Install OpenShift Enterprise with Contrail SDN (OpenShift Ansible)

Aniket Gawade edited this page Aug 6, 2018 · 2 revisions

==========DEPRECATED==========

PLEASE REFER TO NEW DOCS: LINK

OpenShift Enterprise 3.7

Install OpenShift + Contrail SDN

Launch Instances (Azure/AWS/Baremetal)

* Master Node   (x1 / x3 for HA)

    IMAGE:      RHEL 7.3/7.4
    CPU/RAM:    4 CPU / 32 GB RAM
    DISK:       250 GB
    SEC GRP:    Allow all traffic from everywhere

* Slave Node    (xN)

    IMAGE:      RHEL 7.3/7.4
    CPU/RAM:    8 CPU / 64 GB RAM
    DISK:       250 GB
    SEC GRP:    Allow all traffic from everywhere

* Loadbalancer Node (x1) in case of HA. Ignore this for a single master installation

    IMAGE:      RHEL 7.3/7.4
    CPU/RAM:    2 CPU / 16 GB RAM
    DISK:       100 GB
    SEC GRP:    Allow all traffic from everywhere

NOTE: Make sure to launch the instances in the same subnet

Host Registration

  • Register all nodes in cluster using Red Hat Subscription Manager (RHSM)

     (all-nodes)# subscription-manager register --username <username> --password <password> --force
    
  • List the available subscriptions

     (all-nodes)# subscription-manager list --available --matches '*OpenShift*'
    
  • From the previous command, find the pool ID for OpenShift Container Platform subscription & attach it

     (all-nodes)# subscription-manager attach --pool=<pool-ID>
    
  • Disable all yum repositories

     (all-nodes)# subscription-manager repos --disable="*"
    
  • Enable only the repositories required by OpenShift Container Platform 3.7

     (all-nodes)# subscription-manager repos \
                    --enable="rhel-7-server-rpms" \
                    --enable="rhel-7-server-extras-rpms" \
                    --enable="rhel-7-server-ose-3.7-rpms" \
                    --enable="rhel-7-fast-datapath-rpms"
    

Installing Base packages

  • Install epel

     (all-nodes)# yum install wget -y && wget -O /tmp/epel-release-latest-7.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && rpm -ivh /tmp/epel-release-latest-7.noarch.rpm
    
  • Update the system to use the latest packages

     (all-nodes)# yum update -y
    
  • Install the following package, which provides OpenShift Container Platform utilities

     (all-nodes)# yum install atomic-openshift-excluder atomic-openshift-utils git python-netaddr -y
    
  • Remove the atomic-openshift packages from the yum exclude list for the duration of the installation

     (all-nodes)# atomic-openshift-excluder unexclude -y
    
  • Enable SSH access for root user

     (all-nodes)# sudo su
     (all-nodes)# passwd
     (all-nodes)# sed -i -e 's/#PermitRootLogin yes/PermitRootLogin yes/g' -e 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config 
     (all-nodes)# service sshd restart
     (all-nodes)# logout
    
     Log out & log in as root user
    
  • Enforce SELinux security policy

     (all-nodes)# vi /etc/selinux/config
    
            SELINUX=enforcing
    
  • Add a static entry for master/slaves in /etc/hosts

     (all-nodes)# vi /etc/hosts
               
            10.84.18.1 master.test.net master
            10.84.18.2 slave.test.net  slave
    
     (all-nodes)# ping master
     (all-nodes)# ping slave
    
  • Enable passwordless SSH access

     (ansible-node)# ssh-keygen -t rsa
     (ansible-node)# ssh-copy-id root@<master>
     (ansible-node)# ssh-copy-id root@<slave>
    

    If passwordless SSH doesn't work, make sure to set StrictModes no in /etc/ssh/sshd_config & restart the SSH service

  • Sync NTP

     (all-nodes)# service ntpd stop
     (all-nodes)# ntpdate -s time.nist.gov
     (all-nodes)# service ntpd start
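
The sed command in the root-login step only rewrites the exact strings `#PermitRootLogin yes` and `PasswordAuthentication no`, and sshd applies the first value it reads for each keyword, so the file may not end up in the state intended. The following added example (not part of the original page; the sample configs and the stock RHEL 7 defaults it passes are assumptions) reports which of the settings relaxed above are actually in effect, and is the same check to run once `ssh-copy-id` has installed the key:

```bash
#!/usr/bin/env bash
# Added example: audit the sshd directives touched by the root-login and
# StrictModes steps. sshd uses the FIRST value it reads for each keyword.

# effective_sshd_value FILE KEYWORD DEFAULT
# Prints the first uncommented global value of KEYWORD, or DEFAULT if absent.
effective_sshd_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        $1 ~ /^#/ { next }                      # skip comment lines
        tolower($1) == "match" { exit }         # global section ends at first Match
        tolower($1) == key { val = tolower($2); exit }
        END { print (val != "" ? val : def) }
    ' "$1"
}

# audit_sshd FILE -> one line per setting still relaxed; nothing when clean.
# The defaults passed here are assumptions taken from a stock RHEL 7 sshd_config.
audit_sshd() {
    local f=$1
    if [ "$(effective_sshd_value "$f" PermitRootLogin yes)" = "yes" ]; then
        echo "PermitRootLogin=yes (root may log in with a password)"
    fi
    if [ "$(effective_sshd_value "$f" PasswordAuthentication yes)" = "yes" ]; then
        echo "PasswordAuthentication=yes"
    fi
    if [ "$(effective_sshd_value "$f" StrictModes yes)" = "no" ]; then
        echo "StrictModes=no (key file permissions are not checked)"
    fi
    return 0
}

# Constructed sample: the state left by the sed command plus StrictModes no.
sample_relaxed() {
    printf '%s\n' '# constructed sample' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' 'StrictModes no' \
        'Match User deploy' '    PasswordAuthentication no'
}

# Constructed sample: key-only root access after ssh-copy-id has succeeded.
sample_key_only() {
    printf '%s\n' 'PermitRootLogin without-password' \
        'PasswordAuthentication no' '#StrictModes yes'
}

tmp=$(mktemp); sample_relaxed > "$tmp"; audit_sshd "$tmp"; rm -f "$tmp"
```

On a live host, `sshd -T` prints the effective configuration directly, and `audit_sshd /etc/ssh/sshd_config` gives the same report from the file.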
    

Install OpenShift with Contrail Networking

  • Download the package from Juniper site

    Download from here

    IMAGE: Redhat 7 + Kubernetes

     (ansible-node)# wget <contrail-container-image>.tgz && tar -xvzf <contrail-container-image>.tgz
    
  • Clone OpenShift-Ansible repo

     (ansible-node)# cd /root
     (ansible-node)# git clone https://github.com/savithruml/openshift-ansible -b contrail-openshift
    
  • Copy the install files

     (ansible-node)# wget -O /root/openshift-ansible/inventory/byo/ose-prerequisites.yml https://raw.githubusercontent.com/savithruml/openshift-contrail/master/openshift/install-files/all-in-one/ose-prerequisites.yml
     (ansible-node)# wget -O /root/openshift-ansible/inventory/byo/ose-install https://raw.githubusercontent.com/savithruml/openshift-contrail/master/openshift/install-files/all-in-one/ose-install
    
  • Populate the install file with Contrail related information

    Make sure to add the masters under [nodes] section of the inventory as well. This will ensure that the contrail control pods will come up on the OpenShift masters

    Example for single master, refer here

    Example for HA master, refer here

     (ansible-node)# vi /root/openshift-ansible/inventory/byo/ose-install
    
            [OSEv3:vars]
            ...
            os_sdn_network_plugin_name='cni'
            openshift_use_contrail=true
            contrail_os_release=redhat7
            contrail_version=4.1.0.0-8
            analyticsdb_min_diskgb=50
            configdb_min_diskgb=25
            vrouter_physical_interface=eno1
            contrail_docker_images_path=/root
            cni_version=v0.5.2
            ...
    

    NOTE: To understand each of the above parameters, refer to this doc

  • Run the ansible-playbook. This will install OpenShift Container Platform with Contrail Networking

     (ansible-node)# cd /root/openshift-ansible
     (ansible-node)# ansible-playbook -i inventory/byo/ose-install inventory/byo/ose-prerequisites.yml
     (ansible-node)# ansible-playbook -i inventory/byo/ose-install playbooks/byo/openshift_facts.yml
     (ansible-node)# ansible-playbook -i inventory/byo/ose-install playbooks/byo/config.yml
    
  • Verify Contrail SDN came up fine

     (master)# oc get ds -n kube-system
     (master)# oc get pods -n kube-system
    
  • Create a password for admin user to login to the UI

    (master-node)# htpasswd /etc/origin/master/htpasswd admin
    
  • Assign cluster-admin role to admin user

    (master-node)# oadm policy add-cluster-role-to-user cluster-admin admin
    (master-node)# oc login -u admin
    
  • Check if you can open & login to Contrail & OpenShift Web-UI, else flush iptables

     Contrail: https://<master-node-ip>:8143
    
     OpenShift: https://<master-node-ip>:8443
    
  • Test by launching pods, services, namespaces, network-policies, ingress, etc., by looking at these examples
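
A pre-flight check for the inventory step above, added here as an example and not taken from the openshift-ansible or Contrail repositories: it confirms that every host under `[masters]` is also listed under `[nodes]` and that the Contrail variables shown in `[OSEv3:vars]` are present. The `[masters]` group name and the sample inventories are assumptions; the host names reuse the /etc/hosts entries above.

```bash
#!/usr/bin/env bash
# Added example: lint the ose-install inventory before running ansible-playbook.
# check_inventory FILE -> one line per problem; prints nothing when the file passes.
check_inventory() {
    awk '
        BEGIN {   # Contrail variables from the [OSEv3:vars] snippet on this page
            n = split("os_sdn_network_plugin_name openshift_use_contrail contrail_os_release contrail_version vrouter_physical_interface contrail_docker_images_path", req, " ")
        }
        NF == 0 || $1 ~ /^[#;]/ { next }        # blank lines and comments
        $1 ~ /^\[/ { sec = substr($1, 2, length($1) - 2); next }
        sec == "masters" { masters[$1] = 1 }    # first field is the host name
        sec == "nodes"   { nodes[$1] = 1 }
        sec == "OSEv3:vars" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", key)
            vars[key] = 1
        }
        END {
            for (m in masters) if (!(m in nodes)) print "master not in [nodes]: " m
            for (i = 1; i <= n; i++) if (!(req[i] in vars)) print "missing var: " req[i]
        }
    ' "$1"
}

# Constructed sample inventory that passes the check.
sample_good() {
    cat <<'EOF'
[OSEv3:vars]
os_sdn_network_plugin_name='cni'
openshift_use_contrail=true
contrail_os_release=redhat7
contrail_version=4.1.0.0-8
vrouter_physical_interface=eno1
contrail_docker_images_path=/root

[masters]
master.test.net

[nodes]
master.test.net
slave.test.net
EOF
}

# Same inventory with the master dropped from [nodes] and the vRouter interface unset.
sample_bad() {
    sample_good | awk '/^vrouter_physical_interface/ { next } /^master\.test\.net/ && seen++ { next } { print }'
}

tmp=$(mktemp); sample_bad > "$tmp"; check_inventory "$tmp"; rm -f "$tmp"
```

Run it as `check_inventory /root/openshift-ansible/inventory/byo/ose-install`; an empty result means both conditions hold.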

Install Contrail SDN on an existing OpenShift setup

  • Remove the existing SDN (OVS, calico, nuage, etc). Refer to respective manuals for help

  • Download the package from Juniper site. Untar & load the containers

    Download from here

    IMAGE: Redhat 7 + Containers - OpenShift

    (all-instances)# wget <contrail-container-image>.tgz && tar -xvzf <contrail-container-image>.tgz
    (all-instances)# docker load < <contrail-container-image>.tgz
    
  • On masters, we need the following docker containers

     1. contrail-controller
     2. contrail-analytics
     3. contrail-analyticsdb
     4. contrail-kube-manager
    
  • On minions, we need the following docker containers

     1. contrail-agent
     2. contrail-kubernetes-agent
    
  • Add contrail, daemon-set-controller to privileged scc

     (master)# oadm policy add-scc-to-user privileged system:serviceaccount:kube-system:contrail
     (master)# oadm policy add-scc-to-user privileged system:serviceaccount:kube-system:daemon-set-controller
    
  • Label the masters, so we can launch Contrail pods

     (master)# oc label nodes <all-master-nodes> opencontrail.org/controller=true
    
  • Make masters schedulable

     (master)# oadm manage-node <all-master-nodes> --schedulable=true
    
  • Open relevant Contrail SDN ports in iptables

    1. On master instances, open the following ports

    2. On node instances, open the following ports

  • Populate the single YAML file based on your setup

     (master)# wget https://raw.githubusercontent.com/savithruml/openshift-contrail/master/openshift/install-files/all-in-one/contrail-installer.yaml
    

    Refer to this example file & populate the YAML file

  • Launch the installer

     (master)# oc create -f contrail-installer.yaml
    
  • Verify services are all up & running

     (master)# oc get ds -n kube-system
     (master)# oc get pods -n kube-system
     (master)# oc exec -n kube-system <contrail-pod-name> -- contrail-status
    
  • Create a password for admin user to login to the UI

     (master-node)# htpasswd /etc/origin/master/htpasswd admin
    
  • Assign cluster-admin role to admin user

    (master-node)# oadm policy add-cluster-role-to-user cluster-admin admin
    (master-node)# oc login -u admin
    
  • Patch restricted SCC

     (master-node)# oc patch scc restricted --patch='{ "runAsUser": { "type": "RunAsAny" } }'
    
  • Check if you can open & login to Contrail & OpenShift Web-UI, else flush iptables

     Contrail: https://<master-node-ip>:8143
     OpenShift: https://<master-node-ip>:8443
    
  • Test by launching pods, services, namespaces, network-policies, ingress, etc., by looking at these examples