Environment
Two nodes: one master node, and a second node that serves as both the compute and the infra node. The operating system is RHEL 7.4. EFK, the service broker, the service catalog and metrics are not installed; Prometheus went GA in 3.11 and is installed by default. Because I have a Red Hat subscription account, I can install with yum from the Red Hat repositories. One reminder: starting with 3.11, the official Red Hat image registry changed from registry.access.redhat.com to registry.redhat.io, and pulling images now also requires a Red Hat subscription account.
Configure name resolution (on every host)
This environment has no external DNS server, so /etc/hosts is used for host name resolution. Add the following entries to /etc/hosts on both hosts:
172.16.37.21 master.test1.com
172.16.37.21 openshift-cluster.test1.com
172.16.37.22 node.test1.com
172.16.37.22 infra.test1.com
Enable SELinux (on every host)
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Create an SSH key on the deploy node (the master)
ssh-keygen ## just press Enter at every prompt
for host in master.test1.com \
            node.test1.com \
            infra.test1.com; \
    do ssh-copy-id -i ~/.ssh/id_rsa.pub $host; \
done
Register the yum repositories with Red Hat (taken from the OpenShift documentation; on every host)
Registering hosts
To access the installation packages, you must register each host with Red Hat Subscription Manager (RHSM) and attach an active OpenShift Container Platform subscription.
On each host, register with RHSM:
subscription-manager register --username=<user_name> --password=<password>
Pull the latest subscription data from RHSM:
subscription-manager refresh
List the available subscriptions:
subscription-manager list --available --matches '*OpenShift*'
In the output for the previous command, find the pool ID for an OpenShift Container Platform subscription and attach it:
subscription-manager attach --pool=<pool_id>
Disable all yum repositories:
Disable all the enabled RHSM repositories:
subscription-manager repos --disable="*"
List the remaining yum repositories and note their names under repo id, if any:
yum repolist
Use yum-config-manager to disable the remaining yum repositories:
yum-config-manager --disable <repo_id>
Alternatively, disable all repositories:
yum-config-manager --disable \*
Note that this might take a few minutes if you have a large number of available repositories
Enable only the repositories required by OpenShift Container Platform 3.11:
subscription-manager repos \
    --enable="rhel-7-server-rpms" \
    --enable="rhel-7-server-extras-rpms" \
    --enable="rhel-7-server-ose-3.11-rpms" \
    --enable="rhel-7-server-ansible-2.6-rpms"
Install packages (on every host)
Install the base packages
yum install wget git net-tools bind-utils yum-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct
Update and reboot
yum update
reboot
Install the openshift-ansible package (on the master)
yum install openshift-ansible -y
Install docker and verify it
yum install docker-1.13.1 -y
rpm -V docker-1.13.1
docker version
Restart docker and enable it at boot
systemctl restart docker
systemctl enable docker
Configure the inventory (on the master)
/etc/ansible/hosts:
# Create an OSEv3 group that contains the masters, nodes, and etcd groups
[OSEv3:children]
masters
nodes
etcd
# Set variables common for all OSEv3 hosts
[OSEv3:vars]
# SSH user, this user should allow ssh based auth without requiring a password
ansible_ssh_user=root
openshift_deployment_type=openshift-enterprise
# If ansible_ssh_user is not root, ansible_become must be set to true
#ansible_become=true
# default selectors for router and registry services
# openshift_router_selector='node-role.kubernetes.io/infra=true'
# openshift_registry_selector='node-role.kubernetes.io/infra=true'
# uncomment the following to enable htpasswd authentication; defaults to DenyAllPasswordIdentityProvider
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
openshift_master_default_subdomain=test1.com
openshift_disable_check=memory_availability,disk_availability,docker_image_availability
os_sdn_network_plugin_name=redhat/openshift-ovs-multitenant
openshift_master_cluster_method=native
openshift_master_cluster_hostname=openshift-cluster.test1.com
openshift_master_cluster_public_hostname=openshift-cluster.test1.com
# false
ansible_service_broker_install=false
openshift_enable_service_catalog=false
template_service_broker_install=false
openshift_logging_install_logging=false
# registry passwd
oreg_url=registry.redhat.io/openshift3/ose-${component}:${version}
oreg_auth_user=XXX
oreg_auth_password=XXX
# docker config
openshift_docker_additional_registries=registry.redhat.io
#openshift_docker_insecure_registries
#openshift_docker_blocked_registries
openshift_docker_options="--log-driver json-file --log-opt max-size=1M --log-opt max-file=3"
# openshift_cluster_monitoring_operator_install=false
# openshift_metrics_install_metrics=true
# openshift_enable_unsupported_configurations=True
#openshift_logging_es_nodeselector='node-role.kubernetes.io/infra: "true"'
#openshift_logging_kibana_nodeselector='node-role.kubernetes.io/infra: "true"'
# host group for masters
[masters]
master.test1.com
# host group for etcd
[etcd]
master.test1.com
# host group for nodes, includes region info
[nodes]
master.test1.com openshift_node_group_name='node-config-master'
node.test1.com openshift_node_group_name='node-config-compute'
infra.test1.com openshift_node_group_name='node-config-infra'
Notes on image registry authentication:
Because the image registry changed in 3.11 and now requires authentication, use the account tied to your Red Hat subscription to generate a username and token; see the following link:
https://docs.openshift.com/container-platform/3.11/install_config/configuring_red_hat_registry.html
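Before running the playbook it is worth linting the inventory for settings that weaken the resulting cluster. The following is an added example, not code from the original post or from openshift-ansible: the variable names are real openshift-ansible ones, the sample inventory is constructed from the values above plus one openshift_docker_insecure_registries line so the check has something to catch, and the choice of what to flag (root SSH user, placeholder registry password, insecure registries, disabled image check, AllowAll/DenyAll identity providers) is my own.

```python
# Constructed sample: [OSEv3:vars] values from this post, plus one
# openshift_docker_insecure_registries line so the check has something to catch.
SAMPLE_INVENTORY = """\
[OSEv3:vars]
ansible_ssh_user=root
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
openshift_disable_check=memory_availability,disk_availability,docker_image_availability
oreg_auth_user=XXX
oreg_auth_password=XXX
openshift_docker_insecure_registries=172.16.37.22:5000
[masters]
master.test1.com
"""

def parse_section(text, section="OSEv3:vars"):
    """Return the key=value pairs of one INI section (comments and blanks skipped)."""
    found, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found

def lint_inventory(text):
    """Return human-readable findings for settings that weaken the cluster; [] means clean."""
    v = parse_section(text)
    findings = []
    idp = v.get("openshift_master_identity_providers", "")
    if not idp:  # openshift-ansible then falls back to DenyAllPasswordIdentityProvider
        findings.append("no identity provider set; logins default to DenyAll")
    elif "AllowAllPasswordIdentityProvider" in idp:
        findings.append("AllowAllPasswordIdentityProvider accepts any username/password")
    if v.get("oreg_auth_password", "").upper() in ("", "XXX", "CHANGEME"):
        findings.append("oreg_auth_password is empty or a placeholder")
    if v.get("openshift_docker_insecure_registries"):
        findings.append("insecure registries (no TLS verification on pull): "
                        + v["openshift_docker_insecure_registries"])
    if v.get("ansible_ssh_user") == "root":
        findings.append("ansible_ssh_user=root; an unprivileged user with ansible_become=true narrows SSH exposure")
    if "docker_image_availability" in v.get("openshift_disable_check", ""):
        findings.append("docker_image_availability check disabled; missing images fail mid-install")
    return findings
```

Run it against /etc/ansible/hosts with `lint_inventory(open("/etc/ansible/hosts").read())` and fix every finding before starting deploy_cluster.yml.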
Start the deployment (on the master node)
ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml
After the deployment finishes (on the master node)
Create a user
htpasswd -cb /etc/origin/master/htpasswd admin 123456
Grant the user the cluster-admin role
oc adm policy add-cluster-role-to-user cluster-admin admin
Access the OpenShift web console
First add an entry to the hosts file on your workstation resolving openshift-cluster.test1.com to 172.16.37.21, then open https://openshift-cluster.test1.com:8443 in a browser.