adding 
      ip=
      arguments to the kernel command line of the live ISO or PXE image during installation. Incorrect static IP configuration causes the second boot of the node to fail.

  3. On your installation node, change to the directory that contains the installation program and generate the Kubernetes manifests for the cluster: 

    $ ./openshift-install create manifests --dir <installation_directory>
    1
    1
    Replace <installation_directory> with the path to the directory that you want to store the installation files in.

  4. Create a Butane config that configures disk encryption, mirroring, or both. For example, to configure storage for compute nodes, create a 

    $HOME/clusterconfig/worker-storage.bu
    file.

    Butane config example for a boot device

    variant: openshift
version: 4.8.0
metadata:
  name: worker-storage
    1 
    
  labels:
    machineconfiguration.openshift.io/role: worker
    2 
    
boot_device:
  layout: x86_64
    3 
    
  luks:
    4 
    
    tpm2: true
    5 
    
    tang:
    6 
    
      - url: http://tang.example.com:7500
    7 
    
        thumbprint: PLjNyRdGw03zlRoGjQYMahSZGu9
    8 
    
    threshold: 1
    9 
    
  mirror:
    10 
    
    devices:
    11 
    
      - /dev/sda
      - /dev/sdb
openshift:
  fips: true
    12

    1 2
    For control plane configurations, replace worker with master in both of these locations.
    3
    On ppc64le nodes, set this field to ppc64le. On all other nodes, this field can be omitted.
    4
    Include this section if you want to encrypt the root file system. For more details, see the About disk encryption section.
    5
    Include this field if you want to use a Trusted Platform Module (TPM) to encrypt the root file system.
    6
    Include this section if you want to use one or more Tang servers.
    7
    Specify the URL of a Tang server. In this example, tangd.socket is listening on port 7500 on the Tang server.
    8
    Specify the exchange key thumbprint, which was generated in a preceding step.
    9
    Specify the minimum number of TPM v2 and Tang encryption conditions that must be met for decryption to occur. The default value is 1. For more information on this topic, see the Configuring an encryption threshold section.
    10
    Include this section if you want to mirror the boot disk. For more details, see About disk mirroring.
    11
    List all disk devices that should be included in the boot disk mirror, including the disk that RHCOS will be installed onto.
    12
    Include this directive to enable FIPS mode on your cluster.
    Important

    If you are configuring nodes to use both disk encryption and mirroring, both features must be configured in the same Butane config. In addition, if you are configuring disk encryption on a node with FIPS mode enabled, you must include the 

    fips
    directive in the same Butane config, even if FIPS mode is also enabled in a separate manifest.

  5. Create a control plane or compute node manifest from the corresponding Butane config and save it to the 

    <installation_directory>/openshift
    directory. For example, to create a manifest for the compute nodes, run the following command: 

    $ butane $HOME/clusterconfig/worker-storage.bu -o <installation_directory>/openshift/99-worker-storage.yaml

    Repeat this step for each node type that requires disk encryption or mirroring.

  6. Save the Butane configs in case you need to update the manifests in the future.

  7. Continue with the remainder of the OpenShift Container Platform installation.

    Tip

    You can monitor the console log on the RHCOS nodes during installation for error messages relating to disk encryption or mirroring.

    Important

    If you configure additional data partitions, they will not be encrypted unless encryption is explicitly requested.

Verification

After installing OpenShift Container Platform, you can verify if boot disk encryption or mirroring is enabled on the cluster nodes.

  1. From the installation host, access a cluster node by using a debug pod:

    1. Start a debug pod for the node. The following example starts a debug pod for the 

      compute-1
      node: 

      $ oc debug node/compute-1

    2. Set 

      /host
      as the root directory within the debug shell. The debug pod mounts the root file system of the node in 
      /host
      within the pod. By changing the root directory to 
      /host
      , you can run binaries contained in the executable paths on the node: 

      # chroot /host
      Note

      OpenShift Container Platform cluster nodes running Red Hat Enterprise Linux CoreOS (RHCOS) are immutable and rely on Operators to apply cluster changes. Accessing cluster nodes using SSH is not recommended. However, if the OpenShift Container Platform API is not available, or 

      kubelet
      is not properly functioning on the target node, 
      oc
      operations will be impacted. In such situations, it is possible to access nodes using 
      ssh core@<node>.<cluster_name>.<base_domain>
      instead.

