This is a cache of https://docs.okd.io/latest/machine_configuration/mco-coreos-layering.html. It is a snapshot of the page at 2025-06-14T18:49:39.264+0000.
Image mode for OpenShift | Machine configuration | OKD 4
  1. Documentation
×

Image mode for OpenShift

Image mode for OpenShift allows you to easily extend the functionality of your base FCOS image by layering additional images onto the base image. This layering does not modify the base FCOS image. Instead, it creates a custom layered image that includes all FCOS functionality and adds additional functionality to specific nodes in the cluster.

Image mode is a cloud-native approach to operating system management that treats your OS like a container image. You define your operating system configuration as code, build it as a unified image, and deploy it consistently across your entire fleet.

About image mode for OpenShift

Image mode for OpenShift allows you to customize the underlying node operating system on any of your cluster nodes. This helps keep everything up-to-date, including the node operating system and any added customizations such as specialized software.

You create a custom layered image by using a Containerfile and applying it to nodes by using a custom object. At any time, you can remove the custom layered image by deleting that custom object.

With image mode for OpenShift, you can install RPMs into your base image, and your custom content will be booted alongside FCOS. The Machine Config Operator (MCO) can roll out these custom layered images and monitor these custom containers in the same way it does for the default FCOS image. Image mode for OpenShift gives you greater flexibility in how you manage your FCOS nodes.

Installing realtime kernel and extensions RPMs as custom layered content is not recommended. This is because these RPMs can conflict with RPMs installed by using a machine config. If there is a conflict, the MCO enters a degraded state when it tries to install the machine config RPM. You need to remove the conflicting extension from your machine config before proceeding.

As soon as you apply the custom layered image to your cluster, you effectively take ownership of your custom layered images and those nodes. While Red Hat remains responsible for maintaining and updating the base FCOS image on standard nodes, you are responsible for maintaining and updating images on nodes that use a custom layered image. You assume the responsibility for the package you applied with the custom layered image and any issues that might arise with the package.

There are two methods for deploying a custom layered image onto your nodes:

On-cluster image mode

With on-cluster image mode, you create a MachineOSConfig object where you include the Containerfile and other parameters. The build is performed on your cluster and the resulting custom layered image is automatically pushed to your repository and applied to the machine config pool that you specified in the MachineOSConfig object. The entire process is performed completely within your cluster.

Out-of-cluster image mode

With out-of-cluster image mode, you create a Containerfile that references an OKD image and the RPM that you want to apply, build the layered image in your own environment, and push the image to your repository. Then, in your cluster, create a MachineConfig object for the targeted node pool that points to the new image. The Machine Config Operator overrides the base FCOS image, as specified by the osImageURL value in the associated machine config, and boots the new image.

For both methods, use the same base FCOS image installed on the rest of your cluster. Use the oc adm release info --image-for rhel-coreos command to obtain the base image used in your cluster.

Example Containerfiles

Image mode for OpenShift allows you to use the following types of images to create custom layered images:

  • OKD Hotfixes. You can work with Customer Experience and Engagement (CEE) to obtain and apply Hotfix packages on top of your FCOS image. In some instances, you might want a bug fix or enhancement before it is included in an official OKD release. Image mode for OpenShift allows you to easily add the Hotfix before it is officially released and remove the Hotfix when the underlying FCOS image incorporates the fix.

    Some Hotfixes require a Red Hat Support Exception and are outside of the normal scope of OKD support coverage or life cycle policies.

    Hotfixes are provided to you based on Red Hat Hotfix policy. Apply it on top of the base image and test that new custom layered image in a non-production environment. When you are satisfied that the custom layered image is safe to use in production, you can roll it out on your own schedule to specific node pools. For any reason, you can easily roll back the custom layered image and return to using the default FCOS.

    Example on-cluster Containerfile to apply a Hotfix
    containerfileArch: noarch
content: |-
  FROM configs AS final
  #Install hotfix package
  RUN dnf update -y https://example.com/files/systemd-252-46.el9_4.x86_64.rpm \
                    https://example.com/files/systemd-journal-remote-252-46.el9_4.x86_64.rpm \
                    https://example.com/files/systemd-libs-252-46.el9_4.x86_64.rpm  \
                    https://example.com/files/systemd-pam-252-46.el9_4.x86_64.rpm \
                    https://example.com/files/systemd-udev-252-46.el9_4.x86_64.rpm \
                    https://example.com/files/systemd-rpm-macros-252-46.el9_4.noarch.rpm && \
      dnf clean all && \
      ostree container commit
    Example out-of-cluster Containerfile to apply a Hotfix
    FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256...
#Install hotfix package
RUN dnf update -y https://example.com/files/systemd-252-46.el9_4.x86_64.rpm \
                  https://example.com/files/systemd-journal-remote-252-46.el9_4.x86_64.rpm \
                  https://example.com/files/systemd-libs-252-46.el9_4.x86_64.rpm  \
                  https://example.com/files/systemd-pam-252-46.el9_4.x86_64.rpm \
                  https://example.com/files/systemd-udev-252-46.el9_4.x86_64.rpm \
                  https://example.com/files/systemd-rpm-macros-252-46.el9_4.noarch.rpm && \
    dnf clean all && \
    ostree container commit

  • Fedora packages. You can download Fedora packages from the Red Hat Customer Portal, such as chrony, firewalld, and iputils.

