OpenShift Specification v4.16.0
The OpenShift configuration is a YAML document conforming to the following specification, with italicized entries being optional:
- variant (string): used to differentiate configs for different operating systems. Must be
openshift
for this specification. - version (string): the semantic version of the spec for this document. This document is for version
4.16.0
and generates Ignition configs with version3.4.0
. - metadata (object): metadata about the generated MachineConfig resource. Respected when rendering to a MachineConfig, ignored when rendering directly to an Ignition config.
- name (string): a unique name for this MachineConfig resource.
- labels (object): string key/value pairs to apply as Kubernetes labels to this MachineConfig resource.
machineconfiguration.openshift.io/role
is required.
- ignition (object): metadata about the configuration itself.
- config (object): options related to the configuration.
- merge (list of objects): a list of the configs to be merged to the current config.
- source (string): the URL of the config. Supported schemes are
http
,https
,tftp
,s3
,arn
,gs
, anddata
. When usinghttp
, it is advisable to use the verification option to ensure the contents haven’t been modified. Mutually exclusive withinline
andlocal
. - inline (string): the contents of the config. Mutually exclusive with
source
andlocal
. - local (string): a local path to the contents of the config, relative to the directory specified by the
--files-dir
command-line argument. Mutually exclusive withsource
andinline
. - compression (string): the type of compression used on the config (null or gzip). Compression cannot be used with S3.
- http_headers (list of objects): a list of HTTP headers to be added to the request. Available for
http
andhttps
source schemes only.- name (string): the header name.
- value (string): the header contents.
- verification (object): options related to the verification of the config.
- hash (string): the hash of the config, in the form
<type>-<value>
where type is eithersha512
orsha256
. Ifcompression
is specified, the hash describes the decompressed config.
- hash (string): the hash of the config, in the form
- source (string): the URL of the config. Supported schemes are
- replace (object): the config that will replace the current.
- source (string): the URL of the config. Supported schemes are
http
,https
,tftp
,s3
,arn
,gs
, anddata
. When usinghttp
, it is advisable to use the verification option to ensure the contents haven’t been modified. Mutually exclusive withinline
andlocal
. - inline (string): the contents of the config. Mutually exclusive with
source
andlocal
. - local (string): a local path to the contents of the config, relative to the directory specified by the
--files-dir
command-line argument. Mutually exclusive withsource
andinline
. - compression (string): the type of compression used on the config (null or gzip). Compression cannot be used with S3.
- http_headers (list of objects): a list of HTTP headers to be added to the request. Available for
http
andhttps
source schemes only.- name (string): the header name.
- value (string): the header contents.
- verification (object): options related to the verification of the config.
- hash (string): the hash of the config, in the form
<type>-<value>
where type is eithersha512
orsha256
. Ifcompression
is specified, the hash describes the decompressed config.
- hash (string): the hash of the config, in the form
- source (string): the URL of the config. Supported schemes are
- merge (list of objects): a list of the configs to be merged to the current config.
- timeouts (object): options relating to
http
timeouts when fetching files overhttp
orhttps
.- http_response_headers (integer): the time to wait (in seconds) for the server’s response headers (but not the body) after making a request. 0 indicates no timeout. Default is 10 seconds.
- http_total (integer): the time limit (in seconds) for the operation (connection, request, and response), including retries. 0 indicates no timeout. Default is 0.
- security (object): options relating to network security.
- tls (object): options relating to TLS when fetching resources over
https
.- certificate_authorities (list of objects): the list of additional certificate authorities (in addition to the system authorities) to be used for TLS verification when fetching over
https
. All certificate authorities must have a uniquesource
,inline
, orlocal
.- source (string): the URL of the certificate bundle (in PEM format). The bundle can contain multiple concatenated certificates. Supported schemes are
http
,https
,tftp
,s3
,arn
,gs
, anddata
. When usinghttp
, it is advisable to use the verification option to ensure the contents haven’t been modified. Mutually exclusive withinline
andlocal
. - inline (string): the contents of the certificate bundle (in PEM format). The bundle can contain multiple concatenated certificates. Mutually exclusive with
source
andlocal
. - local (string): a local path to the contents of the certificate bundle (in PEM format), relative to the directory specified by the
--files-dir
command-line argument. The bundle can contain multiple concatenated certificates. Mutually exclusive withsource
andinline
. - compression (string): the type of compression used on the certificate bundle (null or gzip). Compression cannot be used with S3.
- http_headers (list of objects): a list of HTTP headers to be added to the request. Available for
http
andhttps
source schemes only.- name (string): the header name.
- value (string): the header contents.
- verification (object): options related to the verification of the certificate bundle.
