Este conteúdo não está disponível no idioma selecionado.
Machine configuration
Managing and applying configuration and updates of the base operating system and container runtimes in OpenShift Container Platform
Abstract
Chapter 1. Machine configuration overview
There are times when you need to make changes to the operating systems running on OpenShift Container Platform nodes. This can include changing settings for network time service, adding kernel arguments, or configuring journaling in a specific way.
			Aside from a few specialized features, most changes to operating systems on OpenShift Container Platform nodes can be done by creating what are referred to as MachineConfig objects that are managed by the Machine Config Operator. For example, you can use the Machine Config Operator (MCO) and machine configs to manage update to systemd, CRI-O and kubelet, the kernel, Network Manager and other system features.
		
Tasks in this section describe how to use features of the Machine Config Operator to configure operating system features on OpenShift Container Platform nodes.
				NetworkManager stores new network configurations to /etc/NetworkManager/system-connections/ in a key file format.
			
				Previously, NetworkManager stored new network configurations to /etc/sysconfig/network-scripts/ in the ifcfg format. Starting with RHEL 9.0, RHEL stores new network configurations at /etc/NetworkManager/system-connections/ in a key file format. The connections configurations stored to /etc/sysconfig/network-scripts/ in the old format still work uninterrupted. Modifications in existing profiles continue updating the older files.
			
1.1. About the Machine Config Operator
OpenShift Container Platform 4.20 integrates both operating system and cluster management. Because the cluster manages its own updates, including updates to Red Hat Enterprise Linux CoreOS (RHCOS) on cluster nodes, OpenShift Container Platform provides an opinionated lifecycle management experience that simplifies the orchestration of node upgrades.
OpenShift Container Platform employs three daemon sets and controllers to simplify node management. These daemon sets orchestrate operating system updates and configuration changes to the hosts by using standard Kubernetes-style constructs. They include:
- 
						The machine-config-controller, which coordinates machine upgrades from the control plane. It monitors all of the cluster nodes and orchestrates their configuration updates.
- 
						The machine-config-daemondaemon set, which runs on each node in the cluster and updates a machine to configuration as defined by machine config and as instructed by the MachineConfigController. When the node detects a change, it drains off its pods, applies the update, and reboots. These changes come in the form of Ignition configuration files that apply the specified machine configuration and control kubelet configuration. The update itself is delivered in a container. This process is key to the success of managing OpenShift Container Platform and RHCOS updates together.
- 
						The machine-config-serverdaemon set, which provides the Ignition config files to control plane nodes as they join the cluster.
				The machine configuration is a subset of the Ignition configuration. The machine-config-daemon reads the machine configuration to see if it needs to do an OSTree update or if it must apply a series of systemd kubelet file changes, configuration changes, or other changes to the operating system or OpenShift Container Platform configuration.
			
				When you perform node management operations, you create or modify a KubeletConfig custom resource (CR).
			
When changes are made to a machine configuration, the Machine Config Operator (MCO) automatically reboots all corresponding nodes in order for the changes to take effect.
You can mitigate the disruption caused by some machine config changes by using a node disruption policy. See Understanding node restart behaviors after machine config changes.
					Alternatively, you can prevent the nodes from automatically rebooting after machine configuration changes before making the changes. Pause the autoreboot process by setting the spec.paused field to true in the corresponding machine config pool. When paused, machine configuration changes are not applied until you set the spec.paused field to false and the nodes have rebooted into the new configuration.
				
- When the MCO detects any of the following changes, it applies the update without draining or rebooting the node: - 
									Changes to the SSH key in the spec.config.passwd.users.sshAuthorizedKeysparameter of a machine config.
- 
									Changes to the global pull secret or pull secret in the openshift-confignamespace.
- 
									Automatic rotation of the /etc/kubernetes/kubelet-ca.crtcertificate authority (CA) by the Kubernetes API Server Operator.
 
- 
									Changes to the SSH key in the 
- When the MCO detects changes to the - /etc/containers/registries.conffile, such as editing an- ImageDigestMirrorSet,- ImageTagMirrorSet, or- ImageContentSourcePolicyobject, it drains the corresponding nodes, applies the changes, and uncordons the nodes. The node drain does not happen for the following changes:- 
									The addition of a registry with the pull-from-mirror = "digest-only"parameter set for each mirror.
- 
									The addition of a mirror with the pull-from-mirror = "digest-only"parameter set in a registry.
- 
									The addition of items to the unqualified-search-registrieslist.
 
- 
									The addition of a registry with the 
				There might be situations where the configuration on a node does not fully match what the currently-applied machine config specifies. This state is called configuration drift. The Machine Config Daemon (MCD) regularly checks the nodes for configuration drift. If the MCD detects configuration drift, the MCO marks the node degraded until an administrator corrects the node configuration. A degraded node is online and operational, but, it cannot be updated.
			
1.2. Machine config overview
				The Machine Config Operator (MCO) manages updates to systemd, CRI-O and Kubelet, the kernel, Network Manager and other system features. It also offers a MachineConfig CRD that can write configuration files onto the host (see machine-config-operator). Understanding what MCO does and how it interacts with other components is critical to making advanced, system-level changes to an OpenShift Container Platform cluster. Here are some things you should know about MCO, machine configs, and how they are used:
			
- A machine config can make a specific change to a file or service on the operating system of each system representing a pool of OpenShift Container Platform nodes.
- MCO applies changes to operating systems in pools of machines. All OpenShift Container Platform clusters start with worker and control plane node pools. By adding more role labels, you can configure custom pools of nodes. For example, you can set up a custom pool of worker nodes that includes particular hardware features needed by an application. However, examples in this section focus on changes to the default pool types. Important- A node can have multiple labels applied that indicate its type, such as - masteror- worker, however it can be a member of only a single machine config pool.
- Machine configs are processed alphabetically, in lexicographically increasing order, by their name. The render controller uses the first machine config in the list as the base and appends the rest to the base machine config into a rendered machine config, which is then applied to the appropriate nodes.
- When you create a machine config for the worker nodes, the changes are also applied to the nodes in all custom pools. - However, as of OpenShift Container Platform 4.15, any machine configs that target custom pools always override worker machine configs if the worker machine configs contain definitions for the same fields. 
- 
						After a machine config change, the MCO updates the affected nodes alphabetically by zone, based on the topology.kubernetes.io/zonelabel. If a zone has more than one node, the oldest nodes are updated first. For nodes that do not use zones, such as in bare metal deployments, the nodes are upgraded by age, with the oldest nodes updated first. The MCO updates the number of nodes as specified by themaxUnavailablefield on the machine configuration pool at a time.
- Some machine configuration must be in place before OpenShift Container Platform is installed to disk. In most cases, this can be accomplished by creating a machine config that is injected directly into the OpenShift Container Platform installer process, instead of running as a postinstallation machine config. In other cases, you might need to do bare metal installation where you pass kernel arguments at OpenShift Container Platform installer startup, to do such things as setting per-node individual IP addresses or advanced disk partitioning.
- MCO manages items that are set in machine configs. Manual changes you do to your systems will not be overwritten by MCO, unless MCO is explicitly told to manage a conflicting file. In other words, MCO only makes specific updates you request, it does not claim control over the whole node.
- Manual changes to nodes are strongly discouraged. If you need to decommission a node and start a new one, those direct changes would be lost.
- 
						MCO is only supported for writing to files in /etcand/vardirectories, although there are symbolic links to some directories that can be writeable by being symbolically linked to one of those areas. The/optand/usr/localdirectories are examples.
- Ignition is the configuration format used in MachineConfigs. See the Ignition Configuration Specification v3.5.0 for details.
- Although Ignition config settings can be delivered directly at OpenShift Container Platform installation time, and are formatted in the same way that MCO delivers Ignition configs, MCO has no way of seeing what those original Ignition configs are. Therefore, you should wrap Ignition config settings into a machine config before deploying them.
- 
						When a file managed by MCO changes outside of MCO, the Machine Config Daemon (MCD) sets the node as degraded. It will not overwrite the offending file, however, and should continue to operate in adegradedstate.
- 
						A key reason for using a machine config is that it will be applied when you spin up new nodes for a pool in your OpenShift Container Platform cluster. The machine-api-operatorprovisions a new machine and MCO configures it.
MCO uses Ignition as the configuration format. OpenShift Container Platform 4.6 moved from Ignition config specification version 2 to version 3.
1.2.1. What can you change with machine configs?
The kinds of components that MCO can change include:
- config: Create Ignition config objects (see the Ignition configuration specification) to do things like modify files, systemd services, and other features on OpenShift Container Platform machines, including: - 
									Configuration files: Create or overwrite files in the /varor/etcdirectory.
- systemd units: Create and set the status of a systemd service or add to an existing systemd service by dropping in additional settings.
- users and groups: Change SSH keys in the passwd section postinstallation. Important- 
												Changing SSH keys by using a machine config is supported only for the coreuser.
- Adding new users by using a machine config is not supported.
 
- 
												Changing SSH keys by using a machine config is supported only for the 
 
- 
									Configuration files: Create or overwrite files in the 
- kernelArguments: Add arguments to the kernel command line when OpenShift Container Platform nodes boot.
- 
							kernelType: Optionally identify a non-standard kernel to use instead of the standard kernel. Use realtimeto use the RT kernel (for RAN). This is only supported on select platforms. Use the64k-pagesparameter to enable the 64k page size kernel. This setting is exclusive to machines with 64-bit ARM architectures.
- fips: Enable FIPS mode. FIPS should be set at installation-time setting and not a postinstallation procedure. Important- To enable FIPS mode for your cluster, you must run the installation program from a Red Hat Enterprise Linux (RHEL) computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Switching RHEL to FIPS mode. - When running Red Hat Enterprise Linux (RHEL) or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures. 
- extensions: Extend RHCOS features by adding selected pre-packaged software. For this feature, available extensions include usbguard and kernel modules.
- 
							Custom resources (for ContainerRuntimeandKubelet): Outside of machine configs, MCO manages two special custom resources for modifying CRI-O container runtime settings (ContainerRuntimeCR) and the Kubelet service (KubeletCR).
The MCO is not the only Operator that can change operating system components on OpenShift Container Platform nodes. Other Operators can modify operating system-level features as well. One example is the Node Tuning Operator, which allows you to do node-level tuning through Tuned daemon profiles.
Tasks for the MCO configuration that can be done after installation are included in the following procedures. See descriptions of RHCOS bare metal installation for system configuration tasks that must be done during or before OpenShift Container Platform installation. By default, many of the changes you make with the MCO require a reboot.
- When the MCO detects any of the following changes, it applies the update without draining or rebooting the node: - 
									Changes to the SSH key in the spec.config.passwd.users.sshAuthorizedKeysparameter of a machine config.
- 
									Changes to the global pull secret or pull secret in the openshift-confignamespace.
- 
									Automatic rotation of the /etc/kubernetes/kubelet-ca.crtcertificate authority (CA) by the Kubernetes API Server Operator.
 
- 
									Changes to the SSH key in the 
- When the MCO detects changes to the - /etc/containers/registries.conffile, such as editing an- ImageDigestMirrorSet,- ImageTagMirrorSet, or- ImageContentSourcePolicyobject, it drains the corresponding nodes, applies the changes, and uncordons the nodes. The node drain does not happen for the following changes:- 
									The addition of a registry with the pull-from-mirror = "digest-only"parameter set for each mirror.
- 
									The addition of a mirror with the pull-from-mirror = "digest-only"parameter set in a registry.
- 
									The addition of items to the unqualified-search-registrieslist.
 
- 
									The addition of a registry with the 
In other cases, you can mitigate the disruption to your workload when the MCO makes changes by using node disruption policies. For information, see Understanding node restart behaviors after machine config changes.
					There might be situations where the configuration on a node does not fully match what the currently-applied machine config specifies. This state is called configuration drift. The Machine Config Daemon (MCD) regularly checks the nodes for configuration drift. If the MCD detects configuration drift, the MCO marks the node degraded until an administrator corrects the node configuration. A degraded node is online and operational, but, it cannot be updated. For more information on configuration drift, see Understanding configuration drift detection.
				
1.2.2. Node configuration management with machine config pools
Machines that run control plane components or user workloads are divided into groups based on the types of resources they handle. These groups of machines are called machine config pools (MCP). Each MCP manages a set of nodes and its corresponding machine configs. The role of the node determines which MCP it belongs to; the MCP governs nodes based on its assigned node role label. Nodes in an MCP have the same configuration; this means nodes can be scaled up and torn down in response to increased or decreased workloads.
					By default, there are two MCPs created by the cluster when it is installed: master and worker. Each default MCP has a defined configuration applied by the Machine Config Operator (MCO), which is responsible for managing MCPs and facilitating MCP updates.
				
For worker nodes, you can create additional MCPs, or custom pools, to manage nodes with custom use cases that extend outside of the default node types. Custom MCPs for the control plane nodes are not supported.
Custom pools are pools that inherit their configurations from the worker pool. They use any machine config targeted for the worker pool, but add the ability to deploy changes only targeted at the custom pool. Since a custom pool inherits its configuration from the worker pool, any change to the worker pool is applied to the custom pool as well. Custom pools that do not inherit their configurations from the worker pool are not supported by the MCO.
						A node can only be included in one MCP. If a node has multiple labels that correspond to several MCPs, like worker,infra, it is managed by the infra custom pool, not the worker pool. Custom pools take priority on selecting nodes to manage based on node labels; nodes that do not belong to a custom pool are managed by the worker pool.
					
					It is recommended to have a custom pool for every node role you want to manage in your cluster. For example, if you create infra nodes to handle infra workloads, it is recommended to create a custom infra MCP to group those nodes together. If you apply an infra role label to a worker node so it has the worker,infra dual label, but do not have a custom infra MCP, the MCO considers it a worker node. If you remove the worker label from a node and apply the infra label without grouping it in a custom pool, the node is not recognized by the MCO and is unmanaged by the cluster.
				
						Any node labeled with the infra role that is only running infra workloads is not counted toward the total number of subscriptions. The MCP managing an infra node is mutually exclusive from how the cluster determines subscription charges; tagging a node with the appropriate infra role and using taints to prevent user workloads from being scheduled on that node are the only requirements for avoiding subscription charges for infra workloads.
					
The MCO applies updates for pools independently; for example, if there is an update that affects all pools, nodes from each pool update in parallel with each other. If you add a custom pool, nodes from that pool also attempt to update concurrently with the master and worker nodes.
					There might be situations where the configuration on a node does not fully match what the currently-applied machine config specifies. This state is called configuration drift. The Machine Config Daemon (MCD) regularly checks the nodes for configuration drift. If the MCD detects configuration drift, the MCO marks the node degraded until an administrator corrects the node configuration. A degraded node is online and operational, but, it cannot be updated.
				
1.3. Understanding the Machine Config Operator node drain behavior
When you use a machine config to change a system feature, such as adding new config files, modifying systemd units or kernel arguments, or updating SSH keys, the Machine Config Operator (MCO) applies those changes and ensures that each node is in the desired configuration state.
After you make the changes, the MCO generates a new rendered machine config. In the majority of cases, when applying the new rendered machine config, the Operator performs the following steps on each affected node until all of the affected nodes have the updated configuration:
- Cordon. The MCO marks the node as not schedulable for additional workloads.
- Drain. The MCO terminates all running workloads on the node, causing the workloads to be rescheduled onto other nodes.
- Apply. The MCO writes the new configuration to the nodes as needed.
- Reboot. The MCO restarts the node.
- Uncordon. The MCO marks the node as schedulable for workloads.
				Throughout this process, the MCO maintains the required number of pods based on the MaxUnavailable value set in the machine config pool.
			
There are conditions which can prevent the MCO from draining a node. If the MCO fails to drain a node, the Operator will be unable to reboot the node, preventing any changes made to the node through a machine config. For more information and mitigation steps, see the MCCDrainError runbook.
If the MCO drains pods on the master node, note the following conditions:
- In single-node OpenShift clusters, the MCO skips the drain operation.
- The MCO does not drain static pods in order to prevent interference with services, such as etcd.
In certain cases the nodes are not drained. For more information, see "About the Machine Config Operator."
There are ways to mitigate the disruption caused by drain and reboot cycles by using node disruption policies or disabling control plane reboots. For more information, see "Understanding node restart behaviors after machine config changes" and "Disabling the Machine Config Operator from automatically rebooting."
1.4. Understanding configuration drift detection
There might be situations when the on-disk state of a node differs from what is configured in the machine config. This is known as configuration drift. For example, a cluster admin might manually modify a file, a systemd unit file, or a file permission that was configured through a machine config. This causes configuration drift. Configuration drift can cause problems between nodes in a Machine Config Pool or when the machine configs are updated.
				The Machine Config Operator (MCO) uses the Machine Config Daemon (MCD) to check nodes for configuration drift on a regular basis. If detected, the MCO sets the node and the machine config pool (MCP) to Degraded and reports the error. A degraded node is online and operational, but, it cannot be updated.
			