  2. If you configured boot disk encryption, verify if it is enabled:

    1. From the debug shell, review the status of the root mapping on the node: 

      # cryptsetup status root

      Example output

      /dev/mapper/root is active and is in use.
  type:    LUKS2
      1 
      
  cipher:  aes-xts-plain64
      2 
      
  keysize: 512 bits
  key location: keyring
  device:  /dev/sda4
      3 
      
  sector size:  512
  offset:  32768 sectors
  size:    15683456 sectors
  mode:    read/write

      1
      The encryption format. When the TPM v2 or Tang encryption modes are enabled, the RHCOS boot disks are encrypted using the LUKS2 format.
      2
      The encryption algorithm used to encrypt the LUKS2 volume. The aes-cbc-essiv:sha256 cipher is used if FIPS mode is enabled.
      3
      The device that contains the encrypted LUKS2 volume. If mirroring is enabled, the value will represent a software mirror device, for example /dev/md126.

    2. List the Clevis plugins that are bound to the encrypted device: 

      # clevis luks list -d /dev/sda4
      1
      1
      Specify the device that is listed in the device field in the output of the preceding step.

      Example output

      1: sss '{"t":1,"pins":{"tang":[{"url":"http://tang.example.com:7500"}]}}'
      1

      1
      In the example output, the Tang plugin is used by the Shamir’s Secret Sharing (SSS) Clevis plugin for the /dev/sda4 device.

  3. If you configured mirroring, verify if it is enabled:

    1. From the debug shell, list the software RAID devices on the node: 

      # cat /proc/mdstat

      Example output

      Personalities : [raid1]
md126 : active raid1 sdb3[1] sda3[0]
      1 
      
	  393152 blocks super 1.0 [2/2] [UU]

md127 : active raid1 sda4[0] sdb4[1]
      2 
      
	  51869632 blocks super 1.2 [2/2] [UU]

unused devices: <none>

      1
      In the example, the /dev/md126 software RAID mirror device uses the /dev/sda3 and /dev/sdb3 disk devices on the cluster node.
      2
      In the example, the /dev/md127 software RAID mirror device uses the /dev/sda4 and /dev/sdb4 disk devices on the cluster node.

    2. Review the details of each of the software RAID devices listed in the output of the preceding command. The following example lists the details of the 

      /dev/md126
      device: 

      # mdadm --detail /dev/md126

      Example output

      /dev/md126:
           Version : 1.0
     Creation Time : Wed Jul  7 11:07:36 2021
        Raid Level : raid1
      1 
      
        Array Size : 393152 (383.94 MiB 402.59 MB)
     Used Dev Size : 393152 (383.94 MiB 402.59 MB)
      Raid Devices : 2
     Total Devices : 2
       Persistence : Superblock is persistent

       Update Time : Wed Jul  7 11:18:24 2021
             State : clean
      2 
      
    Active Devices : 2
      3 
      
   Working Devices : 2
      4 
      
    Failed Devices : 0
      5 
      
     Spare Devices : 0

Consistency Policy : resync

              Name : any:md-boot
      6 
      
              UUID : ccfa3801:c520e0b5:2bee2755:69043055
            Events : 19

    Number   Major   Minor   RaidDevice State
       0     252        3        0      active sync   /dev/sda3
      7 
      
       1     252       19        1      active sync   /dev/sdb3
      8

      1
      Specifies the RAID level of the device. raid1 indicates RAID 1 disk mirroring.
      2
      Specifies the state of the RAID device.
      3 4
      States the number of underlying disk devices that are active and working.
      5
      States the number of underlying disk devices that are in a failed state.
      6
      The name of the software RAID device.
      7 8
      Provides information about the underlying disk devices that are used by the software RAID device.