- hash (string): the hash of the certificate bundle, in the form
<type>-<value>
where type is eithersha512
orsha256
. Ifcompression
is specified, the hash describes the decompressed certificate bundle.
- hash (string): the hash of the certificate bundle, in the form
- source (string): the URL of the certificate bundle (in PEM format). The bundle can contain multiple concatenated certificates. Supported schemes are
- certificate_authorities (list of objects): the list of additional certificate authorities (in addition to the system authorities) to be used for TLS verification when fetching over
- tls (object): options relating to TLS when fetching resources over
- proxy (object): options relating to setting an
HTTP(S)
proxy when fetching resources.- http_proxy (string): will be used as the proxy URL for HTTP requests and HTTPS requests unless overridden by
https_proxy
orno_proxy
. - https_proxy (string): will be used as the proxy URL for HTTPS requests unless overridden by
no_proxy
. - no_proxy (list of strings): specifies a list of strings to hosts that should be excluded from proxying. Each value is represented by an
IP address prefix (1.2.3.4)
,an IP address prefix in CIDR notation (1.2.3.4/8)
,a domain name
, ora special DNS label (*)
. An IP address prefix and domain name can also include a literal port number(1.2.3.4:80)
. A domain name matches that name and all subdomains. A domain name with a leading.
matches subdomains only. For examplefoo.com
matchesfoo.com
andbar.foo.com
;.y.com
matchesx.y.com
but noty.com
. A single asterisk(*)
indicates that no proxying should be done.
- http_proxy (string): will be used as the proxy URL for HTTP requests and HTTPS requests unless overridden by
- config (object): options related to the configuration.
- storage (object): describes the desired state of the system’s storage devices.
- disks (list of objects): the list of disks to be configured and their options. Every entry must have a unique
device
.- device (string): the absolute path to the device. Devices are typically referenced by the
/dev/disk/by-*
symlinks. The boot disk can be referenced as/dev/disk/by-id/coreos-boot-disk
. - wipe_table (boolean): whether or not the partition tables shall be wiped. When true, the partition tables are erased before any further manipulation. Otherwise, the existing entries are left intact.
- partitions (list of objects): the list of partitions and their configuration for this particular disk. Every partition must have a unique
number
, or if 0 is specified, a uniquelabel
.- label (string): the PARTLABEL for the partition.
- number (integer): the partition number, which dictates its position in the partition table (one-indexed). If zero, use the next available partition slot.
- size_mib (integer): the size of the partition (in mebibytes). If zero, the partition will be made as large as possible.
- start_mib (integer): the start of the partition (in mebibytes). If zero, the partition will be positioned at the start of the largest block available.
- type_guid (string): the GPT partition type GUID. If omitted, the default will be 0FC63DAF-8483-4772-8E79-3D69D8477DE4 (Linux filesystem data).
- guid (string): the GPT unique partition GUID.
- wipe_partition_entry (boolean): if true, Ignition will clobber an existing partition if it does not match the config. If false (default), Ignition will fail instead.
- should_exist (boolean): whether or not the partition with the specified
number
should exist. If omitted, it defaults to true. If false Ignition will either delete the specified partition or fail, depending onwipePartitionEntry
. If falsenumber
must be specified and non-zero andlabel
,start
,size
,guid
, andtypeGuid
must all be omitted. - resize (boolean): whether or not the existing partition should be resized. If omitted, it defaults to false. If true, Ignition will resize an existing partition if it matches the config in all respects except the partition size.
- device (string): the absolute path to the device. Devices are typically referenced by the
- raid (list of objects): the list of RAID arrays to be configured. Every RAID array must have a unique
name
.- name (string): the name to use for the resulting md device.
- level (string): the redundancy level of the array (e.g. linear, raid1, raid5, etc.).
- devices (list of strings): the list of devices (referenced by their absolute path) in the array.
- spares (integer): the number of spares (if applicable) in the array.
- options (list of strings): any additional options to be passed to mdadm.
- filesystems (list of objects): the list of filesystems to be configured.
device
andformat
need to be specified. Every filesystem must have a uniquedevice
.- device (string): the absolute path to the device. Devices are typically referenced by the
/dev/disk/by-*
symlinks. - format (string): the filesystem format (ext4, xfs, vfat, or swap).
- path (string): the mount-point of the filesystem while Ignition is running relative to where the root filesystem will be mounted. This is not necessarily the same as where it should be mounted in the real root, but it is encouraged to make it the same.
- wipe_filesystem (boolean): whether or not to wipe the device before filesystem creation, see Ignition’s documentation on filesystems for more information. Defaults to false.
- label (string): the label of the filesystem.
- uuid (string): the uuid of the filesystem.
- options (list of strings): any additional options to be passed to the format-specific mkfs utility.
