OpenShift Origin installation over Fedora 19 (Mega Tutorial) – Part 1


OpenShift Origin

Over several post I ‘ll show how to install OpenShift over Fedora 19.

This is the diagram:

1  “broker” machine with at least 1Gb of RAM y 10 Gb of HDD (I’ll do it over a virtual machine)

1  “node1” machine with at least 1Gb of RAM y 30 Gb of HDD (I’ll do it over a virtual machine too)

It can also be done on a single machine, but to better understand the behavior of each component is best done separately.

Let’s start.

Operating System installation

We must install Fedora 19 on both machines.


Fedora 19 installation

at software selection, we choose minimal install.


Minimal install


Hosts Configurations

  • Systems used : broker and node1

Let’s update both systems after the installation

yum update -y
systemctl reboot

To perform an installation without hassle, the first thing we do is set OpenShift Origin v3 repositories. We assume that we are “root” on both hosts.

cat <<EOF> /etc/yum.repos.d/openshift.repo


It’s important that all systems are synchronized, so let’s install ntp and synchronize with a network clock.

yum install -y ntpdate ntp
systemctl enable ntpd.service
systemctl start ntpd.service

Let’s remove firewalld for simplified management, and install system-config-firewall.

yum remove -y firewalld
yum install -y system-config-firewall

DNS configuration

  • Systems used: broker

First let’s install bind and bind-utils packages, which provide tools for configuring the name server.

yum install -y bind bind-utils

The broker machine will be responsible to manage all nodes, their namespaces, etc. The broker must have access to DNS to modify the entries, so let’s securize the DNS server with DNSSEC.
To avoid a lot of typing, let’s use a few system variables. I’ll use as domain “”, you can use the one you want.

Let’s create DNSSEC key pair, and save private key value on a KEY variable.

cd /var/named
dnssec-keygen -a HMAC-MD5 -b 512 -n USER -r /dev/urandom ${domain}
KEY="$(grep Key: K${domain}*.private | cut -d ' ' -f 2)"
echo $KEY

We must create another key to allow access on DNS server to startup script.

rndc-confgen -a -r /dev/urandom

Let’s configure the owner and the file permissions. Also let’s restore the SELinux context (yes, Enforcing mode will be enabled)

chown -v root:named /etc/rndc.key
chmod -v 640 /etc/rndc.key
restorecon -v /etc/rndc.* /etc/named.*

A forwarder configuration must be created to allow queries to other DNS (for a external resolution)

echo "forwarders {;; } ;" >> /var/named/forwarders.conf
restorecon -v /var/named/forwarders.conf
chmod -v 640 /var/named/forwarders.conf

We create the dynamic resolution directory, and let’s create the config file.

mkdir /var/named/dynamic
cat << EOF >/var/named/dynamic/${domain}.db
\$TTL 1 ; 1 seconds (for testing only)
${domain}       IN SOA  ns1.${domain}. hostmaster.${domain}. (
            2014090100 ; serial
            60         ; refresh (1 minute)
            15         ; retry (15 seconds)
            1800       ; expire (30 minutes)
            10         ; minimum (10 seconds)
        NS  ns1.${domain}.
        MX  10 mail.${domain}.
\$ORIGIN ${domain}.
ns1         A

Let’s verify content

cat /var/named/dynamic/${domain}.db
$TTL 1 ; 1 seconds (for testing only)       IN SOA (
            2014090100 ; serial
            60         ; refresh (1 minute)
            15         ; retry (15 seconds)
            1800       ; expire (30 minutes)
            10         ; minimum (10 seconds)
        MX  10
ns1         A

We install DNSSEC key for the domain, and update the owner and the SELinux context.

cat < /var/named/${domain}.key
key ${domain} {
  algorithm HMAC-MD5;
  secret "${KEY}";
chown -Rv named:named /var/named
restorecon -rv /var/named

Now, the BIND main config file.

cat < /etc/named.conf
// named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
// See /usr/share/doc/bind*/sample/ for example named configuration files.

options {
    listen-on port 53 { any; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };
    recursion yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    // set forwarding to the next nearest server (from DHCP response
    forward only;
    include "forwarders.conf";

logging {
        channel default_debug {
                file "data/";
                severity dynamic;

// use the default rndc key
include "/etc/rndc.key";

controls {
    inet port 953
    allow {; } keys { "rndc-key"; };

include "/etc/named.rfc1912.zones";

include "${domain}.key";

zone "${domain}" IN {
    type master;
    file "dynamic/${domain}.db";
    allow-update { key ${domain} ; } ;
chown -v root:named /etc/named.conf
restorecon -v /etc/named.conf

Let’s configure firewall and enable DNS service

systemctl start iptables
systemctl enable iptables
lokkit --service=dns
systemctl start named

Let’s add broker to DNS

# nsupdate -k ${keyfile}
> server
> update add 180 A
> send

#dig @

Now is the time to configure network.
If we have static configuration, only we need to point to our DNS server.
I’ll show how to configure a DHCP configuration, and how to avoid that DHCP server gives us another DNS server and another domain.

cat <<EOF> /etc/sysconfig/network-scripts/ifcfg-eth0

Finally let’s modify hostname.

cat /etc/hostname

In the next post, let’s configure MongoDB database and ActiveMQ messaging broker. It’s available here.

See you soon.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.