    Example out-of-cluster Containerfile to apply the rsyslog utility
    # Using a 4.18.0 image
FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256...
# Install rsyslog package
RUN dnf install -y rsyslog && \
    ostree container commit
# Copy your custom configuration in
ADD remote.conf /etc/rsyslog.d/remote.conf

  • Third-party packages. You can download and install RPMs from third-party organizations, such as the following types of packages:

    • Bleeding edge drivers and kernel enhancements to improve performance or add capabilities.

    • Forensic client tools to investigate possible and actual break-ins.

    • Security agents.

    • Inventory agents that provide a coherent view of the entire cluster.

    • SSH Key management packages.

    Example on-cluster Containerfile to apply a third-party package from EPEL
    FROM configs AS final

#Enable EPEL (more info at https://docs.fedoraproject.org/en-US/epel/ ) and install htop
RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
    dnf install -y htop && \
    dnf clean all && \
    ostree container commit
    Example out-of-cluster Containerfile to apply a third-party package from EPEL
    # Get FCOS base image of target cluster `oc adm release info --image-for rhel-coreos`
FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256...

#Enable EPEL (more info at https://docs.fedoraproject.org/en-US/epel/ ) and install htop
RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
    dnf install -y htop && \
    dnf clean all && \
    ostree container commit

    This Containerfile installs the Fedora fish program. Because fish requires additional Fedora packages, the image must be built on an entitled Fedora host. For Fedora entitlements to work, you must copy the etc-pki-entitlement secret into the openshift-machine-config-operator namespace.

    Example on-cluster Containerfile to apply a third-party package that has Fedora dependencies
    FROM configs AS final

# RHEL entitled host is needed here to access RHEL packages
# Install fish as third party package from EPEL
RUN dnf install -y https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/f/fish-3.3.1-3.el9.x86_64.rpm && \
    dnf clean all && \
    ostree container commit
    Example out-of-cluster Containerfile to apply a third-party package that has Fedora dependencies
    # Get FCOS base image of target cluster `oc adm release info --image-for rhel-coreos`
FROM quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256...

# Fedora entitled host is needed here to access Fedora packages
# Install fish as third party package from EPEL
RUN dnf install -y https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/f/fish-3.3.1-3.el9.x86_64.rpm && \
    dnf clean all && \
    ostree container commit

After you create the machine config, the Machine Config Operator (MCO) performs the following steps:

  1. Renders a new machine config for the specified pool or pools.

  2. Performs cordon and drain operations on the nodes in the pool or pools.

  3. Writes the rest of the machine config parameters onto the nodes.

  4. Applies the custom layered image to the node.

  5. Reboots the node using the new image.

It is strongly recommended that you test your images outside of your production environment before rolling out to your cluster.

About on-cluster image mode

You can use the image mode for OpenShift on-cluster build process to apply a custom layered image to your nodes by creating a MachineOSConfig custom resource (CR), as described in "Using On-cluster image mode to apply a custom layered image".

When you create the object, the Machine Config Operator (MCO) creates a MachineOSBuild object and a builder pod. The process also creates transient objects, such as config maps, which are cleaned up after the build is complete. The MachineOSBuild object and the associated builder-* pod use the same naming scheme, <MachineOSConfig_CR_name>-<hash>, for example:

Example MachineOSBuild object
NAME                                             PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED
layered-image-c8765e26ebc87e1e17a7d6e0a78e8bae   False      False      True        False         False
Example builder pod
NAME                                                      READY   STATUS      RESTARTS        AGE
build-layered-image-c8765e26ebc87e1e17a7d6e0a78e8bae      2/2     Running     0               11m

You should not need to interact with these new objects or the machine-os-builder pod. However, you can use all of these resources for troubleshooting, if necessary.

When the build is complete, the MCO pushes the new custom layered image to your repository and rolls the image out to the nodes in the associated machine config pool. You can see the digested image pull spec for the new custom layered image in the MachineOSConfig object. This is now the active image pull spec for this MachineOSConfig.

Example digested image pull spec
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineOSConfig
metadata:
  annotations:
    machineconfiguration.openshift.io/current-machine-os-build: layered-9a8f89455246fa0c42ecee6ff1fa1a45
  labels:
    machineconfiguration.openshift.io/createdByOnClusterBuildsHelper: ""
  name: layered-image
# ...
status:
  currentImagePullSpec: image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-image@sha256:3c8fc667adcb432ce0c83581f16086afec08a961dd28fed69bb6bad6db0a0754

You can test a MachineOSBuild object to make sure it builds correctly without rolling out the custom layered image to active nodes by using a custom machine config pool that contains non-production nodes. Alternatively, you can use a custom machine config pool that has no nodes. The MachineOSBuild object builds even if there are no nodes for the MCO to deploy the custom layered image onto.

You can apply a custom layered image to any machine config pool in your cluster, including the control plane, worker, or custom pools.

For single-node OpenShift clusters, you can apply a custom layered image to the control plane node only.