- mount_options (list of strings): any special options to be passed to the mount command.
- with_mount_unit (boolean): whether to additionally generate a generic mount unit for this filesystem or a swap unit for this swap area. If a more specific unit is needed, a custom one can be specified in the
systemd.units
section. The unit will be named with the escaped version of thepath
ordevice
, depending on the unit type. If your filesystem is located on a Tang-backed LUKS device, the unit will automatically require network access if you specify the device as/dev/mapper/<device-name>
or/dev/disk/by-id/dm-name-<device-name>
.
- device (string): the absolute path to the device. Devices are typically referenced by the
- files (list of objects): the list of files to be written. Every file, directory and link must have a unique
path
.- path (string): the absolute path to the file.
- overwrite (boolean): whether to delete preexisting nodes at the path.
contents
must be specified ifoverwrite
is true. Defaults to false. - contents (object): options related to the contents of the file.
- source (string): the URL of the file. Only the
data
scheme is supported. If source is omitted and a regular file already exists at the path, Ignition will do nothing. If source is omitted and no file exists, an empty file will be created. Mutually exclusive withinline
andlocal
. - inline (string): the contents of the file. Mutually exclusive with
source
andlocal
. - local (string): a local path to the contents of the file, relative to the directory specified by the
--files-dir
command-line argument. Mutually exclusive withsource
andinline
. - compression (string): the type of compression used on the file (null or gzip). Compression cannot be used with S3.
- verification (object): options related to the verification of the file.
- hash (string): the hash of the file, in the form
<type>-<value>
where type is eithersha512
orsha256
. Ifcompression
is specified, the hash describes the decompressed file.
- hash (string): the hash of the file, in the form
- source (string): the URL of the file. Only the
- mode (integer): the file’s permission mode. Setuid/setgid/sticky bits are not supported. If not specified, the permission mode for files defaults to 0644 or the existing file’s permissions if
overwrite
is false,contents
is unspecified, and a file already exists at the path. - user (object): specifies the file’s owner.
- id (integer): the user ID of the owner.
- name (string): the user name of the owner.
- group (object): specifies the file’s group.
- id (integer): the group ID of the group.
- name (string): the group name of the group.
- luks (list of objects): the list of luks devices to be created. Every device must have a unique
name
.- name (string): the name of the luks device.
- device (string): the absolute path to the device. Devices are typically referenced by the
/dev/disk/by-*
symlinks. - key_file (object): options related to the contents of the key file.
- source (string): the URL of the key file. Supported schemes are
http
,https
,tftp
,s3
,arn
,gs
, anddata
. When usinghttp
, it is advisable to use the verification option to ensure the contents haven’t been modified. Mutually exclusive withinline
andlocal
. - inline (string): the contents of the key file. Mutually exclusive with
source
andlocal
. - local (string): a local path to the contents of the key file, relative to the directory specified by the
--files-dir
command-line argument. Mutually exclusive withsource
andinline
. - compression (string): the type of compression used on the key file (null or gzip). Compression cannot be used with S3.
- http_headers (list of objects): a list of HTTP headers to be added to the request. Available for
http
andhttps
source schemes only.- name (string): the header name.
- value (string): the header contents.
- verification (object): options related to the verification of the key file.
- hash (string): the hash of the key file, in the form
<type>-<value>
where type is eithersha512
orsha256
. Ifcompression
is specified, the hash describes the decompressed key file.
- hash (string): the hash of the key file, in the form
- source (string): the URL of the key file. Supported schemes are
- label (string): the label of the luks device.
- uuid (string): the uuid of the luks device.
- options (list of strings): any additional options to be passed to
cryptsetup luksFormat
. - discard (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false.
- open_options (list of strings): any additional options to be passed to
cryptsetup luksOpen
. Supported options will be persistently written to the luks volume. - wipe_volume (boolean): whether or not to wipe the device before volume creation, see Ignition’s documentation on filesystems for more information.
- clevis (object): describes the clevis configuration for the luks device.
- tang (list of objects): describes a tang server. Every server must have a unique
url
.- url (string): url of the tang server.
- thumbprint (string): thumbprint of a trusted signing key.
- advertisement (string): the advertisement JSON. If not specified, the advertisement is fetched from the tang server during provisioning.
- tpm2 (boolean): whether or not to use a tpm2 device.
- threshold (integer): sets the minimum number of pieces required to decrypt the device. Default is 1.
- custom (object): overrides the clevis configuration. The
pin
&config
will be passed directly toclevis luks bind
. If specified, all other clevis options must be omitted.- pin (string): the clevis pin.
- config (string): the clevis configuration JSON.
- needs_network (boolean): whether or not the device requires networking.
