Install OpenShift Enterprise with Contrail SDN (OpenShift Ansible)
PLEASE REFER TO NEW DOCS: LINK
* Master Node (x1 / x3 for HA)
IMAGE: RHEL 7.3/7.4
CPU/RAM: 4 CPU / 32 GB RAM
DISK: 250 GB
SEC GRP: Allow all traffic from everywhere
* Slave Node (xN)
IMAGE: RHEL 7.3/7.4
CPU/RAM: 8 CPU / 64 GB RAM
DISK: 250 GB
SEC GRP: Allow all traffic from everywhere
* Loadbalancer Node (x1) in case of HA. Ignore this for a single master installation
IMAGE: RHEL 7.3/7.4
CPU/RAM: 2 CPU / 16 GB RAM
DISK: 100 GB
SEC GRP: Allow all traffic from everywhere
NOTE: Make sure to launch the instances in the same subnet
-
Register all nodes in the cluster using Red Hat Subscription Manager (RHSM)
(all-nodes)# subscription-manager register --username <username> --password <password> --force
-
List the available subscriptions
(all-nodes)# subscription-manager list --available --matches '*OpenShift*'
-
From the previous command, find the pool ID for OpenShift Container Platform subscription & attach it
(all-nodes)# subscription-manager attach --pool=<pool-ID>
-
Disable all yum repositories
(all-nodes)# subscription-manager repos --disable="*"
-
Enable only the repositories required by OpenShift Container Platform 3.7
(all-nodes)# subscription-manager repos \
    --enable="rhel-7-server-rpms" \
    --enable="rhel-7-server-extras-rpms" \
    --enable="rhel-7-server-ose-3.7-rpms" \
    --enable="rhel-7-fast-datapath-rpms"
-
Install EPEL
(all-nodes)# yum install wget -y && wget -O /tmp/epel-release-latest-7.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && rpm -ivh /tmp/epel-release-latest-7.noarch.rpm
-
Update the system to use the latest packages
(all-nodes)# yum update -y
-
Install the following package, which provides OpenShift Container Platform utilities
(all-nodes)# yum install atomic-openshift-excluder atomic-openshift-utils git python-netaddr -y
-
Remove the atomic-openshift packages from the yum exclude list for the duration of the installation
(all-nodes)# atomic-openshift-excluder unexclude -y
-
Enable SSH access for root user
(all-nodes)# sudo su
(all-nodes)# passwd
(all-nodes)# sed -i -e 's/#PermitRootLogin yes/PermitRootLogin yes/g' -e 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config
(all-nodes)# service sshd restart
(all-nodes)# logout
Log out & log in again as the root user
-
Enforce SELinux security policy
(all-nodes)# vi /etc/selinux/config
SELINUX=enforcing
-
Add static entries for the master and slaves in /etc/hosts
(all-nodes)# vi /etc/hosts
10.84.18.1 master.test.net master
10.84.18.2 slave.test.net slave
(all-nodes)# ping master
(all-nodes)# ping slave
-
Enable passwordless SSH access
(ansible-node)# ssh-keygen -t rsa
(ansible-node)# ssh-copy-id root@<master>
(ansible-node)# ssh-copy-id root@<slave>
If passwordless SSH doesn't work, set
StrictModes no
in /etc/ssh/sshd_config & restart the SSH service
-
Sync NTP
(all-nodes)# service ntpd stop
(all-nodes)# ntpdate -s time.nist.gov
(all-nodes)# service ntpd start
-
Download the package from Juniper site
Download from here
IMAGE: Redhat 7 + Kubernetes
(ansible-node)# wget <contrail-container-image>.tgz && tar -xvzf <contrail-container-image>.tgz
-
Clone OpenShift-Ansible repo
(ansible-node)# cd /root
(ansible-node)# git clone https://github.com/savithruml/openshift-ansible -b contrail-openshift
-
Copy the install files
(ansible-node)# wget -O /root/openshift-ansible/inventory/byo/ose-prerequisites.yml https://raw.githubusercontent.com/savithruml/openshift-contrail/master/openshift/install-files/all-in-one/ose-prerequisites.yml
(ansible-node)# wget -O /root/openshift-ansible/inventory/byo/ose-install https://raw.githubusercontent.com/savithruml/openshift-contrail/master/openshift/install-files/all-in-one/ose-install
-
Populate the install file with Contrail related information
Make sure to add the masters under the [nodes] section of the inventory as well. This ensures that the Contrail control pods come up on the OpenShift masters
Example for single master, refer here
Example for HA master, refer here
(ansible-node)# vi /root/openshift-ansible/inventory/byo/ose-install
[OSEv3:vars]
...
os_sdn_network_plugin_name='cni'
openshift_use_contrail=true
contrail_os_release=redhat7
contrail_version=4.1.0.0-8
analyticsdb_min_diskgb=50
configdb_min_diskgb=25
vrouter_physical_interface=eno1
contrail_docker_images_path=/root
cni_version=v0.5.2
...
NOTE: To understand each of the above parameters, refer to this doc
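The inventory layout the step above refers to, as an added example (not the page's own example file and not code from openshift-ansible): it writes a single-master sample of ose-install carrying the Contrail variables from this page, and checks the rule stated above, that every host under [masters] also appears under [nodes]. The hostnames are constructed; openshift_schedulable and openshift_node_labels are standard openshift-ansible host variables, and the controller label is the one the page applies to masters.

```shell
#!/bin/sh
# Added example, not from the page or openshift-ansible. Writes a constructed
# single-master ose-install inventory and verifies that each [masters] host is
# also listed under [nodes], which the page requires for the Contrail control pods.

# Emit the sample inventory to the file named in $1 (hostnames are placeholders).
write_sample_inventory() {
  cat > "$1" <<'EOF'
[OSEv3:children]
masters
nodes
etcd
[OSEv3:vars]
ansible_ssh_user=root
os_sdn_network_plugin_name='cni'
openshift_use_contrail=true
contrail_os_release=redhat7
contrail_version=4.1.0.0-8
analyticsdb_min_diskgb=50
configdb_min_diskgb=25
vrouter_physical_interface=eno1
contrail_docker_images_path=/root
cni_version=v0.5.2
[masters]
master.test.net
[etcd]
master.test.net
[nodes]
master.test.net openshift_schedulable=true openshift_node_labels="{'opencontrail.org/controller': 'true'}"
slave.test.net
EOF
}

# Print the hostnames listed under the [section] named in $2 of inventory $1.
inventory_hosts() {
  awk -v want="[$2]" '
    /^\[/ { insec = ($0 == want); next }
    insec && NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Return 0 when every [masters] host also appears in [nodes]; otherwise print
# the missing hosts on stderr and return 1.
masters_are_nodes() {
  missing=0
  for h in $(inventory_hosts "$1" masters); do
    inventory_hosts "$1" nodes | grep -qx "$h" || { echo "missing from [nodes]: $h" >&2; missing=1; }
  done
  return $missing
}
```

Point masters_are_nodes at a real ose-install file before running the playbooks; a non-zero exit means a master is absent from [nodes].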
-
Run the ansible-playbook. This will install OpenShift Container Platform with Contrail Networking
(ansible-node)# cd /root/openshift-ansible
(ansible-node)# ansible-playbook -i inventory/byo/ose-install inventory/byo/ose-prerequisites.yml
(ansible-node)# ansible-playbook -i inventory/byo/ose-install playbooks/byo/openshift_facts.yml
(ansible-node)# ansible-playbook -i inventory/byo/ose-install playbooks/byo/config.yml
-
Verify Contrail SDN came up fine
(master)# oc get ds -n kube-system
(master)# oc get pods -n kube-system
-
Create a password for the admin user to log in to the UI
(master-node)# htpasswd /etc/origin/master/htpasswd admin
-
Assign cluster-admin role to admin user
(master-node)# oadm policy add-cluster-role-to-user cluster-admin admin
(master-node)# oc login -u admin
-
Check that you can open & log in to the Contrail & OpenShift web UIs; if not, flush iptables
Contrail: https://<master-node-ip>:8143
OpenShift: https://<master-node-ip>:8443
-
Test by launching pods, services, namespaces, network-policies, ingress, etc., by looking at these examples
-
Remove the existing SDN (OVS, calico, nuage, etc). Refer to respective manuals for help
-
Download the package from Juniper site. Untar & load the containers
Download from here
IMAGE: Redhat 7 + Containers - OpenShift
(all-instances)# wget <contrail-container-image>.tgz && tar -xvzf <contrail-container-image>.tgz
(all-instances)# docker load < <contrail-container-image>.tgz
-
On masters, we need the following docker containers
1. contrail-controller
2. contrail-analytics
3. contrail-analyticsdb
4. contrail-kube-manager
-
On minions, we need the following docker containers
1. contrail-agent
2. contrail-kubernetes-agent
-
Add the contrail and daemon-set-controller service accounts to the privileged SCC
(master)# oadm policy add-scc-to-user privileged system:serviceaccount:kube-system:contrail
(master)# oadm policy add-scc-to-user privileged system:serviceaccount:kube-system:daemon-set-controller
-
Label the masters, so we can launch Contrail pods
(master)# oc label nodes <all-master-nodes> opencontrail.org/controller=true
-
Make masters schedulable
(master)# oadm manage-node <all-master-nodes> --schedulable=true
-
Open relevant Contrail SDN ports in iptables
-
On master instances, open the following ports
-
On node instances, open the following ports
-
Populate the single YAML file based on your setup
(master)# wget https://raw.githubusercontent.com/savithruml/openshift-contrail/master/openshift/install-files/all-in-one/contrail-installer.yaml
Refer to this example file & populate the YAML file
-
Launch the installer
(master)# oc create -f contrail-installer.yaml
-
Verify services are all up & running
(master)# oc get ds -n kube-system
(master)# oc get pods -n kube-system
(master)# oc exec -n kube-system <contrail-pod-name> -- contrail-status
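A readiness check for the two verification steps on this page (the oc get ds / oc get pods step after the Ansible run and the one above after launching the installer), added here and not part of the original page: it flags daemonsets whose READY count is below DESIRED and pods that are not Running with all containers ready. The two listings are constructed samples in the shape of OpenShift 3.7 kube-system output; the pod suffixes and counts are placeholders.

```shell
#!/bin/sh
# Added example, not from the page. Reads "oc get ds" / "oc get pods" output and
# reports Contrail resources that are not fully up. SAMPLE_DS and SAMPLE_PODS are
# constructed listings; on a cluster, pipe the real commands into the functions:
#   oc get ds -n kube-system | ds_not_ready

SAMPLE_DS='NAME                  DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                      AGE
contrail-agent        2         2         2       2            2           <none>                             5m
contrail-analytics    1         1         1       1            1           opencontrail.org/controller=true   5m
contrail-controller   1         1         0       1            0           opencontrail.org/controller=true   5m'

SAMPLE_PODS='NAME                          READY     STATUS             RESTARTS   AGE
contrail-agent-7xk2q          1/1       Running            0          5m
contrail-analytics-b9q4z      1/1       Running            0          5m
contrail-controller-p0l3m     0/1       CrashLoopBackOff   4          5m'

# Read "oc get ds" output on stdin; print each daemonset whose READY count
# (column 4) differs from DESIRED (column 2). Returns 1 if any were printed.
ds_not_ready() {
  awk 'NR > 1 && $4 != $2 { print $1; bad = 1 } END { exit bad ? 1 : 0 }'
}

# Read "oc get pods" output on stdin; print each pod that is not Running with
# every container ready (READY column is "n/n"). Returns 1 if any were printed.
pods_not_ready() {
  awk 'NR > 1 { split($2, r, "/"); if ($3 != "Running" || r[1] != r[2]) { print $1; bad = 1 } }
       END { exit bad ? 1 : 0 }'
}

# Run both checks over the constructed samples; non-zero means something is down.
check_samples() {
  rc=0
  echo "$SAMPLE_DS" | ds_not_ready || rc=1
  echo "$SAMPLE_PODS" | pods_not_ready || rc=1
  return $rc
}
```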
-
Create a password for the admin user to log in to the UI
(master-node)# htpasswd /etc/origin/master/htpasswd admin
-
Assign cluster-admin role to admin user
(master-node)# oadm policy add-cluster-role-to-user cluster-admin admin
(master-node)# oc login -u admin
-
Patch restricted SCC
(master-node)# oc patch scc restricted --patch='{ "runAsUser": { "type": "RunAsAny" } }'
-
Check that you can open & log in to the Contrail & OpenShift web UIs; if not, flush iptables
Contrail: https://<master-node-ip>:8143
OpenShift: https://<master-node-ip>:8443
-
Test by launching pods, services, namespaces, network-policies, ingress, etc., by looking at these examples
Copyright (c) 2018 Juniper Networks, Inc. All rights reserved