# useradd kni
install-config
parametersWith the configuration of the prerequisites complete, the next step is to install RHEL 9.x on the provisioner node. The installer uses the provisioner node as the orchestrator while installing the OpenShift Container Platform cluster. For the purposes of this document, installing RHEL on the provisioner node is out of scope. However, options include but are not limited to using a RHEL Satellite server, PXE, or installation media.
Perform the following steps to prepare the environment.
Log in to the provisioner node via ssh
.
Create a non-root user (kni
) and provide that user with sudo
privileges:
# useradd kni
# passwd kni
# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
# chmod 0440 /etc/sudoers.d/kni
Create an ssh
key for the new user:
# su - kni -c "ssh-keygen -t ed25519 -f /home/kni/.ssh/id_rsa -N ''"
Log in as the new user on the provisioner node:
# su - kni
Use Red Hat Subscription Manager to register the provisioner node:
$ sudo subscription-manager register --username=<user> --password=<pass> --auto-attach
$ sudo subscription-manager repos --enable=rhel-9-for-<architecture>-appstream-rpms --enable=rhel-9-for-<architecture>-baseos-rpms
For more information about Red Hat Subscription Manager, see Using and Configuring Red Hat Subscription Manager. |
Install the following packages:
$ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitool
Modify the user to add the libvirt
group to the newly created user:
$ sudo usermod --append --groups libvirt <user>
Restart firewalld
and enable the http
service:
$ sudo systemctl start firewalld
$ sudo firewall-cmd --zone=public --add-service=http --permanent
$ sudo firewall-cmd --reload
Start and enable the libvirtd
service:
$ sudo systemctl enable libvirtd --now
Create the default
storage pool and start it:
$ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images
$ sudo virsh pool-start default
$ sudo virsh pool-autostart default
Create a pull-secret.txt
file:
$ vim pull-secret.txt
In a web browser, navigate to Install OpenShift on Bare Metal with installer-provisioned infrastructure. Click Copy pull secret. Paste the contents into the pull-secret.txt
file and save the contents in the kni
user’s home directory.
The OpenShift Container Platform installation program installs the chrony
Network Time Protocol (NTP) service on the cluster nodes. To complete installation, each node must have access to an NTP time server. You can verify NTP server synchronization by using the chrony
service.
For disconnected clusters, you must configure the NTP servers on the control plane nodes. For more information see the Additional resources section.
You installed the chrony
package on the target node.
Log in to the node by using the ssh
command.
View the NTP servers available to the node by running the following command:
$ chronyc sources
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^+ time.cloudflare.com 3 10 377 187 -209us[ -209us] +/- 32ms
^+ t1.time.ir2.yahoo.com 2 10 377 185 -4382us[-4382us] +/- 23ms
^+ time.cloudflare.com 3 10 377 198 -996us[-1220us] +/- 33ms
^* brenbox.westnet.ie 1 10 377 193 -9538us[-9761us] +/- 24ms
Use the ping
command to ensure that the node can access an NTP server, for example:
$ ping time.cloudflare.com
PING time.cloudflare.com (162.159.200.123) 56(84) bytes of data.
64 bytes from time.cloudflare.com (162.159.200.123): icmp_seq=1 ttl=54 time=32.3 ms
64 bytes from time.cloudflare.com (162.159.200.123): icmp_seq=2 ttl=54 time=30.9 ms
64 bytes from time.cloudflare.com (162.159.200.123): icmp_seq=3 ttl=54 time=36.7 ms
...
Before installation, you must configure the networking on the provisioner node. Installer-provisioned clusters deploy with a bare-metal bridge and network, and an optional provisioning bridge and network.
You can also configure networking from the web console. |
Export the bare-metal network NIC name by running the following command:
$ export PUB_CONN=<baremetal_nic_name>
Configure the bare-metal network:
The SSH connection might disconnect after executing these steps. |
For a network using DHCP, run the following command:
$ sudo nohup bash -c "
nmcli con down \"$PUB_CONN\"
nmcli con delete \"$PUB_CONN\"
# RHEL 8.1 appends the word \"System\" in front of the connection, delete in case it exists
nmcli con down \"System $PUB_CONN\"
nmcli con delete \"System $PUB_CONN\"
nmcli connection add ifname baremetal type bridge <con_name> baremetal bridge.stp no (1)
nmcli con add type bridge-slave ifname \"$PUB_CONN\" master baremetal
pkill dhclient;dhclient baremetal
"
1 | Replace <con_name> with the connection name. |
For a network using static IP addressing and no DHCP network, run the following command:
$ sudo nohup bash -c "
nmcli con down \"$PUB_CONN\"
nmcli con delete \"$PUB_CONN\"
# RHEL 8.1 appends the word \"System\" in front of the connection, delete in case it exists
nmcli con down \"System $PUB_CONN\"
nmcli con delete \"System $PUB_CONN\"
nmcli connection add ifname baremetal type bridge con-name baremetal bridge.stp no ipv4.method manual ipv4.addr "x.x.x.x/yy" ipv4.gateway "a.a.a.a" ipv4.dns "b.b.b.b" (1)
nmcli con add type bridge-slave ifname \"$PUB_CONN\" master baremetal
nmcli con up baremetal
"
1 | Replace <con_name> with the connection name. Replace x.x.x.x/yy with the IP address and CIDR for the network. Replace a.a.a.a with the network gateway. Replace b.b.b.b with the IP address of the DNS server. |
Optional: If you are deploying with a provisioning network, export the provisioning network NIC name by running the following command:
$ export PROV_CONN=<prov_nic_name>
Optional: If you are deploying with a provisioning network, configure the provisioning network by running the following command:
$ sudo nohup bash -c "
nmcli con down \"$PROV_CONN\"
nmcli con delete \"$PROV_CONN\"
nmcli connection add ifname provisioning type bridge con-name provisioning
nmcli con add type bridge-slave ifname \"$PROV_CONN\" master provisioning
nmcli connection modify provisioning ipv6.addresses fd00:1101::1/64 ipv6.method manual
nmcli con down provisioning
nmcli con up provisioning
"
The SSH connection might disconnect after executing these steps. The IPv6 address can be any address that is not routable through the bare-metal network. Ensure that UEFI is enabled and UEFI PXE settings are set to the IPv6 protocol when using IPv6 addressing. |
Optional: If you are deploying with a provisioning network, configure the IPv4 address on the provisioning network connection by running the following command:
$ nmcli connection modify provisioning ipv4.addresses 172.22.0.254/24 ipv4.method manual
SSH back into the provisioner
node (if required) by running the following command:
# ssh kni@provisioner.<cluster-name>.<domain>
Verify that the connection bridges have been properly created by running the following command:
$ sudo nmcli con show
NAME UUID TYPE DEVICE
baremetal 4d5133a5-8351-4bb9-bfd4-3af264801530 bridge baremetal
provisioning 43942805-017f-4d7d-a2c2-7cb3324482ed bridge provisioning
virbr0 d9bca40f-eee1-410b-8879-a2d4bb0465e7 bridge virbr0
bridge-slave-eno1 76a8ed50-c7e5-4999-b4f6-6d9014dd0812 ethernet eno1
bridge-slave-eno2 f31c3353-54b7-48de-893a-02d2b34c4736 ethernet eno2
In a typical OpenShift Container Platform cluster setup, all nodes, including the control plane and worker nodes, reside in the same network. However, for edge computing scenarios, it can be beneficial to locate worker nodes closer to the edge. This often involves using different network segments or subnets for the remote worker nodes than the subnet used by the control plane and local worker nodes. Such a setup can reduce latency for the edge and allow for enhanced scalability. However, the network must be configured properly before installing OpenShift Container Platform to ensure that the edge subnets containing the remote worker nodes can reach the subnet containing the control plane nodes and receive traffic from the control plane too.
