OpenShift v3 (Mega Tutorial) – Part 1 – Base Installation


OpenShift v3 – Base installation

There are two installation processes:

  1. Simple: That it can be done in three ways. I will not follow those methods, but if you can try it you can follow the available OpenShift documentation
    • Docker container: You can download the all-in-one image from dockerhub.
    • Download binaries: Red Hat offers binaries to be run in our system. Another all-in-one model available on the OpenShift github.
    • Source code: As OpenShift is Open Source you can download and compile it. All-in-one also available in github
  2. Advanced: It uses Ansible and we are going to do it during this tutorial, because it will be a production-like environment.

Do we start?

All the commands must be done with root user.

First of all I am going to install a DNS server, although it could be created in Master is recommended to be in a external system, I am going to install it on the Gateway

yum install bind bind-utils
yum install bind-utils

The next step is to configure the server, so lets edit the file /etc/named.conf as follows:

// named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
// See /usr/share/doc/bind*/sample/ for example named configuration files.

options {
listen-on port 53 { any; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
forwarders {; };

- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
recursion yes;

dnssec-enable no;
dnssec-validation no;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/";
session-keyfile "/run/named/session.key";

logging {
channel default_debug {
file "data/";
severity dynamic;

zone "." IN {
type hint;
file "";

zone "osc.test" IN {
type master;
file "";

zone "100.168.192.IN-ADDR.ARPA." IN {
type master;
file "";

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Now the zone and reverse files /var/named/ This is my sample configuration, IPs, hostnames, domains, etc, cn be configured as your needs:

$ORIGIN osc.test.
@ IN SOA osc.test. root.osc.test. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS gw.osc.test.
@ IN A
gw     IN A
master IN A
node-1 IN A
node-2 IN A
; This wildcard record is intended to allow OpenShift router to route applications by hostname
*.apps.osc.test. 300 IN A

$ORIGIN 100.168.192.IN-ADDR.ARPA.
@ IN SOA osc.test. root.osc.test. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS gw.osc.test.
99  PTR gw.osc.test.
100 PTR master.osc.test.
101 PTR node-1.osc.test.
102 PTR node-2.osc.test.

Configuring files owner

chown named:named /var/named/{,}

Is time to start and enable the service.

systemctl start named

systemctl enable named

At the end is necessary to adjust the firewall

firewall-cmd --add-service=dns

firewall-cmd --add-service=dns --permanent

From any of the nodes, that should be configured to use the Master as DNS inside the /etc/resolv.conf file, lets do a zone transfer:

root@node-1 ~]# dig -t axfr osc.test

; DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 -t axfr osc.test
;; global options: +cmd
osc.test. 10800 IN SOA osc.test. root.osc.test. 0 86400 3600 604800 10800
osc.test. 10800 IN NS gw.osc.test.
osc.test. 10800 IN A
gw.osc.test.     10800 IN A
master.osc.test. 10800 IN A
node-1.osc.test. 10800 IN A
node-2.osc.test. 10800 IN A
osc.test. 10800 IN SOA osc.test. root.osc.test. 0 86400 3600 604800 10800
;; Query time: 0 msec
;; WHEN: Thu Sep 01 12:19:41 UTC 2016
;; XFR size: 7 records (messages 1, bytes 202)


In advance of future configurations, I am going to let the firewall configured.


Node to Node
Port Protocol Description
4789 UDP Required to SDN communication between pods in different nodes
Nodes to Master
Port Protocol Description
8053 TCP/UDP dnsmasq usage
4789 UDP Required to SDN communication between pods in different nodes
8443 TCP Required to management API access
Master to Nodes
Port Protocol Description
80 TCP Required to route applications
4789 UDP Required to SDN communication between pods in different nodes
10250 TCP This port is intended for the Master to proxies through kubelet the oc commands


Packages installation

It is time to install interesting stuff. Lets start with the basis:

yum install wget git net-tools bind-utils iptables-services bridge-utils bash-completion

Lets install the EPEL repositories, although it will be disabled

yum -y install

sed -i -e "s/^enabled=1/enabled=0/" /etc/yum.repos.d/epel.repo

The installation of openshift-ansible will be done on the Gateway only. It will be the tool we will use for the OpenShift installation.

First is necessary to install ansible, that is in the EPEL reopistories, and after that lets clone the openshift-ansible github repository. We must be sure that we are on the master branch.

yum -y --enablerepo=epel install ansible pyOpenSSL

cd ~

git clone

cd openshift-ansible

git checkout master


Time to install and configure docker to use the internal registry:

yum install docker

sed -i '/OPTIONS=.*/c\OPTIONS="--selinux-enabled --insecure-registry"' /etc/sysconfig/docker

cat <<EOF > /etc/sysconfig/docker-storage-setup
systemctl start docker
systemctl enable docker

When modifying OPTIONS as before we configure docker to trust any registry inside that subnet without validate the certificates. Docker requires by default valid certificates in order to access a registry. This is a security system. Of course we can create our own certificates for the internal registry, but it is out of the scope of this tutorial.

You should set in DEVS option from persisten storage configuration the device you wnat to use.


At last we are going to configure the Gateway in order to access via SSH to the nodes with the creation of a rsa key with blank passphrase

ssh-copy-id root@master.osc.test
ssh-copy-id root@node-1.osc.test
ssh-copy-id root@node-2.osc.test


And here ends the base installation. On the next post I am going to show the installation of our cluster, but first we take a look how Ansible works. See you.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.