Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 18. Network reconfiguration for single-node OpenShift
18.1. Understand single-node OpenShift network reconfiguration
Use the Lifecycle Agent to change the network configuration of a single-node OpenShift cluster without performing a full redeployment. This is critical for many edge computing use cases such as disaster recovery and network rehoming.
18.1.1. Use cases and workflow for single-node OpenShift network reconfiguration
Changing a single-node OpenShift cluster’s core networking, such as node IP addresses, machine network CIDRs, default gateway, VLAN, and DNS settings, is a high-risk operation because it affects both host networking and cluster configuration. The Lifecycle Agent provides a declarative, stage-driven workflow to perform these changes safely using the IPConfig custom resource (CR).
Network reconfiguration addresses critical edge computing scenarios where changing network properties without a full cluster redeployment is essential:
- Disaster recovery
- After a site outage or major connectivity change, a single-node OpenShift cluster might need to move to a different uplink network. For example, if a primary 5G network using IPv6 goes down due to a natural disaster, you can reconfigure the cluster to use an IPv4 satellite connection as a backup, enabling continued operations until the primary network is restored.
- Network rehoming and site migration
- During network consolidation or equipment upgrades, you can migrate single-node OpenShift clusters to a new L2 or L3 environment with a deterministic, reversible process and minimal downtime. This supports scenarios such as cell on wheels for increased cellular coverage at events, mobile satellite telco equipment changing networks, IoT devices transitioning between networks, and new cell site deployments using satellite connectivity until physical network installation is complete.
The Lifecycle Agent uses a stage-driven workflow controlled through the spec.stage field in the IPConfig CR. The workflow consists of three stages:
- Idle stage
- The initial and final stage. In this stage, the Lifecycle Agent runs health checks, performs cleanup operations, and prepares the cluster for configuration changes. Transitioning to Idle after a successful configuration is the finalization point that removes rollback capability.
- Config stage
- Executes the network reconfiguration in two phases. The pre-pivot phase prepares a new stateroot, which is a bootable system state that has the updated network configuration, and reboots into it. The post-pivot phase applies the network changes, regenerates certificates, and waits for cluster stabilization.
- Rollback stage
Reboots into the earlier stateroot. You can trigger a rollback manually or configure automatic rollback on failure.
The network reconfiguration flow preserves the currently booted stateroot as a rollback target while preparing the new configuration in a new stateroot. This approach means the original configuration remains available for rollback until you finalize the change, only one reboot is required for the IP change, and the rollback process is fast because the earlier stateroot is already prepared.
18.1.2. Supported network property changes
The IPConfig CR supports the following network property changes:
- IPv4 and IPv6 address changes for single-stack or dual-stack clusters
- Machine network CIDR changes
- Default gateway changes
- DNS server list updates
-
Optional VLAN ID changes on the
br-exuplink path - Optional DNS response filtering changes on dual-stack clusters to filter IPv4 or IPv6
18.1.3. Requirements and limitations for network reconfiguration
Network reconfiguration by using the IPConfig CR has the following requirements:
- The cluster must be a single-node OpenShift cluster.
- The Lifecycle Agent must be installed.
-
A baseline dnsmasq
MachineConfigresource must exist, which is automatically installed by any single-node OpenShift installed directly or indirectly by the Assisted Installer, including Agent-based Installer (ABI), multicluster engine (MCE), and Red Hat Advanced Cluster Management (RHACM). - All cluster operators must be available before starting a network reconfiguration.
Network reconfiguration by using the IPConfig CR has the following limitations:
- For dual-stack clusters, exactly one IPv4 address and one IPv6 address are supported per node.
- Only one NIC is supported. No bonding or link aggregation.
-
You can configure a maximum of one VLAN ID on the
br-exuplink path. - You must configure static networking on the host network. DHCP is not supported.
- You cannot add a VLAN to a cluster that does not already have VLAN configuration.
- Changing gateway or machine network without changing the address is not supported.
- Changing DNS servers without changing at least one IP address is not supported.
-
You cannot set
spec.ipv4on an IPv6-only cluster orspec.ipv6on an IPv4-only cluster. - The resulting routing table must not have routes that overlap or conflict with the default route through the configured gateways.
- The cluster must not have a proxy network configuration.
- You cannot perform an image-based upgrade and a network reconfiguration at the same time.
18.2. Perform single-node OpenShift network reconfiguration
You can perform a network reconfiguration on a single-node OpenShift cluster by editing the IPConfig custom resource (CR) and transitioning through the configuration stages.
18.2.1. Perform a single-node OpenShift network reconfiguration
You can change the network configuration of a single-node OpenShift cluster by editing the IPConfig custom resource (CR) and transitioning through the configuration stages.
Prerequisites
- You have a single-node OpenShift cluster.
- You have installed the Lifecycle Agent.
- You have the new network configuration details, including IP addresses, gateways, and DNS servers.
- You have cluster administrator privileges.
