mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
126 lines
4.9 KiB
Plaintext
126 lines
4.9 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * machine_configuration/machine-configs-configure.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="rhcos-add-extensions_{context}"]
|
|
|
|
= Adding extensions to {op-system}
|
|
|
|
{op-system} is a minimal container-oriented RHEL operating system, designed to provide a common set of capabilities to {product-title} clusters across all platforms. Although adding software packages to {op-system} systems is generally discouraged, the MCO provides an `extensions` feature you can use to add a minimal set of features to {op-system} nodes.
|
|
|
|
Currently, the following extensions are available:
|
|
|
|
* **usbguard**: The `usbguard` extension protects {op-system} systems from attacks by intrusive USB devices. For more information, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/security_hardening/index#usbguard_protecting-systems-against-intrusive-usb-devices[USBGuard] for details.
|
|
|
|
* **kerberos**: The `kerberos` extension provides a mechanism that allows both users and machines to identify themselves to the network to receive defined, limited access to the areas and services that an administrator has configured. For more information, see link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/using_kerberos[Using Kerberos] for details, including how to set up a Kerberos client and mount a Kerberized NFS share.
|
|
|
|
* **sandboxed-containers**: The `sandboxed-containers` extension contains RPMs for Kata, QEMU, and its dependencies. For more information, see https://docs.redhat.com/en/documentation/openshift_sandboxed_containers/latest[OpenShift Sandboxed Containers].
|
|
|
|
* **ipsec**: The `ipsec` extension contains RPMs for libreswan and NetworkManager-libreswan.
|
|
|
|
* **wasm**: The `wasm` extension enables Developer Preview functionality in {product-title} for users who want to use WASM-supported workloads.
|
|
|
|
* **sysstat**: Adding the `sysstat` extension provides additional performance monitoring for {product-title} nodes, including the system activity reporter (`sar`) command for collecting and reporting information.
|
|
|
|
* **kernel-devel**: The `kernel-devel` extension provides kernel headers and makefiles sufficient to build modules against the kernel package.
|
|
|
|
The following procedure describes how to use a machine config to add one or more extensions to your {op-system} nodes.
|
|
|
|
.Prerequisites
|
|
* Have a running {product-title} cluster (version 4.6 or later).
|
|
* Log in to the cluster as a user with administrative privileges.
|
|
|
|
.Procedure
|
|
|
|
. Create a machine config for extensions: Create a YAML file (for example, `80-extensions.yaml`) that contains a `MachineConfig` `extensions` object. This example tells the cluster to add the `usbguard` extension.
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ cat << EOF > 80-extensions.yaml
|
|
apiVersion: machineconfiguration.openshift.io/v1
|
|
kind: MachineConfig
|
|
metadata:
|
|
labels:
|
|
machineconfiguration.openshift.io/role: worker
|
|
name: 80-worker-extensions
|
|
spec:
|
|
config:
|
|
ignition:
|
|
version: 3.5.0
|
|
extensions:
|
|
- usbguard
|
|
EOF
|
|
----
|
|
|
|
. Add the machine config to the cluster. Type the following to add the machine config to the cluster:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create -f 80-extensions.yaml
|
|
----
|
|
+
|
|
This sets all worker nodes to have rpm packages for `usbguard` installed.
|
|
|
|
. Check that the extensions were applied:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get machineconfig 80-worker-extensions
|
|
----
|
|
+
|
|
.Example output
|
|
+
|
|
[source,terminal]
|
|
----
|
|
NAME GENERATEDBYCONTROLLER IGNITIONVERSION AGE
|
|
80-worker-extensions 3.5.0 57s
|
|
----
|
|
|
|
. Check that the new machine config is now applied and that the nodes are not in a degraded state. It may take a few minutes. The worker pool will show the updates in progress, as each machine successfully has the new machine config applied:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get machineconfigpool
|
|
----
|
|
+
|
|
.Example output
|
|
+
|
|
[source,terminal]
|
|
----
|
|
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE
|
|
master rendered-master-35 True False False 3 3 3 0 34m
|
|
worker rendered-worker-d8 False True False 3 1 1 0 34m
|
|
----
|
|
|
|
. Check the extensions. To check that the extension was applied, run:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get node | grep worker
|
|
----
|
|
+
|
|
.Example output
|
|
+
|
|
[source,terminal]
|
|
----
|
|
NAME STATUS ROLES AGE VERSION
|
|
ip-10-0-169-2.us-east-2.compute.internal Ready worker 102m v1.34.2
|
|
----
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc debug node/ip-10-0-169-2.us-east-2.compute.internal
|
|
----
|
|
+
|
|
.Example output
|
|
+
|
|
[source,terminal]
|
|
----
|
|
...
|
|
To use host binaries, run `chroot /host`
|
|
sh-4.4# chroot /host
|
|
sh-4.4# rpm -q usbguard
|
|
usbguard-0.7.4-4.el8.x86_64.rpm
|
|
----
|