The MCD performs configuration drift detection upon each of the following conditions:
- When a node boots.
- After any of the files (Ignition files and systemd drop-in units) specified in the machine config are modified outside of the machine config.
- Before a new machine config is applied. Note- If you apply a new machine config to the nodes, the MCD temporarily shuts down configuration drift detection. This shutdown is needed because the new machine config necessarily differs from the machine config on the nodes. After the new machine config is applied, the MCD restarts detecting configuration drift using the new machine config. 
When performing configuration drift detection, the MCD validates that the file contents and permissions fully match what the currently-applied machine config specifies. Typically, the MCD detects configuration drift in less than a second after the detection is triggered.
If the MCD detects configuration drift, the MCD performs the following tasks:
- Emits an error to the console logs
- Emits a Kubernetes event
- Stops further detection on the node
- 
						Sets the node and MCP to degraded
You can check if you have a degraded node by listing the MCPs:
oc get mcp worker
$ oc get mcp worker
				If you have a degraded MCP, the DEGRADEDMACHINECOUNT field is non-zero, similar to the following output:
			
Example output
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE worker rendered-worker-404caf3180818d8ac1f50c32f14b57c3 False True True 2 1 1 1 5h51m
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
worker   rendered-worker-404caf3180818d8ac1f50c32f14b57c3   False     True       True       2              1                   1                     1                      5h51mYou can determine if the problem is caused by configuration drift by examining the machine config pool:
oc describe mcp worker
$ oc describe mcp workerExample output
Or, if you know which node is degraded, examine that node:
oc describe node/ci-ln-j4h8nkb-72292-pxqxz-worker-a-fjks4
$ oc describe node/ci-ln-j4h8nkb-72292-pxqxz-worker-a-fjks4Example output
- 1
- The error message indicating that configuration drift was detected between the node and the listed machine config. Here the error message indicates that the contents of the/etc/mco-test-file, which was added by the machine config, has changed outside of the machine config.
- 2
- The state of the node isDegraded.
				You can correct configuration drift and return the node to the Ready state by performing one of the following remediations:
			
- Ensure that the contents and file permissions of the files on the node match what is configured in the machine config. You can manually rewrite the file contents or change the file permissions.
- Generate a force file on the degraded node. The force file causes the MCD to bypass the usual configuration drift detection and reapplies the current machine config. Note- Generating a force file on a node causes that node to reboot. 
1.5. Checking machine config pool status
				To see the status of the Machine Config Operator (MCO), its sub-components, and the resources it manages, use the following oc commands:
			
Procedure
- To see the number of MCO-managed nodes available on your cluster for each machine config pool (MCP), run the following command: - oc get machineconfigpool - $ oc get machineconfigpool- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-06c9c4… True False False 3 3 3 0 4h42m worker rendered-worker-f4b64… False True False 3 2 2 0 4h42m - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-06c9c4… True False False 3 3 3 0 4h42m worker rendered-worker-f4b64… False True False 3 2 2 0 4h42m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - UPDATED
- 
									The Truestatus indicates that the MCO has applied the current machine config to the nodes in that MCP. The current machine config is specified in theSTATUSfield in theoc get mcpoutput. TheFalsestatus indicates a node in the MCP is updating.
- UPDATING
- 
									The Truestatus indicates that the MCO is applying the desired machine config, as specified in theMachineConfigPoolcustom resource, to at least one of the nodes in that MCP. The desired machine config is the new, edited machine config. Nodes that are updating might not be available for scheduling. TheFalsestatus indicates that all nodes in the MCP are updated.
- DEGRADED
- 
									A Truestatus indicates the MCO is blocked from applying the current or desired machine config to at least one of the nodes in that MCP, or the configuration is failing. Nodes that are degraded might not be available for scheduling. AFalsestatus indicates that all nodes in the MCP are ready.
- MACHINECOUNT
- Indicates the total number of machines in that MCP.
- READYMACHINECOUNT
- 
									Indicates the number of machines that are both running the current machine config and are ready for scheduling. This count is always less than or equal to the UPDATEDMACHINECOUNTnumber.
- UPDATEDMACHINECOUNT
- Indicates the total number of machines in that MCP that have the current machine config.
- DEGRADEDMACHINECOUNT
- Indicates the total number of machines in that MCP that are marked as degraded or unreconcilable.
 - In the previous output, there are three control plane (master) nodes and three worker nodes. The control plane MCP and the associated nodes are updated to the current machine config. The nodes in the worker MCP are being updated to the desired machine config. Two of the nodes in the worker MCP are updated and one is still updating, as indicated by the - UPDATEDMACHINECOUNTbeing- 2. There are no issues, as indicated by the- DEGRADEDMACHINECOUNTbeing- 0and- DEGRADEDbeing- False.- While the nodes in the MCP are updating, the machine config listed under - CONFIGis the current machine config, which the MCP is being updated from. When the update is complete, the listed machine config is the desired machine config, which the MCP was updated to.Note- If a node is being cordoned, that node is not included in the - READYMACHINECOUNT, but is included in the- MACHINECOUNT. Also, the MCP status is set to- UPDATING. Because the node has the current machine config, it is counted in the- UPDATEDMACHINECOUNTtotal:- Example output - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-06c9c4… True False False 3 3 3 0 4h42m worker rendered-worker-c1b41a… False True False 3 2 3 0 4h42m - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-06c9c4… True False False 3 3 3 0 4h42m worker rendered-worker-c1b41a… False True False 3 2 3 0 4h42m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To check the status of the nodes in an MCP by examining the - MachineConfigPoolcustom resource, run the following command: :- oc describe mcp worker - $ oc describe mcp worker- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- If a node is being cordoned, the node is not included in the - Ready Machine Count. It is included in the- Unavailable Machine Count:- Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To see each existing - MachineConfigobject, run the following command:- oc get machineconfigs - $ oc get machineconfigs- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Note that the - MachineConfigobjects listed as- renderedare not meant to be changed or deleted.
- To view the contents of a particular machine config (in this case, - 01-master-kubelet), run the following command:- oc describe machineconfigs 01-master-kubelet - $ oc describe machineconfigs 01-master-kubelet- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output from the command shows that this - MachineConfigobject contains both configuration files (- cloud.confand- kubelet.conf) and a systemd service (Kubernetes Kubelet):- Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
				If something goes wrong with a machine config that you apply, you can always back out that change. For example, if you had run oc create -f ./myconfig.yaml to apply a machine config, you could remove that machine config by running the following command:
			
oc delete -f ./myconfig.yaml
$ oc delete -f ./myconfig.yamlIf that was the only problem, the nodes in the affected pool should return to a non-degraded state. This actually causes the rendered configuration to roll back to its previously rendered state.
If you add your own machine configs to your cluster, you can use the commands shown in the previous example to check their status and the related status of the pool to which they are applied.
1.6. About checking machine config node status
				If you make changes to a machine config pool (MCP) that results in a new machine config, for example by using a MachineConfig or KubeletConfig object, you can get detailed information about the progress of the node updates by using the machine config nodes custom resource.
			
				The MachineConfigNode custom resource allows you to monitor the progress of individual node updates as they move through the update phases. This information can be helpful with troubleshooting if one of the nodes has an issue during the update. The custom resource reports where in the update process the node is at the moment, the phases that have completed, and the phases that are remaining.
			
The node update process consists of the following phases and subphases that are tracked by the machine config node custom resource, explained with more detail later in this section:
- Update Prepared. The MCO stops the configuration drift monitoring process and verifies that the newly-created machine config can be applied to a node.
- Update Executed. The MCO cordons and drains the node and applies the new machine config to the node files and operating system, as needed. It contains the following sub-phases: - Cordoned
- Drained
- AppliedFilesAndOS
 
- PinnedImageSetsProgressing The MCO is performing the steps needed to pin and pre-load container images.
- 
						PinnedImageSetsDegraded The pinned image process failed. You can view the reason for the failure by using the oc describe machineconfignodecommand, as described later in this section.
- 
						NodeDegraded The node update failed. You can view the reason for the failure by using the oc describe machineconfignodecommand, as described later in this section.
- Update Post update action The MCO is reloading CRI-O, as needed.
- Rebooted Node The MCO is rebooting the node, as needed.
- Update Complete. The MCO is uncordoning the node, updating the node state to the cluster, and resumes producing node metrics. It contains the following sub-phase: - Uncordoned
 
- Updated The MCO completed a node update and the current config version of the node is equal to the desired updated version.
- Resumed. The MCO restarted the config drift monitor process and the node returns to operational state.
				As the update moves through these phases, you can query the MachineConfigNode custom resource, which reports one of the following conditions for each phase:
			
- 
						True. The phase is complete on that node.
- 
						False. The phase has not yet started or will not be executed on that node.
- 
						Unknown. The phase is either being executed on that node or has an error. If the phase has an error, you can use theoc describe machineconfignodescommand for more information, as described later in this section.
For example, consider a cluster with a newly-created machine config:
oc get machineconfig
$ oc get machineconfigExample output
You can watch as the nodes are updated with the new machine config:
oc get machineconfignodes
$ oc get machineconfignodesExample output
- 1
- This node has been updated. The new machine config,rendered-worker-f351f6947f15cd0380514f4b1c89f8f2, is shown as the desired and current machine configs.
- 2
- This node is currently being updated to the new machine config. The previous and new machine configs are shown as the desired and current machine configs, respectively.
- 3
- This node has not yet been updated to the new machine config. The previous machine config is shown as the desired and current machine configs.
| Field | Meaning | 
|---|---|
| 
								 | The name of the node. | 
| 
								 | The name of the machine config pool associated with that node. | 
| 
								 | The name of the new machine config that the node updates to. | 
| 
								 | The name of the current machine configuration on that node. | 
| 
								 | Indicates if the node has been updated by using one of the following conditions: 
 | 
| 
								 | The age of the machine configuration node from when it was created. The age is not changed if the associated node is updated. | 
				You can use the -o wide flag to display additional information about the updates:
			
oc get machineconfignodes -o wide
$ oc get machineconfignodes -o wideExample output
				In addition to the fields defined in the previous table, the -o wide output displays the following fields:
			
| Phase Name | Definition | 
|---|---|
| 
								 | Indicates if the MCO is preparing to update the node. | 
| 
								 | Indicates if the MCO has completed the body of the update on the node. | 
| 
								 | Indicates if the MCO has executed the post-update actions on the node. | 
| 
								 | Indicates if the MCO has completed the update on the node. | 
| 
								 | Indicates if the node has resumed normal processes. | 
| 
								 | Indicates if the MCO has updated the node files and operating system. | 
| 
								 | Indicates if the MCO has marked the node as not schedulable. | 
| 
								 | Indicates if the MCO has drained the node. | 
| 
								 | Indicates if the MCO has restarted the node. | 
| 
								 | Indicates if the MCO has marked the node as schedulable. | 
				For more details on the update status, you can use the oc describe machineconfignode command:
			
oc describe machineconfignode/<machine_config_node_name>
$ oc describe machineconfignode/<machine_config_node_name>Example output
1.6.1. Checking machine config node status
					During the update of a machine config pool (MCP), you can monitor the progress of all of the nodes in your cluster by using the oc get machineconfignodes and oc describe machineconfignodes commands. These commands provide information that can be helpful if issues arise during the update and you need to troubleshoot a node.
				
For more information on the meaning of these fields, see "About checking machine config node status."
Procedure
- View the update status of all nodes in the cluster, including the current and desired machine configurations, by running the following command: - oc get machineconfignodes - $ oc get machineconfignodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View of all machine config node status fields for the nodes in your cluster by running the following command: - oc get machineconfignodes -o wide - $ oc get machineconfignodes -o wide- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the update status of nodes in a specific machine config pool by running the following command: - oc get machineconfignodes $(oc get machineconfignodes -o json | jq -r '.items[]|select(.spec.pool.name=="<pool_name>")|.metadata.name') - $ oc get machineconfignodes $(oc get machineconfignodes -o json | jq -r '.items[]|select(.spec.pool.name=="<pool_name>")|.metadata.name')- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <pool_name>
- Specifies the name of the machine config pool. - Example output - NAME POOLNAME DESIREDCONFIG CURRENTCONFIG UPDATED AGE ci-ln-g6dr34b-72292-g9btv-worker-a-sjh5r worker rendered-worker-d5534cb730e5e108905fc285c2a42b6c rendered-worker-d5534cb730e5e108905fc285c2a42b6c True 20M ci-ln-g6dr34b-72292-g9btv-worker-b-xthbz worker rendered-worker-d5534cb730e5e108905fc285c2a42b6c rendered-worker-faf6b50218a8bbce21f1370866283de5 False 20M ci-ln-g6dr34b-72292-g9btv-worker-c-gnpd6 worker rendered-worker-faf6b50218a8bbce21f1370866283de5 rendered-worker-faf6b50218a8bbce21f1370866283de5 True 19M - NAME POOLNAME DESIREDCONFIG CURRENTCONFIG UPDATED AGE ci-ln-g6dr34b-72292-g9btv-worker-a-sjh5r worker rendered-worker-d5534cb730e5e108905fc285c2a42b6c rendered-worker-d5534cb730e5e108905fc285c2a42b6c True 20M ci-ln-g6dr34b-72292-g9btv-worker-b-xthbz worker rendered-worker-d5534cb730e5e108905fc285c2a42b6c rendered-worker-faf6b50218a8bbce21f1370866283de5 False 20M ci-ln-g6dr34b-72292-g9btv-worker-c-gnpd6 worker rendered-worker-faf6b50218a8bbce21f1370866283de5 rendered-worker-faf6b50218a8bbce21f1370866283de5 True 19M- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Check the update status of an individual node by running the following command: - oc describe machineconfignode/<node_name> - $ oc describe machineconfignode/<node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
1.7. Understanding Machine Config Operator certificates
Machine Config Operator certificates are used to secure connections between the Red Hat Enterprise Linux CoreOS (RHCOS) nodes and the Machine Config Server. For more information, see Machine Config Operator certificates.
1.7.1. Viewing and interacting with certificates
					The following certificates are handled in the cluster by the Machine Config Controller (MCC) and can be found in the ControllerConfig resource:
				
- 
							/etc/kubernetes/kubelet-ca.crt
- 
							/etc/kubernetes/static-pod-resources/configmaps/cloud-config/ca-bundle.pem
- 
							/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt
The MCC also handles the image registry certificates and its associated user bundle certificate.
You can get information about the listed certificates, including the underyling bundle the certificate comes from, and the signing and subject data.
Prerequisites
- 
							This procedure contains optional steps that require that the python-yqRPM package is installed.
Procedure
- Get detailed certificate information by running the following command: - oc get controllerconfig/machine-config-controller -o yaml | yq -y '.status.controllerCertificates' - $ oc get controllerconfig/machine-config-controller -o yaml | yq -y '.status.controllerCertificates'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Get a simpler version of the information found in the - ControllerConfigresource by checking the machine config pool status using the following command:- oc get mcp master -o yaml | yq -y '.status.certExpirys' - $ oc get mcp master -o yaml | yq -y '.status.certExpirys'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This method is meant for OpenShift Container Platform applications that already consume machine config pool information. 
- Check which image registry certificates are on the nodes: - Log in to a node: - oc debug node/<node_name> - $ oc debug node/<node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set - /hostas the root directory within the debug shell:- chroot /host - sh-5.1# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Look at the contents of the - /etc/docker/cert.ddirectory:- ls /etc/docker/certs.d - sh-5.1# ls /etc/docker/certs.d- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - image-registry.openshift-image-registry.svc.cluster.local:5000 image-registry.openshift-image-registry.svc:5000 - image-registry.openshift-image-registry.svc.cluster.local:5000 image-registry.openshift-image-registry.svc:5000- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
Chapter 2. Using machine config objects to configure nodes
			You can use the tasks in this section to create MachineConfig objects that modify files, systemd unit files, and other operating system features running on OpenShift Container Platform nodes. For more ideas on working with machine configs, see content related to updating SSH authorized keys, verifying image signatures, enabling SCTP, and configuring iSCSI initiatornames for OpenShift Container Platform.
		
OpenShift Container Platform supports Ignition specification version 3.5. You should base all new machine configs you create going forward on Ignition specification version 3.5. If you are upgrading your OpenShift Container Platform cluster, any existing machine configs with a previous Ignition specification will be translated automatically to specification version 3.5.
			There might be situations where the configuration on a node does not fully match what the currently-applied machine config specifies. This state is called configuration drift. The Machine Config Daemon (MCD) regularly checks the nodes for configuration drift. If the MCD detects configuration drift, the MCO marks the node degraded until an administrator corrects the node configuration. A degraded node is online and operational, but, it cannot be updated. For more information on configuration drift, see Understanding configuration drift detection.
		
Use the following "Configuring chrony time service" procedure as a model for how to go about adding other configuration files to OpenShift Container Platform nodes.
2.1. Configuring chrony time service
				You can set the time server and related settings used by the chrony time service (chronyd) by modifying the contents of the chrony.conf file and passing those contents to your nodes as a machine config.
			