    3. List the file systems that are mounted on the software RAID devices: 

      # mount | grep /dev/md

      Example output

      /dev/md127 on / type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/md127 on /etc type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/md127 on /usr type xfs (ro,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/md127 on /sysroot type xfs (ro,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/md127 on /var type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/md127 on /var/lib/containers/storage/overlay type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/md127 on /var/lib/kubelet/pods/e5054ed5-f882-4d14-b599-99c050d4e0c0/volume-subpaths/etc/tuned/1 type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/md127 on /var/lib/kubelet/pods/e5054ed5-f882-4d14-b599-99c050d4e0c0/volume-subpaths/etc/tuned/2 type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/md127 on /var/lib/kubelet/pods/e5054ed5-f882-4d14-b599-99c050d4e0c0/volume-subpaths/etc/tuned/3 type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/md127 on /var/lib/kubelet/pods/e5054ed5-f882-4d14-b599-99c050d4e0c0/volume-subpaths/etc/tuned/4 type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/md127 on /var/lib/kubelet/pods/e5054ed5-f882-4d14-b599-99c050d4e0c0/volume-subpaths/etc/tuned/5 type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,prjquota)
/dev/md126 on /boot type ext4 (rw,relatime,seclabel)

      In the example output, the 

      /boot
      file system is mounted on the 
      /dev/md126
      software RAID device and the root file system is mounted on 
      /dev/md127
      .

  4. Repeat the verification steps for each OpenShift Container Platform node type.

17.1.4.4. Configuring a RAID-enabled data volume
Copiar enlace

You can enable software RAID partitioning to provide an external data volume. OpenShift Container Platform supports RAID 0, RAID 1, RAID 4, RAID 5, RAID 6, and RAID 10 for data protection and fault tolerance. See "About disk mirroring" for more details.

Prerequisites

  • You have downloaded the OpenShift Container Platform installation program on your installation node.

  • You have installed Butane on your installation node.

    Note

    Butane is a command-line utility that OpenShift Container Platform uses to provide convenient, short-hand syntax for writing machine configs, as well as for performing additional validation of machine configs. For more information, see the Creating machine configs with Butane section.

Procedure

  1. Create a Butane config that configures a data volume by using software RAID.

    • To configure a data volume with RAID 1 on the same disks that are used for a mirrored boot disk, create a 

      $HOME/clusterconfig/raid1-storage.bu
      file, for example:

      RAID 1 on mirrored boot disk

      variant: openshift
version: 4.8.0
metadata:
  name: raid1-storage
  labels:
    machineconfiguration.openshift.io/role: worker
boot_device:
  mirror:
    devices:
      - /dev/sda
      - /dev/sdb
storage:
  disks:
    - device: /dev/sda
      partitions:
        - label: root-1
          size_mib: 25000
      1 
      
        - label: var-1
    - device: /dev/sdb
      partitions:
        - label: root-2
          size_mib: 25000
      2 
      
        - label: var-2
  raid:
    - name: md-var
      level: raid1
      devices:
        - /dev/disk/by-partlabel/var-1
        - /dev/disk/by-partlabel/var-2
  filesystems:
    - device: /dev/md/md-var
      path: /var
      format: xfs
      wipe_filesystem: true
      with_mount_unit: true

      1 2
      When adding a data partition to the boot disk, a minimum value of 25000 mebibytes is recommended. If no value is specified, or if the specified value is smaller than the recommended minimum, the resulting root file system will be too small, and future reinstalls of RHCOS might overwrite the beginning of the data partition.

    • To configure a data volume with RAID 1 on secondary disks, create a 

      $HOME/clusterconfig/raid1-alt-storage.bu
      file, for example:

      RAID 1 on secondary disks

      variant: openshift
version: 4.8.0
metadata:
  name: raid1-alt-storage
  labels:
    machineconfiguration.openshift.io/role: worker
storage:
  disks:
    - device: /dev/sdc
      wipe_table: true
      partitions:
        - label: data-1
    - device: /dev/sdd
      wipe_table: true
      partitions:
        - label: data-2
  raid:
    - name: md-var-lib-containers
      level: raid1
      devices:
        - /dev/disk/by-partlabel/data-1
        - /dev/disk/by-partlabel/data-2
  filesystems:
    - device: /dev/md/md-var-lib-containers
      path: /var/lib/containers
      format: xfs
      wipe_filesystem: true
      with_mount_unit: true

  2. Create a RAID manifest from the Butane config you created in the previous step and save it to the 

    <installation_directory>/openshift
    directory. For example, to create a manifest for the compute nodes, run the following command: 

    $ butane $HOME/clusterconfig/<butane_config>.bu -o <installation_directory>/openshift/<manifest_name>.yaml
    1
    1
    Replace <butane_config> and <manifest_name> with the file names from the previous step. For example, raid1-alt-storage.bu and raid1-alt-storage.yaml for secondary disks.
  3. Save the Butane config in case you need to update the manifest in the future.
  4. Continue with the remainder of the OpenShift Container Platform installation.

