openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
834223014dff5984940beff0d8cbc2fdffedbe74
openshift-docs/modules/nodes-nodes-kernel-arguments.adoc
Andrea Hoffer 834223014d OSDOCS-2893: Updating kube references from 1.22 to 1.23
2022-01-20 19:41:20 +00:00

179 lines
8.0 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * nodes/nodes-nodes-working.adoc
// * post_installation_configuration/machine-configuration-tasks.adoc
[id="nodes-nodes-kernel-arguments_{context}"]
= Adding kernel arguments to nodes
In some special cases, you might want to add kernel arguments
to a set of nodes in your cluster.
This should only be done with caution and clear understanding
of the implications of the arguments you set.
[WARNING]
====
Improper use of kernel arguments can result in your systems becoming unbootable.
====
Examples of kernel arguments you could set include:
* **enforcing=0**: Configures Security Enhanced Linux (SELinux) to run in permissive mode.
In permissive mode, the system acts as if SELinux is enforcing the loaded security policy,
including labeling objects and emitting access denial entries in the logs,
but it does not actually deny any operations. While not recommended for production systems,
permissive mode can be helpful for debugging.
* **nosmt**: Disables symmetric multithreading (SMT) in the kernel.
Multithreading allows multiple logical threads for each CPU.
You could consider `nosmt` in multi-tenant environments to reduce
risks from potential cross-thread attacks. By disabling SMT, you essentially choose security over performance.
* **systemd.unified_cgroup_hierarchy**: Enables
link:https://www.kernel.org/doc/html/latest/admin-guide/cgroup-v2.html[Linux control groups version 2] (cgroups v2).
Cgroup v2 is the next version of the kernel
link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01[control groups]
and offers multiple improvements.
See link:https://www.kernel.org/doc/Documentation/admin-guide/kernel-parameters.txt[Kernel.org kernel parameters]
for a list and descriptions of kernel arguments.
In the following procedure, you create a `MachineConfig` object that identifies:
* A set of machines to which you want to add the kernel argument.
In this case, machines with a worker role.
* Kernel arguments that are appended to the end of the existing kernel arguments.
* A label that indicates where in the list of machine configs the change is applied.
.Prerequisites
* Have administrative privilege to a working {product-title} cluster.
.Procedure
. List existing `MachineConfig` objects for your {product-title} cluster to determine how to
label your machine config:
+
[source,terminal]
----
$ oc get MachineConfig
----
+
.Example output
[source,terminal]
----
NAME GENERATEDBYCONTROLLER IGNITIONVERSION AGE
00-master 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
00-worker 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
01-master-container-runtime 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
01-master-kubelet 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
01-worker-container-runtime 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
01-worker-kubelet 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
99-master-generated-registries 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
99-master-ssh 3.2.0 40m
99-worker-generated-registries 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
99-worker-ssh 3.2.0 40m
rendered-master-23e785de7587df95a4b517e0647e5ab7 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
rendered-worker-5d596d9293ca3ea80c896a1191735bb1 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
----
. Create a `MachineConfig` object file that identifies the kernel argument (for example, `05-worker-kernelarg-selinuxpermissive.yaml`)
+
[source,yaml]
----
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: worker<1>
name: 05-worker-kernelarg-selinuxpermissive<2>
spec:
config:
ignition:
version: 3.2.0
kernelArguments:
- enforcing=0<3>
----
+
<1> Applies the new kernel argument only to worker nodes.
<2> Named to identify where it fits among the machine configs (05) and what it does (adds
a kernel argument to configure SELinux permissive mode).
<3> Identifies the exact kernel argument as `enforcing=0`.
. Create the new machine config:
+
[source,terminal]
----
$ oc create -f 05-worker-kernelarg-selinuxpermissive.yaml
----
. Check the machine configs to see that the new one was added:
+
[source,terminal]
----
$ oc get MachineConfig
----
+
.Example output
[source,terminal]
----
NAME GENERATEDBYCONTROLLER IGNITIONVERSION AGE
00-master 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
00-worker 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
01-master-container-runtime 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
01-master-kubelet 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
01-worker-container-runtime 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
01-worker-kubelet 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
05-worker-kernelarg-selinuxpermissive 3.2.0 105s
99-master-generated-registries 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
99-master-ssh 3.2.0 40m
99-worker-generated-registries 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
99-worker-ssh 3.2.0 40m
rendered-master-23e785de7587df95a4b517e0647e5ab7 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
rendered-worker-5d596d9293ca3ea80c896a1191735bb1 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m
----
. Check the nodes:
+
[source,terminal]
----
$ oc get nodes
----
+
.Example output
[source,terminal]
----
NAME STATUS ROLES AGE VERSION
ip-10-0-136-161.ec2.internal Ready worker 28m v1.23.0
ip-10-0-136-243.ec2.internal Ready master 34m v1.23.0
ip-10-0-141-105.ec2.internal Ready,SchedulingDisabled worker 28m v1.23.0
ip-10-0-142-249.ec2.internal Ready master 34m v1.23.0
ip-10-0-153-11.ec2.internal Ready worker 28m v1.23.0
ip-10-0-153-150.ec2.internal Ready master 34m v1.23.0
----
+
You can see that scheduling on each worker node is disabled as the change is being applied.
. Check that the kernel argument worked by going to one of the worker nodes and listing
the kernel command line arguments (in `/proc/cmdline` on the host):
+
[source,terminal]
----
$ oc debug node/ip-10-0-141-105.ec2.internal
----
+
.Example output
[source,terminal]
----
Starting pod/ip-10-0-141-105ec2internal-debug ...
To use host binaries, run `chroot /host`
sh-4.2# cat /host/proc/cmdline
BOOT_IMAGE=/ostree/rhcos-... console=tty0 console=ttyS0,115200n8
rootflags=defaults,prjquota rw root=UUID=fd0... ostree=/ostree/boot.0/rhcos/16...
coreos.oem.id=qemu coreos.oem.id=ec2 ignition.platform.id=ec2 enforcing=0
sh-4.2# exit
----
+
You should see the `enforcing=0` argument added to the other kernel arguments.
View Git Blame Copy Permalink