Procedure
- Create a Butane config including the contents of the - chrony.conffile. For example, to configure chrony on worker nodes, create a- 99-worker-chrony.bufile.Note- The Butane version you specify in the config file should match the OpenShift Container Platform version and always ends in - 0. For example,- 4.20.0. See "Creating machine configs with Butane" for information about Butane.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1 1 1 2
- On control plane nodes, substitutemasterforworkerin both of these locations.
- 2 3
- Specify an octal value mode for themodefield in the machine config file. After creating the file and applying the changes, themodeis converted to a decimal value. You can check the YAML file with the commandoc get mc <mc-name> -o yaml.
- 3 4
- Specify any valid, reachable time source, such as the one provided by your DHCP server.
 Note- For all-machine to all-machine communication, the Network Time Protocol (NTP) on UDP is port - 123. If an external NTP time server is configured, you must open UDP port- 123.- Alternatively, you can specify any of the following NTP servers: - 1.rhel.pool.ntp.org,- 2.rhel.pool.ntp.org, or- 3.rhel.pool.ntp.org. When you use NTP with your DHCP server, you must set the- sourcedir /run/chrony-dhcpparameter in the- chrony.conffile.
- Use Butane to generate a - MachineConfigobject file,- 99-worker-chrony.yaml, containing the configuration to be delivered to the nodes:- butane 99-worker-chrony.bu -o 99-worker-chrony.yaml - $ butane 99-worker-chrony.bu -o 99-worker-chrony.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Apply the configurations in one of two ways: - 
								If the cluster is not running yet, after you generate manifest files, add the MachineConfigobject file to the<installation_directory>/openshiftdirectory, and then continue to create the cluster.
- If the cluster is already running, apply the file: - oc apply -f ./99-worker-chrony.yaml - $ oc apply -f ./99-worker-chrony.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- 
								If the cluster is not running yet, after you generate manifest files, add the 
2.2. Disabling the chrony time service
				You can disable the chrony time service (chronyd) for nodes with a specific role by using a MachineConfig custom resource (CR).
			
Prerequisites
- 
						Install the OpenShift CLI (oc).
- 
						Log in as a user with cluster-adminprivileges.
Procedure
- Create the - MachineConfigCR that disables- chronydfor the specified node role.- Save the following YAML in the - disable-chronyd.yamlfile:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Node role where you want to disablechronyd, for example,master.
 
- Create the - MachineConfigCR by running the following command:- oc create -f disable-chronyd.yaml - $ oc create -f disable-chronyd.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
2.3. Adding kernel arguments to nodes
In some special cases, you might want to add kernel arguments to a set of nodes in your cluster. This should only be done with caution and clear understanding of the implications of the arguments you set.
Improper use of kernel arguments can result in your systems becoming unbootable.
Examples of kernel arguments you could set include:
- 
						nosmt: Disables symmetric multithreading (SMT) in the kernel. Multithreading allows multiple logical threads for each CPU. You could consider nosmtin multi-tenant environments to reduce risks from potential cross-thread attacks. By disabling SMT, you essentially choose security over performance.
- enforcing=0: Configures Security Enhanced Linux (SELinux) to run in permissive mode. In permissive mode, the system acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations. While not supported for production systems, permissive mode can be helpful for debugging. Warning- Disabling SELinux on RHCOS in production is not supported. Once SELinux has been disabled on a node, it must be re-provisioned before re-inclusion in a production cluster. 
See Kernel.org kernel parameters for a list and descriptions of kernel arguments.
				In the following procedure, you create a MachineConfig object that identifies:
			
- A set of machines to which you want to add the kernel argument. In this case, machines with a worker role.
- Kernel arguments that are appended to the end of the existing kernel arguments.
- A label that indicates where in the list of machine configs the change is applied.
Prerequisites
- Have administrative privilege to a working OpenShift Container Platform cluster.
Procedure
- List existing - MachineConfigobjects for your OpenShift Container Platform cluster to determine how to label your machine config:- oc get MachineConfig - $ oc get MachineConfig- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a - MachineConfigobject file that identifies the kernel argument (for example,- 05-worker-kernelarg-selinuxpermissive.yaml)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the new machine config: - oc create -f 05-worker-kernelarg-selinuxpermissive.yaml - $ oc create -f 05-worker-kernelarg-selinuxpermissive.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the machine configs to see that the new one was added: - oc get MachineConfig - $ oc get MachineConfig- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the nodes: - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can see that scheduling on each worker node is disabled as the change is being applied. 
- Check that the kernel argument worked by going to one of the worker nodes and listing the kernel command-line arguments (in - /proc/cmdlineon the host):- oc debug node/ip-10-0-141-105.ec2.internal - $ oc debug node/ip-10-0-141-105.ec2.internal- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You should see the - enforcing=0argument added to the other kernel arguments.
2.4. Enabling multipathing with kernel arguments on RHCOS
Enabling multipathing during installation is supported and recommended for nodes provisioned in OpenShift Container Platform. In setups where any I/O to non-optimized paths results in I/O system errors, you must enable multipathing at installation time. For more information about enabling multipathing during installation time, see "Enabling multipathing post installation" in the Installing on bare metal documentation.
Red Hat Enterprise Linux CoreOS (RHCOS) supports multipathing on the primary disk, allowing stronger resilience to hardware failure to achieve higher host availability. Postinstallation support is available by activating multipathing via the machine config.
On IBM Z® and IBM® LinuxONE, you can enable multipathing only if you configured your cluster for it during installation. For more information, see "Installing RHCOS and starting the OpenShift Container Platform bootstrap process" in Installing a cluster with z/VM on IBM Z® and IBM® LinuxONE.
When an OpenShift Container Platform cluster is installed or configured as a postinstallation activity on a single VIOS host with "vSCSI" storage on IBM Power® with multipath configured, the CoreOS nodes with multipath enabled fail to boot. This behavior is expected, as only one path is available to the node.
Prerequisites
- You have a running OpenShift Container Platform cluster.
- You are logged in to the cluster as a user with administrative privileges.
- You have confirmed that the disk is enabled for multipathing. Multipathing is only supported on hosts that are connected to a SAN via an HBA adapter.
Procedure
- To enable multipathing postinstallation on control plane nodes: - Create a machine config file, such as - 99-master-kargs-mpath.yaml, that instructs the cluster to add the- masterlabel and that identifies the multipath kernel argument, for example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- To enable multipathing postinstallation on worker nodes: - Create a machine config file, such as - 99-worker-kargs-mpath.yaml, that instructs the cluster to add the- workerlabel and that identifies the multipath kernel argument, for example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Create the new machine config by using either the master or worker YAML file you previously created: - oc create -f ./99-worker-kargs-mpath.yaml - $ oc create -f ./99-worker-kargs-mpath.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the machine configs to see that the new one was added: - oc get MachineConfig - $ oc get MachineConfig- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the nodes: - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can see that scheduling on each worker node is disabled as the change is being applied. 
- Check that the kernel argument worked by going to one of the worker nodes and listing the kernel command-line arguments (in - /proc/cmdlineon the host):- oc debug node/ip-10-0-141-105.ec2.internal - $ oc debug node/ip-10-0-141-105.ec2.internal- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You should see the added kernel arguments. 
2.5. Adding a real-time kernel to nodes
Some OpenShift Container Platform workloads require a high degree of determinism.While Linux is not a real-time operating system, the Linux real-time kernel includes a preemptive scheduler that provides the operating system with real-time characteristics.
				If your OpenShift Container Platform workloads require these real-time characteristics, you can switch your machines to the Linux real-time kernel. For OpenShift Container Platform, 4.20 you can make this switch using a MachineConfig object. Although making the change is as simple as changing a machine config kernelType setting to realtime, there are a few other considerations before making the change:
			
- Currently, real-time kernel is supported only on worker nodes, and only for radio access network (RAN) use.
- The following procedure is fully supported with bare metal installations that use systems that are certified for Red Hat Enterprise Linux for Real Time 8.
- Real-time support in OpenShift Container Platform is limited to specific subscriptions.
- The following procedure is also supported for use with Google Cloud Platform.
Prerequisites
- Have a running OpenShift Container Platform cluster (version 4.4 or later).
- Log in to the cluster as a user with administrative privileges.
Procedure
- Create a machine config for the real-time kernel: Create a YAML file (for example, - 99-worker-realtime.yaml) that contains a- MachineConfigobject for the- realtimekernel type. This example tells the cluster to use a real-time kernel for all worker nodes:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the machine config to the cluster. Type the following to add the machine config to the cluster: - oc create -f 99-worker-realtime.yaml - $ oc create -f 99-worker-realtime.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the real-time kernel: Once each impacted node reboots, log in to the cluster and run the following commands to make sure that the real-time kernel has replaced the regular kernel for the set of nodes you configured: - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME STATUS ROLES AGE VERSION ip-10-0-143-147.us-east-2.compute.internal Ready worker 103m v1.33.4 ip-10-0-146-92.us-east-2.compute.internal Ready worker 101m v1.33.4 ip-10-0-169-2.us-east-2.compute.internal Ready worker 102m v1.33.4 - NAME STATUS ROLES AGE VERSION ip-10-0-143-147.us-east-2.compute.internal Ready worker 103m v1.33.4 ip-10-0-146-92.us-east-2.compute.internal Ready worker 101m v1.33.4 ip-10-0-169-2.us-east-2.compute.internal Ready worker 102m v1.33.4- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - oc debug node/ip-10-0-143-147.us-east-2.compute.internal - $ oc debug node/ip-10-0-143-147.us-east-2.compute.internal- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The kernel name contains - rtand text “PREEMPT RT” indicates that this is a real-time kernel.
- To go back to the regular kernel, delete the - MachineConfigobject:- oc delete -f 99-worker-realtime.yaml - $ oc delete -f 99-worker-realtime.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.6. Configuring journald settings
				If you need to configure settings for the journald service on OpenShift Container Platform nodes, you can do that by modifying the appropriate configuration file and passing the file to the appropriate pool of nodes as a machine config.
			
				This procedure describes how to modify journald rate limiting settings in the /etc/systemd/journald.conf file and apply them to worker nodes. See the journald.conf man page for information on how to use that file.
			
Prerequisites
- Have a running OpenShift Container Platform cluster.
- Log in to the cluster as a user with administrative privileges.
Procedure
- Create a Butane config file, - 40-worker-custom-journald.bu, that includes an- /etc/systemd/journald.conffile with the required settings.Note- The Butane version you specify in the config file should match the OpenShift Container Platform version and always ends in - 0. For example,- 4.20.0. See "Creating machine configs with Butane" for information about Butane.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Use Butane to generate a - MachineConfigobject file,- 40-worker-custom-journald.yaml, containing the configuration to be delivered to the worker nodes:- butane 40-worker-custom-journald.bu -o 40-worker-custom-journald.yaml - $ butane 40-worker-custom-journald.bu -o 40-worker-custom-journald.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Apply the machine config to the pool: - oc apply -f 40-worker-custom-journald.yaml - $ oc apply -f 40-worker-custom-journald.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check that the new machine config is applied and that the nodes are not in a degraded state. It might take a few minutes. The worker pool will show the updates in progress, as each node successfully has the new machine config applied: - oc get machineconfigpool - $ oc get machineconfigpool NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-35 True False False 3 3 3 0 34m worker rendered-worker-d8 False True False 3 1 1 0 34m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To check that the change was applied, you can log in to a worker node: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.7. Adding extensions to RHCOS
				RHCOS is a minimal container-oriented RHEL operating system, designed to provide a common set of capabilities to OpenShift Container Platform clusters across all platforms. Although adding software packages to RHCOS systems is generally discouraged, the MCO provides an extensions feature you can use to add a minimal set of features to RHCOS nodes.
			
Currently, the following extensions are available:
- 
						usbguard: The usbguardextension protects RHCOS systems from attacks by intrusive USB devices. For more information, see USBGuard for details.
- 
						kerberos: The kerberosextension provides a mechanism that allows both users and machines to identify themselves to the network to receive defined, limited access to the areas and services that an administrator has configured. For more information, see Using Kerberos for details, including how to set up a Kerberos client and mount a Kerberized NFS share.
- 
						sandboxed-containers: The sandboxed-containersextension contains RPMs for Kata, QEMU, and its dependencies. For more information, see OpenShift Sandboxed Containers.
- 
						ipsec: The ipsecextension contains RPMs for libreswan and NetworkManager-libreswan.
- 
						wasm: The wasmextension enables Developer Preview functionality in OpenShift Container Platform for users who want to use WASM-supported workloads.
- 
						sysstat: Adding the sysstatextension provides additional performance monitoring for OpenShift Container Platform nodes, including the system activity reporter (sar) command for collecting and reporting information.
- 
						kernel-devel: The kernel-develextension provides kernel headers and makefiles sufficient to build modules against the kernel package.
The following procedure describes how to use a machine config to add one or more extensions to your RHCOS nodes.
Prerequisites
- Have a running OpenShift Container Platform cluster (version 4.6 or later).
- Log in to the cluster as a user with administrative privileges.
Procedure
- Create a machine config for extensions: Create a YAML file (for example, - 80-extensions.yaml) that contains a- MachineConfig- extensionsobject. This example tells the cluster to add the- usbguardextension.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the machine config to the cluster. Type the following to add the machine config to the cluster: - oc create -f 80-extensions.yaml - $ oc create -f 80-extensions.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This sets all worker nodes to have rpm packages for - usbguardinstalled.
- Check that the extensions were applied: - oc get machineconfig 80-worker-extensions - $ oc get machineconfig 80-worker-extensions- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME GENERATEDBYCONTROLLER IGNITIONVERSION AGE 80-worker-extensions 3.5.0 57s - NAME GENERATEDBYCONTROLLER IGNITIONVERSION AGE 80-worker-extensions 3.5.0 57s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check that the new machine config is now applied and that the nodes are not in a degraded state. It may take a few minutes. The worker pool will show the updates in progress, as each machine successfully has the new machine config applied: - oc get machineconfigpool - $ oc get machineconfigpool- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-35 True False False 3 3 3 0 34m worker rendered-worker-d8 False True False 3 1 1 0 34m - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-35 True False False 3 3 3 0 34m worker rendered-worker-d8 False True False 3 1 1 0 34m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the extensions. To check that the extension was applied, run: - oc get node | grep worker - $ oc get node | grep worker- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME STATUS ROLES AGE VERSION ip-10-0-169-2.us-east-2.compute.internal Ready worker 102m v1.33.4 - NAME STATUS ROLES AGE VERSION ip-10-0-169-2.us-east-2.compute.internal Ready worker 102m v1.33.4- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - oc debug node/ip-10-0-169-2.us-east-2.compute.internal - $ oc debug node/ip-10-0-169-2.us-east-2.compute.internal- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - ... To use host binaries, run `chroot /host` sh-4.4# chroot /host sh-4.4# rpm -q usbguard usbguard-0.7.4-4.el8.x86_64.rpm - ... To use host binaries, run `chroot /host` sh-4.4# chroot /host sh-4.4# rpm -q usbguard usbguard-0.7.4-4.el8.x86_64.rpm- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.8. Loading custom firmware blobs in the machine config manifest
				Because the default location for firmware blobs in /usr/lib is read-only, you can locate a custom firmware blob by updating the search path. This enables you to load local firmware blobs in the machine config manifest when the blobs are not managed by RHCOS.
			
Procedure
- Create a Butane config file, - 98-worker-firmware-blob.bu, that updates the search path so that it is root-owned and writable to local storage. The following example places the custom blob file from your local workstation onto nodes under- /var/lib/firmware.Note- The Butane version you specify in the config file should match the OpenShift Container Platform version and always ends in - 0. For example,- 4.20.0. See "Creating machine configs with Butane" for information about Butane.- Butane config file for custom firmware blob - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Sets the path on the node where the firmware package is copied to.
- 2
- Specifies a file with contents that are read from a local file directory on the system running Butane. The path of the local file is relative to afiles-dirdirectory, which must be specified by using the--files-diroption with Butane in the following step.
- 3
- Sets the permissions for the file on the RHCOS node. It is recommended to set0644permissions.
- 4
- Thefirmware_class.pathparameter customizes the kernel search path of where to look for the custom firmware blob that was copied from your local workstation onto the root file system of the node. This example uses/var/lib/firmwareas the customized path.
 
- Run Butane to generate a - MachineConfigobject file that uses a copy of the firmware blob on your local workstation named- 98-worker-firmware-blob.yaml. The firmware blob contains the configuration to be delivered to the nodes. The following example uses the- --files-diroption to specify the directory on your workstation where the local file or files are located:- butane 98-worker-firmware-blob.bu -o 98-worker-firmware-blob.yaml --files-dir <directory_including_package_name> - $ butane 98-worker-firmware-blob.bu -o 98-worker-firmware-blob.yaml --files-dir <directory_including_package_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Apply the configurations to the nodes in one of two ways: - 
								If the cluster is not running yet, after you generate manifest files, add the MachineConfigobject file to the<installation_directory>/openshiftdirectory, and then continue to create the cluster.
- If the cluster is already running, apply the file: - oc apply -f 98-worker-firmware-blob.yaml - $ oc apply -f 98-worker-firmware-blob.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - A - MachineConfigobject YAML file is created for you to finish configuring your machines.
 