17.1.5. Configuring chrony time service
Copiar enlace

You can set the time server and related settings used by the chrony time service (

chronyd
) by modifying the contents of the 
chrony.conf
file and passing those contents to your nodes as a machine config.

Procedure

  1. Create a Butane config including the contents of the 

    chrony.conf
    file. For example, to configure chrony on worker nodes, create a 
    99-worker-chrony.bu
    file.

    Note

    See "Creating machine configs with Butane" for information about Butane. 

    variant: openshift
version: 4.8.0
metadata:
  name: 99-worker-chrony
    1 
    
  labels:
    machineconfiguration.openshift.io/role: worker
    2 
    
storage:
  files:
  - path: /etc/chrony.conf
    mode: 0644
    3 
    
    overwrite: true
    contents:
      inline: |
        pool 0.rhel.pool.ntp.org iburst
    4 
    
        driftfile /var/lib/chrony/drift
        makestep 1.0 3
        rtcsync
        logdir /var/log/chrony
    1 2
    On control plane nodes, substitute master for worker in both of these locations.
    3
    Specify an octal value mode for the mode field in the machine config file. After creating the file and applying the changes, the mode is converted to a decimal value. You can check the YAML file with the command oc get mc <mc-name> -o yaml.
    4
    Specify any valid, reachable time source, such as the one provided by your DHCP server. Alternately, you can specify any of the following NTP servers: 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, or 3.rhel.pool.ntp.org.

  2. Use Butane to generate a 

    MachineConfig
    object file, 
    99-worker-chrony.yaml
    , containing the configuration to be delivered to the nodes: 

    $ butane 99-worker-chrony.bu -o 99-worker-chrony.yaml

  3. Apply the configurations in one of two ways:

    • If the cluster is not running yet, after you generate manifest files, add the 
      MachineConfig
      object file to the 
      <installation_directory>/openshift
      directory, and then continue to create the cluster.

    • If the cluster is already running, apply the file: 

      $ oc apply -f ./99-worker-chrony.yaml

17.2. Configuring your firewall
Copiar enlace

If you use a firewall, you must configure it so that OpenShift Container Platform can access the sites that it requires to function. You must always grant access to some sites, and you grant access to more if you use Red Hat Insights, the Telemetry service, a cloud to host your cluster, and certain build strategies.

17.2.1. Configuring your firewall for OpenShift Container Platform
Copiar enlace

Before you install OpenShift Container Platform, you must configure your firewall to grant access to the sites that OpenShift Container Platform requires.

There are no special configuration considerations for services running on only controller nodes versus worker nodes.

Procedure

  1. Allowlist the following registry URLs:

    Expand
    URLPortFunction

    registry.redhat.io

    443, 80

    Provides core container images 

    access.redhat.com

    443, 80

    Provides core container images 

    quay.io

    443, 80

    Provides core container images 

    cdn.quay.io

    443, 80

    Provides core container images 

    cdn01.quay.io

    443, 80

    Provides core container images 

    cdn02.quay.io

    443, 80

    Provides core container images 

    cdn03.quay.io

    443, 80

    Provides core container images 

    sso.redhat.com

    443, 80

    The 

    https://console.redhat.com/openshift
    site uses authentication from 
    sso.redhat.com

    You can use the wildcard 

    *.quay.io
    instead of 
    cdn0[1-3].quay.io
    in your allowlist. When you add a site, such as 
    quay.io
    , to your allowlist, do not add a wildcard entry, such as 
    *.quay.io
    , to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, image downloads are denied when the initial download request redirects to a hostname such as 
    cdn01.quay.io
    .