Making certain changes to a MachineOSConfig object triggers an automatic rebuild of the associated custom layered image. You can mitigate the effects of the rebuild by pausing the machine config pool where the custom layered image is applied as described in "Pausing the machine config pools". While the pools are paused, the MCO does not roll out the newly built image to the nodes after the build is complete. However, the build runs regardless of whether the pool is paused or not. For example, if you want to remove and replace a MachineOSCOnfig object, pausing the machine config pools before making the change prevents the MCO from reverting the associated nodes to the base image, reducing the number of reboots needed.

When a machine config pool is paused, the oc get machineconfigpools reports the following status:

Example output
NAME      CONFIG                                              UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master    rendered-master-a0b404d061a6183cc36d302363422aba    True      False      False      3              3                   3                     0                      4h14m
worker    rendered-worker-221507009cbcdec0eec8ab3ccd789d18    False     False      False      2              2                   2                     0                      4h14m (1)
1 The worker machine config pool is paused, as indicated by the three False statuses and the READYMACHINECOUNT at 0.

After the changes have been rolled out, you can unpause the machine config pool.

In the case of a build failure, for example due to network issues or an invalid secret, the MCO retries the build three additional times before the job fails. The MCO creates a different build pod for each build attempt. You can use the build pod logs to troubleshoot any build failures. Note that the MCO automatically removes these build pods after a short period of time.

Example failed MachineOSBuild object
NAME                                             PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED   AGE
layered-image-c8765e26ebc87e1e17a7d6e0a78e8bae   False      False      False        False        True     12m

You can manually rebuild your custom layered image by either modifying your MachineOSConfig object or applying an annotation to the MachineOSConfig object. For more information, see "Rebuilding an on-cluster custom layered image".

If you used a custom machine config pool to apply an on-cluster layered image to a node, you can remove the custom layered image from the node and revert to the base image. For more information, see "Reverting an on-cluster layered node".

You can modify an on-custom layered image as needed, to install additional packages, remove existing packages, change repositories, update secrets, or other similar changes, by editing the MachineOSConfig object. For more information, see "Modifying a custom layered image".

On-cluster image mode known limitations

Note the following limitations when working with the on-cluster layering feature:

  • On-cluster image mode is not supported on multi-architecture compute machines.

  • Using multiple MachineOSConfig objects on the same machine config pool is not supported. You need a separate MachineOSConfig CR for each machine config pool where you want to use a distinct custom layered image.

  • If you scale up a machine set that uses a custom layered image, the nodes reboot two times. The first, when the node is initially created with the base image and a second time when the custom layered image is applied.

  • Node disruption policies are not supported on nodes with a custom layered image. As a result the following configuration changes cause a node reboot:

    • Modifying the configuration files in the /var or /etc directory

    • Adding or modifying a systemd service

    • Changing SSH keys

    • Removing mirroring rules from ICSP, ITMS, and IDMS objects

    • Changing the trusted CA, by updating the user-ca-bundle configmap in the openshift-config namespace

  • The images used in creating custom layered images take up space in your push registry. Always be aware of the free space in your registry and prune the images as needed. You can automatically remove an on-cluster custom layered image from the repository by deleting the MachineOSBuild object that created the image. Note that the credentials provided by the registry push secret must also grant permission to delete an image from the registry. For more information, see "Removing an on-cluster custom layered image".

Additional resources

Using the on-cluster image mode to apply a custom layered image

To apply a custom layered image to your cluster by using the on-cluster build process, create a MachineOSConfig custom resource (CR) that specifies the following parameters:

  • the Containerfile to build

  • the machine config pool to associate the build

  • where the final image should be pushed and pulled from

  • the push and pull secrets to use

Prerequisites

  • You have the pull secret in the openshift-machine-config-operator namespace that the Machine Config Operator (MCO) needs in order to pull the base operating system image from your repository. By default, the MCO uses the cluster global pull secret, which it synchronizes into the openshift-machine-config-operator namespace. You can add your pull secret to the OKD global pull secret or you can use a different pull secret. For information on modifying the global pull secret, see "Updating the global cluster pull secret".

  • You have the push secret of the registry that the MCO needs to push the new custom layered image to. The credentials provided by the secret must also grant permission to delete an image from the registry.

    In a disconnected environment, ensure that the disconnected cluster can access the registry where you want to push the image. Image mirroring applies only to pulling images.

  • You have the pull secret that your nodes need to pull the new custom layered image from your registry. This should be a different secret than the one used to push the image to the repository.

  • You are familiar with how to configure a Containerfile. Instructions on how to create a Containerfile are beyond the scope of this documentation.

  • Optional: You have a separate machine config pool for the nodes where you want to apply the custom layered image. One benefit to having a custom machine config pool for the nodes it that you can easily revert to the base image, if needed. For more information, see "Reverting an on-cluster layered node".