- 
								If the cluster is not running yet, after you generate manifest files, add the 
- 
						Save the Butane config in case you need to update the MachineConfigobject in the future.
2.9. Changing the core user password for node access
				By default, Red Hat Enterprise Linux CoreOS (RHCOS) creates a user named core on the nodes in your cluster. You can use the core user to access the node through a cloud provider serial console or a bare metal baseboard controller manager (BMC). This can be helpful, for example, if a node is down and you cannot access that node by using SSH or the oc debug node command. However, by default, there is no password for this user, so you cannot log in without creating one.
			
				You can create a password for the core user by using a machine config. The Machine Config Operator (MCO) assigns the password and injects the password into the /etc/shadow file, allowing you to log in with the core user. The MCO does not examine the password hash. As such, the MCO cannot report if there is a problem with the password.
			
- The password works only through a cloud provider serial console or a BMC. It does not work with SSH.
- 
							If you have a machine config that includes an /etc/shadowfile or a systemd unit that sets a password, it takes precedence over the password hash.
You can change the password, if needed, by editing the machine config you used to create the password. Also, you can remove the password by deleting the machine config. Deleting the machine config does not remove the user account.
Procedure
- Using a tool that is supported by your operating system, create a hashed password. For example, create a hashed password using - mkpasswdby running the following command:- mkpasswd -m SHA-512 testpass - $ mkpasswd -m SHA-512 testpass- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - $6$CBZwA6s6AVFOtiZe$aUKDWpthhJEyR3nnhM02NM1sKCpHn9XN.NPrJNQ3HYewioaorpwL3mKGLxvW0AOb4pJxqoqP4nFX77y0p00.8. - $ $6$CBZwA6s6AVFOtiZe$aUKDWpthhJEyR3nnhM02NM1sKCpHn9XN.NPrJNQ3HYewioaorpwL3mKGLxvW0AOb4pJxqoqP4nFX77y0p00.8.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a machine config file that contains the - coreusername and the hashed password:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the machine config by running the following command: - oc create -f <file-name>.yaml - $ oc create -f <file-name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The nodes do not reboot and should become available in a few moments. You can use the - oc get mcpto watch for the machine config pools to be updated, as shown in the following example:- NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-d686a3ffc8fdec47280afec446fce8dd True False False 3 3 3 0 64m worker rendered-worker-4605605a5b1f9de1d061e9d350f251e5 False True False 3 0 0 0 64m - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-d686a3ffc8fdec47280afec446fce8dd True False False 3 3 3 0 64m worker rendered-worker-4605605a5b1f9de1d061e9d350f251e5 False True False 3 0 0 0 64m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- After the nodes return to the - UPDATED=Truestate, start a debug session for a node by running the following command:- oc debug node/<node_name> - $ oc debug node/<node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set - /hostas the root directory within the debug shell by running the following command:- chroot /host - sh-4.4# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the contents of the - /etc/shadowfile:- Example output - ... core:$6$2sE/010goDuRSxxv$o18K52wor.wIwZp:19418:0:99999:7::: ... - ... core:$6$2sE/010goDuRSxxv$o18K52wor.wIwZp:19418:0:99999:7::: ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The hashed password is assigned to the - coreuser.
Chapter 3. Using node disruption policies to minimize disruption from machine config changes
			By default, when you make certain changes to the fields in a MachineConfig object, the Machine Config Operator (MCO) drains and reboots the nodes associated with that machine config. However, you can create a node disruption policy that defines a set of changes to some Ignition config objects that would require little or no disruption to your workloads.
		
Node disruption policies are not supported for on-cluster custom layered images.
			A node disruption policy allows you to define the configuration changes that cause a disruption to your cluster, and which changes do not. This allows you to reduce node downtime when making small machine configuration changes in your cluster. To configure the policy, you modify the MachineConfiguration object, which is in the openshift-machine-config-operator namespace. See the example node disruption policies in the MachineConfiguration objects that follow.
		
There are machine configuration changes that always require a reboot, regardless of any node disruption policies. For more information, see About the Machine Config Operator.
			After you create the node disruption policy, the MCO validates the policy to search for potential issues in the file, such as problems with formatting. The MCO then merges the policy with the cluster defaults and populates the status.nodeDisruptionPolicyStatus fields in the machine config with the actions to be performed upon future changes to the machine config. The configurations in your policy always overwrite the cluster defaults.
		
The MCO does not validate whether a change can be successfully applied by your node disruption policy. Therefore, you are responsible to ensure the accuracy of your node disruption policies.
			For example, you can configure a node disruption policy so that sudo configurations do not require a node drain and reboot. Or, you can configure your cluster so that updates to sshd are applied with only a reload of that one service.
		
You can control the behavior of the MCO when making the changes to the following Ignition configuration objects:
- configuration files: You add to or update the files in the - /varor- /etcdirectory. You can configure a policy for a specific file anywhere in the directory or for a path to a specific directory. For a path, a change or addition to any file in that directory triggers the policy.Note- If a file is included in more than one policy, only the policy with the best match to that file is applied. - For example, if you have a policy for the - /etc/directory and a policy for the- /etc/pki/directory, a change to the- /etc/pki/tls/certs/ca-bundle.crtfile would apply the- etc/pkipolicy.
- systemd units: You create and set the status of a systemd service or modify a systemd service.
- 
					users and groups: You change SSH keys in the passwdsection postinstallation.
- 
					ICSP, ITMS, IDMS objects: You can remove mirroring rules from an ImageContentSourcePolicy(ICSP),ImageTagMirrorSet(ITMS), andImageDigestMirrorSet(IDMS) object.
When you make any of these changes, the node disruption policy determines which of the following actions are required when the MCO implements the changes:
- Reboot: The MCO drains and reboots the nodes. This is the default behavior.
- None: The MCO does not drain or reboot the nodes. The MCO applies the changes with no further action.
- Drain: The MCO cordons and drains the nodes of their workloads. The workloads restart with the new configurations.
- Reload: For services, the MCO reloads the specified services without restarting the service.
- Restart: For services, the MCO fully restarts the specified services.
- DaemonReload: The MCO reloads the systemd manager configuration.
- Special: This is an internal MCO-only action and cannot be set by the user.
- 
						The RebootandNoneactions cannot be used with any other actions, as theRebootandNoneactions override the others.
- Actions are applied in the order that they are set in the node disruption policy list.
- If you make other machine config changes that do require a reboot or other disruption to the nodes, that reboot supercedes the node disruption policy actions.
3.1. Example node disruption policies
				The following example MachineConfiguration objects contain a node disruption policy.
			
				A MachineConfiguration object and a MachineConfig object are different objects. A MachineConfiguration object is a singleton object in the MCO namespace that contains configuration parameters for the MCO operator. A MachineConfig object defines changes that are applied to a machine config pool.
			
				The following example MachineConfiguration object shows no user defined policies. The default node disruption policy values are shown in the status stanza.
			
Default node disruption policy
				The default node disruption policy does not contain a policy for changes to the /etc/containers/registries.conf.d file. This is because both OpenShift Container Platform and Red Hat Enterprise Linux (RHEL) use the registries.conf.d file to specify aliases for image short names. It is recommended that you always pull an image by its fully-qualified name. This is particularly important with public registries, because the image might not deploy if the public registry requires authentication. You can create a user-defined policy to use with the /etc/containers/registries.conf.d file, if you need to use image short names.
			
				In the following example, when changes are made to the SSH keys, the MCO drains the cluster nodes, reloads the crio.service, reloads the systemd configuration, and restarts the crio-service.
			
Example node disruption policy for an SSH key change
				In the following example, when changes are made to the /etc/chrony.conf file, the MCO restarts the chronyd.service on the cluster nodes. If files are added to or modified in the /var/run directory, the MCO applies the changes with no further action.
			
Example node disruption policy for a configuration file change
				In the following example, when changes are made to the auditd.service systemd unit, the MCO drains the cluster nodes, reloads the crio.service, reloads the systemd manager configuration, and restarts the crio.service.
			
Example node disruption policy for a systemd unit change
				In the following example, when changes are made to the registries.conf file, such as by editing an ImageContentSourcePolicy (ICSP) object, the MCO does not drain or reboot the nodes and applies the changes with no further action.
			
Example node disruption policy for a registries.conf file change
3.2. Configuring node restart behaviors upon machine config changes
You can create a node disruption policy to define the machine configuration changes that cause a disruption to your cluster, and which changes do not.
				You can control how your nodes respond to changes in the files in the /var or /etc directory, the systemd units, the SSH keys, and the registries.conf file.
			
When you make any of these changes, the node disruption policy determines which of the following actions are required when the MCO implements the changes:
- Reboot: The MCO drains and reboots the nodes. This is the default behavior.
- None: The MCO does not drain or reboot the nodes. The MCO applies the changes with no further action.
- Drain: The MCO cordons and drains the nodes of their workloads. The workloads restart with the new configurations.
- Reload: For services, the MCO reloads the specified services without restarting the service.
- Restart: For services, the MCO fully restarts the specified services.
- DaemonReload: The MCO reloads the systemd manager configuration.
- Special: This is an internal MCO-only action and cannot be set by the user.
- 
							The RebootandNoneactions cannot be used with any other actions, as theRebootandNoneactions override the others.
- Actions are applied in the order that they are set in the node disruption policy list.
- If you make other machine config changes that do require a reboot or other disruption to the nodes, that reboot supercedes the node disruption policy actions.
Procedure
- Edit the - machineconfigurations.operator.openshift.ioobject to define the node disruption policy:- oc edit MachineConfiguration cluster -n openshift-machine-config-operator - $ oc edit MachineConfiguration cluster -n openshift-machine-config-operator- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add a node disruption policy similar to the following: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies the node disruption policy.
- 2
- Specifies a list of machine config file definitions and actions to take to changes on those paths. This list supports a maximum of 50 entries.
- 3
- Specifies the series of actions to be executed upon changes to the specified files. Actions are applied in the order that they are set in this list. This list supports a maximum of 10 entries.
- 4
- Specifies that the listed service is to be reloaded upon changes to the specified files.
- 5
- Specifies the full name of the service to be acted upon.
- 6
- Specifies the location of a file that is managed by a machine config. The actions in the policy apply when changes are made to the file inpath.
- 7
- Specifies a list of service names and actions to take upon changes to the SSH keys in the cluster.
- 8
- Specifies a list of systemd unit names and actions to take upon changes to those units.
 
Verification
- View the - MachineConfigurationobject file that you created:- oc get MachineConfiguration/cluster -o yaml - $ oc get MachineConfiguration/cluster -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies the current cluster-validated policies.
 
Chapter 4. Configuring MCO-related custom resources
			Besides managing MachineConfig objects, the MCO manages two custom resources (CRs): KubeletConfig and ContainerRuntimeConfig. Those CRs let you change node-level settings impacting how the kubelet and CRI-O container runtime services behave.
		
4.1. Creating a KubeletConfig CR to edit kubelet parameters
				The kubelet configuration is currently serialized as an Ignition configuration, so it can be directly edited. However, there is also a new kubelet-config-controller added to the Machine Config Controller (MCC). This lets you use a KubeletConfig custom resource (CR) to edit the kubelet parameters.
			
					As the fields in the kubeletConfig object are passed directly to the kubelet from upstream Kubernetes, the kubelet validates those values directly. Invalid values in the kubeletConfig object might cause cluster nodes to become unavailable. For valid values, see the Kubernetes documentation.
				
Consider the following guidance:
- 
						Edit an existing KubeletConfigCR to modify existing settings or add new settings, instead of creating a CR for each change. It is recommended that you create a CR only to modify a different machine config pool, or for changes that are intended to be temporary, so that you can revert the changes.
- 
						Create one KubeletConfigCR for each machine config pool with all the config changes you want for that pool.
- 
						As needed, create multiple KubeletConfigCRs with a limit of 10 per cluster. For the firstKubeletConfigCR, the Machine Config Operator (MCO) creates a machine config appended withkubelet. With each subsequent CR, the controller creates anotherkubeletmachine config with a numeric suffix. For example, if you have akubeletmachine config with a-2suffix, the nextkubeletmachine config is appended with-3.
					If you are applying a kubelet or container runtime config to a custom machine config pool, the custom role in the machineConfigSelector must match the name of the custom machine config pool.
				
					For example, because the following custom machine config pool is named infra, the custom role must also be infra:
				
				If you want to delete the machine configs, delete them in reverse order to avoid exceeding the limit. For example, you delete the kubelet-3 machine config before deleting the kubelet-2 machine config.
			
					If you have a machine config with a kubelet-9 suffix, and you create another KubeletConfig CR, a new machine config is not created, even if there are fewer than 10 kubelet machine configs.
				
Example KubeletConfig CR
oc get kubeletconfig
$ oc get kubeletconfigNAME AGE set-kubelet-config 15m
NAME                      AGE
set-kubelet-config        15mExample showing a KubeletConfig machine config
oc get mc | grep kubelet
$ oc get mc | grep kubelet... 99-worker-generated-kubelet-1 b5c5119de007945b6fe6fb215db3b8e2ceb12511 3.5.0 26m ...
...
99-worker-generated-kubelet-1                  b5c5119de007945b6fe6fb215db3b8e2ceb12511   3.5.0             26m
...The following procedure is an example to show how to configure the maximum number of pods per node, the maximum PIDs per node, and the maximum container log size size on the worker nodes.
Prerequisites
- Obtain the label associated with the static - MachineConfigPoolCR for the type of node you want to configure. Perform one of the following steps:- View the machine config pool: - oc describe machineconfigpool <name> - $ oc describe machineconfigpool <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example: - oc describe machineconfigpool worker - $ oc describe machineconfigpool worker- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- If a label has been added it appears underlabels.
 
- If the label is not present, add a key/value pair: - oc label machineconfigpool worker custom-kubelet=set-kubelet-config - $ oc label machineconfigpool worker custom-kubelet=set-kubelet-config- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
Procedure
- View the available machine configuration objects that you can select: - oc get machineconfig - $ oc get machineconfig- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - By default, the two kubelet-related configs are - 01-master-kubeletand- 01-worker-kubelet.
- Check the current value for the maximum pods per node: - oc describe node <node_name> - $ oc describe node <node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example: - oc describe node ci-ln-5grqprb-f76d1-ncnqq-worker-a-mdv94 - $ oc describe node ci-ln-5grqprb-f76d1-ncnqq-worker-a-mdv94- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Look for - value: pods: <value>in the- Allocatablestanza:- Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Configure the worker nodes as needed: - Create a YAML file similar to the following that contains the kubelet configuration: Important- Kubelet configurations that target a specific machine config pool also affect any dependent pools. For example, creating a kubelet configuration for the pool containing worker nodes will also apply to any subset pools, including the pool containing infrastructure nodes. To avoid this, you must create a new machine config pool with a selection expression that only includes worker nodes, and have your kubelet configuration target this new pool. - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 
										Use podPidsLimitto set the maximum number of PIDs in any pod.
- 
										Use containerLogMaxSizeto set the maximum size of the container log file before it is rotated.
- Use - maxPodsto set the maximum pods per node.Note- The rate at which the kubelet talks to the API server depends on queries per second (QPS) and burst values. The default values, - 50for- kubeAPIQPSand- 100for- kubeAPIBurst, are sufficient if there are limited pods running on each node. It is recommended to update the kubelet QPS and burst rates if there are enough CPU and memory resources on the node.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- 
										Use 
- Update the machine config pool for workers with the label: - oc label machineconfigpool worker custom-kubelet=set-kubelet-config - $ oc label machineconfigpool worker custom-kubelet=set-kubelet-config- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the - KubeletConfigobject:- oc create -f change-maxPods-cr.yaml - $ oc create -f change-maxPods-cr.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
Verification
- Verify that the - KubeletConfigobject is created:- oc get kubeletconfig - $ oc get kubeletconfig- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE set-kubelet-config 15m - NAME AGE set-kubelet-config 15m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Depending on the number of worker nodes in the cluster, wait for the worker nodes to be rebooted one by one. For a cluster with 3 worker nodes, this could take about 10 to 15 minutes. 
- Verify that the changes are applied to the node: - Check on a worker node that the - maxPodsvalue changed:- oc describe node <node_name> - $ oc describe node <node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Locate the - Allocatablestanza:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- In this example, thepodsparameter should report the value you set in theKubeletConfigobject.
 
 
- Verify the change in the - KubeletConfigobject:- oc get kubeletconfigs set-kubelet-config -o yaml - $ oc get kubeletconfigs set-kubelet-config -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This should show a status of - Trueand- type:Success, as shown in the following example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.2. Creating a ContainerRuntimeConfig CR to edit CRI-O parameters
				You can change some of the settings associated with the OpenShift Container Platform CRI-O runtime for the nodes associated with a specific machine config pool (MCP). Using a ContainerRuntimeConfig custom resource (CR), you set the configuration values and add a label to match the MCP. The MCO then rebuilds the crio.conf and storage.conf configuration files on the associated nodes with the updated values.
			
					To revert the changes implemented by using a ContainerRuntimeConfig CR, you must delete the CR. Removing the label from the machine config pool does not revert the changes.
				