  2. Allowlist any site that provides resources for a language or framework that your builds require.

  3. If you do not disable Telemetry, you must grant access to the following URLs to access Red Hat Insights:

    Expand
    URLPortFunction

    cert-api.access.redhat.com

    443, 80

    Required for Telemetry 

    api.access.redhat.com

    443, 80

    Required for Telemetry 

    infogw.api.openshift.com

    443, 80

    Required for Telemetry 

    console.redhat.com/api/ingress
    , 
    cloud.redhat.com/api/ingress

    443, 80

    Required for Telemetry and for 

    insights-operator

  4. If you use Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:

    Expand
    CloudURLPortFunction

    AWS 

    *.amazonaws.com

    443, 80

    Required to access AWS services and resources. Review the AWS Service Endpoints in the AWS documentation to determine the exact endpoints to allow for the regions that you use.

    GCP 

    *.googleapis.com

    443, 80

    Required to access GCP services and resources. Review Cloud Endpoints in the GCP documentation to determine the endpoints to allow for your APIs. 

    accounts.google.com

    443, 80

    Required to access your GCP account.

    Azure 

    management.azure.com

    443, 80

    Required to access Azure services and resources. Review the Azure REST API reference in the Azure documentation to determine the endpoints to allow for your APIs. 

    *.blob.core.windows.net

    443, 80

    Required to download Ignition files. 

    login.microsoftonline.com

    443, 80

    Required to access Azure services and resources. Review the Azure REST API reference in the Azure documentation to determine the endpoints to allow for your APIs.

  5. Allowlist the following URLs:

    Expand
    URLPortFunction

    mirror.openshift.com

    443, 80

    Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source. 

    storage.googleapis.com/openshift-release

    443, 80

    A source of release image signatures, although the Cluster Version Operator needs only a single functioning source. 

    *.apps.<cluster_name>.<base_domain>

    443, 80

    Required to access the default cluster routes unless you set an ingress wildcard during installation. 

    quayio-production-s3.s3.amazonaws.com

    443, 80

    Required to access Quay image content in AWS. 

    api.openshift.com

    443, 80

    Required both for your cluster token and to check if updates are available for the cluster. 

    rhcos-redirector.apps.art.xq1c.p1.openshiftapps.com
    ,
    rhcos.mirror.openshift.com

    443, 80

    Required to download Red Hat Enterprise Linux CoreOS (RHCOS) images. 

    console.redhat.com/openshift

    443, 80

    Required for your cluster token. 

    registry.access.redhat.com

    443, 80

    Required for 

    odo
    CLI. 

    sso.redhat.com

    443, 80

    The 

    https://console.redhat.com/openshift
    site uses authentication from 
    sso.redhat.com

    Operators require route access to perform health checks. Specifically, the authentication and web console Operators connect to two routes to verify that the routes work. If you are the cluster administrator and do not want to allow 

    *.apps.<cluster_name>.<base_domain>
    , then allow these routes: 

    • oauth-openshift.apps.<cluster_name>.<base_domain>
       
    • console-openshift-console.apps.<cluster_name>.<base_domain>
      , or the hostname that is specified in the 
      spec.route.hostname
      field of the 
      consoles.operator/cluster
      object if the field is not empty.

  6. Allowlist the following URLs for optional third-party content:

    Expand
    URLPortFunction

    registry.connect.redhat.com

    443, 80

    Required for all third-party images and certified operators. 

    rhc4tp-prod-z8cxf-image-registry-us-east-1-evenkyleffocxqvofrk.s3.dualstack.us-east-1.amazonaws.com

    443, 80

    Provides access to container images hosted on 

    registry.connect.redhat.com
     

    oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com

    443, 80

    Required for Sonatype Nexus, F5 Big IP operators.

  7. If you use a default Red Hat Network Time Protocol (NTP) server allow the following URLs: 

    • 1.rhel.pool.ntp.org
       
    • 2.rhel.pool.ntp.org
       
    • 3.rhel.pool.ntp.org
Note

If you do not use a default Red Hat NTP server, verify the NTP server for your platform and allow it in your firewall.

Red Hat logoGithubredditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar. Explore nuestras recientes actualizaciones.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

Theme

© 2026 Red HatVolver arriba