Procedure

  1. Create a MachineOSconfig object:

    1. Create a YAML file similar to the following:

      apiVersion: machineconfiguration.openshift.io/v1 (1)
kind: MachineOSConfig
metadata:
  name: layered-image (2)
spec:
  machineConfigPool:
    name: layered (3)
  containerFile: (4)
  - containerfileArch: NoArch (5)
    content: |-
      FROM configs AS final
      RUN dnf install -y cowsay && \
        dnf clean all && \
        ostree container commit
  imageBuilder: (6)
    imageBuilderType: Job
  baseImagePullSecret: (7)
    name: global-pull-secret-copy
  renderedImagePushSpec: image-registry.openshift-image-registry.svc:5000/openshift/os-image:latest  (8)
  renderedImagePushSecret: (9)
    name: builder-dockercfg-mtcl23
      1 Specifies the machineconfiguration.openshift.io/v1 API that is required for MachineConfig CRs.
      2 Specifies a name for the MachineOSConfig object. This name is used with other [image-mode-os-on-lower] resources. The examples in this documentation use the name layered-image.
      3 Specifies the name of the machine config pool associated with the nodes where you want to deploy the custom layered image. The examples in this documentation use the layered machine config pool.
      4 Specifies the Containerfile to configure the custom layered image.
      5 Specifies the architecture this containerfile is to be built for: ARM64, AMD64, PPC64LE, S390X, or NoArch. The default is NoArch, which defines a Containerfile that can be applied to any architecture.
      6 Specifies the name of the image builder to use. This must be Job, which is a reference to the job object that is managing the image build.
      7 Optional: Specifies the name of the pull secret that the MCO needs to pull the base operating system image from the registry. By default, the global pull secret is used.
      8 Specifies the image registry to push the newly-built custom layered image to. This can be any registry that your cluster has access to in the host[:port][/namespace]/name or svc_name.namespace.svc[:port]/repository/name:<tag> format. This example uses the internal OKD registry. You can specify a mirror registry if you cluster is properly configured to use a mirror registry.
      9 Specifies the name of the push secret that the MCO needs to push the newly-built custom layered image to that registry.

    2. Create the MachineOSConfig object:

      $ oc create -f <filename>.yaml

  2. If necessary, when the MachineOSBuild object has been created and is in the READY state, modify the node spec for the nodes where you want to use the new custom layered image:

    1. Check that the MachineOSBuild object is ready, by running the following command:

      $ oc get machineosbuild

      When the SUCCEEDED value is True, the build is complete:

      Example output showing that the MachineOSBuild object is ready
      NAME                                                     PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED   AGE
layered-image-ad5a3cad36303c363cf458ab0524e7c0-builder   False      False      True        False         False    43s

    2. Edit the nodes where you want to deploy the custom layered image by adding a label for the machine config pool you specified in the MachineOSConfig object:

      $ oc label node <node_name> 'node-role.kubernetes.io/<mcp_name>='

      where:

      node-role.kubernetes.io/<mcp_name>=

      Specifies a node selector that identifies the nodes to deploy the custom layered image.

      When you save the changes, the MCO drains, cordons, and reboots the nodes. After the reboot, the node uses the new custom layered image.

Verification

  1. Verify that the new pods are ready by running the following command:

    $ oc get pods -n openshift-machine-config-operator
    Example output
    NAME                                                                    READY   STATUS    RESTARTS   AGE
build-layered-image-ad5a3cad36303c363cf458ab0524e7c0-hxrws              2/2     Running   0          2m40s (1)
# ...
machine-os-builder-6fb66cfb99-zcpvq                                     1/1     Running   0          2m42s (2)
    1 This is the build pod where the custom layered image is building, named in the build-<MachineOSConfig_CR_name>-<hash> format.
    2 This pod can be used for troubleshooting.

  2. Verify the current stage of your layered build by running the following command:

    $ oc get machineosbuilds
    Example output
    NAME                                             PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED   AGE
layered-image-ad5a3cad36303c363cf458ab0524e7c0   False      True       False       False         False    12m (1)
    1 The MachineOSBuild is named in the <MachineOSConfig_CR_name>-<hash> format.

  3. Verify that the MachineOSConfig object contains a reference to the new custom layered image by running the following command:

    $ oc describe machineosconfig <object_name>
    Example digested image pull spec
    apiVersion: machineconfiguration.openshift.io/v1
kind: MachineOSConfig
metadata:
  annotations:
    machineconfiguration.openshift.io/current-machine-os-build: layered-9a8f89455246fa0c42ecee6ff1fa1a45
  labels:
    machineconfiguration.openshift.io/createdByOnClusterBuildsHelper: ""
  name: layered-image
# ...
status:
  currentImagePullSpec: image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-image@sha256:3c8fc667adcb432ce0c83581f16086afec08a961dd28fed69bb6bad6db0a0754 (1)
    1 Digested image pull spec for the new custom layered image.

  4. Verify that the appropriate nodes are using the new custom layered image:

    1. Start a debug session as root for a control plane node by running the following command:

      $ oc debug node/<node_name>

    2. Set /host as the root directory within the debug shell:

      sh-4.4# chroot /host

    3. Run the rpm-ostree status command to view that the custom layered image is in use:

      sh-5.1# rpm-ostree status
      Example output
      # ...
Deployments:
* ostree-unverified-registry:image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-images@sha256:3c8fc667adcb432ce0c83581f16086afec08a961dd28fed69bb6bad6db0a0754
                   Digest: sha256:3c8fc667adcb432ce0c83581f16086afec08a961dd28fed69bb6bad6db0a0754 (1)
                  Version: 419.94.202502100215-0 (2025-02-12T19:20:44Z)
      1 Digested image pull spec for the new custom layered image.
Additional resources

Modifying an on-cluster custom layered image

You can modify an on-cluster custom layered image, as needed. This allows you to install additional packages, remove existing packages, change the pull or push repositories, update secrets, or other similar changes. You can edit the MachineOSConfig object, apply changes to the YAML file that created the MachineOSConfig object, or create a new YAML file for that purpose.