				You can modify the following settings by using a ContainerRuntimeConfig CR:
			
- 
						Log level: The logLevelparameter sets the CRI-Olog_levelparameter, which is the level of verbosity for log messages. The default isinfo(log_level = info). Other options includefatal,panic,error,warn,debug, andtrace.
- 
						Overlay size: The overlaySizeparameter sets the CRI-O Overlay storage driversizeparameter, which is the maximum size of a container image.
- 
						Container runtime: The defaultRuntimeparameter sets the container runtime to eithercrunorrunc. The default iscrun.
				You should have one ContainerRuntimeConfig CR for each machine config pool with all the config changes you want for that pool. If you are applying the same content to all the pools, you only need one ContainerRuntimeConfig CR for all the pools.
			
				You should edit an existing ContainerRuntimeConfig CR to modify existing settings or add new settings instead of creating a new CR for each change. It is recommended to create a new ContainerRuntimeConfig CR only to modify a different machine config pool, or for changes that are intended to be temporary so that you can revert the changes.
			
				You can create multiple ContainerRuntimeConfig CRs, as needed, with a limit of 10 per cluster. For the first ContainerRuntimeConfig CR, the MCO creates a machine config appended with containerruntime. With each subsequent CR, the controller creates a new containerruntime machine config with a numeric suffix. For example, if you have a containerruntime machine config with a -2 suffix, the next containerruntime machine config is appended with -3.
			
				If you want to delete the machine configs, you should delete them in reverse order to avoid exceeding the limit. For example, you should delete the containerruntime-3 machine config before deleting the containerruntime-2 machine config.
			
					If you have a machine config with a containerruntime-9 suffix, and you create another ContainerRuntimeConfig CR, a new machine config is not created, even if there are fewer than 10 containerruntime machine configs.
				
Example showing multiple ContainerRuntimeConfig CRs
oc get ctrcfg
$ oc get ctrcfgExample output
NAME AGE ctr-overlay 15m ctr-level 5m45s
NAME         AGE
ctr-overlay  15m
ctr-level    5m45sExample showing multiple containerruntime machine configs
oc get mc | grep container
$ oc get mc | grep containerExample output
				The following example sets the log_level field to debug, sets the overlay size to 8 GB, and configures runC as the container runtime:
			
Example ContainerRuntimeConfig CR
- 1
- Specifies the machine config pool label. For a container runtime config, the role must match the name of the associated machine config pool.
- 2
- Optional: Specifies the level of verbosity for log messages.
- 3
- Optional: Specifies the maximum size of a container image.
- 4
- Optional: Specifies the container runtime to deploy to new containers, eithercrunorrunc. The default value iscrun.
Procedure
					To change CRI-O settings using the ContainerRuntimeConfig CR:
				
- Create a YAML file for the - ContainerRuntimeConfigCR:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the - ContainerRuntimeConfigCR:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that the CR is created: - oc get ContainerRuntimeConfig - $ oc get ContainerRuntimeConfig- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE overlay-size 3m19s - NAME AGE overlay-size 3m19s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check that a new - containerruntimemachine config is created:- oc get machineconfigs | grep containerrun - $ oc get machineconfigs | grep containerrun- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 99-worker-generated-containerruntime 2c9371fbb673b97a6fe8b1c52691999ed3a1bfc2 3.5.0 31s - 99-worker-generated-containerruntime 2c9371fbb673b97a6fe8b1c52691999ed3a1bfc2 3.5.0 31s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Monitor the machine config pool until all are shown as ready: - oc get mcp worker - $ oc get mcp worker- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE worker rendered-worker-169 False True False 3 1 1 0 9h - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE worker rendered-worker-169 False True False 3 1 1 0 9h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that the settings were applied in CRI-O: - Open an - oc debugsession to a node in the machine config pool and run- chroot /host.- oc debug node/<node_name> - $ oc debug node/<node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - chroot /host - sh-4.4# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify the changes in the - crio.conffile:- crio config | grep 'log_level' - sh-4.4# crio config | grep 'log_level'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - log_level = "debug" - log_level = "debug"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify the changes in the - storage.conffile:- head -n 7 /etc/containers/storage.conf - sh-4.4# head -n 7 /etc/containers/storage.conf- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify the changes in the - crio/crio.conf.d/01-ctrcfg-defaultRuntimefile:- cat /etc/crio/crio.conf.d/01-ctrcfg-defaultRuntime - sh-5.1# cat /etc/crio/crio.conf.d/01-ctrcfg-defaultRuntime- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - [crio] [crio.runtime] default_runtime = "runc"- [crio] [crio.runtime] default_runtime = "runc"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
4.3. Setting the default maximum container root partition size for Overlay with CRI-O
The root partition of each container shows all of the available disk space of the underlying host. Follow this guidance to set a maximum partition size for the root disk of all containers.
				To configure the maximum Overlay size, as well as other CRI-O options like the log level, you can create the following ContainerRuntimeConfig custom resource definition (CRD):
			
Procedure
- Create the configuration object: - oc apply -f overlaysize.yml - $ oc apply -f overlaysize.yml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To apply the new CRI-O configuration to your worker nodes, edit the worker machine config pool: - oc edit machineconfigpool worker - $ oc edit machineconfigpool worker- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the - custom-criolabel based on the- matchLabelsname you set in the- ContainerRuntimeConfigCRD:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the changes, then view the machine configs: - oc get machineconfigs - $ oc get machineconfigs- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - New - 99-worker-generated-containerruntimeand- rendered-worker-xyzobjects are created:- Example output - 99-worker-generated-containerruntime 4173030d89fbf4a7a0976d1665491a4d9a6e54f1 3.5.0 7m42s rendered-worker-xyz 4173030d89fbf4a7a0976d1665491a4d9a6e54f1 3.5.0 7m36s - 99-worker-generated-containerruntime 4173030d89fbf4a7a0976d1665491a4d9a6e54f1 3.5.0 7m42s rendered-worker-xyz 4173030d89fbf4a7a0976d1665491a4d9a6e54f1 3.5.0 7m36s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- After those objects are created, monitor the machine config pool for the changes to be applied: - oc get mcp worker - $ oc get mcp worker- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The worker nodes show - UPDATINGas- True, as well as the number of machines, the number updated, and other details:- Example output - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE worker rendered-worker-xyz False True False 3 2 2 0 20h - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE worker rendered-worker-xyz False True False 3 2 2 0 20h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When complete, the worker nodes transition back to - UPDATINGas- False, and the- UPDATEDMACHINECOUNTnumber matches the- MACHINECOUNT:- Example output - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE worker rendered-worker-xyz True False False 3 3 3 0 20h - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE worker rendered-worker-xyz True False False 3 3 3 0 20h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Looking at a worker machine, you see that the new 8 GB max size configuration is applied to all of the workers: - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Looking inside a container, you see that the root partition is now 8 GB: - Example output - ~ $ df -h Filesystem Size Used Available Use% Mounted on overlay 8.0G 8.0K 8.0G 0% / - ~ $ df -h Filesystem Size Used Available Use% Mounted on overlay 8.0G 8.0K 8.0G 0% /- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.4. Creating a drop-in file for the default CRI-O capabilities
				You can change some of the settings associated with the OpenShift Container Platform CRI-O runtime for the nodes associated with a specific machine config pool (MCP). By using a controller custom resource (CR), you set the configuration values and add a label to match the MCP. The Machine Config Operator (MCO) then rebuilds the crio.conf and default.conf configuration files on the associated nodes with the updated values.
			
Earlier versions of OpenShift Container Platform included specific machine configs by default. If you updated to a later version of OpenShift Container Platform, those machine configs were retained to ensure that clusters running on the same OpenShift Container Platform version have the same machine configs.
				You can create multiple ContainerRuntimeConfig CRs, as needed, with a limit of 10 per cluster. For the first ContainerRuntimeConfig CR, the MCO creates a machine config appended with containerruntime. With each subsequent CR, the controller creates a containerruntime machine config with a numeric suffix. For example, if you have a containerruntime machine config with a -2 suffix, the next containerruntime machine config is appended with -3.
			
				If you want to delete the machine configs, delete them in reverse order to avoid exceeding the limit. For example, delete the containerruntime-3 machine config before you delete the containerruntime-2 machine config.
			
					If you have a machine config with a containerruntime-9 suffix and you create another ContainerRuntimeConfig CR, a new machine config is not created, even if there are fewer than 10 containerruntime machine configs.
				
Example of multiple ContainerRuntimeConfig CRs
oc get ctrcfg
$ oc get ctrcfgExample output
NAME AGE ctr-overlay 15m ctr-level 5m45s
NAME         AGE
ctr-overlay  15m
ctr-level    5m45sExample showing multiple containerruntime related system configs
cat /proc/1/status | grep Cap
$ cat /proc/1/status | grep Capcapsh --decode=<decode_CapBnd_value>
$ capsh --decode=<decode_CapBnd_value> - 1
- Replace<decode_CapBnd_value>with the specific value you want to decode.
Chapter 5. Pinning images to nodes
A slow, unreliable connection to an image registry can interfere with operations that require pulling images, such as updating a cluster or deploying an application. This can include clusters that have low bandwidth, clusters with unreliable internet connectivity, or clusters in a disconnected environment. For example, a cluster update might require pulling more than one hundred images. Failure to pull those images could cause retries that can interfere with the update process and might cause the update to fail.
One way to prevent this is to pull the required images in advance, before they are actually needed, and pinning those images to a specific machine config pool (MCP). This ensures that the images are available to your nodes when needed. Pinned images can provide a more consistent update, which is important when scheduling updates into maintenance windows.
Pinned images also ensures that the images are available when deploying applications, so that you can deploy in a more reliable manner.
			You can pin images to specific nodes by using a PinnedImageSet custom resource (CR), as described in Pinning images. Pinned images are stored on the nodes in the /etc/crio/crio.conf.d/50-pinned-images file on those nodes. The contents of the file appear similar to the following example:
		
[crio]
  [crio.image]
    pinned_images = ["quay.io/openshift-release-dev/ocp-release@sha256:4198606580b69c8335ad7ae531c3a74e51aee25db5faaf368234e8c8dae5cbea", "quay.io/openshift-release-dev/ocp-release@sha256:513cf1028aa1a021fa73d0601427a0fbcf6d212b88aaf9d76d4e4841a061e44e", "quay.io/openshift-release-dev/ocp-release@sha256:61eae2d261e54d1b8a0e05f6b5326228b00468364563745eed88460af04f909b"]
[crio]
  [crio.image]
    pinned_images = ["quay.io/openshift-release-dev/ocp-release@sha256:4198606580b69c8335ad7ae531c3a74e51aee25db5faaf368234e8c8dae5cbea", "quay.io/openshift-release-dev/ocp-release@sha256:513cf1028aa1a021fa73d0601427a0fbcf6d212b88aaf9d76d4e4841a061e44e", "quay.io/openshift-release-dev/ocp-release@sha256:61eae2d261e54d1b8a0e05f6b5326228b00468364563745eed88460af04f909b"]Another benefit to pinned images is that image garbage collection does not remove the pinned images.
Before pulling the images, the Machine Config Operator (MCO) verifies that there is enough storage space available on each affected node. If the node has sufficient space, the MCO creates the pinned image file, pulls the images, and reloads CRI-O. If there is not sufficient space, the MCO does not pull the images and presents an error message.
5.1. Pinning images
				You can pin images to your nodes by using a PinnedImageSet custom resource (CR). The pinned image set defines the list of images to pre-load and the machine config pool to which the images should be pinned.
			
				The images are stored in the /etc/crio/crio.conf.d/50-pinned-images file on the nodes.
			
					Only images that you can successfully inspect with the podman manifest inspect <IMAGE_URL> command can be used with a pinned image set. Image inspections could fail due to unsupported manifest formats, registry authorization issues, invalid schemas, network connectivity issues, or other issues.
				
Procedure
- Create a YAML file that defines the - PinnedImageSetobject, similar to the following example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - labels
- Specifies an optional node selector to specify the machine config pool to pin the images to. If not specified, the images are pinned to all nodes in the cluster.
- pinnedImages
- Specifies a list of one or more images to pre-load.
 
- Create the - PinnedImageSetobject by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Check that the pinned image set is reported in the machine config node object for the affected machine config pool by running the following command: - oc describe machineconfignode <machine_config_node_name> - $ oc describe machineconfignode <machine_config_node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example command - oc describe machineconfignode ci-ln-25hlkvt-72292-jrs48-worker-a-2bdj - $ oc describe machineconfignode ci-ln-25hlkvt-72292-jrs48-worker-a-2bdj- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output for a successful image pull and pin - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Any failures or error messages would appear in the - MachineConfigNodeobject status fields, as shown in the following example:- Example output for a failed image pull and pin - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check that the pinned image file is created and contains the correct images. - Start a debug session for a node by running the following command: - oc debug node/<node_name> - $ oc debug node/<node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set - /hostas the root directory within the debug shell by running the following command:- chroot /host - sh-5.1# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify the contents of the pinned image file by running the following command: - cat /etc/crio/crio.conf.d/50-pinned-images - $ cat /etc/crio/crio.conf.d/50-pinned-images- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - [crio] [crio.image] pinned_images = ["quay.io/openshift-release-dev/ocp-release@sha256:4198606580b69c8335ad7ae531c3a74e51aee25db5faaf368234e8c8dae5cbea", "quay.io/openshift-release-dev/ocp-release@sha256:513cf1028aa1a021fa73d0601427a0fbcf6d212b88aaf9d76d4e4841a061e44e", "quay.io/openshift-release-dev/ocp-release@sha256:61eae2d261e54d1b8a0e05f6b5326228b00468364563745eed88460af04f909b"]- [crio] [crio.image] pinned_images = ["quay.io/openshift-release-dev/ocp-release@sha256:4198606580b69c8335ad7ae531c3a74e51aee25db5faaf368234e8c8dae5cbea", "quay.io/openshift-release-dev/ocp-release@sha256:513cf1028aa1a021fa73d0601427a0fbcf6d212b88aaf9d76d4e4841a061e44e", "quay.io/openshift-release-dev/ocp-release@sha256:61eae2d261e54d1b8a0e05f6b5326228b00468364563745eed88460af04f909b"]- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - pinnedImages
- Specifies the images that have been pulled and pinned for the affected machine config pool.
 
 
Chapter 6. Boot image management
For Google Cloud and Amazon Web Services (AWS) clusters, by default the Machine Config Operator (MCO) manages and updates the boot image that is used to scale up your nodes. This means that by default, the MCO updates the boot images whenever you upgrade your cluster.
For VMware vSphere, you can enable boot image management as a Technology Preview feature.
For all other platforms, the MCO does not update the boot image with each cluster update.
Boot image management on vSphere is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
6.1. About boot image management
By default, for Google Cloud and Amazon Web Services (AWS) clusters, the Machine Config Operator (MCO) updates the boot image in the machine sets in your cluster whenever you update your cluster.
For VMware vSphere, you can enable boot image management as a Technology Preview feature. For information on how to enable this feature, see "Enabling boot image management".
Boot image management on vSphere is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
You can disable the boot image management feature, if needed. When the feature is disabled, the boot image no longer updates with the cluster. For example, with the feature disabled, if your cluster was originally created with OpenShift Container Platform 4.16, the boot image that the MCO would use to create nodes is the same 4.16 version, even if your cluster is at a later version.
However, using an older boot image could cause the following issues:
- Extra time to start nodes
- Certificate expiration issues
- Version skew issues
For information on how to disable this feature, see "Disabling boot image management". If you disable this feature, you can re-enable the feature at any time. For information, see "Enabling boot image management".
The ability to configure boot image management is available for only Google Cloud and AWS clusters. It is not supported for clusters managed by the Cluster CAPI Operator.
How the cluster behaves after disabling or re-enabling the feature, depends upon when you made the change, including the following scenarios:
- If you disable the feature before updating to a new OpenShift Container Platform version: - The boot image version used by the machine sets remains the same OpenShift Container Platform version as when the feature was disabled.
- When you scale up nodes, the new nodes use that same OpenShift Container Platform version.
 
- If you disable the feature after updating to a new OpenShift Container Platform version: - The boot image version used by the machine sets is updated to match the updated OpenShift Container Platform version.
- When you scale up nodes, the new nodes use the updated OpenShift Container Platform version.
- If you update to a later OpenShift Container Platform version, the boot image version in the machine sets remains at the current version and is not updated with the cluster.
 
- If you enable the feature after disabling: - The boot image version used by the machine sets is updated to the current OpenShift Container Platform version, if different.
- When you scale up nodes, the new nodes use the current OpenShift Container Platform version in the cluster.
 