-
You have installed the OpenShift CLI (
oc).
Procedure
Verify that the
IPConfigCR exists and check its current state by running the following command:$ oc get ipc ipconfig -o yamlIf the CR does not exist, verify that you installed the Lifecycle Agent.
Verify that the
spec.stagefield is set toIdle, theIdlestatus condition is set totrue, and review the current network configuration in thestatusfields.NoteYou can only modify spec fields when the CR is in the
Idlestage.Edit the
IPConfigCR to specify the new network configuration by running the following command:$ oc edit ipc ipconfigUpdate the spec fields with your new network configuration. The following example shows a dual-stack configuration with VLAN and DNS settings:
apiVersion: lca.openshift.io/v1 kind: IPConfig metadata: name: ipconfig spec: stage: Idle ipv4: address: 192.0.2.10 machineNetwork: 192.0.2.0/24 gateway: 192.0.2.1 ipv6: address: 2001:db8::10 machineNetwork: 2001:db8::/64 gateway: 2001:db8::1 dnsServers: - 192.0.2.53 - 2001:4860:4860::8888 vlanID: 100 dnsFilterOutFamily: none autoRollbackOnFailure: initMonitorTimeoutSeconds: 1800where:
spec.stage-
Set this field to
Configwhen you are ready to apply the new network settings. spec.ipv4.address- Specifies the target IPv4 address. Must be within the machine network CIDR.
spec.ipv4.machineNetwork- Specifies the target machine network CIDR.
spec.ipv4.gateway- Specifies the target default gateway.
spec.dnsServers- Specifies an ordered list of DNS servers. The first server in the list is used as the primary DNS server. Use a maximum of two servers.
spec.vlanID- Specifies an optional VLAN ID. Only specify if the cluster already has VLAN configuration.
spec.dnsFilterOutFamily-
Specifies optional DNS filtering for dual-stack clusters. Set to
ipv4oripv6to filter out A or AAAA records respectively. spec.autoRollbackOnFailure.initMonitorTimeoutSeconds- Specifies the timeout in seconds for automatic rollback if the configuration does not complete. The default value is 1800 seconds, or 30 minutes.
After saving the configuration, change the stage to
Configto start the network reconfiguration by running the following command:$ oc patch ipc ipconfig --type merge -p '{"spec":{"stage":"Config"}}'NoteAfter triggering the network reconfiguration, update your external DNS servers to resolve the cluster’s new API and ingress endpoints.
Monitor the progress of the configuration by running the following command:
$ oc get ipc ipconfig -o yamlWatch for the following progression:
-
The controller sets the
ConfigInProgresscondition - The pre-pivot phase runs and triggers a reboot
- After reboot, the post-pivot phase applies the network changes
- The controller waits for cluster stabilization
-
The
ConfigCompletedcondition is set when successful
-
The controller sets the
-
After the configuration completes successfully, verify that the
status.validNextStagesfield includesIdleandRollback. Verify the new network configuration by running the following command:
$ oc get nodes -o wideVerify cluster health by running the following command:
$ oc get clusteroperatorsWhen you are satisfied with the new configuration, finalize the change by setting the stage to
Idle. Run the following command:$ oc patch ipc ipconfig --type merge -p '{"spec":{"stage":"Idle"}}'ImportantAfter you finalize the configuration by transitioning to
Idle, you cannot roll back to the previous network configuration. The old stateroot is removed duringIdlestate cleanup.
18.2.2. Roll back a network reconfiguration
If you see issues after a network reconfiguration, you can roll back to an earlier network configuration. The rollback reboots the node into an earlier stateroot with the original network settings.
Prerequisites
- You have completed a network reconfiguration that has not been finalized.
-
The
status.validNextStagesfield in theIPConfigcustomer resource (CR) includesRollback. - You have cluster administrator privileges.
Procedure
Verify that rollback stage is available by checking the
IPConfigCR. Run the following command:$ oc get ipc ipconfig -o jsonpath='{.status.validNextStages}'Verify that the output includes
Rollback.Check the rollback availability expiration timestamp by running the following command:
$ oc get ipc ipconfig -o jsonpath='{.status.rollbackAvailabilityExpiration}'NotePlan your rollback before this timestamp. After this timestamp, rolling back requires manual recovery because of expired control plane or kubelet certificates in the rollback stateroot.
Trigger the rollback by setting the stage to
Rollbackby running the following command:$ oc patch ipc ipconfig --type merge -p '{"spec":{"stage":"Rollback"}}'The Lifecycle Agent reboots the node into the earlier stateroot.
After the node reboots, monitor the rollback progress by running the following command:
$ oc get ipc ipconfig -o yamlWait for the
RollbackCompletedcondition to be set.Verify the node is using the original network configuration by running the following command:
$ oc get nodes -o wideFinalize the rollback by setting the stage to
Idleby running the following command:$ oc patch ipc ipconfig --type merge -p '{"spec":{"stage":"Idle"}}'
18.2.3. Automatic rollback mechanisms for network reconfiguration
Network reconfiguration includes many automatic rollback safety mechanisms that help protect your cluster from failed configuration changes.