If you modify and apply the MachineOSConfig object YAML or create a new YAML file, the YAML overwrites any changes you made directly to the MachineOSConfig object itself.

Making certain changes to a MachineOSConfig object triggers an automatic rebuild of the associated custom layered image. You can mitigate the effects of the rebuild by pausing the machine config pool where the custom layered image is applied as described in "Pausing the machine config pools". While the pools are paused, the MCO does not roll out the newly built image to the nodes after the build is complete. However, the build runs regardless of whether the pool is paused or not. For example, if you want to remove and replace a MachineOSCOnfig object, pausing the machine config pools before making the change prevents the MCO from reverting the associated nodes to the base image, reducing the number of reboots needed.

When a machine config pool is paused, the oc get machineconfigpools reports the following status:

Example output
NAME      CONFIG                                              UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master    rendered-master-a0b404d061a6183cc36d302363422aba    True      False      False      3              3                   3                     0                      4h14m
worker    rendered-worker-221507009cbcdec0eec8ab3ccd789d18    False     False      False      2              2                   2                     0                      4h14m (1)
1 The worker machine config pool is paused, as indicated by the three False statuses and the READYMACHINECOUNT at 0.

After the changes have been rolled out, you can unpause the machine config pool.

Prerequisites

  • You have opted in to on-cluster image mode by creating a MachineOSConfig object.

Procedure

  • Modify an object to update the associated custom layered image:

    1. Edit the MachineOSConfig object to modify the custom layered image. The following example adds the rngd daemon to nodes that already have the tree package that was installed using a custom layered image.

      apiVersion: machineconfiguration.openshift.io/v1
kind: MachineOSConfig
metadata:
  name: layered-image
spec:
  machineConfigPool:
    name: worker
  containerFile:
  - containerfileArch: noarch
    content: |- (1)
      FROM configs AS final

      RUN rpm-ostree install rng-tools && \
          systemctl enable rngd && \
          rpm-ostree cleanup -m && \
          ostree container commit

      RUN rpm-ostree install tree && \
          ostree container commit
  imageBuilder:
    imageBuilderType: PodImageBuilder
  baseImagePullSecret:
    name: global-pull-secret-copy (2)
  renderedImagePushspec: image-registry.openshift-image-registry.svc:5000/openshift-machine-config-operator/os-images:latest (3)
  renderedImagePushSecret:  (4)
    name: new-secret-name
      1 Optional: Modify the Containerfile, for example to add or remove packages.
      2 Optional: Update the secret needed to pull the base operating system image from the registry.
      3 Optional: Modify the image registry to push the newly built custom layered image to.
      4 Optional: Update the secret needed to push the newly built custom layered image to the registry.

      When you save the changes, the MCO drains, cordons, and reboots the nodes. After the reboot, the node uses the cluster base Fedora CoreOS (FCOS) image. If your changes modify a secret only, no new build is triggered and no reboot is performed.

Verification

  1. Verify that the new MachineOSBuild object was created by using the following command:

    $ oc get machineosbuild
    Example output
    NAME                                             PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED   AGE
layered-image-a5457b883f5239cdcb71b57e1a30b6ef   False      False      True        False         False    4d17h
layered-image-f91f0f5593dd337d89bf4d38c877590b   False      True       False       False         False    2m41s (1)
    1 The value True in the BUILDING column indicates that the MachineOSBuild object is building. When the SUCCEEDED column reports True, the build is complete.

  2. You can watch as the new machine config is rolled out to the nodes by using the following command:

    $ oc get machineconfigpools
    Example output
    NAME      CONFIG                                              UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master    rendered-master-a0b404d061a6183cc36d302363422aba    True      False      False      3              3                   3                     0                      3h38m
worker    rendered-worker-221507009cbcdec0eec8ab3ccd789d18    False     True       False      2              2                   2                     0                      3h38m (1)
    1 The value FALSE in the UPDATED column indicates that the MachineOSBuild object is building. When the UPDATED column reports FALSE, the new custom layered image has rolled out to the nodes.

  3. When the node is back in the Ready state, check that the changes were applied:

    1. Open an oc debug session to the node by running the following command:

      $ oc debug node/<node_name>

    2. Set /host as the root directory within the debug shell by running the following command:

      sh-5.1# chroot /host

    3. Use an appropriate command to verify that change was applied. The following examples shows that the rngd daemon was installed:

      sh-5.1# rpm -qa |grep rng-tools
      Example output
      rng-tools-6.17-3.fc41.x86_64
      sh-5.1# rngd -v
      Example output
      rngd 6.16
Additional resources

Rebuilding an on-cluster custom layered image

In situations where you want to rebuild an on-cluster custom layered image, you can either modify your MachineOSConfig object or add an annotation to the MachineOSConfig object. Both of these actions trigger an automatic rebuild of the object. For example, you could perform a rebuild if the you change the Containerfile or need to update the osimageurl location in a machine config.

After you add the annotation, the Machine Config Operator (MCO) deletes the current MachineOSBuild object and creates a new one in its place. When the build process is complete, the MCO automatically removes the annotation.

Prerequisites

  • You have opted-in to on-cluster image mode by creating a MachineOSConfig object.