- tang (list of objects): describes a tang server. Every server must have a unique
- trees (list of objects): a list of local directory trees to be embedded in the config. Symlinks must not be present. Ownership is not preserved. File modes are set to 0755 if the local file is executable or 0644 otherwise. File attributes can be overridden by creating a corresponding entry in the
files
section; such entries must omitcontents
.- local (string): the base of the local directory tree, relative to the directory specified by the
--files-dir
command-line argument. - path (string): the path of the tree within the target system. Defaults to
/
.
- local (string): the base of the local directory tree, relative to the directory specified by the
- disks (list of objects): the list of disks to be configured and their options. Every entry must have a unique
- systemd (object): describes the desired state of the systemd units.
- units (list of objects): the list of systemd units. Every unit must have a unique
name
.- name (string): the name of the unit. This must be suffixed with a valid unit type (e.g. “thing.service”).
- enabled (boolean): whether or not the service shall be enabled. When true, the service is enabled. When false, the service is disabled. When omitted, the service is unmodified. In order for this to have any effect, the unit must have an install section.
- mask (boolean): whether or not the service shall be masked. When true, the service is masked by symlinking it to
/dev/null
. When false, the service is unmasked by deleting the symlink to/dev/null
if it exists. - contents (string): the contents of the unit. Mutually exclusive with
contents_local
. - contents_local (string): a local path to the contents of the unit, relative to the directory specified by the
--files-dir
command-line argument. Mutually exclusive withcontents
. - dropins (list of objects): the list of drop-ins for the unit. Every drop-in must have a unique
name
.- name (string): the name of the drop-in. This must be suffixed with “.conf”.
- contents (string): the contents of the drop-in. Mutually exclusive with
contents_local
. - contents_local (string): a local path to the contents of the drop-in, relative to the directory specified by the
--files-dir
command-line argument. Mutually exclusive withcontents
.
- units (list of objects): the list of systemd units. Every unit must have a unique
- passwd (object): describes the desired additions to the passwd database.
- users (list of objects): the list of accounts that shall exist. All users must have a unique
name
.- name (string): the username for the account. Must be
core
. - password_hash (string): the hashed password for the account.
- ssh_authorized_keys (list of strings): a list of SSH keys to be added as an SSH key fragment at
.ssh/authorized_keys.d/ignition
in the user’s home directory. All SSH keys must be unique. - ssh_authorized_keys_local (list of strings): a list of local paths to SSH key files, relative to the directory specified by the
--files-dir
command-line argument, to be added as SSH key fragments at.ssh/authorized_keys.d/ignition
in the user’s home directory. All SSH keys must be unique. Each file may contain multiple SSH keys, one per line.
- name (string): the username for the account. Must be
- users (list of objects): the list of accounts that shall exist. All users must have a unique
- boot_device (object): describes the desired boot device configuration. At least one of
luks
ormirror
must be specified.- layout (string): the disk layout of the target OS image. Supported values are
aarch64
,ppc64le
, andx86_64
. Defaults tox86_64
. - luks (object): describes the clevis configuration for encrypting the root filesystem.
- tang (list of objects): describes a tang server. Every server must have a unique
url
.- url (string): url of the tang server.
- thumbprint (string): thumbprint of a trusted signing key.
- advertisement (string): the advertisement JSON. If not specified, the advertisement is fetched from the tang server during provisioning.
- tpm2 (boolean): whether or not to use a tpm2 device.
- threshold (integer): sets the minimum number of pieces required to decrypt the device. Default is 1.
- discard (boolean): whether to issue discard commands to the underlying block device when blocks are freed. Enabling this improves performance and device longevity on SSDs and space utilization on thinly provisioned SAN devices, but leaks information about which disk blocks contain data. If omitted, it defaults to false.
- tang (list of objects): describes a tang server. Every server must have a unique
- mirror (object): describes mirroring of the boot disk for fault tolerance.
- devices (list of strings): the list of whole-disk devices (not partitions) to include in the disk array, referenced by their absolute path. At least two devices must be specified.
- layout (string): the disk layout of the target OS image. Supported values are
- grub (object): Unsupported
- users (list of objects): Unsupported
- name (string): Unsupported
- password_hash (string): Unsupported
- users (list of objects): Unsupported
- openshift (object): describes miscellaneous OpenShift configuration. Respected when rendering to a MachineConfig, ignored when rendering directly to an Ignition config.
- kernel_type (string): which kernel to use on the node. Must be
default
orrealtime
. - kernel_arguments (list of strings): arguments to be added to the kernel command line.
- extensions (list of strings): RHCOS extensions to be installed on the node.
- fips (boolean): whether or not to enable FIPS 140-2 compatibility. If omitted, defaults to false.
- kernel_type (string): which kernel to use on the node. Must be