Managing Node Configuration with MachineConfig
You can use the tasks described in this section to create MachineConfig objects that modify files, systemd units, and SSH public keys on nodes, as well as to recover nodes that have experienced configuration drift.
MachineConfig supports Ignition specification version 3.4. All MachineConfig objects must be created in compliance with this version.
In certain situations, the configuration on a node may not fully match the configuration currently applied through the MachineConfig. This condition is referred to as configuration drift. The machine configuration daemon periodically verifies whether a node's configuration has drifted. If drift is detected, the node is marked as Degraded and remains in that state until an administrator restores the expected configuration.
The following examples demonstrate how to use MachineConfig objects to manage node configurations.
TOC
Configuring the Chrony Time Service
To configure the Chrony time synchronization service (chronyd) and specify the NTP servers and related settings, you can update the chrony.conf file on the target nodes via a MachineConfig object.
-
First, create a temporary file that contains the desired Chrony configuration:
-
Then, base64-encode the contents of the file:
-
Create a
MachineConfigobject named99-worker-chrony. In the.spec.config.storage.files[0].contents.sourcefield, insert the base64-encoded string in the formatdata:text/plain;base64,<encoded-content>:This configuration creates a
MachineConfigobject that applies a customizedchrony.conffile to nodes associated with theworkermachine configuration pool. The file will be written to/etc/chrony.confon each node, with file permissions set to0644.
Disabling the Chrony Time Service
To disable the Chrony time synchronization service on nodes with a specific role, you can create a MachineConfig object that overrides the systemd unit definition and disables the service.
Example configuration:
This configuration pushes a custom version of the chronyd.service unit file to the nodes in the worker machine configuration pool. The service is explicitly disabled. Once the configuration is applied and the nodes are rebooted, the Chrony service will no longer start automatically.
Configuring the SSH Public Key for the boot User
The machine configuration system allows you to configure an SSH public key for the boot user on managed nodes. Configuration for other user accounts is not supported. Note that machine configuration will not create users or groups automatically—you must ensure that the boot user and group exist on the node before applying the configuration.
Example configuration:
This MachineConfig will install the specified SSH key in the /home/boot/.ssh/authorized_keys file on nodes in the worker machine configuration pool.
Recovering from Configuration Drift
If a node's configuration diverges from its assigned MachineConfig, it will be marked as Degraded. In this state, the node continues to operate but cannot receive further configuration updates until the issue is resolved.
There are two ways to restore a node from this degraded state:
-
Manually revert the configuration You can manually adjust the files and permissions on the node to exactly match those specified in the assigned
MachineConfig. The system will detect the correction and clear the degraded status. -
Force the configuration to be reapplied Create an empty file at
/run/machine-config-daemon-forceon the affected node. The machine configuration daemon will detect this trigger, reapply the currentMachineConfig, delete the trigger file, and reboot the node. After rebooting, the node will transition fromDegradedback toDone.