Procedure

  • Edit the MachineOSConfig object to add the machineconfiguration.openshift.io/rebuild annotation by using the following command:

    $ oc edit MachineOSConfig <object_name>
    Example MachineOSConfig object
    apiVersion: machineconfiguration.openshift.io/v1
kind: MachineOSConfig
metadata:
  annotations:
    machineconfiguration.openshift.io/current-machine-os-build: layering-c26d4a003432df70ee66c83981144cfa
    machineconfiguration.openshift.io/rebuild: "" (1)
# ...
  name: layered-image
# ...
    1 Add this annotation to trigger a rebuild of the custom layered image.
Verification

  • Check that the MachineOSBuild object is building by using the following command:

    $ oc get machineosbuild
    Example output
    NAME                                             PREPARED   BUILDING   SUCCEEDED   INTERRUPTED   FAILED   AGE
layered-image-d6b929a29c6dbfa8e4007c8069a2fd08   False      True       False       False         False    2m41s (1)
    1 The value True in the BUILDING column indicates that the MachineOSBuild object is building.

  • Edit the MachineOSConfig object to verify that the MCO removed the machineconfiguration.openshift.io/rebuild annotation by using the following command:

    $ oc edit MachineOSConfig <object_name>
    Example MachineOSConfig object
    apiVersion: machineconfiguration.openshift.io/v1
kind: MachineOSConfig
metadata:
  annotations:
    machineconfiguration.openshift.io/current-machine-os-build: layering-c26d4a003432df70ee66c83981144cfa
# ...
  name: layered-image
# ...

Reverting an on-cluster custom layered image

If you applied an on-cluster layered image to a node in a custom machine config pool (MCP), you can remove the custom layered image from the node and revert to the base image.

To revert the node, remove the node from the custom MCP by removing the custom machine config pool label from the node. After you remove the label, the Machine Config Operator (MCO) reboots the node with the cluster base Fedora CoreOS (FCOS) image, overriding the custom layered image.

Before you remove the label, make sure the node is associated with another MCP.
Prerequisites

  • You have opted-in to On-cluster image mode by creating a MachineOSConfig object.

  • You have applied a MachineOSConfig object to a node in a custom machine config pool.

Procedure

  • Remove the label from the node by using the following command:

    $ oc label node/<node_name> node-role.kubernetes.io/<mcp_name>-

    When you save the changes, the MCO drains, cordons, and reboots the nodes. After the reboot, the node uses the cluster base Fedora CoreOS (FCOS) image.

Verification

  • Verify that the custom layered image is removed by performing any of the following checks:

    • Check that the worker machine config pool is updating with the previous machine config:

      $ oc get mcp
      Sample output
      NAME      CONFIG                                              UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
layered   rendered-layered-e8c8bc1de69777325003e80bc0c04b82   True      False      False      0              0                   0                     0                      4h20m (1)
master    rendered-master-50d7bc27ee8b9ca2250383f0647ade7f    True      False      False      3              3                   3                     0                      5h39m
worker    rendered-worker-e8c8bc1de69777325003e80bc0c04b82    True      False      False      3              3                   3                     0                      5h39m (2)
      1 The custom machine config pool no longer has any nodes.
      2 When the UPDATING field is True, the machine config pool is updating with the previous machine config. When the field becomes False, the worker machine config pool has rolled out to the previous machine config.

    • Check the nodes to see that scheduling on the nodes is disabled. This indicates that the change is being applied:

      $ oc get nodes
      Example output
      NAME                                         STATUS                     ROLES                  AGE   VERSION
ip-10-0-148-79.us-west-1.compute.internal    Ready                      worker                 32m   v1.32.3
ip-10-0-155-125.us-west-1.compute.internal   Ready,SchedulingDisabled   worker                 35m   v1.32.3
ip-10-0-170-47.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.32.3
ip-10-0-174-77.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.32.3
ip-10-0-211-49.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.32.3
ip-10-0-218-151.us-west-1.compute.internal   Ready                      worker                 31m   v1.32.3

    • When the node is back in the Ready state, check that the node is using the base image:

      1. Open an oc debug session to the node. For example:

        $ oc debug node/ip-10-0-155-125.us-west-1.compute.internal

      2. Set /host as the root directory within the debug shell:

        sh-4.4# chroot /host

      3. Run the rpm-ostree status command to view that the base image is in use:

        sh-4.4# rpm-ostree status
        Example output
        State: idle
Deployments:
* ostree-unverified-registry:registry.build05.ci.openshift.org/ci-ln-qd0hmqk/stable@sha256:a8bd32573f787f6d1c23e1d669abbefd1e31339826d06e750c0ca632ad6c414f
                   Digest: sha256:a8bd32573f787f6d1c23e1d669abbefd1e31339826d06e750c0ca632ad6c414f
                  Version: 419.96.202501202201-0 (2025-01-20T22:06:13Z)

Removing an on-cluster custom layered image

To prevent the custom layered images from taking up excessive space in your registry, you can automatically remove an on-cluster custom layered image from the repository by deleting the MachineOSBuild object that created the image.

The credentials provided by the registry push secret that you added to the MachineOSBuild object must grant the permission for deleting an image from the registry. If the delete permission is not provided, the image is not removed when you delete the MachineOSBuild object.