All control plane nodes must run in the same subnet. When using more than one subnet, you can also configure the Ingress VIP to run on the control plane nodes by using a manifest. See "Configuring network components to run on the control plane" for details. Deploying a cluster with multiple subnets requires using virtual media. |
This procedure details the network configuration required to allow the remote worker nodes in the second subnet to communicate effectively with the control plane nodes in the first subnet and to allow the control plane nodes in the first subnet to communicate effectively with the remote worker nodes in the second subnet.
In this procedure, the cluster spans two subnets:
The first subnet (10.0.0.0
) contains the control plane and local worker nodes.
The second subnet (192.168.0.0
) contains the edge worker nodes.
Configure the first subnet to communicate with the second subnet:
Log in as root
to a control plane node by running the following command:
$ sudo su -
Get the name of the network interface:
# nmcli dev status
Add a route to the second subnet (192.168.0.0
) via the gateway:
s+
# nmcli connection modify <interface_name> +ipv4.routes "192.168.0.0/24 via <gateway>"
+
Replace <interface_name>
with the interface name. Replace <gateway>
with the IP address of the actual gateway.
+ .Example
+
# nmcli connection modify eth0 +ipv4.routes "192.168.0.0/24 via 192.168.0.1"
Apply the changes:
# nmcli connection up <interface_name>
Replace <interface_name>
with the interface name.
Verify the routing table to ensure the route has been added successfully:
# ip route
Repeat the previous steps for each control plane node in the first subnet.
Adjust the commands to match your actual interface names and gateway. |
Configure the second subnet to communicate with the first subnet:
Log in as root
to a remote worker node:
$ sudo su -
Get the name of the network interface:
# nmcli dev status
Add a route to the first subnet (10.0.0.0
) via the gateway:
# nmcli connection modify <interface_name> +ipv4.routes "10.0.0.0/24 via <gateway>"
Replace <interface_name>
with the interface name. Replace <gateway>
with the IP address of the actual gateway.
# nmcli connection modify eth0 +ipv4.routes "10.0.0.0/24 via 10.0.0.1"
Apply the changes:
# nmcli connection up <interface_name>
Replace <interface_name>
with the interface name.
Verify the routing table to ensure the route has been added successfully:
# ip route
Repeat the previous steps for each worker node in the second subnet.
Adjust the commands to match your actual interface names and gateway. |
Once you have configured the networks, test the connectivity to ensure the remote worker nodes can reach the control plane nodes and the control plane nodes can reach the remote worker nodes.
From the control plane nodes in the first subnet, ping a remote worker node in the second subnet:
$ ping <remote_worker_node_ip_address>
If the ping is successful, it means the control plane nodes in the first subnet can reach the remote worker nodes in the second subnet. If you don’t receive a response, review the network configurations and repeat the procedure for the node.
From the remote worker nodes in the second subnet, ping a control plane node in the first subnet:
$ ping <control_plane_node_ip_address>
If the ping is successful, it means the remote worker nodes in the second subnet can reach the control plane in the first subnet. If you don’t receive a response, review the network configurations and repeat the procedure for the node.
Use the stable-4.x
version of the installation program and your selected architecture to deploy the generally available stable version of OpenShift Container Platform:
$ export VERSION=stable-4.13
$ export RELEASE_ARCH=<architecture>
$ export RELEASE_IMAGE=$(curl -s https://mirror.openshift.com/pub/openshift-v4/$RELEASE_ARCH/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')
After retrieving the installer, the next step is to extract it.
Set the environment variables:
$ export cmd=openshift-baremetal-install
$ export pullsecret_file=~/pull-secret.txt
$ export extract_dir=$(pwd)
Get the oc
binary:
$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux.tar.gz | tar zxvf - oc
Extract the installer:
$ sudo cp oc /usr/local/bin
$ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${RELEASE_IMAGE}
$ sudo cp openshift-baremetal-install /usr/local/bin
To employ image caching, you must download the Red Hat Enterprise Linux CoreOS (RHCOS) image used by the bootstrap VM to provision the cluster nodes. Image caching is optional, but it is especially useful when running the installation program on a network with limited bandwidth.
The installation program no longer needs the |
If you are running the installation program on a network with limited bandwidth and the RHCOS images download takes more than 15 to 20 minutes, the installation program will timeout. Caching images on a web server will help in such scenarios.
If you enable TLS for the HTTPD server, you must confirm the root certificate is signed by an authority trusted by the client and verify the trusted certificate chain between your OpenShift Container Platform hub and spoke clusters and the HTTPD server. Using a server configured with an untrusted certificate prevents the images from being downloaded to the image creation service. Using untrusted HTTPS servers is not supported. |
Install a container that contains the images.
Install podman
:
$ sudo dnf install -y podman
Open firewall port 8080
to be used for RHCOS image caching:
$ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent
$ sudo firewall-cmd --reload
Create a directory to store the bootstraposimage
:
$ mkdir /home/kni/rhcos_image_cache
Set the appropriate SELinux context for the newly created directory:
$ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"
$ sudo restorecon -Rv /home/kni/rhcos_image_cache/
Get the URI for the RHCOS image that the installation program will deploy on the bootstrap VM:
$ export RHCOS_QEMU_URI=$(/usr/local/bin/openshift-baremetal-install coreos print-stream-json | jq -r --arg ARCH "$(arch)" '.architectures[$ARCH].artifacts.qemu.formats["qcow2.gz"].disk.location')
Get the name of the image that the installation program will deploy on the bootstrap VM:
$ export RHCOS_QEMU_NAME=${RHCOS_QEMU_URI##*/}
Get the SHA hash for the RHCOS image that will be deployed on the bootstrap VM:
$ export RHCOS_QEMU_UNCOMPRESSED_SHA256=$(/usr/local/bin/openshift-baremetal-install coreos print-stream-json | jq -r --arg ARCH "$(arch)" '.architectures[$ARCH].artifacts.qemu.formats["qcow2.gz"].disk["uncompressed-sha256"]')
Download the image and place it in the /home/kni/rhcos_image_cache
directory:
$ curl -L ${RHCOS_QEMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QEMU_NAME}
Confirm SELinux type is of httpd_sys_content_t
for the new file:
$ ls -Z /home/kni/rhcos_image_cache
Create the pod:
$ podman run -d --name rhcos_image_cache \(1)
-v /home/kni/rhcos_image_cache:/var/www/html \
-p 8080:8080/tcp \
registry.access.redhat.com/ubi9/httpd-24
1 | Creates a caching webserver with the name rhcos_image_cache . This pod serves the bootstrapOSImage image in the install-config.yaml file for deployment. |
Generate the bootstrapOSImage
configuration:
$ export BAREMETAL_IP=$(ip addr show dev baremetal | awk '/inet /{print $2}' | cut -d"/" -f1)
$ export BOOTSTRAP_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_QEMU_NAME}?sha256=${RHCOS_QEMU_UNCOMPRESSED_SHA256}"
$ echo " bootstrapOSImage=${BOOTSTRAP_OS_IMAGE}"
Add the required configuration to the install-config.yaml
file under platform.baremetal
:
platform:
baremetal:
bootstrapOSImage: <bootstrap_os_image> (1)
1 | Replace <bootstrap_os_image> with the value of $BOOTSTRAP_OS_IMAGE . |
See the "Configuring the install-config.yaml file" section for additional details.
On Red Hat Enterprise Linux CoreOS (RHCOS) machines, NetworkManager
sets the hostnames. By default, DHCP provides the hostnames to NetworkManager
, which is the recommended method. NetworkManager
gets the hostnames through a reverse DNS lookup in the following cases:
If DHCP does not provide the hostnames
If you use kernel arguments to set the hostnames
If you use another method to set the hostnames
Reverse DNS lookup occurs after the network has been initialized on a node, and can increase the time it takes NetworkManager
to set the hostname. Other system services can start prior to NetworkManager
setting the hostname, which can cause those services to use a default hostname such as localhost
.
