OpenShift v3 – Base installation
There are two installation processes:
- Simple: it can be done in three ways. I will not follow these methods, but if you want to try them you can follow the available OpenShift documentation:
  - Docker container: you can download the all-in-one image from Docker Hub.
  - Download binaries: Red Hat offers binaries to run on our system. Another all-in-one model is available on the OpenShift GitHub.
  - Source code: as OpenShift is open source, you can download and compile it. An all-in-one build is also available on GitHub.
- Advanced: it uses Ansible, and it is the one we are going to follow during this tutorial, because it gives a production-like environment.
Shall we start?
All commands must be run as the root user.
First of all I am going to install a DNS server. Although it could be created on the Master, it is recommended to have it on an external system, so I am going to install it on the Gateway:
```
yum install bind bind-utils
yum install bind-utils
```
The next step is to configure the server, so let's edit the file /etc/named.conf as follows:
```
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        forwarders { 8.8.8.8; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "osc.test" IN {
        type master;
        file "osc.test.zone";
};

zone "100.168.192.IN-ADDR.ARPA." IN {
        type master;
        file "100.168.192.IN-ADDR.ARPA.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
Now the zone and reverse files, /var/named/osc.test.zone and /var/named/100.168.192.IN-ADDR.ARPA.zone. This is my sample configuration; IPs, hostnames, domains, etc. can be adjusted to your needs:
```
$ORIGIN osc.test.
$TTL 3H
@       IN SOA  osc.test. root.osc.test. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      gw.osc.test.
@       IN A    192.168.100.99
gw      IN A    192.168.100.99
master  IN A    192.168.100.100
node-1  IN A    192.168.100.101
node-2  IN A    192.168.100.102
; This wildcard record is intended to allow OpenShift router to route applications by hostname
*.apps.osc.test.  300 IN A 192.168.100.100
```

```
$ORIGIN 100.168.192.IN-ADDR.ARPA.
$TTL 3H
@       IN SOA  osc.test. root.osc.test. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      gw.osc.test.
99      PTR     gw.osc.test.
100     PTR     master.osc.test.
101     PTR     node-1.osc.test.
102     PTR     node-2.osc.test.
```
Set the owner of the zone files:
```
chown named:named /var/named/{osc.test.zone,100.168.192.IN-ADDR.ARPA.zone}
```
It is time to start and enable the service:
```
systemctl start named
systemctl enable named
```
Finally, it is necessary to adjust the firewall:
```
firewall-cmd --add-service=dns
firewall-cmd --add-service=dns --permanent
```
From any of the nodes (they should be configured to use the Gateway, where named runs, as DNS server in /etc/resolv.conf), let's do a zone transfer:
```
[root@node-1 ~]# dig -t axfr osc.test

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -t axfr osc.test
;; global options: +cmd
osc.test.               10800   IN      SOA     osc.test. root.osc.test. 0 86400 3600 604800 10800
osc.test.               10800   IN      NS      gw.osc.test.
osc.test.               10800   IN      A       192.168.100.99
gw.osc.test.            10800   IN      A       192.168.100.99
master.osc.test.        10800   IN      A       192.168.100.100
node-1.osc.test.        10800   IN      A       192.168.100.101
node-2.osc.test.        10800   IN      A       192.168.100.102
osc.test.               10800   IN      SOA     osc.test. root.osc.test. 0 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 192.168.100.99#53(192.168.100.99)
;; WHEN: Thu Sep 01 12:19:41 UTC 2016
;; XFR size: 7 records (messages 1, bytes 202)
```
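The zone transfer above shows the forward zone only. A quick way to catch the usual hand-editing mistakes before they surface as failed reverse lookups or a router that cannot resolve application hostnames is to cross-check the forward and reverse zone files against each other. The script below is an added example, not part of the original post: it carries a small reader for the BIND master-file syntax used above (enough for these two zones, not a full parser), verifies that every A record has a matching PTR and vice versa, and that the router wildcard is present. The zone text is an inline copy of the files shown above; the file names and the 172-free lab addressing are taken from the post, everything else is the example's own.

```python
"""Cross-check the forward and reverse zones written above (added example)."""
import re

# Constructed inline copies of /var/named/osc.test.zone and
# /var/named/100.168.192.IN-ADDR.ARPA.zone as they appear in the post.
FORWARD_ZONE = """\
$ORIGIN osc.test.
$TTL 3H
@       IN SOA  osc.test. root.osc.test. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      gw.osc.test.
@       IN A    192.168.100.99
gw      IN A    192.168.100.99
master  IN A    192.168.100.100
node-1  IN A    192.168.100.101
node-2  IN A    192.168.100.102
; wildcard used by the OpenShift router
*.apps.osc.test.  300 IN A 192.168.100.100
"""

REVERSE_ZONE = """\
$ORIGIN 100.168.192.IN-ADDR.ARPA.
$TTL 3H
@       IN SOA  osc.test. root.osc.test. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      gw.osc.test.
99      PTR     gw.osc.test.
100     PTR     master.osc.test.
101     PTR     node-1.osc.test.
102     PTR     node-2.osc.test.
"""

_TTL = re.compile(r"\d+[smhdwSMHDW]?")


def parse_zone(zone_text):
    """Yield (owner_fqdn, rrtype, rdata) for each record in a master file.

    Handles $ORIGIN, ';' comments, owner inheritance (lines starting with
    whitespace) and the parenthesised multi-line SOA.
    """
    origin, last_owner, buf = "", "", ""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue                      # still inside a ( ... ) record
        stmt, buf = buf, ""
        tokens = stmt.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0].startswith("$"):     # $TTL and other directives
            continue
        if stmt[0].isspace():
            owner = last_owner            # owner inherited from previous record
        else:
            owner = last_owner = tokens.pop(0)
        while tokens and (tokens[0].upper() == "IN" or _TTL.fullmatch(tokens[0])):
            tokens.pop(0)                 # optional TTL and class
        rrtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.lower()
        else:
            fqdn = f"{owner}.{origin}".lower()
        yield fqdn, rrtype, rdata


def reverse_name(ip):
    """192.168.100.101 -> 101.100.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def check_zones(forward_text, reverse_text):
    """Return a sorted list of findings; an empty list means the zones agree."""
    names_by_ip, wildcard_present = {}, False
    for fqdn, rrtype, rdata in parse_zone(forward_text):
        if rrtype != "A":
            continue
        if fqdn.startswith("*."):
            wildcard_present = True       # the router wildcard has no PTR by design
            continue
        names_by_ip.setdefault(rdata, set()).add(fqdn)
    ptr_by_rev = {fqdn: rdata.lower()
                  for fqdn, rrtype, rdata in parse_zone(reverse_text) if rrtype == "PTR"}

    findings = []
    for ip, names in names_by_ip.items():
        target = ptr_by_rev.get(reverse_name(ip))
        if target is None:
            findings.append(f"no PTR for {ip} ({', '.join(sorted(names))})")
        elif target not in names:
            findings.append(f"PTR for {ip} points to {target}, expected one of {sorted(names)}")
    for rev, target in ptr_by_rev.items():
        ip = ".".join(reversed(rev[: -len(".in-addr.arpa.")].split(".")))
        if target not in names_by_ip.get(ip, set()):
            findings.append(f"PTR {rev} -> {target} has no matching A record")
    if not wildcard_present:
        findings.append("no wildcard A record for the OpenShift router")
    return sorted(findings)


if __name__ == "__main__":
    print(check_zones(FORWARD_ZONE, REVERSE_ZONE) or "zones are consistent")
```

Run it after every edit of the zone files; an apex record that shares the Gateway's address (as osc.test. and gw.osc.test. do above) is accepted as long as the PTR points at one of the names for that address. Note also that the named.conf above sets no allow-transfer, so the same AXFR works from any host that can reach port 53 on the Gateway, which is fine on an isolated lab network and worth restricting anywhere else.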
Firewall
Ahead of the configuration to come, I am going to set up the firewall now.
Ports:

| Port | Protocol | Description |
|---|---|---|
| 4789 | UDP | Required for SDN communication between pods on different nodes |

| Port | Protocol | Description |
|---|---|---|
| 8053 | TCP/UDP | dnsmasq usage |
| 4789 | UDP | Required for SDN communication between pods on different nodes |
| 8443 | TCP | Required for management API access |

| Port | Protocol | Description |
|---|---|---|
| 80 | TCP | Required to route applications |
| 4789 | UDP | Required for SDN communication between pods on different nodes |
| 10250 | TCP | Used by the Master to proxy oc commands through the kubelet |
Packages installation
It is time to install the interesting stuff. Let's start with the basics:
```
yum install wget git net-tools bind-utils iptables-services bridge-utils bash-completion
```
Let's install the EPEL repository, although it will be left disabled by default:
```
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sed -i -e "s/^enabled=1/enabled=0/" /etc/yum.repos.d/epel.repo
```
The installation of openshift-ansible will be done on the Gateway only. It is the tool we will use for the OpenShift installation.
First it is necessary to install Ansible, which is in the EPEL repositories, and after that let's clone the openshift-ansible GitHub repository. We must make sure we are on the master branch.
```
yum -y --enablerepo=epel install ansible pyOpenSSL
cd ~
git clone https://github.com/openshift/openshift-ansible
cd openshift-ansible
git checkout master
```
Time to install Docker and configure it to use the internal registry:
```
yum install docker
sed -i '/OPTIONS=.*/c\OPTIONS="--selinux-enabled --insecure-registry 172.30.0.0/16"' /etc/sysconfig/docker
```

```
cat <<EOF > /etc/sysconfig/docker-storage-setup
DEVS=/dev/vdb
VG=docker-vg
EOF
docker-storage-setup
```

```
systemctl start docker
systemctl enable docker
```
Modifying OPTIONS as above configures Docker to trust any registry inside that subnet without validating its certificate. By default Docker requires a valid certificate in order to access a registry; this is a security measure. Of course we could create our own certificates for the internal registry, but that is out of the scope of this tutorial.
In the DEVS option of the persistent storage configuration, set the device you want to use.
Finally, we are going to configure the Gateway for SSH access to the nodes by creating an RSA key with a blank passphrase:
```
ssh-keygen
ssh-copy-id root@master.osc.test
ssh-copy-id root@node-1.osc.test
ssh-copy-id root@node-2.osc.test
```
And here ends the base installation. In the next post I am going to show the installation of our cluster, but first we will take a look at how Ansible works. See you.