OpenShift 3.6 Basic Guest Template: Difference between revisions

From NovaOrdis Knowledge Base
Latest revision as of 20:16, 29 April 2018

Internal

  • OpenShift 3.6 Installation

Overview

This is the simplest possible guest template, which will be used as a base for various other types of guests or more complex templates. The basic template can be used to generate the ingress node directly.

Virtual Machine Creation

KVM Virtual Machine Creation

Make sure the required storage pools have been configured as described in the Virtualization Host Preparation page.

The template creation procedure is described in detail in the virt-install page. Drive the installation from the procedure described there, as it contains critical details.

The actual command is:

virt-install \
  --name ocp36.basic-template \
  --memory 1024 \
  --vcpus 2 \
  --os-variant=rhel7.4 \
  --location /iso-images/rhel-server-7.4-x86_64-dvd.iso \
  --extra-args="console=tty0 console=ttyS0,115200n8" \
  --disk=/iso-images/rhel-server-7.4-x86_64-dvd.iso,device=cdrom \
  --disk=/main-storage-pool/ocp36.basic-template.qcow2,size=7 \
  --network default \
  --graphics none

The command enters an interactive text-mode installation.

VMware Fusion Virtual Machine Creation

VMware Fusion Virtual Machine Provisioning

VirtualBox Virtual Machine Creation

VirtualBox VMs

First-Boot Configuration

  • English/American
  • Network
    • Host name: basic-template.ocp36.local
    • eth0: 192.168.122.21/255.255.255.0/192.168.1.1, IPv6: ignore, nameservers: 8.8.8.8, connect automatically after reboot, apply configuration in installer.

Use a neutral address. The static IP address will be changed when the template is cloned into actual virtual machine instances.

  • Timezone 3 82, NTP server 129.6.15.28
  • Software selection: minimal install
  • Installation destination: vda, use all space, Standard partition.
  • Disable kdump
  • root password

More details about RHEL Minimal installation:

RHEL 7 Installation

Configuration and Validation

IP Address

ip addr
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 52:54:00:03:c4:35 brd ff:ff:ff:ff:ff:ff
   inet 192.168.122.21/24 brd 192.168.122.255 scope global eth0
      valid_lft forever preferred_lft forever
   ...

NetworkManager

OpenShift requires NetworkManager to be operational on all nodes (see https://docs.openshift.com/container-platform/3.6/install_config/install/prerequisites.html#prereq-networkmanager). Verify it works:

nmcli g

Attach the Node to a RHEL Subscription

Follow the procedure described here:

Register a Linux System

and

Register a Standard RHEL Subscription

The summary is available below:

subscription-manager register
subscription-manager refresh 
subscription-manager list --available --all
subscription-manager attach --pool=<pool-id> --quantity=1

Install Required Base Packages

yum install wget git net-tools bind-utils iptables-services bridge-utils bash-completion kexec kexec-tools sos psacct zip unzip rpcbind nfs-utils haproxy

Also see https://docs.openshift.com/container-platform/3.6/install_config/install/host_preparation.html#installing-base-packages

Update the Entire System

yum update -y

Reboot

systemctl reboot

Configure DNS

Configure the DNS client with nmcli:

nmcli dev status
# get the connection name
nmcli con mod <connection-name> ipv4.dns-search "ocp36.local"
nmcli con mod <connection-name> ipv4.dns "<ip-address-of-the-support-DNS-server> 8.8.8.8"

Note that the support DNS server may not be up at times while the environment is being set up, so network operations may be slow.

Turn Off ssh Client Name DNS Verification

Turn off sshd client name DNS verification

Authorize Virtualization Host root's Public Key

cd
mkdir .ssh
echo "..." > .ssh/authorized_keys
chmod -R go-rwx .ssh

SELinux

Make sure SELinux is enabled on all hosts:

 sestatus

If it is not, enable it.

Also make sure SELINUXTYPE is "targeted" in /etc/selinux/config.

cat /etc/selinux/config

Firewall Configuration

firewalld must be disabled and replaced with iptables. Follow this procedure. The summary is presented below:

systemctl stop firewalld
systemctl disable firewalld
systemctl is-enabled firewalld
yum remove firewalld

OpenShift needs iptables running:

systemctl enable iptables
systemctl start iptables

Configure the OpenShift Installation User

All environment hosts must provide an "ansible" user that the OpenShift advanced installation procedure can use to install OpenShift. For that:

1. Create the user on the template, as shown below:

groupadd -g 2200 ansible
useradd -m -g ansible -u 2200 ansible

2. As "ansible", create a passwordless ssh public/private key pair on the template host.

su - ansible
ssh-keygen -q -b 2048 -f ~/.ssh/id_rsa -t rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again:

3. Move the key pair to the environment's directory on the virtualization host and name the files ansible-id_rsa and ansible-id_rsa.pub.

pwd
/root/environments/ocp36
ls -l
-rw-------. 1 root root 1675 Nov  7 17:26 ansible-id_rsa
-rw-r--r--. 1 root root  416 Nov  7 17:26 ansible-id_rsa.pub

4. Remove both keys from the template.

cd .ssh
rm id_rsa
rm id_rsa.pub

5. Add the "ansible" user's public key to ~ansible/.ssh/authorized_keys.

echo "..." > ~ansible/.ssh/authorized_keys

6. Enable passwordless sudo for "ansible".
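A pre-clone validation script, added here as an example and not part of the wiki page, that checks the settings established in the sections above (SELinux, firewall, the ansible user, its keys and sudo access). The sudoers file path /etc/sudoers.d/ansible is an assumption; each check takes its input as arguments so it can also be run against sample files.

```shell
#!/bin/sh
# Added example, not from the wiki page: pre-clone checks for the ocp36 basic template,
# covering the steps above. Each check takes its input as arguments so it can run on the
# live host (validate_template) or on sample files. /etc/sudoers.d/ansible is assumed.

# SELinux must be enforcing with SELINUXTYPE=targeted in /etc/selinux/config.
selinux_config_ok() {
    grep -Eq '^SELINUX=enforcing[[:space:]]*$' "$1" &&
        grep -Eq '^SELINUXTYPE=targeted[[:space:]]*$' "$1"
}

# firewalld must be disabled (or removed, reported as "not-found") and iptables enabled.
# Arguments are unit states as printed by "systemctl is-enabled <unit>".
firewall_ok() {
    case "$1" in disabled|masked|not-found) ;; *) return 1 ;; esac
    [ "$2" = "enabled" ]
}

# The "ansible" user and group must exist with uid 2200 and gid 2200 (step 1).
ansible_user_ok() {
    grep -Eq '^ansible:[^:]*:2200:2200:' "$1" && grep -Eq '^ansible:[^:]*:2200:' "$2"
}

# The template must not ship the ansible private key (step 4) but must carry the
# public key in authorized_keys (step 5) with no group/other access.
ansible_keys_ok() {
    [ ! -e "$1/.ssh/id_rsa" ] && [ -s "$1/.ssh/authorized_keys" ] &&
        [ "$(stat -c '%a' "$1/.ssh/authorized_keys")" = "600" ]
}

# Passwordless sudo must be granted to the ansible user itself, not to a wildcard (step 6).
sudoers_ok() {
    grep -Eq '^ansible[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:[[:space:]]*ALL[[:space:]]*$' "$1"
}

# Run all checks on the live host: one PASS/FAIL line each, non-zero exit on any failure.
# A unit removed with "yum remove" prints no state on stdout, which is mapped to "not-found".
validate_template() {
    rc=0
    fw=$(systemctl is-enabled firewalld 2>/dev/null) || fw=${fw:-not-found}
    ipt=$(systemctl is-enabled iptables 2>/dev/null) || ipt=${ipt:-not-found}
    for c in "selinux_config_ok /etc/selinux/config" "firewall_ok $fw $ipt" \
             "ansible_user_ok /etc/passwd /etc/group" "ansible_keys_ok /home/ansible" \
             "sudoers_ok /etc/sudoers.d/ansible"; do
        if $c; then echo "PASS ${c%% *}"; else echo "FAIL ${c%% *}"; rc=1; fi
    done
    return $rc
}
```

Run validate_template as root on the template before cloning it; any FAIL line points at the section above that still needs to be applied.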

Other Miscellaneous Configuration

Configure log rotation (/etc/logrotate.conf):

# rotate log files daily
daily

# keep 2 days worth of backlogs
rotate 2