You can avoid the delay in setting hostnames by using DHCP to provide the hostname for each cluster node. Additionally, setting the hostnames through DHCP can bypass manual DNS record name configuration errors in environments that have a DNS split-horizon implementation. |
The install-config.yaml
file requires some additional details.
Most of the information teaches the installation program and the resulting cluster enough about the available hardware that it is able to fully manage it.
The installation program no longer needs the |
Configure install-config.yaml
. Change the appropriate variables to match the environment, including pullSecret
and sshKey
:
apiVersion: v1
baseDomain: <domain>
metadata:
name: <cluster_name>
networking:
machineNetwork:
- cidr: <public_cidr>
networkType: OVNKubernetes
compute:
- name: worker
replicas: 2 (1)
controlPlane:
name: master
replicas: 3
platform:
baremetal: {}
platform:
baremetal:
apiVIPs:
- <api_ip>
ingressVIPs:
- <wildcard_ip>
provisioningNetworkCIDR: <CIDR>
bootstrapExternalStaticIP: <bootstrap_static_ip_address> (2)
bootstrapExternalStaticGateway: <bootstrap_static_gateway> (3)
hosts:
- name: openshift-master-0
role: master
bmc:
address: ipmi://<out_of_band_ip> (4)
username: <user>
password: <password>
bootMACAddress: <NIC1_mac_address>
rootDeviceHints:
deviceName: "<installation_disk_drive_path>" (5)
- name: <openshift_master_1>
role: master
bmc:
address: ipmi://<out_of_band_ip>
username: <user>
password: <password>
bootMACAddress: <NIC1_mac_address>
rootDeviceHints:
deviceName: "<installation_disk_drive_path>"
- name: <openshift_master_2>
role: master
bmc:
address: ipmi://<out_of_band_ip>
username: <user>
password: <password>
bootMACAddress: <NIC1_mac_address>
rootDeviceHints:
deviceName: "<installation_disk_drive_path>"
- name: <openshift_worker_0>
role: worker
bmc:
address: ipmi://<out_of_band_ip>
username: <user>
password: <password>
bootMACAddress: <NIC1_mac_address>
- name: <openshift_worker_1>
role: worker
bmc:
address: ipmi://<out_of_band_ip>
username: <user>
password: <password>
bootMACAddress: <NIC1_mac_address>
rootDeviceHints:
deviceName: "<installation_disk_drive_path>"
pullSecret: '<pull_secret>'
sshKey: '<ssh_pub_key>'
1 | Scale the worker machines based on the number of worker nodes that are part of the OpenShift Container Platform cluster. Valid options for the replicas value are 0 and integers greater than or equal to 2 . Set the number of replicas to 0 to deploy a three-node cluster, which contains only three control plane machines. A three-node cluster is a smaller, more resource-efficient cluster that can be used for testing, development, and production. You cannot install the cluster with only one worker. |
||
2 | When deploying a cluster with static IP addresses, you must set the bootstrapExternalStaticIP configuration setting to specify the static IP address of the bootstrap VM when there is no DHCP server on the bare-metal network. |
||
3 | When deploying a cluster with static IP addresses, you must set the bootstrapExternalStaticGateway configuration setting to specify the gateway IP address for the bootstrap VM when there is no DHCP server on the bare-metal network. |
||
4 | See the BMC addressing sections for more options. | ||
5 | To set the path to the installation disk drive, enter the kernel name of the disk. For example, /dev/sda .
|
Before OpenShift Container Platform 4.12, the cluster installation program only accepted an IPv4 address or an IPv6 address for the |
Create a directory to store the cluster configuration:
$ mkdir ~/clusterconfigs
Copy the install-config.yaml
file to the new directory:
$ cp install-config.yaml ~/clusterconfigs
Ensure all bare metal nodes are powered off prior to installing the OpenShift Container Platform cluster:
$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
Remove old bootstrap resources if any are left over from a previous deployment attempt:
for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
do
sudo virsh destroy $i;
sudo virsh undefine $i;
sudo virsh vol-delete $i --pool $i;
sudo virsh vol-delete $i.ign --pool $i;
sudo virsh pool-destroy $i;
sudo virsh pool-undefine $i;
done
install-config
parametersSee the following tables for the required parameters, the hosts
parameter,
and the bmc
parameter for the install-config.yaml
file.
Parameters | Default | Description | ||
---|---|---|---|---|
|
The domain name for the cluster. For example, |
|||
|
|
The boot mode for a node. Options are |
||
|
The static IP address for the bootstrap VM. You must set this value when deploying a cluster with static IP addresses when there is no DHCP server on the bare-metal network. |
|||
|
The static IP address of the gateway for the bootstrap VM. You must set this value when deploying a cluster with static IP addresses when there is no DHCP server on the bare-metal network. |
|||
|
The |
|||
|
The |
|||
metadata: name: |
The name to be given to the OpenShift Container Platform cluster. For example, |
|||
networking: machineNetwork: - cidr: |
The public CIDR (Classless Inter-Domain Routing) of the external network. For example, |
|||
compute: - name: worker |
The OpenShift Container Platform cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes. |
|||
compute: replicas: 2 |
Replicas sets the number of worker (or compute) nodes in the OpenShift Container Platform cluster. |
|||
controlPlane: name: master |
The OpenShift Container Platform cluster requires a name for control plane (master) nodes. |
|||
controlPlane: replicas: 3 |
Replicas sets the number of control plane (master) nodes included as part of the OpenShift Container Platform cluster. |
|||
|
The name of the network interface on nodes connected to the provisioning network. For OpenShift Container Platform 4.9 and later releases, use the |
|||
|
The default configuration used for machine pools without a platform configuration. |
|||
|
(Optional) The virtual IP address for Kubernetes API communication. This setting must either be provided in the
|
|||
|
|
|
||
|
(Optional) The virtual IP address for ingress traffic. This setting must either be provided in the
|
Parameters | Default | Description |
---|---|---|
|
|
Defines the IP range for nodes on the provisioning network. |
|
|
The CIDR for the network to use for provisioning. This option is required when not using the default address range on the provisioning network. |
|
The third IP address of the |
The IP address within the cluster where the provisioning services run. Defaults to the third IP address of the provisioning subnet. For example, |
|
The second IP address of the |
The IP address on the bootstrap VM where the provisioning services run while the installer is deploying the control plane (master) nodes. Defaults to the second IP address of the provisioning subnet. For example, |
|
|
The name of the bare-metal bridge of the hypervisor attached to the bare-metal network. |
|
|
The name of the provisioning bridge on the |
|
Defines the host architecture for your cluster. Valid values are |
|
|
The default configuration used for machine pools without a platform configuration. |
|
|
A URL to override the default operating system image for the bootstrap node. The URL must contain a SHA-256 hash of the image. For example:
|
|
|
The
|
|
|
Set this parameter to the appropriate HTTP proxy used within your environment. |
|
|
Set this parameter to the appropriate HTTPS proxy used within your environment. |
|
|
Set this parameter to the appropriate list of exclusions for proxy usage within your environment. |
The hosts
parameter is a list of separate bare metal assets used to build the cluster.
Name | Default | Description | ||
---|---|---|---|---|
|
The name of the |
|||
|
The role of the bare metal node. Either |
|||
|
Connection details for the baseboard management controller. See the BMC addressing section for additional details. |
|||
|
The MAC address of the NIC that the host uses for the provisioning network. Ironic retrieves the IP address using the
|
|||
|
Set this optional parameter to configure the network interface of a host. See "(Optional) Configuring host network interfaces" for additional details. |
Most vendors support Baseboard Management Controller (BMC) addressing with the Intelligent Platform Management Interface (IPMI). IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center (SDDC). Redfish is human readable and machine capable, and leverages common internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.
