With the networking portions complete, the next step in installing the OpenShift Container Platform cluster is to install RHEL 8.1 on the provisioner node. This node is used as the orchestrator while installing the OCP cluster on the three Control Plane (master) nodes and at least two worker nodes. For the purposes of this document, installing RHEL on the provisioner node is out of scope. However, options include but are not limited to using a RHEL Satellite server, PXE, or installation media.
Perform the following steps to prepare the environment.
Log in to the provisioner node via ssh.

Create a user (for example, kni) to deploy as non-root and provide that user sudo privileges.
[root@provisioner ~]# useradd kni
[root@provisioner ~]# passwd kni
[root@provisioner ~]# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
[root@provisioner ~]# chmod 0440 /etc/sudoers.d/kni
Create an ssh key for the new user.
[root@provisioner ~]# su - kni -c "ssh-keygen -t ed25519 -f /home/kni/.ssh/id_rsa -N ''"
Log in as the new user on the provision node.
[root@provisioner ~]# su - kni
[kni@provisioner ~]$
Use Red Hat Subscription Manager to register your environment.
[kni@provisioner ~]$ sudo subscription-manager register --username=<user> --password=<pass> --auto-attach
[kni@provisioner ~]$ sudo subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms --enable=rhel-8-for-x86_64-baseos-rpms
For more information about Red Hat Subscription Manager, see Using and Configuring Red Hat Subscription Manager.
Install the following packages.
[kni@provisioner ~]$ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitool
Add the newly created user to the libvirt group.
[kni@provisioner ~]$ sudo usermod --append --groups libvirt <user>
Restart firewalld and enable the http service.
[kni@provisioner ~]$ sudo systemctl start firewalld
[kni@provisioner ~]$ sudo firewall-cmd --zone=public --add-service=http --permanent
[kni@provisioner ~]$ sudo firewall-cmd --reload
Start and enable the libvirtd service.
[kni@provisioner ~]$ sudo systemctl start libvirtd
[kni@provisioner ~]$ sudo systemctl enable libvirtd --now
Create the default storage pool and start it.
[kni@provisioner ~]$ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images
[kni@provisioner ~]$ sudo virsh pool-start default
[kni@provisioner ~]$ sudo virsh pool-autostart default
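To confirm the pool is active and set to autostart, a quick check can be run (a sketch; output formatting varies by libvirt version):

[kni@provisioner ~]$ sudo virsh pool-list --all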
Configure networking.
This step can also be run from the web console.
[kni@provisioner ~]$ export PUB_CONN=<baremetal_nic_name>
[kni@provisioner ~]$ export PROV_CONN=<prov_nic_name>
[kni@provisioner ~]$ sudo nohup bash -c '
    nmcli con down "$PROV_CONN"
    nmcli con down "$PUB_CONN"
    nmcli con delete "$PROV_CONN"
    nmcli con delete "$PUB_CONN"
    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    nmcli con down "System $PUB_CONN"
    nmcli con delete "System $PUB_CONN"
    nmcli connection add ifname provisioning type bridge con-name provisioning
    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    nmcli connection add ifname baremetal type bridge con-name baremetal
    nmcli con add type bridge-slave ifname "$PUB_CONN" master baremetal
    nmcli con down "$PUB_CONN";pkill dhclient;dhclient baremetal
    nmcli connection modify provisioning ipv6.addresses fd00:1101::1/64 ipv6.method manual
    nmcli con down provisioning
    nmcli con up provisioning
'
The IPv6 address may be any address as long as it is not routable via the baremetal network. Ensure that UEFI is enabled and the UEFI PXE settings are set to the IPv6 protocol when using IPv6 addressing.
ssh back into the provisioner node (if required).
# ssh provisioner.<cluster-name>.<domain>
Verify the connection bridges have been properly created.
[kni@provisioner ~]$ sudo nmcli con show
NAME               UUID                                  TYPE      DEVICE
baremetal          4d5133a5-8351-4bb9-bfd4-3af264801530  bridge    baremetal
provisioning       43942805-017f-4d7d-a2c2-7cb3324482ed  bridge    provisioning
virbr0             d9bca40f-eee1-410b-8879-a2d4bb0465e7  bridge    virbr0
bridge-slave-eno1  76a8ed50-c7e5-4999-b4f6-6d9014dd0812  ethernet  eno1
bridge-slave-eno2  f31c3353-54b7-48de-893a-02d2b34c4736  ethernet  eno2
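If you set the static IPv6 address on the provisioning bridge earlier, you can also confirm it was applied (a minimal check; fd00:1101::1/64 is the example value used above):

[kni@provisioner ~]$ ip addr show provisioning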
Create a pull-secret.txt file.
[kni@provisioner ~]$ vim pull-secret.txt
In a web browser, navigate to Install on Bare Metal with user-provisioned infrastructure, and scroll down to the Downloads section. Click Copy pull secret. Paste the contents into the pull-secret.txt file and save the contents in the kni user’s home directory.
The latest-4.x version of the installer can be used to deploy the latest Generally Available version of OpenShift Container Platform:
[kni@provisioner ~]$ export VERSION=latest-4.4
[kni@provisioner ~]$ export RELEASE_IMAGE=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')
After retrieving the installer, the next step is to extract it.
Set the environment variables:
[kni@provisioner ~]$ export cmd=openshift-baremetal-install
[kni@provisioner ~]$ export pullsecret_file=~/pull-secret.txt
[kni@provisioner ~]$ export extract_dir=$(pwd)
Get the oc binary:
[kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux-$VERSION.tar.gz | tar zxvf - oc
Extract the installer:
[kni@provisioner ~]$ sudo cp oc /usr/local/bin
[kni@provisioner ~]$ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${RELEASE_IMAGE}
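The image-caching steps later in this document invoke /usr/local/bin/openshift-baremetal-install, so it is convenient to copy the freshly extracted binary there as well (a suggested step; openshift-baremetal-install is the $cmd binary extracted above into the current directory):

[kni@provisioner ~]$ sudo cp openshift-baremetal-install /usr/local/bin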
To employ image caching, you must download two images: the Red Hat Enterprise Linux CoreOS (RHCOS) image used by the bootstrap VM and the RHCOS image used by the installer to provision the different nodes. Image caching is optional, but especially useful when running the installer on a network with limited bandwidth.
If you are running the installer on a network with limited bandwidth and the RHCOS images take more than 15 to 20 minutes to download, the installer will time out. Caching the images on a web server helps in such scenarios.
Use the following steps to install a container that contains the images.
Install podman.
[kni@provisioner ~]$ sudo dnf install -y podman
Open firewall port 8080 to be used for RHCOS image caching.
[kni@provisioner ~]$ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent
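Because the port is added with --permanent, it takes effect only after the firewall configuration is reloaded. A minimal way to apply it immediately (assuming no runtime-only rules need to be preserved):

[kni@provisioner ~]$ sudo firewall-cmd --reload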
Create a directory to store the bootstraposimage and clusterosimage.
[kni@provisioner ~]$ mkdir /home/kni/rhcos_image_cache
Set the appropriate SELinux context for the newly created directory.
[kni@provisioner ~]$ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"
[kni@provisioner ~]$ sudo restorecon -Rv rhcos_image_cache/
Get the commit ID from the installer. The ID determines which images the installer needs to download.
[kni@provisioner ~]$ export COMMIT_ID=$(/usr/local/bin/openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
Get the URI for the RHCOS image that the installer will deploy on the nodes.
[kni@provisioner ~]$ export RHCOS_OPENSTACK_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .images.openstack.path | sed 's/"//g')
Get the URI for the RHCOS image that the installer will deploy on the bootstrap VM.
[kni@provisioner ~]$ export RHCOS_QEMU_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .images.qemu.path | sed 's/"//g')
Get the path where the images are published.
[kni@provisioner ~]$ export RHCOS_PATH=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .baseURI | sed 's/"//g')
Get the SHA hash for the RHCOS image that will be deployed on the bootstrap VM.
[kni@provisioner ~]$ export RHCOS_QEMU_SHA_UNCOMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq -r '.images.qemu["uncompressed-sha256"]')
Get the SHA hash for the RHCOS image that will be deployed on the nodes.
[kni@provisioner ~]$ export RHCOS_OPENSTACK_SHA_COMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq -r '.images.openstack.sha256')
Download the images and place them in the /home/kni/rhcos_image_cache directory.
[kni@provisioner ~]$ curl -L ${RHCOS_PATH}${RHCOS_QEMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI}
[kni@provisioner ~]$ curl -L ${RHCOS_PATH}${RHCOS_OPENSTACK_URI} -o /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI}
Confirm the SELinux type is httpd_sys_content_t for the newly created files.
[kni@provisioner ~]$ ls -Z /home/kni/rhcos_image_cache
Create the pod.
[kni@provisioner ~]$ podman run -d --name rhcos_image_cache \
  -v /home/kni/rhcos_image_cache:/var/www/html \
  -p 8080:8080/tcp \
  registry.centos.org/centos/httpd-24-centos7:latest
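When you later create the install-config.yaml file, the cached images can be referenced through the bootstrapOSImage and clusterOSImage parameters under platform.baremetal. A minimal sketch, assuming the cache is reachable at the provisioner node's baremetal IP on port 8080 and substituting the file names and SHA values downloaded and exported above:

platform:
  baremetal:
    bootstrapOSImage: http://<provisioner-ip>:8080/<RHCOS_QEMU_URI>?sha256=<RHCOS_QEMU_SHA_UNCOMPRESSED>
    clusterOSImage: http://<provisioner-ip>:8080/<RHCOS_OPENSTACK_URI>?sha256=<RHCOS_OPENSTACK_SHA_COMPRESSED>

Replace the angle-bracket placeholders with the literal values; install-config.yaml does not expand environment variables.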
Configuring the install-config.yaml file

The install-config.yaml file requires some additional details. Most of the information teaches the installer, and the resulting cluster, enough about the available hardware to be able to fully manage it.
Configure install-config.yaml. Change the appropriate variables to match your environment, including pullSecret and sshKey.
apiVersion: v1
baseDomain: <domain>
metadata:
  name: <cluster-name>
networking:
  machineCIDR: <public-cidr>
  networkType: OVNKubernetes
compute:
- name: worker
  replicas: 2
controlPlane:
  name: master
  replicas: 3
  platform:
    baremetal: {}
platform:
  baremetal:
    apiVIP: <api-ip>
    ingressVIP: <wildcard-ip>
    dnsVIP: <dns-ip>
    provisioningBridge: provisioning
    provisioningNetworkCIDR: 172.22.0.0/24
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: ipmi://<out-of-band-ip>
          username: <user>
          password: <password>
        bootMACAddress: <NIC1-mac-address>
        hardwareProfile: default
      - name: openshift-master-1
        role: master
        bmc:
          address: ipmi://<out-of-band-ip>
          username: <user>
          password: <password>
        bootMACAddress: <NIC1-mac-address>
        hardwareProfile: default
      - name: openshift-master-2
        role: master
        bmc:
          address: ipmi://<out-of-band-ip>
          username: <user>
          password: <password>
        bootMACAddress: <NIC1-mac-address>
        hardwareProfile: default
      - name: openshift-worker-0
        role: worker
        bmc:
          address: ipmi://<out-of-band-ip>
          username: <user>
          password: <password>
        bootMACAddress: <NIC1-mac-address>
        hardwareProfile: unknown
      - name: openshift-worker-1
        role: worker
        bmc:
          address: ipmi://<out-of-band-ip>
          username: <user>
          password: <password>
        bootMACAddress: <NIC1-mac-address>
        hardwareProfile: unknown
pullSecret: '<pull_secret>'
sshKey: '<ssh_pub_key>'
Create a directory to store cluster configs.
[kni@provisioner ~]$ mkdir ~/clusterconfigs
[kni@provisioner ~]$ cp install-config.yaml ~/clusterconfigs
Ensure all bare metal nodes are powered off prior to installing the OpenShift Container Platform cluster.
[kni@provisioner ~]$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
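To confirm that each node is actually powered off before starting the deployment, the power state can be queried with the same credentials (a sketch):

[kni@provisioner ~]$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power status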
Ensure that old bootstrap resources are removed, if any are left over from a previous deployment attempt.
for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
do
  sudo virsh destroy $i;
  sudo virsh undefine $i;
  sudo virsh vol-delete $i --pool default;
  sudo virsh vol-delete $i.ign --pool default;
done
install-config parameters

This topic describes the required parameters, the hosts parameter, and the bmc address parameter for the install-config.yaml file.
Parameters                   | Default | Description
provisioningNetworkInterface |         | The name of the network interface on control plane nodes connected to the provisioning network. (OpenShift Container Platform 4.4 only)
hosts                        |         | Details about bare metal hosts to use to build the cluster.
defaultMachinePlatform       |         | The default configuration used for machine pools without a platform configuration.
apiVIP                       |         | The VIP to use for internal API communication. This setting must either be provided or pre-configured in DNS so that the default name resolves correctly.
ingressVIP                   |         | The VIP to use for Ingress traffic. This setting must either be provided or pre-configured in DNS so that the default name resolves correctly.
dnsVIP                       |         | The VIP to use for internal DNS communication. This setting has no default and must always be provided.
The hosts parameter is a list of separate bare metal assets that should be used to build the cluster.
Name           | Default | Description
name           |         | The name of the host.
role           |         | Either master or worker.
bmc            |         | Connection details for the baseboard management controller. See below for details.
bootMACAddress |         | The MAC address of the NIC the host will use to boot on the provisioning network.
The bmc parameter for each host is a set of values for accessing the baseboard management controller in the host.
Name     | Default | Description
username |         | The username for authenticating to the BMC.
password |         | The password associated with username.
address  |         | The URL for communicating with the BMC controller, based on the provider being used. See BMC Addressing for details.
Keep the following in mind when providing values for the bmc address field.
The address field for each bmc entry is a URL with details for connecting to the controller, including the type of controller in the URL scheme and its location on the network.
IPMI hosts use ipmi://<host>:<port>. An unadorned <host>:<port> is also accepted. If the port is omitted, the default of 623 is used.
Dell iDRAC hosts use idrac:// (or idrac+http:// to disable TLS).
Fujitsu iRMC hosts use irmc://<host>:<port>, where <port> is optional if using the default.
For Redfish, use redfish:// (or redfish+http:// to disable TLS). The hostname (or IP address) and the path to the system ID are both required. For example, redfish://myhost.example/redfish/v1/Systems/System.Embedded.1 or redfish://myhost.example/redfish/v1/Systems/1.
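Putting these conventions together, a host's bmc section in install-config.yaml might look like the following (a sketch; the Redfish system path and credentials are illustrative placeholders):

bmc:
  address: redfish://myhost.example/redfish/v1/Systems/1
  username: <user>
  password: <password>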
In some cases, you might want to install an OpenShift KNI cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.
A local, or mirrored, copy of the registry requires the following:
A certificate for the registry node. This can be a self-signed certificate.
A web server. This will be served by a container on a system.
An updated pull secret that contains the certificate and local repository information.
Creating a disconnected registry on a registry node is optional. The subsequent sections are labeled "(optional)" because you need to execute them only when creating a disconnected registry; execute all of them if you are creating one.
Make the following changes to the registry node.
Open the firewall port on the registry node.
[user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt --permanent
[user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public --permanent
[user@registry ~]$ sudo firewall-cmd --reload
Install the required packages for the registry node.
[user@registry ~]$ sudo yum -y install python3 podman httpd httpd-tools jq
Create the directory structure where the repository information will be held.
[user@registry ~]$ sudo mkdir -p /opt/registry/{auth,certs,data}
Generate a self-signed certificate for the registry node and put it in the /opt/registry/certs directory. Adjust the certificate information as appropriate.
[user@registry ~]$ host_fqdn=$( hostname --long )
[user@registry ~]$ cert_c="<Country Name>"      # Country Name (C, 2 letter code)
[user@registry ~]$ cert_s="<State>"             # Certificate State (S)
[user@registry ~]$ cert_l="<Locality>"          # Certificate Locality (L)
[user@registry ~]$ cert_o="<Organization>"      # Certificate Organization (O)
[user@registry ~]$ cert_ou="<Org Unit>"         # Certificate Organizational Unit (OU)
[user@registry ~]$ cert_cn="${host_fqdn}"       # Certificate Common Name (CN)
[user@registry ~]$ openssl req \
    -newkey rsa:4096 \
    -nodes \
    -sha256 \
    -keyout /opt/registry/certs/domain.key \
    -x509 \
    -days 365 \
    -out /opt/registry/certs/domain.crt \
    -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
When replacing <Country Name>, ensure that it only contains two letters. For example, US.
Update the registry node’s ca-trust with the new certificate.
[user@registry ~]$ sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
[user@registry ~]$ sudo update-ca-trust extract
The registry container uses the /opt/registry directory for certificates, authentication files, and its data files. The registry container uses httpd and needs an htpasswd file for authentication.

Create an htpasswd file in /opt/registry/auth for the container to use.
[user@registry ~]$ htpasswd -bBc /opt/registry/auth/htpasswd <user> <passwd>
Replace <user> with the user name and <passwd> with the password.
Create and start the registry container.
[user@registry ~]$ podman create \
  --name ocpdiscon-registry \
  -p 5000:5000 \
  -e "REGISTRY_AUTH=htpasswd" \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
  -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
  -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
  -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true" \
  -v /opt/registry/data:/var/lib/registry:z \
  -v /opt/registry/auth:/auth:z \
  -v /opt/registry/certs:/certs:z \
  docker.io/library/registry:2
[user@registry ~]$ podman start ocpdiscon-registry
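Once the container is running, you can optionally confirm that the registry responds over TLS with the credentials created above (a sketch; /v2/_catalog is part of the standard registry HTTP API and should return an empty repository list at this point):

[user@registry ~]$ curl -u <user>:<passwd> https://${host_fqdn}:5000/v2/_catalog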
Copy the pull secret file from the provisioner node to the registry node and modify it to include the authentication information for the new registry node.
Copy the pull-secret.txt file.
[user@registry ~]$ scp kni@provisioner:/home/kni/pull-secret.txt pull-secret.txt
Update the host_fqdn environment variable with the fully qualified domain name of the registry node.
[user@registry ~]$ host_fqdn=$( hostname --long )
Update the b64auth environment variable with the base64 encoding of the http credentials used to create the htpasswd file.
[user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 )
Replace <username> with the user name and <passwd> with the password.
Set the AUTHSTRING environment variable to use the base64 authorization string. The $USER variable is an environment variable containing the name of the current user.
[user@registry ~]$ AUTHSTRING="{\"$host_fqdn:5000\": {\"auth\": \"$b64auth\",\"email\": \"$USER@redhat.com\"}}"
Update the pull-secret.txt file.
[user@registry ~]$ jq ".auths += $AUTHSTRING" < pull-secret.txt > pull-secret-update.txt
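For reference, the command above merges one additional entry into the auths object of the pull secret, roughly of the following shape (placeholders shown instead of real values; the existing entries remain untouched):

{
  "auths": {
    "<host_fqdn>:5000": {
      "auth": "<b64auth>",
      "email": "<user>@redhat.com"
    }
  }
}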
Copy the oc binary from the provisioner node to the registry node.
[user@registry ~]$ sudo scp kni@provisioner:/usr/local/bin/oc /usr/local/bin
Mirror the remote install images to the local repository.
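The mirror command below relies on the UPSTREAM_REPO, LOCAL_REG, LOCAL_REPO, and VERSION environment variables, which are not set by the earlier registry-node steps; set them before running it. One possible way to do so (a sketch; the local repository name is illustrative, and the release image is looked up the same way as on the provisioner node):

[user@registry ~]$ export VERSION=latest-4.4
[user@registry ~]$ export UPSTREAM_REPO=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')
[user@registry ~]$ export LOCAL_REG="${host_fqdn}:5000"
[user@registry ~]$ export LOCAL_REPO='ocp4/openshift4'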
[user@registry ~]$ /usr/local/bin/oc adm release mirror \
  -a pull-secret-update.txt \
  --from=$UPSTREAM_REPO \
  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
  --to=$LOCAL_REG/$LOCAL_REPO
Modify the install-config.yaml file to use the disconnected registry (optional)

On the provisioner node, the install-config.yaml file should use the newly created pull secret from the pull-secret-update.txt file. The install-config.yaml file must also contain the disconnected registry node’s certificate and registry information.
Add the disconnected registry node’s certificate to the install-config.yaml file. The certificate should follow the "additionalTrustBundle: |" line and be properly indented, usually by two spaces.
[kni@provisioner ~]$ echo "additionalTrustBundle: |" >> install-config.yaml [kni@provisioner ~]$ sed -e 's/^/ /' /opt/registry/certs/domain.crt >> install-config.yaml
Add the mirror information for the registry to the install-config.yaml file.
[kni@provisioner ~]$ echo "imageContentSources:" >> install-config.yaml [kni@provisioner ~]$ echo "- mirrors:" >> install-config.yaml [kni@provisioner ~]$ echo " - registry.example.com:5000/ocp4/openshift4" >> install-config.yaml [kni@provisioner ~]$ echo " source: quay.io/openshift-release-dev/ocp-v4.0-art-dev" >> install-config.yaml [kni@provisioner ~]$ echo "- mirrors:" >> install-config.yaml [kni@provisioner ~]$ echo " - registry.example.com:5000/ocp4/openshift4" >> install-config.yaml [kni@provisioner ~]$ echo " source: registry.svc.ci.openshift.org/ocp/release" >> install-config.yaml [kni@provisioner ~]$ echo "- mirrors:" >> install-config.yaml [kni@provisioner ~]$ echo " - registry.example.com:5000/ocp4/openshift4" >> install-config.yaml [kni@provisioner ~]$ echo " source: quay.io/openshift-release-dev/ocp-release" >> install-config.yaml
Replace registry.example.com with your registry’s fully qualified domain name.
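After running these commands, the section appended to install-config.yaml reads as follows (shown here with the example registry name for reference):

imageContentSources:
- mirrors:
  - registry.example.com:5000/ocp4/openshift4
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
- mirrors:
  - registry.example.com:5000/ocp4/openshift4
  source: registry.svc.ci.openshift.org/ocp/release
- mirrors:
  - registry.example.com:5000/ocp4/openshift4
  source: quay.io/openshift-release-dev/ocp-release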
During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If the initial cluster has only one worker node, or if a deployed cluster requires additional routers to handle external traffic loads destined for services within the OpenShift Container Platform cluster, you may create a yaml file to set an appropriate number of router replicas.
By default, the installer deploys two routers. If the cluster has at least two worker nodes, you can skip this section. For more information on the Ingress Operator, see Ingress Operator in OpenShift Container Platform.
If the cluster has no worker nodes, the installer deploys the two routers on the master nodes by default, and you can skip this section.
Create a router-replicas.yaml file.
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  replicas: <num-of-router-pods>
  endpointPublishingStrategy:
    type: HostNetwork
  nodePlacement:
    nodeSelector:
      matchLabels:
        node-role.kubernetes.io/worker: ""
Replace <num-of-router-pods> with an appropriate value.
Save and copy the router-replicas.yaml file to the clusterconfigs/openshift directory.
cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yaml
The OpenShift Container Platform installer has been retrieved.
The OpenShift Container Platform installer has been extracted.
Required parameters for the install-config.yaml have been configured.
The hosts parameter for the install-config.yaml has been configured.
The bmc parameter for the install-config.yaml has been configured.
Conventions for the values configured in the bmc address field have been applied.
A disconnected registry has been created (optional).
Disconnected registry settings have been validated, if in use (optional).
Routers have been deployed on worker nodes (optional).