Because a boot image is used only when a node is scaled up, this feature has no effect on existing nodes.
To view the current boot image used in your cluster, use one of the following methods, based on your platform:
- For Google Cloud and AWS, you can examine a machine set. Note- The location and format of the boot image within the machine set differs, based on the platform. However, the boot image is always listed in the - spec.template.spec.providerSpec.parameter.- Example Google Cloud machine set with the boot image reference - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- This boot image is the same as the originally-installed OpenShift Container Platform version, in this example OpenShift Container Platform 4.12, regardless of the current version of the cluster. The way that the boot image is represented in the machine set depends on the platform, as the structure of theproviderSpecfield differs from platform to platform.
 - Example AWS machine set with the boot image reference - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- For VMware vSphere, examine an affected node by opening an - oc debugsession to the node and using the- rpm-ostree statuscommand.- rpm-ostree status - sh-5.1# rpm-ostree status- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example AWS node with the boot image reference - State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...- State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
					If any of the machine sets for which you want to enable boot image management use a *-user-data secret that is based on Ignition version 2.2.0, the Machine Config Operator converts the Ignition version to 3.4.0 when you enable the feature. OpenShift Container Platform versions 4.5 and lower use Ignition version 2.2.0. If this conversion fails, the MCO or your cluster could degrade. An error message that includes err: converting ignition stub failed: failed to parse Ignition config is added to the output of the oc get ClusterOperator machine-config command. You can use the following general steps to correct the problem:
				
- Disable the boot image management feature. For information, see "Disabling boot image management".
- 
							Manually update the *-user-datasecret to use Ignition version to 3.2.0.
- Enable the boot image management feature. For information, see "Enabling boot image management".
6.2. Disabling boot image management
By default, for Google Cloud and Amazon Web Services (AWS) clusters, the Machine Config Operator (MCO) manages and updates the boot image in the machine sets in your cluster whenever you update your cluster. For VMware vSphere, you can enable boot image management as a Technology Preview feature.
				You can disable the boot image management feature for your cluster by editing the MachineConfiguration object. When disabled, the Machine Config Operator (MCO) no longer manages the boot image in your cluster and no longer updates the boot image with each cluster update.
			
Disabling this feature does not rollback the nodes or machine sets to the originally-installed boot image. The machine sets retain the boot image version that was present when the feature was disabled and is not updated if the cluster is upgraded to a new OpenShift Container Platform version in the future. This feature has no effect on existing nodes.
After disabling the feature, you can re-enable the feature at any time. For more information, see "Enabling updated boot images".
Procedure
- Edit the - MachineConfigurationobject to disable the boot image management feature for some or all of your machine sets:- oc edit MachineConfiguration cluster - $ oc edit MachineConfiguration cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Optional: Disable the feature for all machine sets: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
Verification
- When the affected nodes return to the - READYstate, view the current state of the boot image management feature by viewing the machine configuration object:- oc get machineconfiguration cluster -o yaml - $ oc get machineconfiguration cluster -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example machine set with the boot image reference - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- When the affected nodes return to the - READYstate, check the current boot image by using one of the following methods:- For Google Cloud and AWS, get the boot image version by running the following command. The location and format of the boot image within the machine set differs, based on the platform. However, the boot image is always listed in the - spec.template.spec.providerSpec.parameter.- oc get machinesets <machineset_name> -n openshift-machine-api -o yaml - $ oc get machinesets <machineset_name> -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example machine set with the boot image reference - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- This boot image is the same as the current OpenShift Container Platform version.
 
- For VMware vSphere, get the boot image version from an affected node: - Open an - oc debugsession to the node by running a command similar to the following:- oc debug node/<node_name> - $ oc debug node/<node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set - /hostas the root directory within the debug shell by running the following command:- chroot /host - sh-5.1# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run the - rpm-ostree statuscommand to view that the custom layered image is in use:- rpm-ostree status - sh-5.1# rpm-ostree status- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...- State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
 
6.3. Enabling boot image management
By default, for Google Cloud and Amazon Web Services (AWS) clusters, the Machine Config Operator (MCO) updates the boot image in the machine sets in your cluster whenever you update your cluster.
				If you disabled the boot image management feature, so that the boot images are not updated, you can re-enable the feature by editing the MachineConfiguration object.
			
For VMware vSphere, you can enable boot image management as a Technology Preview feature.
Boot image management on vSphere is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Enabling the feature updates the boot image to the current OpenShift Container Platform version. If the cluster is again updated to a new OpenShift Container Platform version in the future, the boot image is updated again. New nodes created after enabling the feature use the updated boot image. This feature has no effect on existing nodes.
Prerequisites
- For vSphere, enable the - TechPreviewNoUpgradefeature set on the cluster. For more information, see "Enabling features using feature gates".Note- Enabling the - TechPreviewNoUpgradefeature set cannot be undone and prevents minor version updates. These feature sets are not recommended on production clusters.- Wait until the - managedBootImagesStatusstanza displays in the- MachineConfigurationobject.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Procedure
- Edit the - MachineConfigurationobject, named- cluster, to enable the boot image management feature for some or all of your machine sets:- oc edit MachineConfiguration cluster - $ oc edit MachineConfiguration cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Optional: Enable the boot image management feature for all machine sets: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Enable the boot image management feature for specific machine sets: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Tip- If an appropriate label is not present on the machine set, add a key-value pair by running a command similar to following: - oc label machineset.machine ci-ln-hmy310k-72292-5f87z-worker-a region="east" -n openshift-machine-api - $ oc label machineset.machine ci-ln-hmy310k-72292-5f87z-worker-a region="east" -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
Verification
- When the affected nodes return to the - READYstate, view the current state of the boot image management feature by viewing the machine configuration object:- oc get machineconfiguration cluster -o yaml - $ oc get machineconfiguration cluster -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example machine set with the boot image reference - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- When the affected nodes return to the - READYstate, check the current boot image by using one of the following methods:- For Google Cloud and AWS, get the boot image version by running the following command. The location and format of the boot image within the machine set differs, based on the platform. However, the boot image is always listed in the - spec.template.spec.providerSpec.parameter.- oc get machinesets <machineset_name> -n openshift-machine-api -o yaml - $ oc get machinesets <machineset_name> -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example machine set with the boot image reference - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- This boot image is the same as the current OpenShift Container Platform version.
 
- For VMware vSphere, get the boot image version from an affected node: - Open an - oc debugsession to the node by running a command similar to the following:- oc debug node/<node_name> - $ oc debug node/<node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set - /hostas the root directory within the debug shell by running the following command:- chroot /host - sh-5.1# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run the - rpm-ostree statuscommand to view that the custom layered image is in use:- rpm-ostree status - sh-5.1# rpm-ostree status- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...- State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
 
Chapter 7. Managing unused rendered machine configs
The Machine Config Operator (MCO) does not perform any garbage collection activities. This means that all rendered machine configs remain in the cluster. Each time a user or controller applies a new machine config, the MCO creates new rendered configs for each affected machine config pool. Over time, this can lead to a large number of rendered machine configs, which can make working with machine configs confusing. Having too many rendered machine configs can also contribute to disk space issues and performance issues with etcd.
			You can remove old, unused rendered machine configs by using the oc adm prune renderedmachineconfigs command with the --confirm flag. With this command, you can remove all unused rendered machine configs or only those in a specific machine config pool. You can also remove a specified number of unused rendered machine configs in order to keep some older machine configs, in case you want to check older configurations.
		
			You can use the oc adm prune renderedmachineconfigs command without the --confirm flag to see which rendered machine configs would be removed.
		
			Use the list subcommand to display all the rendered machine configs in the cluster or a specific machine config pool.
		
				The oc adm prune renderedmachineconfigs command deletes only rendered machine configs that are not in use. If a rendered machine configs are in use by a machine config pool, the rendered machine config is not deleted. In this case, the command output specifies the reason that the rendered machine config was not deleted.
			
7.1. Viewing rendered machine configs
				You can view a list of rendered machine configs by using the oc adm prune renderedmachineconfigs command with the list subcommand.
			
				For example, the command in the following procedure would list all rendered machine configs for the worker machine config pool.
			
Procedure
- Optional: List the rendered machine configs by using the following command: - oc adm prune renderedmachineconfigs list --in-use=false --pool-name=worker - $ oc adm prune renderedmachineconfigs list --in-use=false --pool-name=worker- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - list
- Displays a list of rendered machine configs in your cluster.
- --in-use
- 
									Optional: Specifies whether to display only the used machine configs or all machine configs from the specified pool. If true, the output lists the rendered machine configs that are being used by a machine config pool. Iffalse, the output lists all rendered machine configs in the cluster. The default value isfalse.
- --pool-name
- Optional: Specifies the machine config pool from which to display the machine configs.
 - Example output - worker rendered-worker-f38bf61ced3c920cf5a29a200ed43243 -- 2025-01-21 13:45:01 +0000 UTC (Currently in use: false) rendered-worker-fc94397dc7c43808c7014683c208956e-- 2025-01-30 17:20:53 +0000 UTC (Currently in use: false) rendered-worker-708c652868f7597eaa1e2622edc366ef -- 2025-01-31 18:01:16 +0000 UTC (Currently in use: true) - worker rendered-worker-f38bf61ced3c920cf5a29a200ed43243 -- 2025-01-21 13:45:01 +0000 UTC (Currently in use: false) rendered-worker-fc94397dc7c43808c7014683c208956e-- 2025-01-30 17:20:53 +0000 UTC (Currently in use: false) rendered-worker-708c652868f7597eaa1e2622edc366ef -- 2025-01-31 18:01:16 +0000 UTC (Currently in use: true)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- List the rendered machine configs that you can remove automatically by running the following command. Any rendered machine config marked with the - as it’s currently in usemessage in the command output cannot be removed.- oc adm prune renderedmachineconfigs --pool-name=worker - $ oc adm prune renderedmachineconfigs --pool-name=worker- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The command runs in dry-run mode, and no machine configs are removed. - where: - --pool-name
- Optional: Displays the machine configs in the specified machine config pool.
 - Example output - Dry run enabled - no modifications will be made. Add --confirm to remove rendered machine configs. dry-run deleting rendered MachineConfig rendered-worker-f38bf61ced3c920cf5a29a200ed43243 dry-run deleting MachineConfig rendered-worker-fc94397dc7c43808c7014683c208956e Skip dry-run deleting rendered MachineConfig rendered-worker-708c652868f7597eaa1e2622edc366ef as it's currently in use - Dry run enabled - no modifications will be made. Add --confirm to remove rendered machine configs. dry-run deleting rendered MachineConfig rendered-worker-f38bf61ced3c920cf5a29a200ed43243 dry-run deleting MachineConfig rendered-worker-fc94397dc7c43808c7014683c208956e Skip dry-run deleting rendered MachineConfig rendered-worker-708c652868f7597eaa1e2622edc366ef as it's currently in use- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
7.2. Removing unused rendered machine configs
				You can remove unused rendered machine configs by using the oc adm prune renderedmachineconfigs command with the --confirm command. If any rendered machine config is not deleted, the command output indicates which was not deleted and lists the reason for skipping the deletion.
			
Procedure
- Optional: List the rendered machine configs that you can remove automatically by running the following command. Any rendered machine config marked with the - as it’s currently in usemessage in the command output cannot be removed.- oc adm prune renderedmachineconfigs --pool-name=worker - $ oc adm prune renderedmachineconfigs --pool-name=worker- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Dry run enabled - no modifications will be made. Add --confirm to remove rendered machine configs. dry-run deleting rendered MachineConfig rendered-worker-f38bf61ced3c920cf5a29a200ed43243 dry-run deleting MachineConfig rendered-worker-fc94397dc7c43808c7014683c208956e Skip dry-run deleting rendered MachineConfig rendered-worker-708c652868f7597eaa1e2622edc366ef as it's currently in use - Dry run enabled - no modifications will be made. Add --confirm to remove rendered machine configs. dry-run deleting rendered MachineConfig rendered-worker-f38bf61ced3c920cf5a29a200ed43243 dry-run deleting MachineConfig rendered-worker-fc94397dc7c43808c7014683c208956e Skip dry-run deleting rendered MachineConfig rendered-worker-708c652868f7597eaa1e2622edc366ef as it's currently in use- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - pool-name
- Optional: Specifies the machine config pool where you want to delete the machine configs from.
 
- Remove the unused rendered machine configs by running the following command. The command in the following procedure would delete the two oldest unused rendered machine configs in the - workermachine config pool.- oc adm prune renderedmachineconfigs --pool-name=worker --count=2 --confirm - $ oc adm prune renderedmachineconfigs --pool-name=worker --count=2 --confirm- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - --count
- Optional: Specifies the maximum number of unused rendered machine configs you want to delete, starting with the oldest.
- --confirm
- Indicates that pruning should occur, instead of performing a dry-run.
- --pool-name
- Optional: Specifies the machine config pool from which you want to delete the machine. If not specified, all the pools are evaluated.
 - Example output - deleting rendered MachineConfig rendered-worker-f38bf61ced3c920cf5a29a200ed43243 deleting rendered MachineConfig rendered-worker-fc94397dc7c43808c7014683c208956e Skip deleting rendered MachineConfig rendered-worker-708c652868f7597eaa1e2622edc366ef as it's currently in use - deleting rendered MachineConfig rendered-worker-f38bf61ced3c920cf5a29a200ed43243 deleting rendered MachineConfig rendered-worker-fc94397dc7c43808c7014683c208956e Skip deleting rendered MachineConfig rendered-worker-708c652868f7597eaa1e2622edc366ef as it's currently in use- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Chapter 8. Image mode for OpenShift
Image mode for OpenShift allows you to easily extend the functionality of your base RHCOS image by layering additional images onto the base image. This layering does not modify the base RHCOS image. Instead, it creates a custom layered image that includes all RHCOS functionality and adds additional functionality to specific nodes in the cluster.
Image mode is a cloud-native approach to operating system management that treats your OS like a container image. You define your operating system configuration as code, build it as a unified image, and deploy it consistently across your entire fleet.
8.1. About image mode for OpenShift
Image mode for OpenShift allows you to customize the underlying node operating system on any of your cluster nodes. This helps keep everything up-to-date, including the node operating system and any added customizations such as specialized software.
You create a custom layered image by using a Containerfile and applying it to nodes by using a custom object. At any time, you can remove the custom layered image by deleting that custom object.
With image mode for OpenShift, you can install RPMs into your base image, and your custom content will be booted alongside RHCOS. The Machine Config Operator (MCO) can roll out these custom layered images and monitor these custom containers in the same way it does for the default RHCOS image. Image mode for OpenShift gives you greater flexibility in how you manage your RHCOS nodes.
					Installing realtime kernel and extensions RPMs as custom layered content is not recommended. This is because these RPMs can conflict with RPMs installed by using a machine config. If there is a conflict, the MCO enters a degraded state when it tries to install the machine config RPM. You need to remove the conflicting extension from your machine config before proceeding.
				
As soon as you apply the custom layered image to your cluster, you effectively take ownership of your custom layered images and those nodes. While Red Hat remains responsible for maintaining and updating the base RHCOS image on standard nodes, you are responsible for maintaining and updating images on nodes that use a custom layered image. You assume the responsibility for the package you applied with the custom layered image and any issues that might arise with the package.
There are two methods for deploying a custom layered image onto your nodes:
- On-cluster image mode
- 
							With on-cluster image mode, you create a MachineOSConfigobject where you include the Containerfile and other parameters. The build is performed on your cluster and the resulting custom layered image is automatically pushed to your repository and applied to the machine config pool that you specified in theMachineOSConfigobject. The entire process is performed completely within your cluster.
- Out-of-cluster image mode
- 
							With out-of-cluster image mode, you create a Containerfile that references an OpenShift Container Platform image and the RPM that you want to apply, build the layered image in your own environment, and push the image to your repository. Then, in your cluster, create a MachineConfigobject for the targeted node pool that points to the new image. The Machine Config Operator overrides the base RHCOS image, as specified by theosImageURLvalue in the associated machine config, and boots the new image.
					For both methods, use the same base RHCOS image installed on the rest of your cluster. Use the oc adm release info --image-for rhel-coreos command to obtain the base image used in your cluster.
				
8.2. Example Containerfiles
Image mode for OpenShift allows you to use the following types of images to create custom layered images:
- OpenShift Container Platform Hotfixes. You can work with Customer Experience and Engagement (CEE) to obtain and apply Hotfix packages on top of your RHCOS image. In some instances, you might want a bug fix or enhancement before it is included in an official OpenShift Container Platform release. Image mode for OpenShift allows you to easily add the Hotfix before it is officially released and remove the Hotfix when the underlying RHCOS image incorporates the fix. Important- Some Hotfixes require a Red Hat Support Exception and are outside of the normal scope of OpenShift Container Platform support coverage or life cycle policies. - Hotfixes are provided to you based on Red Hat Hotfix policy. Apply it on top of the base image and test that new custom layered image in a non-production environment. When you are satisfied that the custom layered image is safe to use in production, you can roll it out on your own schedule to specific node pools. For any reason, you can easily roll back the custom layered image and return to using the default RHCOS. - Example on-cluster Containerfile to apply a Hotfix - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example out-of-cluster Containerfile to apply a Hotfix - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- RHEL packages. You can download Red Hat Enterprise Linux (RHEL) packages from the Red Hat Customer Portal, such as chrony, firewalld, and iputils. - Example out-of-cluster Containerfile to apply the rsyslog utility - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Third-party packages. You can download and install RPMs from third-party organizations, such as the following types of packages: - Bleeding edge drivers and kernel enhancements to improve performance or add capabilities.
- Forensic client tools to investigate possible and actual break-ins.
- Security agents.
- Inventory agents that provide a coherent view of the entire cluster.
- SSH Key management packages.
 - Example on-cluster Containerfile to apply a third-party package from EPEL - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example out-of-cluster Containerfile to apply a third-party package from EPEL - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This Containerfile installs the RHEL fish program. Because fish requires additional RHEL packages, the image must be built on an entitled RHEL host. For RHEL entitlements to work, you must copy the - etc-pki-entitlementsecret into the- openshift-machine-config-operatornamespace.- Example on-cluster Containerfile to apply a third-party package that has RHEL dependencies - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example out-of-cluster Containerfile to apply a third-party package that has RHEL dependencies - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
After you create the machine config, the Machine Config Operator (MCO) performs the following steps:
- Renders a new machine config for the specified pool or pools.
- Performs cordon and drain operations on the nodes in the pool or pools.
- Writes the rest of the machine config parameters onto the nodes.
- Applies the custom layered image to the node.
- Reboots the node using the new image.
It is strongly recommended that you test your images outside of your production environment before rolling out to your cluster.
8.3. About on-cluster image mode
				You can use the image mode for OpenShift on-cluster build process to apply a custom layered image to your nodes by creating a MachineOSConfig custom resource (CR), as described in "Using On-cluster image mode to apply a custom layered image".
			