Hosts using IPMI use the ipmi://<out-of-band-ip>:<port>
address format, which defaults to port 623
if not specified. The following example demonstrates an IPMI configuration within the install-config.yaml
file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: ipmi://<out-of-band-ip>
username: <user>
password: <password>
The |
To enable Redfish, use redfish://
or redfish+http://
to disable TLS. The installer requires both the hostname or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml
file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
username: <user>
password: <password>
While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True
in the bmc
configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True
configuration parameter within the install-config.yaml
file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
username: <user>
password: <password>
disableCertificateVerification: True
Several redfish API endpoints are called onto your BCM when using the bare-metal installer-provisioned infrastructure.
You need to ensure that your BMC supports all of the redfish APIs before installation. |
Power on
curl -u $USER:$PASS -X POST -H'Content-Type: application/json' -H'Accept: application/json' -d '{"ResetType": "On"}' https://$SERVER/redfish/v1/Systems/$SystemID/Actions/ComputerSystem.Reset
Power off
curl -u $USER:$PASS -X POST -H'Content-Type: application/json' -H'Accept: application/json' -d '{"ResetType": "ForceOff"}' https://$SERVER/redfish/v1/Systems/$SystemID/Actions/ComputerSystem.Reset
Temporary boot using pxe
curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json" https://$Server/redfish/v1/Systems/$SystemID/ -d '{"Boot": {"BootSourceOverrideTarget": "pxe", "BootSourceOverrideEnabled": "Once"}}
Set BIOS boot mode using Legacy
or UEFI
curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json" https://$Server/redfish/v1/Systems/$SystemID/ -d '{"Boot": {"BootSourceOverrideMode":"UEFI"}}
Set temporary boot device using cd
or dvd
curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json" https://$Server/redfish/v1/Systems/$SystemID/ -d '{"Boot": {"BootSourceOverrideTarget": "cd", "BootSourceOverrideEnabled": "Once"}}'
Mount virtual media
curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json" -H "If-Match: *" https://$Server/redfish/v1/Managers/$ManagerID/VirtualMedia/$VmediaId -d '{"Image": "https://example.com/test.iso", "TransferProtocolType": "HTTPS", "UserName": "", "Password":""}'
The |
|
The address
field for each bmc
entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.
platform:
baremetal:
hosts:
- name: <hostname>
role: <master | worker>
bmc:
address: <address> (1)
username: <user>
password: <password>
1 | The address configuration setting specifies the protocol. |
For Dell hardware, Red Hat supports integrated Dell Remote Access Controller (iDRAC) virtual media, Redfish network boot, and IPMI.
Protocol | Address Format |
---|---|
iDRAC virtual media |
|
Redfish network boot |
|
IPMI |
|
Use |
See the following sections for additional details.
For Redfish virtual media on Dell servers, use idrac-virtualmedia://
in the address
setting. Using redfish-virtualmedia://
will not work.
Use |
The following example demonstrates using iDRAC virtual media within the install-config.yaml
file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
username: <user>
password: <password>
While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True
in the bmc
configuration if using self-signed certificates.
Ensure the OpenShift Container Platform cluster nodes have AutoAttach enabled through the iDRAC console. The menu path is: Configuration → Virtual Media → Attach Mode → AutoAttach. |
The following example demonstrates a Redfish configuration using the disableCertificateVerification: True
configuration parameter within the install-config.yaml
file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
username: <user>
password: <password>
disableCertificateVerification: True
To enable Redfish, use redfish://
or redfish+http://
to disable transport layer security (TLS). The installer requires both the hostname or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml
file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
username: <user>
password: <password>
While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True
in the bmc
configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True
configuration parameter within the install-config.yaml
file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
username: <user>
password: <password>
disableCertificateVerification: True
There is a known issue on Dell iDRAC 9 with firmware version Ensure the OpenShift Container Platform cluster nodes have AutoAttach enabled through the iDRAC console. The menu path is: Configuration → Virtual Media → Attach Mode → AutoAttach . |
The address
field for each bmc
entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.
platform:
baremetal:
hosts:
- name: <hostname>
role: <master | worker>
bmc:
address: <address> (1)
username: <user>
password: <password>
1 | The address configuration setting specifies the protocol. |
For HPE integrated Lights Out (iLO), Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.
Protocol | Address Format |
---|---|
Redfish virtual media |
|
Redfish network boot |
|
IPMI |
|
See the following sections for additional details.
To enable Redfish virtual media for HPE servers, use redfish-virtualmedia://
in the address
setting. The following example demonstrates using Redfish virtual media within the install-config.yaml
file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
username: <user>
password: <password>
While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True
in the bmc
configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True
configuration parameter within the install-config.yaml
file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
username: <user>
password: <password>
disableCertificateVerification: True
Redfish virtual media is not supported on 9th generation systems running iLO4, because Ironic does not support iLO4 with virtual media. |
To enable Redfish, use redfish://
or redfish+http://
to disable TLS. The installer requires both the hostname or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml
file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
username: <user>
password: <password>
While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True
in the bmc
configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True
configuration parameter within the install-config.yaml
file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
username: <user>
password: <password>
disableCertificateVerification: True
The address
field for each bmc
entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.
platform:
baremetal:
hosts:
- name: <hostname>
role: <master | worker>
bmc:
address: <address> (1)
username: <user>
password: <password>
1 | The address configuration setting specifies the protocol. |
For Fujitsu hardware, Red Hat supports integrated Remote Management Controller (iRMC) and IPMI.
Protocol | Address Format |
---|---|
iRMC |
|
IPMI |
|
Fujitsu nodes can use irmc://<out-of-band-ip>
and defaults to port 443
. The following example demonstrates an iRMC configuration within the install-config.yaml
file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: irmc://<out-of-band-ip>
username: <user>
password: <password>
Currently Fujitsu supports iRMC S5 firmware version 3.05P and above for installer-provisioned installation on bare metal. |
The rootDeviceHints
parameter enables the installer to provision the Red Hat Enterprise Linux CoreOS (RHCOS) image to a particular device. The installer examines the devices in the order it discovers them, and compares the discovered values with the hint values. The installer uses the first discovered device that matches the hint value. The configuration can combine multiple hints, but a device must match all hints for the installer to select it.
Subfield | Description |
---|---|
|
A string containing a Linux device name such as |
|
A string containing a SCSI bus address like |
|
A string containing a vendor-specific device identifier. The hint can be a substring of the actual value. |
|
A string containing the name of the vendor or manufacturer of the device. The hint can be a sub-string of the actual value. |
|
A string containing the device serial number. The hint must match the actual value exactly. |
|
An integer representing the minimum size of the device in gigabytes. |
|
A string containing the unique storage identifier. The hint must match the actual value exactly. |
|
A string containing the unique storage identifier with the vendor extension appended. The hint must match the actual value exactly. |
|
A string containing the unique vendor storage identifier. The hint must match the actual value exactly. |
|
A boolean indicating whether the device should be a rotating disk (true) or not (false). |
- name: master-0
role: master
bmc:
address: ipmi://10.10.0.3:6203
username: admin
password: redhat
bootMACAddress: de:ad:be:ef:00:40
rootDeviceHints:
deviceName: "/dev/sda"
To deploy an OpenShift Container Platform cluster using a proxy, make the following changes to the install-config.yaml
file.
apiVersion: v1
baseDomain: <domain>
proxy:
httpProxy: http://USERNAME:PASSWORD@proxy.example.com:PORT
httpsProxy: https://USERNAME:PASSWORD@proxy.example.com:PORT
noProxy: <WILDCARD_OF_DOMAIN>,<PROVISIONING_NETWORK/CIDR>,<BMC_ADDRESS_RANGE/CIDR>
The following is an example of noProxy
with values.
noProxy: .example.com,172.22.0.0/24,10.10.0.0/24
With a proxy enabled, set the appropriate values of the proxy in the corresponding key/value pair.
