OpenShift Enterprise with Contrail Networking

Savithru Lokanath edited this page Nov 9, 2017 · 24 revisions

OpenShift Enterprise 3.6

Host Registration

  • Register all nodes in cluster using Red Hat Subscription Manager (RHSM)

     (all-nodes)# subscription-manager register --username <username> --password <password> --force
    
  • List the available subscriptions

     (all-nodes)# subscription-manager list --available --matches '*OpenShift*'
    
  • From the previous command, find the pool ID for OpenShift Container Platform subscription & attach it

     (all-nodes)# subscription-manager attach --pool=<pool-ID>
    
  • Disable all yum repositories

     (all-nodes)# subscription-manager repos --disable="*"
    
  • Enable only the repositories required by OpenShift Container Platform 3.6

     (all-nodes)# subscription-manager repos \
                    --enable="rhel-7-server-rpms" \
                    --enable="rhel-7-server-extras-rpms" \
                    --enable="rhel-7-server-ose-3.6-rpms" \
                    --enable="rhel-7-fast-datapath-rpms"
    

Installing Base packages

  • Install EPEL

     (all-nodes)# wget -O /tmp/epel-release-latest-7.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && rpm -ivh /tmp/epel-release-latest-7.noarch.rpm
    
  • Update the system to use the latest packages

     (all-nodes)# yum update -y
    
  • Install the following packages, which provide OpenShift Container Platform utilities

     (all-nodes)# yum install atomic-openshift-excluder atomic-openshift-utils git -y
    
  • Remove the atomic-openshift packages from the yum exclude list for the duration of the installation

     (all-nodes)# atomic-openshift-excluder unexclude -y
    
  • Enable SSH access for root user

     (all-nodes)# sudo su
     (all-nodes)# passwd
     (all-nodes)# sed -i -e 's/#PermitRootLogin yes/PermitRootLogin yes/g' -e 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config 
     (all-nodes)# service sshd restart
     (all-nodes)# logout
    
     Log out & log in as the root user
    
  • Enforce SELinux security policy

     (all-nodes)# vi /etc/selinux/config
    
            SELINUX=enforcing
    
  • Add a static entry for master/slaves in /etc/hosts

     (all-nodes)# vi /etc/hosts
               
            10.84.18.1 master.test.net master
            10.84.18.2 slave.test.net  slave
    
     (all-nodes)# ping master
     (all-nodes)# ping slave
    
  • Enable passwordless SSH access

     (ansible-node)# ssh-keygen -t rsa
     (ansible-node)# ssh-copy-id root@<master>
     (ansible-node)# ssh-copy-id root@<slave>
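
Once `ssh-copy-id` has installed the key, the password logins switched on in the "Enable SSH access for root user" step can be turned off again. The following is an added example, not part of the original page: `harden_sshd` and `first_value` are hypothetical helper names, and it assumes Ansible connects as root using the key copied above.

```shell
#!/usr/bin/env bash
# Added example: return sshd to key-only root logins after ssh-copy-id.
# harden_sshd and first_value are hypothetical helper names.

# Print the first active (uncommented) value of keyword $2 in file $1.
# sshd uses the first value it reads for each global keyword.
first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Rewrite sshd config $1 so that root can log in with keys only.
harden_sshd() {
    local cfg="${1:-/etc/ssh/sshd_config}" tmp
    [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 1; }

    # Nothing to do if the file is already in the wanted state.
    if [ "$(first_value "$cfg" PermitRootLogin)" = "without-password" ] &&
       [ "$(first_value "$cfg" PasswordAuthentication)" = "no" ]; then
        return 0
    fi

    tmp="$(mktemp)" || return 1
    {
        # Wanted values go first so they take precedence.
        # "without-password" allows root with a key but never a password.
        echo "PermitRootLogin without-password"
        echo "PasswordAuthentication no"
        # Comment out every other active occurrence, including any inside
        # Match blocks, so nothing later re-enables password logins.
        sed -E 's/^([[:space:]]*)(PermitRootLogin|PasswordAuthentication)([[:space:]])/\1#\2\3/' "$cfg"
    } > "$tmp"

    # Keep a backup; write through the existing inode so the mode, owner
    # and SELinux label of the config file are preserved.
    cp -p "$cfg" "$cfg.bak" && cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Usage on each node, as root, from a session you keep open:
#   harden_sshd /etc/ssh/sshd_config && sshd -t && service sshd restart
```

Confirm from the ansible node that `ssh root@<master>` still works with the key before closing the open session.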
    

Install OpenShift with Contrail Networking

  • Download Contrail-Docker images

    IMAGE: contrail-kubernetes-docker_4.0.2.0-34_redhat7.tgz (Red Hat Enterprise Linux 7.X)

    Download from here

     (all-nodes)# wget http://10.84.5.120/github-build/R4.0/34/redhat70/ocata/artifacts/contrail-kubernetes-docker_4.0.2.0-34_redhat7.tgz -P /root/docker_images && cd /root/docker_images && tar -xvzf contrail-kubernetes-docker_4.0.2.0-34_redhat7.tgz
    
  • Clone OpenShift-Ansible repo

     (ansible-node)# cd /root
     (ansible-node)# git clone https://github.com/savithruml/openshift-ansible
    
  • Copy the install files

     (ansible-node)# wget -O /root/openshift-ansible/inventory/byo/ose-prerequisites.yml https://raw.githubusercontent.com/savithruml/openshift-contrail/master/openshift/install-files/all-in-one/ose-prerequisites.yml
     (ansible-node)# wget -O /root/openshift-ansible/inventory/byo/ose-install https://raw.githubusercontent.com/savithruml/openshift-contrail/master/openshift/install-files/all-in-one/ose-install
    
  • Populate the install file with Contrail related information

    Example here

     (ansible-node)# vi /root/openshift-ansible/inventory/byo/ose-install
    
            [OSEv3:vars]
            ...
            os_sdn_network_plugin_name='cni'
            openshift_use_openshift_sdn=false
            openshift_use_contrail=true
            contrail_os_release=redhat7
            contrail_version=4.0.2.0-34
            analyticsdb_min_diskgb=15
            configdb_min_diskgb=10
            vrouter_physical_interface=eno1
            contrail_docker_images_path=/root/docker_images
            cni_version=v0.5.2
            ...
    
  • Run the ansible-playbook. This will install OpenShift Container Platform with Contrail Networking

     (ansible-node)# cd /root/openshift-ansible
     (ansible-node)# ansible-playbook -i inventory/byo/ose-install inventory/byo/ose-prerequisites.yml
     (ansible-node)# ansible-playbook -i inventory/byo/ose-install playbooks/byo/openshift_facts.yml
     (ansible-node)# ansible-playbook -i inventory/byo/ose-install playbooks/byo/config.yml
    
  • Verify that the Contrail SDN components came up

     (master)# oc get ds -n kube-system
     (master)# oc get pods -n kube-system
    
  • Create a new project & move into the project context

     (master-node)# oc login -u system:admin
     (master-node)# oc new-project juniper 
     (master-node)# oc project juniper
    
  • Create a service account to access the APIs

     (master-node)# oc create serviceaccount useroot
    
  • Bind the service account to the role

     (master-node)# oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:juniper:useroot
    
  • Add the user to a “privileged” security context constraint

     (master-node)# oadm policy add-scc-to-user privileged system:serviceaccount:juniper:useroot
    
  • Assign cluster-admin role to admin user

     (master-node)# oadm policy add-cluster-role-to-user cluster-admin admin
    
  • Get a token assigned to a service account

     (master-node)# oc serviceaccounts get-token useroot
    
  • Copy this token. Log in to the "contrail-kube-manager" container & paste this token

     (master-node)# oc rsh contrail-kube-manager bash
       
             Add the token. Also, make sure the cluster_project dict object is empty
             
             (contrail-kube-manager)# vi /etc/contrail/contrail-kubernetes.conf
             
                   [VNC]
                   ...
                   cluster_project = {}
                   ...
                   token = <paste your token here>
             
             Restart the contrail-kube-manager service
             
     (contrail-kube-manager)# service contrail-kube-manager restart
     (contrail-kube-manager)# exit
    
  • Create a password for the admin user to log in to the UI

    (master-node)# htpasswd /etc/origin/master/htpasswd admin
    (master-node)# oc login -u admin
    
  • Allow images to run as the USER specified in the Dockerfile by editing the restricted SCC:

    (master-node)# oc edit scc restricted
    
      Change the runAsUser.Type strategy to RunAsAny.
    
        runAsUser:
         type: RunAsAny
    
  • Check that you can open & log in to the Contrail & OpenShift web UIs; if not, flush iptables

     Contrail: https://<master-node-ip>:8143
    
     OpenShift: https://<master-node-ip>:8443