- Automatic rollback on post-pivot failure
- If network configuration or certificate regeneration fails after the reboot, the system automatically triggers a rollback to the earlier stateroot.
- Init-monitor timeout rollback
-
If the network reconfiguration does not complete within the configured timeout, the system automatically triggers a rollback. The default timeout is 1800 seconds, 30 minutes. You can configure this timeout by using the
spec.autoRollbackOnFailure.initMonitorTimeoutSecondsfield in theIPConfigCR. Setting the value to0uses the default timeout.
18.2.4. IPConfig reference specifications
The IPConfig custom resource (CR) is a cluster-scoped CR that controls the IP configuration workflow for single-node OpenShift clusters using the Lifecycle Agent.
The CR name must be ipconfig.
| Field | Type | Description |
|---|---|---|
|
| String |
Controls the current stage of the IP configuration workflow. Valid values are |
|
| String |
The IPv4 node address without CIDR notation, for example |
|
| String |
The machine network CIDR, for example |
|
| String | The IPv4 default gateway address, used to create the default route for IPv4 traffic. Must be within the machine network CIDR. |
|
| String |
The IPv6 node address without CIDR notation, for example |
|
| String |
The IPv6 machine network CIDR, for example |
|
| String | The IPv6 default gateway, used to create the default route for IPv6 traffic. You can use link-local gateways. |
|
| Array of strings | Ordered list of DNS server IP addresses. The first server in the list is used as the primary DNS server. Must match cluster IP families. Maximum of 2 servers. |
|
| Integer | The VLAN ID to configure. Valid values are 1-4094. You can only set this field if the cluster already has VLAN configuration. |
|
| String |
DNS response filtering for dual-stack clusters only. Set to |
|
| Integer |
Timeout in seconds for the init-monitor watchdog. Set to |
18.3. Troubleshoot single-node OpenShift network reconfiguration
Use the following information to diagnose and resolve network reconfiguration issues on single-node OpenShift clusters.
18.3.1. Gather diagnostic information for network reconfiguration issues
You can gather diagnostic information to help troubleshoot network reconfiguration issues on single-node OpenShift clusters.
Procedure
Inspect the
IPConfigcustom resource (CR) status by running the following command:$ oc get ipc ipconfig -o yamlReview the
status.conditionsfield for the current state, reason, and message. Checkstatus.validNextStagesfor possible stage transitions, andstatus.historyfor timestamps of stage progression.View the Lifecycle Agent controller logs by running the following command:
$ oc logs -n openshift-lifecycle-agent deployment/lifecycle-agent-controller-manager -c managerCreate a debug session on the target node by running the following command:
$ oc debug node/<node_name> # chroot /host-
Replace
<node_name>with the name of your single-node OpenShift node.
-
Replace
View the relevant service logs depending on which phase you are troubleshooting by running one of the following commands:
View the logs for pre-pivot issues by running the following command:
$ sudo journalctl -u lca-ipconfig-pre-pivot -b --no-pagerView the logs for post-pivot issues by running the following command:
$ sudo journalctl -u ip-configuration.service -b --no-pagerView the logs for
init-monitorwatchdog issues by running the following command:$ sudo journalctl -u lca-init-monitor.service -b --no-pagerView the logs for rollback issues by running the following command:
$ sudo journalctl -u lca-ipconfig-rollback -b --no-pager
18.3.2. Network reconfiguration troubleshooting reference
Use the following reference information to help diagnose and resolve network reconfiguration issues on single-node OpenShift clusters.
| File | Description |
|---|---|
|
| Pre-pivot configuration data |
|
| Post-pivot configuration data |
|
|
Generated |
|
| Configuration for certificate regeneration |
|
| Auto-rollback configuration |
|
| Pull secret for the recert image, if a custom pull secret was specified |
|
|
Persistence file that stores |
| Issue | Cause | Solution |
|---|---|---|
| Stage transition rejected |
You attempted to transition to a stage not in |
Check |
| Specification fields cannot be changed |
You attempted to modify |
Wait for the current operation to complete and the CR to return to |
| Health checks never pass | Cluster health blockers are preventing progress. | Investigate cluster health issues. |
| Post-pivot phase failed | An error occurred during network configuration or certificate regeneration. |
Review the post-pivot service logs. If auto-rollback is enabled, the node automatically reverts. Otherwise, manually trigger rollback by setting |
| Pods not receiving new IP family | Pre-existing pods might not automatically receive an IP address from the new family because of CNI behavior. | Delete and re-create the affected pods to obtain addresses from the new IP family. |
| Configuration stuck in disconnected environment | The Lifecycle Agent or recert container might be attempting to pull images not available in the disconnected registry. |
Ensure all required images are mirrored to your disconnected registry before starting. Verify the |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}