				When you create the object, the Machine Config Operator (MCO) creates a MachineOSBuild object and a builder pod. The process also creates transient objects, such as config maps, which are cleaned up after the build is complete. The MachineOSBuild object and the associated builder-* pod use the same naming scheme, <MachineOSConfig_CR_name>-<hash>, for example:
			
Example MachineOSBuild object
NAME PREPARED BUILDING SUCCEEDED INTERRUPTED FAILED layered-image-c8765e26ebc87e1e17a7d6e0a78e8bae False False True False False
NAME                                             PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED
layered-image-c8765e26ebc87e1e17a7d6e0a78e8bae   False      False      True        False         FalseExample builder pod
NAME READY STATUS RESTARTS AGE build-layered-image-c8765e26ebc87e1e17a7d6e0a78e8bae 2/2 Running 0 11m
NAME                                                      READY   STATUS      RESTARTS        AGE
build-layered-image-c8765e26ebc87e1e17a7d6e0a78e8bae      2/2     Running     0               11m
				You should not need to interact with these new objects or the machine-os-builder pod. However, you can use all of these resources for troubleshooting, if necessary.
			
				When the build is complete, the MCO pushes the new custom layered image to your repository and rolls the image out to the nodes in the associated machine config pool. You can see the digested image pull spec for the new custom layered image in the MachineOSConfig object. This is now the active image pull spec for this MachineOSConfig.
			
Example digested image pull spec
				You can test a MachineOSBuild object to make sure it builds correctly without rolling out the custom layered image to active nodes by using a custom machine config pool that contains non-production nodes. Alternatively, you can use a custom machine config pool that has no nodes. The MachineOSBuild object builds even if there are no nodes for the MCO to deploy the custom layered image onto.
			
You can apply a custom layered image to any machine config pool in your cluster, including the control plane, worker, or custom pools.
For single-node OpenShift clusters, you can apply a custom layered image to the control plane node only.
				Making certain changes to a MachineOSConfig object triggers an automatic rebuild of the associated custom layered image. You can mitigate the effects of the rebuild by pausing the machine config pool where the custom layered image is applied as described in "Pausing the machine config pools". While the pools are paused, the MCO does not roll out the newly built image to the nodes after the build is complete. However, the build runs regardless of whether the pool is paused or not. For example, if you want to remove and replace a MachineOSCOnfig object, pausing the machine config pools before making the change prevents the MCO from reverting the associated nodes to the base image, reducing the number of reboots needed.
			
				When a machine config pool is paused, the oc get machineconfigpools reports the following status:
			
Example output
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-a0b404d061a6183cc36d302363422aba True False False 3 3 3 0 4h14m worker rendered-worker-221507009cbcdec0eec8ab3ccd789d18 False False False 2 2 2 0 4h14m
NAME      CONFIG                                              UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master    rendered-master-a0b404d061a6183cc36d302363422aba    True      False      False      3              3                   3                     0                      4h14m
worker    rendered-worker-221507009cbcdec0eec8ab3ccd789d18    False     False      False      2              2                   2                     0                      4h14m - 1
- Theworkermachine config pool is paused, as indicated by the threeFalsestatuses and theREADYMACHINECOUNTat0.
After the changes have been rolled out, you can unpause the machine config pool.
				In the case of a build failure, for example due to network issues or an invalid secret, the MCO retries the build three additional times before the job fails. The MCO creates a different build pod for each build attempt. Note that the MCO automatically removes these build pods after a short period of time. Also, the affected machine config pool reports a build failure through the ImageBuildDegraded status condition. You can use the build pod logs to troubleshoot any build failures.
			
Example failed MachineOSBuild object
NAME PREPARED BUILDING SUCCEEDED INTERRUPTED FAILED AGE layered-image-c8765e26ebc87e1e17a7d6e0a78e8bae False False False False True 12m
NAME                                             PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED   AGE
layered-image-c8765e26ebc87e1e17a7d6e0a78e8bae   False      False      False        False        True     12m
				You can manually rebuild your custom layered image by either modifying your MachineOSConfig object or applying an annotation to the MachineOSConfig object. For more information, see "Rebuilding an on-cluster custom layered image".
			
If you used a custom machine config pool to apply an on-cluster layered image to a node, you can remove the custom layered image from the node and revert to the base image. For more information, see "Reverting an on-cluster layered node".
You can modify an on-custom layered image as needed, to install additional packages, remove existing packages, change repositories, update secrets, or other similar changes, by editing the MachineOSConfig object. For more information, see "Modifying a custom layered image".
8.3.1. On-cluster image mode known limitations
Note the following limitations when working with the on-cluster layering feature:
- On-cluster image mode is not supported on multi-architecture compute machines.
- 
							Using multiple MachineOSConfigobjects on the same machine config pool is not supported. You need a separateMachineOSConfigCR for each machine config pool where you want to use a distinct custom layered image.
- If you scale up a machine set that uses a custom layered image, the nodes reboot two times. The first, when the node is initially created with the base image and a second time when the custom layered image is applied.
- Node disruption policies are not supported on nodes with a custom layered image. However, the following machine configuration changes do not cause a new image build or the reboot of a node with an on-cluster custom layered image: - 
									Modifying the configuration files in the /varor/etcdirectory
- Adding or modifying a systemd service
- Changing SSH keys
- 
									Removing mirroring rules from ICSP,ITMS, andIDMSobjects
- 
									Changing the trusted CA, by updating the user-ca-bundleconfigmap in theopenshift-confignamespace
 
- 
									Modifying the configuration files in the 
- The following machine configuration changes do cause a new image build and a node reboot: - Changing the kernel arguments
- 
									Changing the OSImageURLparameter
- Adding or removing extensions
 
- 
							The images used in creating custom layered images take up space in your push registry. Always be aware of the free space in your registry and prune the images as needed. You can automatically remove an on-cluster custom layered image from the repository by deleting the MachineOSBuildobject that created the image. Note that the credentials provided by the registry push secret must also grant permission to delete an image from the registry. For more information, see "Removing an on-cluster custom layered image".
8.3.2. Using the on-cluster image mode to apply a custom layered image
					To apply a custom layered image to your cluster by using the on-cluster build process, create a MachineOSConfig custom resource (CR) that specifies the following parameters:
				
- the Containerfile to build
- the machine config pool to associate the build
- where the final image should be pushed and pulled from
- the push and pull secrets to use
					You can create only one MachineOSConfig CR for each machine config pool.
				
Prerequisites
- 
							You have the pull secret in the openshift-machine-config-operatornamespace that the Machine Config Operator (MCO) needs in order to pull the base operating system image from your repository. By default, the MCO uses the cluster global pull secret, which it synchronizes into theopenshift-machine-config-operatornamespace. You can add your pull secret to the OpenShift Container Platform global pull secret or you can use a different pull secret. For information on modifying the global pull secret, see "Updating the global cluster pull secret".
- You have the push secret of the registry that the MCO needs to push the new custom layered image to. The credentials provided by the secret must also grant permission to delete an image from the registry. Note- In a disconnected environment, ensure that the disconnected cluster can access the registry where you want to push the image. Image mirroring applies only to pulling images. 
- You have the pull secret that your nodes need to pull the new custom layered image from your registry. This should be a different secret than the one used to push the image to the repository.
- You are familiar with how to configure a Containerfile. Instructions on how to create a Containerfile are beyond the scope of this documentation.
- Optional: You have a separate machine config pool for the nodes where you want to apply the custom layered image. One benefit to having a custom machine config pool for the nodes it that you can easily revert to the base image, if needed. For more information, see "Reverting an on-cluster layered node".
Procedure
- Create a - MachineOSconfigobject:- Create a YAML file similar to the following: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies themachineconfiguration.openshift.io/v1API that is required forMachineConfigCRs.
- 2
- Specifies a name for theMachineOSConfigobject. The name must match the name of the associated machine config pool. This name is used with other on-cluster image mode resources. The examples in this documentation use the namelayered-image.
- 3
- Specifies the name of the machine config pool associated with the nodes where you want to deploy the custom layered image. The examples in this documentation use thelayered-imagemachine config pool.
- 4
- Specifies the Containerfile to configure the custom layered image.
- 5
- Specifies the architecture this containerfile is to be built for:ARM64,AMD64,PPC64LE,S390X, orNoArch. The default isNoArch, which defines a Containerfile that can be applied to any architecture.
- 6
- Specifies the name of the image builder to use. This must beJob, which is a reference to thejobobject that is managing the image build.
- 7
- Optional: Specifies the name of the pull secret that the MCO needs to pull the base operating system image from the registry. By default, the global pull secret is used.
- 8
- Specifies the image registry to push the newly-built custom layered image to. This can be any registry that your cluster has access to in thehost[:port][/namespace]/nameorsvc_name.namespace.svc[:port]/repository/name:<tag>format. This example uses the internal OpenShift Container Platform registry. You can specify a mirror registry if you cluster is properly configured to use a mirror registry.
- 9
- Specifies the name of the push secret that the MCO needs to push the newly-built custom layered image to that registry.
 
- Create the - MachineOSConfigobject:- oc create -f <filename>.yaml - $ oc create -f <filename>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- If necessary, when the - MachineOSBuildobject has been created and is in the- READYstate, modify the node spec for the nodes where you want to use the new custom layered image:- Check that the - MachineOSBuildobject is ready, by running the following command:- oc get machineosbuild - $ oc get machineosbuild- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the - SUCCEEDEDvalue is- True, the build is complete:- Example output showing that the - MachineOSBuildobject is ready- NAME PREPARED BUILDING SUCCEEDED INTERRUPTED FAILED AGE layered-image-ad5a3cad36303c363cf458ab0524e7c0-builder False False True False False 43s - NAME PREPARED BUILDING SUCCEEDED INTERRUPTED FAILED AGE layered-image-ad5a3cad36303c363cf458ab0524e7c0-builder False False True False False 43s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the nodes where you want to deploy the custom layered image by adding a label for the machine config pool you specified in the - MachineOSConfigobject:- oc label node <node_name> 'node-role.kubernetes.io/<mcp_name>=' - $ oc label node <node_name> 'node-role.kubernetes.io/<mcp_name>='- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - node-role.kubernetes.io/<mcp_name>=
- Specifies a node selector that identifies the nodes to deploy the custom layered image.
 - When you save the changes, the MCO drains, cordons, and reboots the nodes. After the reboot, the node uses the new custom layered image. 
 
Verification
- Verify that the new pods are ready by running the following command: - oc get pods -n openshift-machine-config-operator - $ oc get pods -n openshift-machine-config-operator- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME READY STATUS RESTARTS AGE build-layered-image-ad5a3cad36303c363cf458ab0524e7c0-hxrws 2/2 Running 0 2m40s # ... machine-os-builder-6fb66cfb99-zcpvq 1/1 Running 0 2m42s - NAME READY STATUS RESTARTS AGE build-layered-image-ad5a3cad36303c363cf458ab0524e7c0-hxrws 2/2 Running 0 2m40s- 1 - # ... machine-os-builder-6fb66cfb99-zcpvq 1/1 Running 0 2m42s- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify the custom layered image build by running a command similar to the following: - oc get machineconfigpool <mcp_name> -o yaml - $ oc get machineconfigpool <mcp_name> -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Indicates whether the custom layered image build failed. IfFalse, the build succeeded. IfTrue, the build failed. You can use the build pod logs to troubleshoot any build failures.
 
- Verify the current stage of your layered build by running the following command: - oc get machineosbuilds - $ oc get machineosbuilds- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME PREPARED BUILDING SUCCEEDED INTERRUPTED FAILED AGE layered-image-ad5a3cad36303c363cf458ab0524e7c0 False True False False False 12m - NAME PREPARED BUILDING SUCCEEDED INTERRUPTED FAILED AGE layered-image-ad5a3cad36303c363cf458ab0524e7c0 False True False False False 12m- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- TheMachineOSBuildis named in the<MachineOSConfig_CR_name>-<hash>format.
 
- Verify that the - MachineOSConfigobject contains a reference to the new custom layered image by running the following command:- oc describe machineosconfig <object_name> - $ oc describe machineosconfig <object_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example digested image pull spec - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Digested image pull spec for the new custom layered image.
 
- Verify that the appropriate nodes are using the new custom layered image: - Start a debug session as root for a control plane node by running the following command: - oc debug node/<node_name> - $ oc debug node/<node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set - /hostas the root directory within the debug shell:- chroot /host - sh-4.4# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run the - rpm-ostree statuscommand to view that the custom layered image is in use:- rpm-ostree status - sh-5.1# rpm-ostree status- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - ... - # ... Deployments: * ostree-unverified-registry:image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-images@sha256:3c8fc667adcb432ce0c83581f16086afec08a961dd28fed69bb6bad6db0a0754 Digest: sha256:3c8fc667adcb432ce0c83581f16086afec08a961dd28fed69bb6bad6db0a0754- 1 - Version: 419.94.202502100215-0 (2025-02-12T19:20:44Z)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Digested image pull spec for the new custom layered image.
 
 
Additional resources
8.3.3. Modifying an on-cluster custom layered image
					You can modify an on-cluster custom layered image, as needed. This allows you to install additional packages, remove existing packages, change the pull or push repositories, update secrets, or other similar changes. You can edit the MachineOSConfig object, apply changes to the YAML file that created the MachineOSConfig object, or create a new YAML file for that purpose.
				
					If you modify and apply the MachineOSConfig object YAML or create a new YAML file, the YAML overwrites any changes you made directly to the MachineOSConfig object itself.
				
					Making certain changes to a MachineOSConfig object triggers an automatic rebuild of the associated custom layered image. You can mitigate the effects of the rebuild by pausing the machine config pool where the custom layered image is applied as described in "Pausing the machine config pools". While the pools are paused, the MCO does not roll out the newly built image to the nodes after the build is complete. However, the build runs regardless of whether the pool is paused or not. For example, if you want to remove and replace a MachineOSCOnfig object, pausing the machine config pools before making the change prevents the MCO from reverting the associated nodes to the base image, reducing the number of reboots needed.
				
					When a machine config pool is paused, the oc get machineconfigpools reports the following status:
				
Example output
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-a0b404d061a6183cc36d302363422aba True False False 3 3 3 0 4h14m worker rendered-worker-221507009cbcdec0eec8ab3ccd789d18 False False False 2 2 2 0 4h14m
NAME      CONFIG                                              UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master    rendered-master-a0b404d061a6183cc36d302363422aba    True      False      False      3              3                   3                     0                      4h14m
worker    rendered-worker-221507009cbcdec0eec8ab3ccd789d18    False     False      False      2              2                   2                     0                      4h14m - 1
- Theworkermachine config pool is paused, as indicated by the threeFalsestatuses and theREADYMACHINECOUNTat0.
After the changes have been rolled out, you can unpause the machine config pool.
Prerequisites
- 
							You have opted in to on-cluster image mode by creating a MachineOSConfigobject.
Procedure
- Modify an object to update the associated custom layered image: - Edit the - MachineOSConfigobject to modify the custom layered image. The following example adds the- rngddaemon to nodes that already have the tree package that was installed using a custom layered image.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Optional: Modify the Containerfile, for example to add or remove packages.
- 2
- Optional: Update the secret needed to pull the base operating system image from the registry.
- 3
- Optional: Modify the image registry to push the newly built custom layered image to.
- 4
- Optional: Update the secret needed to push the newly built custom layered image to the registry.
 - When you save the changes, the MCO drains, cordons, and reboots the nodes. After the reboot, the node uses the cluster base Red Hat Enterprise Linux CoreOS (RHCOS) image. If your changes modify a secret only, no new build is triggered and no reboot is performed. 
 
Verification
- Verify that the new - MachineOSBuildobject was created by using the following command:- oc get machineosbuild - $ oc get machineosbuild- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME PREPARED BUILDING SUCCEEDED INTERRUPTED FAILED AGE layered-image-a5457b883f5239cdcb71b57e1a30b6ef False False True False False 4d17h layered-image-f91f0f5593dd337d89bf4d38c877590b False True False False False 2m41s - NAME PREPARED BUILDING SUCCEEDED INTERRUPTED FAILED AGE layered-image-a5457b883f5239cdcb71b57e1a30b6ef False False True False False 4d17h layered-image-f91f0f5593dd337d89bf4d38c877590b False True False False False 2m41s- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The valueTruein theBUILDINGcolumn indicates that theMachineOSBuildobject is building. When theSUCCEEDEDcolumn reportsTrue, the build is complete.
 
