OKD 4 : Install #1
2022/04/19

Install OKD 4, the upstream version of Red Hat OpenShift 4.
This example is based on the following environment.
--------------+----------------+-----------------+--------------
              |10.0.0.25       |                 |10.0.0.24
+-------------+-------------+  |  +--------------+-------------+
|   [mgr.okd4.srv.world]    |  |  | [bootstrap.okd4.srv.world] |
|       Manager Node        |  |  |       Bootstrap Node       |
|            DNS            |  |  |                            |
|           Nginx           |  |  |                            |
+---------------------------+  |  +----------------------------+
                               |
--------------+----------------+-----------------+--------------
              |10.0.0.40       |                 |10.0.0.41
+-------------+-------------+  |  +--------------+-------------+
| [master-0.okd4.srv.world] |  |  | [master-1.okd4.srv.world]  |
|      Control Plane#1      |  |  |      Control Plane#2       |
|                           |  |  |                            |
|                           |  |  |                            |
+---------------------------+  |  +----------------------------+
                               |
--------------+----------------+
              |10.0.0.42
+-------------+-------------+
| [master-2.okd4.srv.world] |
|      Control Plane#3      |
|                           |
|                           |
+---------------------------+

The minimum system requirements are as follows (per the official documentation).

* Bootstrap Node ⇒ 4 CPU, 16 GB RAM, 100 GB Storage, Fedora CoreOS
* Control Plane Node ⇒ 4 CPU, 16 GB RAM, 100 GB Storage, Fedora CoreOS
* Compute Node ⇒ 2 CPU, 8 GB RAM, 100 GB Storage, Fedora CoreOS

* The Bootstrap Node is needed only while bootstrapping the cluster.

First, configure the Manager Node.

[1]
[2]
[3] Add the required settings for the OKD cluster to Dnsmasq.

[root@mgr ~]# vi /etc/dnsmasq.conf
# line 80 : add
# apps.(any cluster name).(domain name)/IP address
# [*.apps.okd4.srv.world] is resolved to [10.0.0.25]
address=/apps.okd4.srv.world/10.0.0.25
# line 145 : add domain name
domain=okd4.srv.world

[root@mgr ~]# vi /etc/hosts
# [api], [api-int], [bootstrap] ⇒ fixed name
# [master-0] ⇒ hostname of each node you set
# [etcd-0], [_etcd-server-ssl._tcp] ⇒ CNAME of [master-0] and they are fixed name
# if adding more Control Planes : specify [etcd-(n)]
# ⇒ (IP address) (Hostname) etcd-1 _etcd-server-ssl._tcp
10.0.0.24 bootstrap
10.0.0.25 api api-int
10.0.0.40 master-0 etcd-0 _etcd-server-ssl._tcp
10.0.0.41 master-1 etcd-1 _etcd-server-ssl._tcp
10.0.0.42 master-2 etcd-2 _etcd-server-ssl._tcp
[root@mgr ~]# systemctl restart dnsmasq

# change DNS setting
# replace the device name and IP address to match your environment
[root@mgr ~]# DNS=$(nmcli device show enp1s0 | grep ^IP4.DNS | awk '{print $2}')
[root@mgr ~]# nmcli connection modify enp1s0 ipv4.dns "10.0.0.25 $DNS"
[root@mgr ~]# nmcli connection modify enp1s0 ipv4.dns-search "okd4.srv.world"
[root@mgr ~]# nmcli connection up enp1s0

[4] Add the required settings for the OKD cluster to Nginx.

[root@mgr ~]# dnf -y install nginx-mod-stream
[root@mgr ~]# vi /etc/nginx/nginx.conf
    server {
        # line 39 : change listening port
        listen 8080 default_server;
        listen [::]:8080 default_server;

# add to the end
stream {
    upstream k8s-api {
        server 10.0.0.24:6443;
        server 10.0.0.40:6443;
        server 10.0.0.41:6443;
        server 10.0.0.42:6443;
    }
    upstream machine-config {
        server 10.0.0.24:22623;
        server 10.0.0.40:22623;
        server 10.0.0.41:22623;
        server 10.0.0.42:22623;
    }
    upstream ingress-http {
        server 10.0.0.40:80;
        server 10.0.0.41:80;
        server 10.0.0.42:80;
    }
    upstream ingress-https {
        server 10.0.0.40:443;
        server 10.0.0.41:443;
        server 10.0.0.42:443;
    }
    upstream ingress-health {
        server 10.0.0.40:1936;
        server 10.0.0.41:1936;
        server 10.0.0.42:1936;
    }
    server {
        listen 6443;
        proxy_pass k8s-api;
    }
    server {
        listen 22623;
        proxy_pass machine-config;
    }
    server {
        listen 80;
        proxy_pass ingress-http;
    }
    server {
        listen 443;
        proxy_pass ingress-https;
    }
    server {
        listen 1936;
        proxy_pass ingress-health;
    }
}

[root@mgr ~]# systemctl restart nginx

[5] If SELinux is enabled, change policy.

[root@mgr ~]# setsebool -P httpd_can_network_connect on
[root@mgr ~]# setsebool -P httpd_graceful_shutdown on
[root@mgr ~]# setsebool -P httpd_can_network_relay on
[root@mgr ~]# setsebool -P nis_enabled on
[root@mgr ~]# semanage port -a -t http_port_t -p tcp 6443
[root@mgr ~]# semanage port -a -t http_port_t -p tcp 22623
[root@mgr ~]# semanage port -a -t http_port_t -p tcp 1936

[6] If Firewalld is running, allow service ports.

[root@mgr ~]# firewall-cmd --add-service={dns,http,https}
success
[root@mgr ~]# firewall-cmd --add-port={6443/tcp,22623/tcp,1936/tcp,8080/tcp}
success
[root@mgr ~]# firewall-cmd --runtime-to-permanent
success
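
To confirm that steps [4] to [6] agree with each other, the following added example (not part of the original page) compares the ports Nginx listens on with the ports Firewalld allows and reports any mismatch. The function names are hypothetical and the sample configuration and firewall state are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Print each port used by a "listen" directive in an nginx config file.
nginx_listen_ports() {
    awk '{ sub(/#.*/, "")                      # ignore comments
           for (i = 1; i < NF; i++) if ($i == "listen") {
               p = $(i + 1)
               sub(/;.*$/, "", p)              # "6443;"     -> "6443"
               sub(/^.*:/, "", p)              # "[::]:8080" -> "8080"
               if (p ~ /^[0-9]+$/) print p
           } }' "$1" | sort -un
}

# Turn "firewall-cmd --list-ports" / "--list-services" output into TCP port
# numbers. Only http and https are mapped, the two services nginx serves here.
firewall_tcp_ports() {
    {
        for p in $1; do case $p in */tcp) echo "${p%/tcp}" ;; esac; done
        for s in $2; do case $s in http) echo 80 ;; https) echo 443 ;; esac; done
    } | sort -un
}

# "blocked N": nginx listens on N but firewalld does not allow it.
# "unused N" : firewalld allows N but nginx has no listener on it.
audit_exposure() {
    listen=$(nginx_listen_ports "$1")
    allowed=$(firewall_tcp_ports "$2" "$3")
    for p in $listen;  do echo "$allowed" | grep -qx "$p" || echo "blocked $p"; done
    for p in $allowed; do echo "$listen"  | grep -qx "$p" || echo "unused $p";  done
}

# Constructed sample: the listeners from step [4], checked against the firewalld
# state from step [6] plus a leftover 9000/tcp that nothing listens on.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
server {
    listen 8080 default_server;
    listen [::]:8080 default_server;
}
stream {
    server { listen 6443;  proxy_pass k8s-api; }
    server { listen 22623; proxy_pass machine-config; }
    server { listen 80;    proxy_pass ingress-http; }
    server { listen 443;   proxy_pass ingress-https; }
    server { listen 1936;  proxy_pass ingress-health; }
}
EOF
audit_exposure "$sample" "6443/tcp 22623/tcp 1936/tcp 8080/tcp 9000/tcp" "dns http https ssh"
```

On the manager node, run it against the live state with `audit_exposure /etc/nginx/nginx.conf "$(firewall-cmd --list-ports)" "$(firewall-cmd --list-services)"`; an empty result means every listener is reachable and no extra TCP port is open.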