Skip to content

Machine Config

Create MachineConfig objects that modify files, systemd unit files, and other operating system features running on OpenShift Container Platform nodes. OpenShift Container Platform supports Ignition specification version 3.2. All new machine configs you create going forward should be based on Ignition specification version 3.2.

Force Machine Config

Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1766513

1
oc debug node/worker0 -- chroot /host touch /run/machine-config-daemon-force

Pause rebooting

1
oc patch --type=merge --patch='{"spec":{"paused":true}}' machineconfigpool/master

Rollout sshd config example

Butane Config for worker node 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
---
variant: openshift
version: 4.17.0
metadata:
  name: 99-worker-sshd-custom
  labels:
    machineconfiguration.openshift.io/role: worker
storage:
  files:
    - path: /etc/ssh/sshd_config.d/49-sshd-custom.conf
      mode: 0644
      overwrite: true
      contents:
        inline: |
          Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
          MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
          KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
Butane Config for worker node 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
---
variant: openshift
version: 4.17.0
metadata:
  name: 99-master-sshd-custom
  labels:
    machineconfiguration.openshift.io/role: master
storage:
  files:
    - path: /etc/ssh/sshd_config.d/49-sshd-custom.conf
      mode: 0644
      overwrite: true
      contents:
        inline: |
          Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
          MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
          KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

Convert butane in Machine Config

1
2
butane sshd-worker.yaml -o sshd-worker.machineconfig.yaml
butane sshd-master.yaml -o sshd-master.machineconfig.yaml
Machine Config for worker node 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
# Generated by Butane; do not edit
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 99-worker-sshd-custom
spec:
  config:
    ignition:
      version: 3.4.0
    storage:
      files:
        - contents:
            compression: gzip
            source: data:;base64,H4sIAAAAAAAC/3yNzU6FMBCF9zwFD0BNOlrC3d0blsaHqGXoNOlfOsXw+KYqGli4m3znO2dmlwkL9xpZwiRMLUM7b3CcoMZfCpOwJtxTxshMTyaFw7jg7u0xc09BG8GkQTQF67n5lyoJ/6SgxrPbveL+8DYVVylwb7bygaCUvH0Zarx7995mUrEDmoW+i9FxzW3rgp6nlytSIIfFratDQeh90FHYkrYscDeko8WfR91nAAAA//8E0KQIPQEAAA==
          mode: 420
          overwrite: true
          path: /etc/ssh/sshd_config.d/49-sshd-custom.conf
Machine Config for worker node 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
---
variant: openshift
version: 4.17.0
metadata:
  name: 99-master-sshd-custom
  labels:
    machineconfiguration.openshift.io/role: master
storage:
  files:
    - path: /etc/ssh/sshd_config.d/49-sshd-custom.conf
      mode: 0644
      overwrite: true
      contents:
        inline: |
          Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
          MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
          KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

Apply changes to cluster

1
2
oc apply -f sshd-worker.machineconfig.yaml
oc apply -f sshd-master.machineconfig.yaml

All nodes (worker&master) will be drained and rebooted.

Watch rollout: watch 'oc get mcp,nodes'

2025-01-14 2021-05-06 Contributors: Robert Bohne Robert Guske