- You can watch as the new machine config is rolled out to the nodes by using the following command: - oc get machineconfigpools - $ oc get machineconfigpools- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-a0b404d061a6183cc36d302363422aba True False False 3 3 3 0 3h38m worker rendered-worker-221507009cbcdec0eec8ab3ccd789d18 False True False 2 2 2 0 3h38m - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-a0b404d061a6183cc36d302363422aba True False False 3 3 3 0 3h38m worker rendered-worker-221507009cbcdec0eec8ab3ccd789d18 False True False 2 2 2 0 3h38m- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The valueFALSEin theUPDATEDcolumn indicates that theMachineOSBuildobject is building. When theUPDATEDcolumn reportsFALSE, the new custom layered image has rolled out to the nodes.
 
- When the node is back in the - Readystate, check that the changes were applied:- Open an - oc debugsession to the node by running the following command:- oc debug node/<node_name> - $ oc debug node/<node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set - /hostas the root directory within the debug shell by running the following command:- chroot /host - sh-5.1# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Use an appropriate command to verify that change was applied. The following examples shows that the - rngddaemon was installed:- rpm -qa |grep rng-tools - sh-5.1# rpm -qa |grep rng-tools- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - rng-tools-6.17-3.fc41.x86_64 - rng-tools-6.17-3.fc41.x86_64- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - rngd -v - sh-5.1# rngd -v- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - rngd 6.16 - rngd 6.16- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
Additional resources
8.3.4. Rebuilding an on-cluster custom layered image
					In situations where you want to rebuild an on-cluster custom layered image, you can either modify your MachineOSConfig object or add an annotation to the MachineOSConfig object. Both of these actions trigger an automatic rebuild of the object. For example, you could perform a rebuild if the you change the Containerfile or need to update the osimageurl location in a machine config.
				
					After you add the annotation, the Machine Config Operator (MCO) deletes the current MachineOSBuild object and creates a new one in its place. When the build process is complete, the MCO automatically removes the annotation.
				
Prerequisites
- 
							You have opted-in to on-cluster image mode by creating a MachineOSConfigobject.
Procedure
- Edit the - MachineOSConfigobject to add the- machineconfiguration.openshift.io/rebuildannotation by using the following command:- oc edit MachineOSConfig <object_name> - $ oc edit MachineOSConfig <object_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example - MachineOSConfigobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Add this annotation to trigger a rebuild of the custom layered image.
 
Verification
- Check that the - MachineOSBuildobject is building by using the following command:- oc get machineosbuild - $ oc get machineosbuild- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME PREPARED BUILDING SUCCEEDED INTERRUPTED FAILED AGE layered-image-d6b929a29c6dbfa8e4007c8069a2fd08 False True False False False 2m41s - NAME PREPARED BUILDING SUCCEEDED INTERRUPTED FAILED AGE layered-image-d6b929a29c6dbfa8e4007c8069a2fd08 False True False False False 2m41s- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The valueTruein theBUILDINGcolumn indicates that theMachineOSBuildobject is building.
 
- Edit the - MachineOSConfigobject to verify that the MCO removed the- machineconfiguration.openshift.io/rebuildannotation by using the following command:- oc edit MachineOSConfig <object_name> - $ oc edit MachineOSConfig <object_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example - MachineOSConfigobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.3.5. Reverting an on-cluster custom layered image
If you applied an on-cluster layered image to a node in a custom machine config pool (MCP), you can remove the custom layered image from the node and revert to the base image.
To revert the node, remove the node from the custom MCP by removing the custom machine config pool label from the node. After you remove the label, the Machine Config Operator (MCO) reboots the node with the cluster base Red Hat Enterprise Linux CoreOS (RHCOS) image, overriding the custom layered image.
Before you remove the label, make sure the node is associated with another MCP.
Prerequisites
- 
							You have opted-in to On-cluster image mode by creating a MachineOSConfigobject.
- 
							You have applied a MachineOSConfigobject to a node in a custom machine config pool.
Procedure
- Remove the label from the node by using the following command: - oc label node/<node_name> node-role.kubernetes.io/<mcp_name>- - $ oc label node/<node_name> node-role.kubernetes.io/<mcp_name>-- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When you save the changes, the MCO drains, cordons, and reboots the nodes. After the reboot, the node uses the cluster base Red Hat Enterprise Linux CoreOS (RHCOS) image. 
Verification
- Verify that the custom layered image is removed by performing any of the following checks: - Check that the worker machine config pool is updating with the previous machine config: - oc get mcp - $ oc get mcp- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample output - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE layered rendered-layered-e8c8bc1de69777325003e80bc0c04b82 True False False 0 0 0 0 4h20m master rendered-master-50d7bc27ee8b9ca2250383f0647ade7f True False False 3 3 3 0 5h39m worker rendered-worker-e8c8bc1de69777325003e80bc0c04b82 True False False 3 3 3 0 5h39m - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE layered rendered-layered-e8c8bc1de69777325003e80bc0c04b82 True False False 0 0 0 0 4h20m- 1 - master rendered-master-50d7bc27ee8b9ca2250383f0647ade7f True False False 3 3 3 0 5h39m worker rendered-worker-e8c8bc1de69777325003e80bc0c04b82 True False False 3 3 3 0 5h39m- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the nodes to see that scheduling on the nodes is disabled. This indicates that the change is being applied: - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- When the node is back in the - Readystate, check that the node is using the base image:- Open an - oc debugsession to the node. For example:- oc debug node/ip-10-0-155-125.us-west-1.compute.internal - $ oc debug node/ip-10-0-155-125.us-west-1.compute.internal- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set - /hostas the root directory within the debug shell:- chroot /host - sh-4.4# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run the - rpm-ostree statuscommand to view that the base image is in use:- rpm-ostree status - sh-4.4# rpm-ostree status- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - State: idle Deployments: * ostree-unverified-registry:registry.build05.ci.openshift.org/ci-ln-qd0hmqk/stable@sha256:a8bd32573f787f6d1c23e1d669abbefd1e31339826d06e750c0ca632ad6c414f Digest: sha256:a8bd32573f787f6d1c23e1d669abbefd1e31339826d06e750c0ca632ad6c414f Version: 419.96.202501202201-0 (2025-01-20T22:06:13Z)- State: idle Deployments: * ostree-unverified-registry:registry.build05.ci.openshift.org/ci-ln-qd0hmqk/stable@sha256:a8bd32573f787f6d1c23e1d669abbefd1e31339826d06e750c0ca632ad6c414f Digest: sha256:a8bd32573f787f6d1c23e1d669abbefd1e31339826d06e750c0ca632ad6c414f Version: 419.96.202501202201-0 (2025-01-20T22:06:13Z)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
 
8.3.6. Removing an on-cluster custom layered image
					To prevent the custom layered images from taking up excessive space in your registry, you can automatically remove an on-cluster custom layered image from the repository by deleting the MachineOSBuild object that created the image.
				
					The credentials provided by the registry push secret that you added to the MachineOSBuild object must grant the permission for deleting an image from the registry. If the delete permission is not provided, the image is not removed when you delete the MachineOSBuild object.
				
					The custom layered image is not deleted if the image is either currently in use on a node or is desired by the nodes, as indicated by the machineconfiguration.openshift.io/currentImage or machineconfiguration.openshift.io/desiredImage annotations on the node, which are added to the node when you create the MachineOSConfig object.
				
8.4. Using Out-of-cluster image mode to apply a custom layered image
				You can use the image mode for OpenShift out-of-cluster build process to apply a custom layered image to your nodes by creating a MachineOSConfig custom resource (CR).
			
When you create the object, the Machine Config Operator (MCO) reboots those nodes with the new custom layered image, overriding the base Red Hat Enterprise Linux CoreOS (RHCOS) image.
				To apply a custom layered image to your cluster, you must have the custom layered image in a repository that your cluster can access. Then, create a MachineConfig object that points to the custom layered image. You need a separate MachineConfig object for each machine config pool that you want to configure.
			
When you configure a custom layered image, OpenShift Container Platform no longer automatically updates any node that uses the custom layered image. You become responsible for manually updating your nodes as appropriate. If you roll back the custom layer, OpenShift Container Platform will again automatically update the node. See the Additional resources section that follows for important information about updating nodes that use a custom layered image.
Prerequisites
- You must create a custom layered image that is based on an OpenShift Container Platform image digest, not a tag. Note- You should use the same base RHCOS image that is installed on the rest of your cluster. Use the - oc adm release info --image-for rhel-coreoscommand to obtain the base image being used in your cluster.- For example, the following Containerfile creates a custom layered image from an OpenShift Container Platform 4.20 image and overrides the kernel package with one from CentOS 9 Stream: - Example Containerfile for a custom layer image - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Instructions on how to create a Containerfile are beyond the scope of this documentation. 
- 
						Because the process for building a custom layered image is performed outside of the cluster, you must use the --authfile /path/to/pull-secretoption with Podman or Buildah. Alternatively, to have the pull secret read by these tools automatically, you can add it to one of the default file locations:~/.docker/config.json,$XDG_RUNTIME_DIR/containers/auth.json,~/.docker/config.json, or~/.dockercfg. Refer to thecontainers-auth.jsonman page for more information.
- You must push the custom layered image to a repository that your cluster can access.
Procedure
- Create a machine config file. - Create a YAML file similar to the following: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the - MachineConfigobject:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- It is strongly recommended that you test your images outside of your production environment before rolling out to your cluster. 
 
Verification
You can verify that the custom layered image is applied by performing any of the following checks:
- Check that the worker machine config pool has rolled out with the new machine config: - Check that the new machine config is created: - oc get mc - $ oc get mc- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check that the - osImageURLvalue in the new machine config points to the expected image:- oc describe mc rendered-worker-5de4837625b1cbc237de6b22bc0bc873 - $ oc describe mc rendered-worker-5de4837625b1cbc237de6b22bc0bc873- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check that the associated machine config pool is updated with the new machine config: - oc get mcp - $ oc get mcp- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample output - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-15961f1da260f7be141006404d17d39b True False False 3 3 3 0 39m worker rendered-worker-5de4837625b1cbc237de6b22bc0bc873 True False False 3 0 0 0 39m - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-15961f1da260f7be141006404d17d39b True False False 3 3 3 0 39m worker rendered-worker-5de4837625b1cbc237de6b22bc0bc873 True False False 3 0 0 0 39m- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- When theUPDATINGfield isTrue, the machine config pool is updating with the new machine config. In this case, you will not see the new machine config listed in the output. When the field becomesFalse, the worker machine config pool has rolled out to the new machine config.
 
- Check the nodes to see that scheduling on the nodes is disabled. This indicates that the change is being applied: - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- When the node is back in the - Readystate, check that the node is using the custom layered image:- Open an - oc debugsession to the node. For example:- oc debug node/ip-10-0-155-125.us-west-1.compute.internal - $ oc debug node/ip-10-0-155-125.us-west-1.compute.internal- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set - /hostas the root directory within the debug shell:- chroot /host - sh-4.4# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run the - rpm-ostree statuscommand to view that the custom layered image is in use:- sudo rpm-ostree status - sh-4.4# sudo rpm-ostree status- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...- State: idle Deployments: * ostree-unverified-registry:quay.io/my-registry/... Digest: sha256:...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
Additional resources
8.4.1. Reverting an out-of-cluster node
You can revert an out-of-cluster custom layered image from the nodes in specific machine config pools. The Machine Config Operator (MCO) reboots those nodes with the cluster base Red Hat Enterprise Linux CoreOS (RHCOS) image, overriding the custom layered image.
To remove a Red Hat Enterprise Linux CoreOS (RHCOS) custom layered image from your cluster, you need to delete the machine config that applied the image.
Procedure
- Delete the machine config that applied the custom layered image. - oc delete mc os-layer-custom - $ oc delete mc os-layer-custom- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After deleting the machine config, the nodes reboot. 
Verification
You can verify that the custom layered image is removed by performing any of the following checks:
- Check that the worker machine config pool is updating with the previous machine config: - oc get mcp - $ oc get mcp- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample output - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-6faecdfa1b25c114a58cf178fbaa45e2 True False False 3 3 3 0 39m worker rendered-worker-6b000dbc31aaee63c6a2d56d04cd4c1b False True False 3 0 0 0 39m - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE master rendered-master-6faecdfa1b25c114a58cf178fbaa45e2 True False False 3 3 3 0 39m worker rendered-worker-6b000dbc31aaee63c6a2d56d04cd4c1b False True False 3 0 0 0 39m- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- When theUPDATINGfield isTrue, the machine config pool is updating with the previous machine config. When the field becomesFalse, the worker machine config pool has rolled out to the previous machine config.
 
- Check the nodes to see that scheduling on the nodes is disabled. This indicates that the change is being applied: - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- When the node is back in the - Readystate, check that the node is using the base image:- Open an - oc debugsession to the node by running the following command:- oc debug node/<node_name> - $ oc debug node/<node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set - /hostas the root directory within the debug shell by running the following command:- chroot /host - sh-5.1# chroot /host- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run the - rpm-ostree statuscommand to view that the custom layered image is in use:- sudo rpm-ostree status - sh-5.1# sudo rpm-ostree status- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - State: idle Deployments: * ostree-unverified-registry:podman pull quay.io/openshift-release-dev/ocp-release@sha256:e2044c3cfebe0ff3a99fc207ac5efe6e07878ad59fd4ad5e41f88cb016dacd73 Digest: sha256:e2044c3cfebe0ff3a99fc207ac5efe6e07878ad59fd4ad5e41f88cb016dacd73- State: idle Deployments: * ostree-unverified-registry:podman pull quay.io/openshift-release-dev/ocp-release@sha256:e2044c3cfebe0ff3a99fc207ac5efe6e07878ad59fd4ad5e41f88cb016dacd73 Digest: sha256:e2044c3cfebe0ff3a99fc207ac5efe6e07878ad59fd4ad5e41f88cb016dacd73- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
8.5. Updating with a RHCOS custom layered image
When you configure image mode for OpenShift, OpenShift Container Platform no longer automatically updates the node pool that uses the custom layered image. You become responsible to manually update your nodes as appropriate.
To update a node that uses a custom layered image, follow these general steps:
- The cluster automatically upgrades to version x.y.z+1, except for the nodes that use the custom layered image.
- You could then create a new Containerfile that references the updated OpenShift Container Platform image and the RPM that you had previously applied.
- Create a new machine config that points to the updated custom layered image.
Updating a node with a custom layered image is not required. However, if that node gets too far behind the current OpenShift Container Platform version, you could experience unexpected results.
Chapter 9. Machine Config Daemon metrics overview
The Machine Config Daemon is a part of the Machine Config Operator. It runs on every node in the cluster. The Machine Config Daemon manages configuration changes and updates on each of the nodes.
9.1. Understanding Machine Config Daemon metrics
Beginning with OpenShift Container Platform 4.3, the Machine Config Daemon provides a set of metrics. These metrics can be accessed using the Prometheus Cluster Monitoring stack.
				The following table describes this set of metrics. Some entries contain commands for getting specific logs. However, the most comprehensive set of logs is available using the oc adm must-gather command.
			
					Metrics marked with * in the Name and Description columns represent serious errors that might cause performance problems. Such problems might prevent updates and upgrades from proceeding.
				
| Name | Format | Description | Notes | 
|---|---|---|---|
| 
								 | 
								 | Shows the OS that MCD is running on, such as RHCOS or RHEL. In case of RHCOS, the version is provided. | |
| 
								 | Logs errors received during failed drain. * | 
								While drains might need multiple tries to succeed, terminal failed drains prevent updates from proceeding. The  For further investigation, see the logs by running: 
								 | |
| 
								 | 
								 | Logs errors encountered during pivot. * | Pivot errors might prevent OS upgrades from proceeding. 
								For further investigation, run this command to see the logs from the  
								 | 
| 
								 | 
								 | State of Machine Config Daemon for the indicated node. Possible states are "Done", "Working", and "Degraded". In case of "Degraded", the reason is included. | For further investigation, see the logs by running: 
								 | 
| 
								 | Logs kubelet health failures. * | This is expected to be empty, with failure count of 0. If failure count exceeds 2, the error indicating threshold is exceeded. This indicates a possible issue with the health of the kubelet. For further investigation, run this command to access the node and see all its logs: 
								 | |
| 
								 | 
								 | Logs the failed reboots and the corresponding errors. * | This is expected to be empty, which indicates a successful reboot. For further investigation, see the logs by running: 
								 | 
| 
								 | 
								 | Logs success or failure of configuration updates and the corresponding errors. | 
								The expected value is  For further investigation, see the logs by running: 
								 | 
        Legal Notice
        
          
            
          
        
      
 
Copyright © 2025 Red Hat
OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).
Modified versions must remove all Red Hat trademarks.
Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.
Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.