Key considerations:
If the proxy does not have an HTTPS proxy, change the value of httpsProxy
from https://
to http://
.
If using a provisioning network, include it in the noProxy
setting, otherwise the installer will fail.
Set all of the proxy settings as environment variables within the provisioner node. For example, HTTP_PROXY
, HTTPS_PROXY
, and NO_PROXY
.
When provisioning with IPv6, you cannot define a CIDR address block in the |
To deploy an OpenShift Container Platform cluster without a provisioning
network, make the following changes to the install-config.yaml
file.
platform:
baremetal:
apiVIPs:
- <api_VIP>
ingressVIPs:
- <ingress_VIP>
provisioningNetwork: "Disabled" (1)
1 | Add the provisioningNetwork configuration setting, if needed, and set it to Disabled . |
The |
For dual-stack networking in OpenShift Container Platform clusters, you can configure IPv4 and IPv6 address endpoints for cluster nodes. To configure IPv4 and IPv6 address endpoints for cluster nodes, edit the machineNetwork
, clusterNetwork
, and serviceNetwork
configuration settings in the install-config.yaml
file. Each setting must have two CIDR entries each. For a cluster with the IPv4 family as the primary address family, specify the IPv4 setting first. For a cluster with the IPv6 family as the primary address family, specify the IPv6 setting first.
machineNetwork:
- cidr: {{ extcidrnet }}
- cidr: {{ extcidrnet6 }}
clusterNetwork:
- cidr: 10.128.0.0/14
hostPrefix: 23
- cidr: fd02::/48
hostPrefix: 64
serviceNetwork:
- 172.30.0.0/16
- fd03::/112
On a bare-metal platform, if you specified an NMState configuration in the Example NMState YAML configuration file that includes the
wait-ip parameter
|
To provide an interface to the cluster for applications that use IPv4 and IPv6 addresses, configure IPv4 and IPv6 virtual IP (VIP) address endpoints for the Ingress VIP and API VIP services. To configure IPv4 and IPv6 address endpoints, edit the apiVIPs
and ingressVIPs
configuration settings in the install-config.yaml
file . The apiVIPs
and ingressVIPs
configuration settings use a list format. The order of the list indicates the primary and secondary VIP address for each service.
platform:
baremetal:
apiVIPs:
- <api_ipv4>
- <api_ipv6>
ingressVIPs:
- <wildcard_ipv4>
- <wildcard_ipv6>
Before installation, you can set the networkConfig
configuration setting in the install-config.yaml
file to configure host network interfaces using NMState.
The most common use case for this functionality is to specify a static IP address on the bare-metal network, but you can also configure other networks such as a storage network. This functionality supports other NMState features such as VLAN, VXLAN, bridges, bonds, routes, MTU, and DNS resolver settings.
Configure a PTR
DNS record with a valid hostname for each node with a static IP address.
Install the NMState CLI (nmstate
).
Optional: Consider testing the NMState syntax with nmstatectl gc
before including it in the install-config.yaml
file, because the installer will not check the NMState YAML syntax.
Errors in the YAML syntax might result in a failure to apply the network configuration. Additionally, maintaining the validated YAML syntax is useful when applying changes using Kubernetes NMState after deployment or when expanding the cluster. |
Create an NMState YAML file:
interfaces:
- name: <nic1_name> (1)
type: ethernet
state: up
ipv4:
address:
- ip: <ip_address> (1)
prefix-length: 24
enabled: true
dns-resolver:
config:
server:
- <dns_ip_address> (1)
routes:
config:
- destination: 0.0.0.0/0
next-hop-address: <next_hop_ip_address> (1)
next-hop-interface: <next_hop_nic1_name> (1)
1 | Replace <nic1_name> , <ip_address> , <dns_ip_address> , <next_hop_ip_address> and <next_hop_nic1_name> with appropriate values. |
Test the configuration file by running the following command:
$ nmstatectl gc <nmstate_yaml_file>
Replace <nmstate_yaml_file>
with the configuration file name.
Use the networkConfig
configuration setting by adding the NMState configuration to hosts within the install-config.yaml
file:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish+http://<out_of_band_ip>/redfish/v1/Systems/
username: <user>
password: <password>
disableCertificateVerification: null
bootMACAddress: <NIC1_mac_address>
bootMode: UEFI
rootDeviceHints:
deviceName: "/dev/sda"
networkConfig: (1)
interfaces:
- name: <nic1_name> (2)
type: ethernet
state: up
ipv4:
address:
- ip: <ip_address> (2)
prefix-length: 24
enabled: true
dns-resolver:
config:
server:
- <dns_ip_address> (2)
routes:
config:
- destination: 0.0.0.0/0
next-hop-address: <next_hop_ip_address> (2)
next-hop-interface: <next_hop_nic1_name> (2)
1 | Add the NMState YAML syntax to configure the host interfaces. |
2 | Replace <nic1_name> , <ip_address> , <dns_ip_address> , <next_hop_ip_address> and <next_hop_nic1_name> with appropriate values. |
After deploying the cluster, you cannot modify the |
For edge computing scenarios, it can be beneficial to locate compute nodes closer to the edge. To locate remote nodes in subnets, you might use different network segments or subnets for the remote nodes than you used for the control plane subnet and local compute nodes. You can reduce latency for the edge and allow for enhanced scalability by setting up subnets for edge computing scenarios.
When using the default load balancer, |
If you have established different network segments or subnets for remote nodes as described in the section on "Establishing communication between subnets", you must specify the subnets in the machineNetwork
configuration setting if the workers are using static IP addresses, bonds or other advanced networking. When setting the node IP address in the networkConfig
parameter for each remote node, you must also specify the gateway and the DNS server for the subnet containing the control plane nodes when using static IP addresses. This ensures that the remote nodes can reach the subnet containing the control plane and that they can receive network traffic from the control plane.
Deploying a cluster with multiple subnets requires using virtual media, such as |
Add the subnets to the machineNetwork
in the install-config.yaml
file when using static IP addresses:
networking:
machineNetwork:
- cidr: 10.0.0.0/24
- cidr: 192.168.0.0/24
networkType: OVNKubernetes
Add the gateway and DNS configuration to the networkConfig
parameter of each edge compute node using NMState syntax when using a static IP address or advanced networking such as bonds:
networkConfig:
interfaces:
- name: <interface_name> (1)
type: ethernet
state: up
ipv4:
enabled: true
dhcp: false
address:
- ip: <node_ip> (2)
prefix-length: 24
gateway: <gateway_ip> (3)
dns-resolver:
config:
server:
- <dns_ip> (4)
1 | Replace <interface_name> with the interface name. |
2 | Replace <node_ip> with the IP address of the node. |
3 | Replace <gateway_ip> with the IP address of the gateway. |
4 | Replace <dns_ip> with the IP address of the DNS server. |
For dual-stack clusters that use Stateless Address AutoConfiguration (SLAAC), you must specify a global value for the ipv6.addr-gen-mode
network setting. You can set this value using NMState to configure the ramdisk and the cluster configuration files. If you don’t configure a consistent ipv6.addr-gen-mode
in these locations, IPv6 address mismatches can occur between CSR resources and BareMetalHost
resources in the cluster.
Install the NMState CLI (nmstate
).
Optional: Consider testing the NMState YAML syntax with the nmstatectl gc
command before including it in the install-config.yaml
file because the installation program will not check the NMState YAML syntax.