Note that the custom layered image is not deleted if the image is either currently in use on a node or is desired by the nodes, as indicated by the machineconfiguration.openshift.io/currentConfig or machineconfiguration.openshift.io/desiredConfig annotation on the node.

Using Out-of-cluster image mode to apply a custom layered image

You can use the image mode for OpenShift out-of-cluster build process to apply a custom layered image to your nodes by creating a MachineOSConfig custom resource (CR).

When you create the object, the Machine Config Operator (MCO) reboots those nodes with the new custom layered image, overriding the base Fedora CoreOS (FCOS) image.

To apply a custom layered image to your cluster, you must have the custom layered image in a repository that your cluster can access. Then, create a MachineConfig object that points to the custom layered image. You need a separate MachineConfig object for each machine config pool that you want to configure.

When you configure a custom layered image, OKD no longer automatically updates any node that uses the custom layered image. You become responsible for manually updating your nodes as appropriate. If you roll back the custom layer, OKD will again automatically update the node. See the Additional resources section that follows for important information about updating nodes that use a custom layered image.
Prerequisites

  • You must create a custom layered image that is based on an OKD image digest, not a tag.

    You should use the same base FCOS image that is installed on the rest of your cluster. Use the oc adm release info --image-for rhel-coreos command to obtain the base image being used in your cluster.

    For example, the following Containerfile creates a custom layered image from an OKD 4 image and overrides the kernel package with one from CentOS 9 Stream:

    Example Containerfile for a custom layer image
    # Using a 4.0 image
FROM quay.io/openshift-release/ocp-release@sha256... (1)
#Install hotfix rpm
RUN rpm-ostree override replace http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/kernel-{,core-,modules-,modules-core-,modules-extra-}5.14.0-295.el9.x86_64.rpm && \ (2)
    rpm-ostree cleanup -m && \
    ostree container commit
    1 Specifies the FCOS base image of your cluster.
    2 Replaces the kernel packages.

    Instructions on how to create a Containerfile are beyond the scope of this documentation.

  • Because the process for building a custom layered image is performed outside of the cluster, you must use the --authfile /path/to/pull-secret option with Podman or Buildah. Alternatively, to have the pull secret read by these tools automatically, you can add it to one of the default file locations: ~/.docker/config.json, $XDG_RUNTIME_DIR/containers/auth.json, ~/.docker/config.json, or ~/.dockercfg. Refer to the containers-auth.json man page for more information.

  • You must push the custom layered image to a repository that your cluster can access.

Procedure

  1. Create a machine config file.

    1. Create a YAML file similar to the following:

      apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker (1)
  name: os-layer-custom
spec:
  osImageURL: quay.io/my-registry/custom-image@sha256... (2)
      1 Specifies the machine config pool to deploy the custom layered image.
      2 Specifies the path to the custom layered image in the repository.

    2. Create the MachineConfig object:

      $ oc create -f <file_name>.yaml

      It is strongly recommended that you test your images outside of your production environment before rolling out to your cluster.
Verification

You can verify that the custom layered image is applied by performing any of the following checks:

  1. Check that the worker machine config pool has rolled out with the new machine config:

    1. Check that the new machine config is created:

      $ oc get mc
      Sample output
      NAME                                               GENERATEDBYCONTROLLER                      IGNITIONVERSION   AGE
00-master                                          5bdb57489b720096ef912f738b46330a8f577803   3.5.0             95m
00-worker                                          5bdb57489b720096ef912f738b46330a8f577803   3.5.0             95m
01-master-container-runtime                        5bdb57489b720096ef912f738b46330a8f577803   3.5.0             95m
01-master-kubelet                                  5bdb57489b720096ef912f738b46330a8f577803   3.5.0             95m
01-worker-container-runtime                        5bdb57489b720096ef912f738b46330a8f577803   3.5.0             95m
01-worker-kubelet                                  5bdb57489b720096ef912f738b46330a8f577803   3.5.0             95m
99-master-generated-registries                     5bdb57489b720096ef912f738b46330a8f577803   3.5.0             95m
99-master-ssh                                                                                 3.2.0             98m
99-worker-generated-registries                     5bdb57489b720096ef912f738b46330a8f577803   3.5.0             95m
99-worker-ssh                                                                                 3.2.0             98m
os-layer-custom                                                                                                 10s (1)
rendered-master-15961f1da260f7be141006404d17d39b   5bdb57489b720096ef912f738b46330a8f577803   3.5.0             95m
rendered-worker-5aff604cb1381a4fe07feaf1595a797e   5bdb57489b720096ef912f738b46330a8f577803   3.5.0             95m
rendered-worker-5de4837625b1cbc237de6b22bc0bc873   5bdb57489b720096ef912f738b46330a8f577803   3.5.0             4s  (2)
      1 New machine config
      2 New rendered machine config

    2. Check that the osImageURL value in the new machine config points to the expected image:

      $ oc describe mc rendered-worker-5de4837625b1cbc237de6b22bc0bc873
      Example output
      Name:         rendered-worker-5de4837625b1cbc237de6b22bc0bc873
Namespace:
Labels:       <none>
Annotations:  machineconfiguration.openshift.io/generated-by-controller-version: 5bdb57489b720096ef912f738b46330a8f577803
              machineconfiguration.openshift.io/release-image-version: 4.0-ec.3
API Version:  machineconfiguration.openshift.io/v1
Kind:         MachineConfig
...
  Os Image URL: quay.io/my-registry/custom-image@sha256...