Create an NMState YAML file:
interfaces:
- name: eth0
ipv6:
addr-gen-mode: <address_mode> (1)
1 | Replace <address_mode> with the type of address generation mode required for IPv6 addresses in the cluster. Valid values are eui64 , stable-privacy , or random . |
Test the configuration file by running the following command:
$ nmstatectl gc <nmstate_yaml_file> (1)
1 | Replace <nmstate_yaml_file> with the name of the test configuration file. |
Add the NMState configuration to the hosts.networkConfig
section within the install-config.yaml file:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish+http://<out_of_band_ip>/redfish/v1/Systems/
username: <user>
password: <password>
disableCertificateVerification: null
bootMACAddress: <NIC1_mac_address>
bootMode: UEFI
rootDeviceHints:
deviceName: "/dev/sda"
networkConfig:
interfaces:
- name: eth0
ipv6:
addr-gen-mode: <address_mode> (1)
...
1 | Replace <address_mode> with the type of address generation mode required for IPv6 addresses in the cluster. Valid values are eui64 , stable-privacy , or random . |
Before installation, you can set the networkConfig
configuration setting in the install-config.yaml
file to configure host network interfaces by using NMState to support dual port NIC.
Support for Day 1 operations associated with enabling NIC partitioning for SR-IOV devices is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope. |
OpenShift Virtualization only supports the following bond modes:
mode=1 active-backup
mode=2 balance-xor
mode=4 802.3ad
Configure a PTR
DNS record with a valid hostname for each node with a static IP address.
Install the NMState CLI (nmstate
).
Errors in the YAML syntax might result in a failure to apply the network configuration. Additionally, maintaining the validated YAML syntax is useful when applying changes by using Kubernetes NMState after deployment or when expanding the cluster. |
Add the NMState configuration to the networkConfig
field to hosts within the install-config.yaml
file:
hosts:
- name: worker-0
role: worker
bmc:
address: redfish+http://<out_of_band_ip>/redfish/v1/Systems/
username: <user>
password: <password>
disableCertificateVerification: false
bootMACAddress: <NIC1_mac_address>
bootMode: UEFI
networkConfig: (1)
interfaces: (2)
- name: eno1 (3)
type: ethernet (4)
state: up
mac-address: 0c:42:a1:55:f3:06
ipv4:
enabled: true
dhcp: false (5)
ethernet:
sr-iov:
total-vfs: 2 (6)
ipv6:
enabled: false
dhcp: false
- name: sriov:eno1:0
type: ethernet
state: up (7)
ipv4:
enabled: false (8)
ipv6:
enabled: false
- name: sriov:eno1:1
type: ethernet
state: down
- name: eno2
type: ethernet
state: up
mac-address: 0c:42:a1:55:f3:07
ipv4:
enabled: true
ethernet:
sr-iov:
total-vfs: 2
ipv6:
enabled: false
- name: sriov:eno2:0
type: ethernet
state: up
ipv4:
enabled: false
ipv6:
enabled: false
- name: sriov:eno2:1
type: ethernet
state: down
- name: bond0
type: bond
state: up
min-tx-rate: 100 (9)
max-tx-rate: 200 (10)
link-aggregation:
mode: active-backup (11)
options:
primary: sriov:eno1:0 (12)
port:
- sriov:eno1:0
- sriov:eno2:0
ipv4:
address:
- ip: 10.19.16.57 (13)
prefix-length: 23
dhcp: false
enabled: true
ipv6:
enabled: false
dns-resolver:
config:
server:
- 10.11.5.160
- 10.2.70.215
routes:
config:
- destination: 0.0.0.0/0
next-hop-address: 10.19.17.254
next-hop-interface: bond0 (14)
table-id: 254
1 | The networkConfig field has information about the network configuration of the host, with subfields including interfaces , dns-resolver , and routes . |
||
2 | The interfaces field is an array of network interfaces defined for the host. |
||
3 | The name of the interface. | ||
4 | The type of interface. This example creates a ethernet interface. | ||
5 | Set this to `false to disable DHCP for the physical function (PF) if it is not strictly required. | ||
6 | Set to the number of SR-IOV virtual functions (VFs) to instantiate. | ||
7 | Set this to up . |
||
8 | Set this to false to disable IPv4 addressing for the VF attached to the bond. |
||
9 | Sets a minimum transmission rate, in Mbps, for the VF. This sample value sets a rate of 100 Mbps.
|
||
10 | Sets a maximum transmission rate, in Mbps, for the VF. This sample value sets a rate of 200 Mbps. | ||
11 | Sets the desired bond mode. | ||
12 | Sets the preferred port of the bonding interface. The bond uses the primary device as the first device of the bonding interfaces. The bond does not abandon the primary device interface unless it fails. This setting is particularly useful when one NIC in the bonding interface is faster and, therefore, able to handle a bigger load. This setting is only valid when the bonding interface is in active-backup mode (mode 1) and balance-tlb (mode 5). | ||
13 | Sets a static IP address for the bond interface. This is the node IP address. | ||
14 | Sets bond0 as the gateway for the default route.
|
You can simultaneously configure OpenShift Container Platform cluster nodes with identical settings. Configuring multiple cluster nodes avoids adding redundant information for each node to the install-config.yaml
file. This file contains specific parameters to apply an identical configuration to multiple nodes in the cluster.
Compute nodes are configured separately from the controller node. However, configurations for both node types use the highlighted parameters in the install-config.yaml
file to enable multi-node configuration. Set the networkConfig
parameters to BOND
, as shown in the following example:
hosts:
- name: ostest-master-0
[...]
networkConfig: &BOND
interfaces:
- name: bond0
type: bond
state: up
ipv4:
dhcp: true
enabled: true
link-aggregation:
mode: active-backup
port:
- enp2s0
- enp3s0
- name: ostest-master-1
[...]
networkConfig: *BOND
- name: ostest-master-2
[...]
networkConfig: *BOND
Configuration of multiple cluster nodes is only available for initial deployments on installer-provisioned infrastructure. |
You can enable managed Secure Boot when deploying an installer-provisioned cluster using Redfish BMC addressing, such as redfish
, redfish-virtualmedia
, or idrac-virtualmedia
. To enable managed Secure Boot, add the bootMode
configuration setting to each node:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out_of_band_ip> (1)
username: <username>
password: <password>
bootMACAddress: <NIC1_mac_address>
rootDeviceHints:
deviceName: "/dev/sda"
bootMode: UEFISecureBoot (2)
1 | Ensure the bmc.address setting uses redfish , redfish-virtualmedia , or idrac-virtualmedia as the protocol. See "BMC addressing for HPE iLO" or "BMC addressing for Dell iDRAC" for additional details. |
2 | The bootMode setting is UEFI by default. Change it to UEFISecureBoot to enable managed Secure Boot. |
See "Configuring nodes" in the "Prerequisites" to ensure the nodes can support managed Secure Boot. If the nodes do not support managed Secure Boot, see "Configuring nodes for Secure Boot manually" in the "Configuring nodes" section. Configuring Secure Boot manually requires Redfish virtual media. |
Red Hat does not support Secure Boot with IPMI, because IPMI does not provide Secure Boot management facilities. |
Create the OpenShift Container Platform manifests.
$ ./openshift-baremetal-install --dir ~/clusterconfigs create manifests
INFO Consuming Install Config from target directory
WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
WARNING Discarding the OpenShift Manifest that was provided in the target directory because its dependencies are dirty and it needs to be regenerated
OpenShift Container Platform installs the chrony
Network Time Protocol (NTP) service on the cluster nodes.
OpenShift Container Platform nodes must agree on a date and time to run properly. When worker nodes retrieve the date and time from the NTP servers on the control plane nodes, it enables the installation and operation of clusters that are not connected to a routable network and thereby do not have access to a higher stratum NTP server.
Install Butane on your installation host by using the following command:
$ sudo dnf -y install butane
Create a Butane config, 99-master-chrony-conf-override.bu
, including the contents of the chrony.conf
file for the control plane nodes.
See "Creating machine configs with Butane" for information about Butane. |
variant: openshift
version: 4.13.0
metadata:
name: 99-master-chrony-conf-override
labels:
machineconfiguration.openshift.io/role: master
storage:
files:
- path: /etc/chrony.conf
mode: 0644
overwrite: true
contents:
inline: |
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (https://www.pool.ntp.org/join.html).
# The Machine Config Operator manages this file
server openshift-master-0.<cluster-name>.<domain> iburst (1)
server openshift-master-1.<cluster-name>.<domain> iburst
server openshift-master-2.<cluster-name>.<domain> iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
commandkey 1
generatecommandkey
noclientlog
logchange 0.5
logdir /var/log/chrony
# Configure the control plane nodes to serve as local NTP servers
# for all worker nodes, even if they are not in sync with an
# upstream NTP server.
# Allow NTP client access from the local network.
allow all
# Serve time even if not synchronized to a time source.
local stratum 3 orphan
1 | You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name. |
Use Butane to generate a MachineConfig
object file, 99-master-chrony-conf-override.yaml
, containing the configuration to be delivered to the control plane nodes:
$ butane 99-master-chrony-conf-override.bu -o 99-master-chrony-conf-override.yaml
Create a Butane config, 99-worker-chrony-conf-override.bu
, including the contents of the chrony.conf
file for the worker nodes that references the NTP servers on the control plane nodes.
variant: openshift
version: 4.13.0
metadata:
name: 99-worker-chrony-conf-override
labels:
machineconfiguration.openshift.io/role: worker
storage:
files:
- path: /etc/chrony.conf
mode: 0644
overwrite: true
contents:
inline: |
# The Machine Config Operator manages this file.
server openshift-master-0.<cluster-name>.<domain> iburst (1)
server openshift-master-1.<cluster-name>.<domain> iburst
server openshift-master-2.<cluster-name>.<domain> iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 10 3
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
commandkey 1
generatecommandkey
noclientlog
logchange 0.5
logdir /var/log/chrony
1 | You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name. |
Use Butane to generate a MachineConfig
object file, 99-worker-chrony-conf-override.yaml
, containing the configuration to be delivered to the worker nodes:
$ butane 99-worker-chrony-conf-override.bu -o 99-worker-chrony-conf-override.yaml
You can configure networking components to run exclusively on the control plane nodes. By default, OpenShift Container Platform allows any node in the machine config pool to host the ingressVIP
virtual IP address. However, some environments deploy worker nodes in separate subnets from the control plane nodes, which requires configuring the ingressVIP
virtual IP address to run on the control plane nodes.
When deploying remote workers in separate subnets, you must place the |
Change to the directory storing the install-config.yaml
file:
$ cd ~/clusterconfigs
Switch to the manifests
subdirectory:
$ cd manifests
Create a file named cluster-network-avoid-workers-99-config.yaml
:
$ touch cluster-network-avoid-workers-99-config.yaml
Open the cluster-network-avoid-workers-99-config.yaml
file in an editor and enter a custom resource (CR) that describes the Operator configuration:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 50-worker-fix-ipi-rwn
labels:
machineconfiguration.openshift.io/role: worker
spec:
config:
ignition:
version: 3.2.0
storage:
files:
- path: /etc/kubernetes/manifests/keepalived.yaml
mode: 0644
contents:
source: data:,
This manifest places the ingressVIP
virtual IP address on the control plane nodes. Additionally, this manifest deploys the following processes on the control plane nodes only:
openshift-ingress-operator
keepalived
Save the cluster-network-avoid-workers-99-config.yaml
file.
Create a manifests/cluster-ingress-default-ingresscontroller.yaml
file:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: default
namespace: openshift-ingress-operator
spec:
nodePlacement:
nodeSelector:
matchLabels:
node-role.kubernetes.io/master: ""
Consider backing up the manifests
directory. The installer deletes the manifests/
directory when creating the cluster.
Modify the cluster-scheduler-02-config.yml
manifest to make the control plane nodes schedulable by setting the mastersSchedulable
field to true
. Control plane nodes are not schedulable by default. For example:
$ sed -i "s;mastersSchedulable: false;mastersSchedulable: true;g" clusterconfigs/manifests/cluster-scheduler-02-config.yml
If control plane nodes are not schedulable after completing this procedure, deploying the cluster will fail. |
During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If a deployed cluster requires additional routers to handle external traffic loads destined for services within the OpenShift Container Platform cluster, you can create a yaml
file to set an appropriate number of router replicas.
Deploying a cluster with only one worker node is not supported. While modifying the router replicas will address issues with the |
By default, the installer deploys two routers. If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default. |
Create a router-replicas.yaml
file:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: default
namespace: openshift-ingress-operator
spec:
replicas: <num-of-router-pods>
endpointPublishingStrategy:
type: HostNetwork
nodePlacement:
nodeSelector:
matchLabels:
node-role.kubernetes.io/worker: ""
Replace |
Save and copy the router-replicas.yaml
file to the clusterconfigs/openshift
directory:
$ cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yaml
The following procedure configures the BIOS during the installation process.
Create the manifests.
Modify the BareMetalHost
resource file corresponding to the node:
$ vim clusterconfigs/openshift/99_openshift-cluster-api_hosts-*.yaml
Add the BIOS configuration to the spec
section of the BareMetalHost
resource:
spec:
firmware:
simultaneousMultithreadingEnabled: true
sriovEnabled: true
virtualizationEnabled: true
Red Hat supports three BIOS configurations. Only servers with BMC type |
Create the cluster.
The following procedure configures a redundant array of independent disks (RAID) during the installation process.
|
Create the manifests.
Modify the BareMetalHost
resource corresponding to the node:
$ vim clusterconfigs/openshift/99_openshift-cluster-api_hosts-*.yaml
The following example uses a hardware RAID configuration because OpenShift Container Platform 4.13 does not support software RAID. |
If you added a specific RAID configuration to the spec
section, this causes the node to delete the original RAID configuration in the preparing
phase and perform a specified configuration on the RAID. For example:
spec:
raid:
hardwareRAIDVolumes:
- level: "0" (1)
name: "sda"
numberOfPhysicalDisks: 1
rotational: true
sizeGibibytes: 0
1 | level is a required field, and the others are optional fields. |
If you added an empty RAID configuration to the spec
section, the empty configuration causes the node to delete the original RAID configuration during the preparing
phase, but does not perform a new configuration. For example:
spec:
raid:
hardwareRAIDVolumes: []
If you do not add a raid
field in the spec
section, the original RAID configuration is not deleted, and no new configuration will be performed.
Create the cluster.
You can make changes to operating systems on OpenShift Container Platform nodes by creating MachineConfig
objects that are managed by the Machine Config Operator (MCO).
The MachineConfig
specification includes an ignition config for configuring the machines at first boot. This config object can be used to modify files, systemd services, and other operating system features running on OpenShift Container Platform machines.
Use the ignition config to configure storage on nodes. The following MachineSet
manifest example demonstrates how to add a partition to a device on a primary node. In this example, apply the manifest before installation to have a partition named recovery
with a size of 16 GiB on the primary node.
Create a custom-partitions.yaml
file and include a MachineConfig
object that contains your partition layout:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: primary
name: 10_primary_storage_config
spec:
config:
ignition:
version: 3.2.0
storage:
disks:
- device: </dev/xxyN>
partitions:
- label: recovery
startMiB: 32768
sizeMiB: 16384
filesystems:
- device: /dev/disk/by-partlabel/recovery
label: recovery
format: xfs
Save and copy the custom-partitions.yaml
file to the clusterconfigs/openshift
directory:
$ cp ~/<MachineConfig_manifest> ~/clusterconfigs/openshift
In some cases, you might want to install an OpenShift Container Platform cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.
A local, or mirrored, copy of the registry requires the following:
A certificate for the registry node. This can be a self-signed certificate.
A web server that a container on a system will serve.
An updated pull secret that contains the certificate and local repository information.