    3. Check that the associated machine config pool is updated with the new machine config:

      $ oc get mcp
      Sample output
      NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-15961f1da260f7be141006404d17d39b   True      False      False      3              3                   3                     0                      39m
worker   rendered-worker-5de4837625b1cbc237de6b22bc0bc873   True      False      False      3              0                   0                     0                      39m (1)
      1 When the UPDATING field is True, the machine config pool is updating with the new machine config. In this case, you will not see the new machine config listed in the output. When the field becomes False, the worker machine config pool has rolled out to the new machine config.

    4. Check the nodes to see that scheduling on the nodes is disabled. This indicates that the change is being applied:

      $ oc get nodes
      Example output
      NAME                                         STATUS                     ROLES                  AGE   VERSION
ip-10-0-148-79.us-west-1.compute.internal    Ready                      worker                 32m   v1.32.3
ip-10-0-155-125.us-west-1.compute.internal   Ready,SchedulingDisabled   worker                 35m   v1.32.3
ip-10-0-170-47.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.32.3
ip-10-0-174-77.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.32.3
ip-10-0-211-49.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.32.3
ip-10-0-218-151.us-west-1.compute.internal   Ready                      worker                 31m   v1.32.3

  2. When the node is back in the Ready state, check that the node is using the custom layered image:

    1. Open an oc debug session to the node. For example:

      $ oc debug node/ip-10-0-155-125.us-west-1.compute.internal

    2. Set /host as the root directory within the debug shell:

      sh-4.4# chroot /host

    3. Run the rpm-ostree status command to view that the custom layered image is in use:

      sh-4.4# sudo rpm-ostree status
      Example output
      State: idle
Deployments:
* ostree-unverified-registry:quay.io/my-registry/...
                   Digest: sha256:...
Additional resources

Updating with a FCOS custom layered image

Reverting an out-of-cluster node

You can revert an out-of-cluster custom layered image from the nodes in specific machine config pools. The Machine Config Operator (MCO) reboots those nodes with the cluster base Fedora CoreOS (FCOS) image, overriding the custom layered image.

To remove a Fedora CoreOS (FCOS) custom layered image from your cluster, you need to delete the machine config that applied the image.

Procedure

  • Delete the machine config that applied the custom layered image.

    $ oc delete mc os-layer-custom

    After deleting the machine config, the nodes reboot.

Verification

You can verify that the custom layered image is removed by performing any of the following checks:

  1. Check that the worker machine config pool is updating with the previous machine config:

    $ oc get mcp
    Sample output
    NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-6faecdfa1b25c114a58cf178fbaa45e2   True      False      False      3              3                   3                     0                      39m
worker   rendered-worker-6b000dbc31aaee63c6a2d56d04cd4c1b   False     True       False      3              0                   0                     0                      39m (1)
    1 When the UPDATING field is True, the machine config pool is updating with the previous machine config. When the field becomes False, the worker machine config pool has rolled out to the previous machine config.

  2. Check the nodes to see that scheduling on the nodes is disabled. This indicates that the change is being applied:

    $ oc get nodes
    Example output
    NAME                                         STATUS                     ROLES                  AGE   VERSION
ip-10-0-148-79.us-west-1.compute.internal    Ready                      worker                 32m   v1.32.3
ip-10-0-155-125.us-west-1.compute.internal   Ready,SchedulingDisabled   worker                 35m   v1.32.3
ip-10-0-170-47.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.32.3
ip-10-0-174-77.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.32.3
ip-10-0-211-49.us-west-1.compute.internal    Ready                      control-plane,master   42m   v1.32.3
ip-10-0-218-151.us-west-1.compute.internal   Ready                      worker                 31m   v1.32.3

  3. When the node is back in the Ready state, check that the node is using the base image:

    1. Open an oc debug session to the node by running the following command:

      $ oc debug node/<node_name>

    2. Set /host as the root directory within the debug shell by running the following command:

      sh-5.1# chroot /host

    3. Run the rpm-ostree status command to view that the custom layered image is in use:

      sh-5.1# sudo rpm-ostree status
      Example output
      State: idle
Deployments:
* ostree-unverified-registry:podman pull quay.io/openshift-release-dev/ocp-release@sha256:e2044c3cfebe0ff3a99fc207ac5efe6e07878ad59fd4ad5e41f88cb016dacd73
                   Digest: sha256:e2044c3cfebe0ff3a99fc207ac5efe6e07878ad59fd4ad5e41f88cb016dacd73

Updating with a FCOS custom layered image

When you configure image mode for OpenShift, OKD no longer automatically updates the node pool that uses the custom layered image. You become responsible to manually update your nodes as appropriate.

To update a node that uses a custom layered image, follow these general steps:

  1. The cluster automatically upgrades to version x.y.z+1, except for the nodes that use the custom layered image.

  2. You could then create a new Containerfile that references the updated OKD image and the RPM that you had previously applied.

  3. Create a new machine config that points to the updated custom layered image.

Updating a node with a custom layered image is not required. However, if that node gets too far behind the current OKD version, you could experience unexpected results.