Creating a disconnected registry on a registry node is optional. If you need to create a disconnected registry on a registry node, you must complete all of the following sub-sections. |
If you have already prepared a mirror registry for Mirroring images for a disconnected installation, you can skip directly to Modify the install-config.yaml file to use the disconnected registry.
The following steps must be completed prior to hosting a mirrored registry on bare metal.
Open the firewall port on the registry node:
$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt --permanent
$ sudo firewall-cmd --add-port=5000/tcp --zone=public --permanent
$ sudo firewall-cmd --reload
Install the required packages for the registry node:
$ sudo yum -y install python3 podman httpd httpd-tools jq
Create the directory structure where the repository information will be held:
$ sudo mkdir -p /opt/registry/{auth,certs,data}
Complete the following steps to mirror the OpenShift Container Platform image repository for a disconnected registry.
Your mirror host has access to the internet.
You configured a mirror registry to use in your restricted network and can access the certificate and credentials that you configured.
You downloaded the pull secret from the Red Hat OpenShift Cluster Manager and modified it to include authentication to your mirror repository.
Review the OpenShift Container Platform downloads page to determine the version of OpenShift Container Platform that you want to install and determine the corresponding tag on the Repository Tags page.
Set the required environment variables:
Export the release version:
$ OCP_RELEASE=<release_version>
For <release_version>
, specify the tag that corresponds to the version of OpenShift Container Platform to
install, such as 4.5.4
.
Export the local registry name and host port:
$ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'
For <local_registry_host_name>
, specify the registry domain name for your mirror
repository, and for <local_registry_host_port>
, specify the port that it
serves content on.
Export the local repository name:
$ LOCAL_REPOSITORY='<local_repository_name>'
For <local_repository_name>
, specify the name of the repository to create in your
registry, such as ocp4/openshift4
.
Export the name of the repository to mirror:
$ PRODUCT_REPO='openshift-release-dev'
For a production release, you must specify openshift-release-dev
.
Export the path to your registry pull secret:
$ LOCAL_SECRET_JSON='<path_to_pull_secret>'
For <path_to_pull_secret>
, specify the absolute path to and file name of the pull secret for your mirror registry that you created.
Export the release mirror:
$ RELEASE_NAME="ocp-release"
For a production release, you must specify ocp-release
.
Export the type of architecture for your cluster:
$ ARCHITECTURE=<cluster_architecture> (1)
1 | Specify the architecture of the cluster, such as x86_64 , aarch64 , s390x , or ppc64le . |
Export the path to the directory to host the mirrored images:
$ REMOVABLE_MEDIA_PATH=<path> (1)
1 | Specify the full path, including the initial forward slash (/) character. |
Mirror the version images to the mirror registry:
If your mirror host does not have internet access, take the following actions:
Connect the removable media to a system that is connected to the internet.
Review the images and configuration manifests to mirror:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \
--from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
--to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE} --dry-run
Record the entire imageContentSources
section from the output of the previous
command. The information about your mirrors is unique to your mirrored repository, and you must add the imageContentSources
section to the install-config.yaml
file during installation.
Mirror the images to a directory on the removable media:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE}
Take the media to the restricted network environment and upload the images to the local container registry.
$ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} (1)
1 | For REMOVABLE_MEDIA_PATH , you must use the same path that you specified when you mirrored the images. |
If the local container registry is connected to the mirror host, take the following actions:
Directly push the release images to the local registry by using following command:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \
--from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE}-${ARCHITECTURE} \
--to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \
--to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}
This command pulls the release information as a digest, and its output includes
the imageContentSources
data that you require when you install your cluster.
Record the entire imageContentSources
section from the output of the previous
command. The information about your mirrors is unique to your mirrored repository, and you must add the imageContentSources
section to the install-config.yaml
file during installation.
The image name gets patched to Quay.io during the mirroring process, and the podman images will show Quay.io in the registry on the bootstrap virtual machine. |
To create the installation program that is based on the content that you mirrored, extract it and pin it to the release:
If your mirror host does not have internet access, run the following command:
$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-baremetal-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}"
If the local container registry is connected to the mirror host, run the following command:
$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-baremetal-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}-${ARCHITECTURE}"
To ensure that you use the correct images for the version of OpenShift Container Platform that you selected, you must extract the installation program from the mirrored content. You must perform this step on a machine with an active internet connection. If you are in a disconnected environment, use the |
For clusters using installer-provisioned infrastructure, run the following command:
$ openshift-baremetal-install
On the provisioner node, the install-config.yaml
file should use the newly created pull-secret from the pull-secret-update.txt
file. The install-config.yaml
file must also contain the disconnected registry node’s certificate and registry information.
Add the disconnected registry node’s certificate to the install-config.yaml
file:
$ echo "additionalTrustBundle: |" >> install-config.yaml
The certificate should follow the "additionalTrustBundle: |"
line and be properly indented, usually by two spaces.
$ sed -e 's/^/ /' /opt/registry/certs/domain.crt >> install-config.yaml
Add the mirror information for the registry to the install-config.yaml
file:
$ echo "imageContentSources:" >> install-config.yaml
$ echo "- mirrors:" >> install-config.yaml
$ echo " - registry.example.com:5000/ocp4/openshift4" >> install-config.yaml
Replace registry.example.com
with the registry’s fully qualified domain name.
$ echo " source: quay.io/openshift-release-dev/ocp-release" >> install-config.yaml
$ echo "- mirrors:" >> install-config.yaml
$ echo " - registry.example.com:5000/ocp4/openshift4" >> install-config.yaml
Replace registry.example.com
with the registry’s fully qualified domain name.
$ echo " source: quay.io/openshift-release-dev/ocp-v4.0-art-dev" >> install-config.yaml
If you are deploying OpenShift Container Platform without a DHCP server on the baremetal
network, you must configure a static IP address for the bootstrap VM using Ignition.
Create the ignition configuration files:
$ ./openshift-baremetal-install --dir <cluster_configs> create ignition-configs
Replace <cluster_configs>
with the path to your cluster configuration files.
Create the bootstrap_config.sh
file:
#!/bin/bash
BOOTSTRAP_CONFIG="[connection]
type=ethernet
interface-name=ens3
[ethernet]
[ipv4]
method=manual
addresses=<ip_address>/<cidr>
gateway=<gateway_ip_address>
dns=<dns_ip_address>"
cat <<_EOF_ > bootstrap_network_config.ign
{
"path": "/etc/NetworkManager/system-connections/ens3.nmconnection",
"mode": 384,
"contents": {
"source": "data:text/plain;charset=utf-8;base64,$(echo "${BOOTSTRAP_CONFIG}" | base64 -w 0)"
}
}
_EOF_
mv <cluster_configs>/bootstrap.ign <cluster_configs>/bootstrap.ign.orig
jq '.storage.files += $input' <cluster_configs>/bootstrap.ign.orig --slurpfile input bootstrap_network_config.ign > <cluster_configs>/bootstrap.ign
Replace <ip_address>
and <cidr>
with the IP address and CIDR of the address range. Replace <gateway_ip_address>
with the IP address of the gateway on the baremetal
network. Replace <dns_ip_address>
with the IP address of the DNS server on the baremetal
network. Replace <cluster_configs>
with the path to your cluster configuration files.
Make the bootstrap_config.sh
file executable:
$ chmod 755 bootstrap_config.sh
Run the bootstrap_config.sh
script to create the bootstrap_network_config.ign
file:
$ ./bootstrap_config.sh
OpenShift Container Platform installer has been retrieved.
OpenShift Container Platform installer has been extracted.
Required parameters for the install-config.yaml
have been configured.
The hosts
parameter for the install-config.yaml
has been configured.
The bmc
parameter for the install-config.yaml
has been configured.
Conventions for the values configured in the bmc
address
field have been applied.
Created the OpenShift Container Platform manifests.
(Optional) Deployed routers on worker nodes.
(Optional) Created a disconnected registry.
(Optional) Validate disconnected registry settings if in use.