環(huán)境介紹
兩個(gè)節(jié)點(diǎn)镇眷,一個(gè)master節(jié)點(diǎn)咬最,另一個(gè)當(dāng)做compute和infra節(jié)點(diǎn)翎嫡,使用的操作系統(tǒng)為rhel 7.4,沒有安裝EFK永乌、service broker惑申、service catalog、metric翅雏,promethues在3.11正式GA圈驼,默認(rèn)就會(huì)安裝。因?yàn)楸救擞屑t帽的訂閱賬號(hào)望几,所以可以從紅帽的源進(jìn)行yum安裝绩脆,需要提醒的是,從3.11開始橄抹,紅帽官方的鏡像倉庫從registry.access.redhat.com變?yōu)閞egistry.redhat.io靴迫,且拉取鏡像也需要紅帽的訂閱賬號(hào)了。
配置域名解析(在每臺(tái)操作)
本環(huán)境沒有外部的DNS server作為域名解析楼誓,所以使用/etc/hosts進(jìn)行主機(jī)的解析玉锌,在兩臺(tái)主機(jī)/etc/hosts添加如下解析
172.16.37.21 master.test1.com
172.16.37.21 openshift-cluster.test1.com
172.16.37.22 node.test1.com
172.16.37.22 infra.test1.com
開啟selinux(在每臺(tái)操作)
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
在deploy節(jié)點(diǎn)上創(chuàng)建密鑰(master)
ssh-keygen ## 一路回車即可
for host in master.test1.com \
node.test1.com \
infra.test1.com; \
do ssh-copy-id -i $host; \
done
向紅帽注冊yum源(參考自openshift文檔,在每臺(tái)操作)
Registering hosts
To access the installation packages, you must register each host with Red Hat Subscription Manager (RHSM) and attach an active OpenShift Container Platform subscription.
- On each host, register with RHSM:
subscription-manager register --username=<user_name> --password=<password>
- Pull the latest subscription data from RHSM:
subscription-manager refresh
- List the available subscriptions:
subscription-manager list --available --matches '*OpenShift*'
- In the output for the previous command, find the pool ID for an OpenShift Container Platform subscription and attach it:
subscription-manager attach --pool=<pool_id>
Disable all yum repositories:
`Disable all the enabled RHSM repositories:
subscription-manager repos --disable="*"
- List the remaining yum repositories and note their names under repo id, if any:
yum repolist
- Use yum-config-manager to disable the remaining yum repositories:
yum-config-manager --disable <repo_id>
- Alternatively, disable all repositories:
yum-config-manager --disable \*
- Note that this might take a few minutes if you have a large number of available repositories
- Enable only the repositories required by OpenShift Container Platform 3.11:
subscription-manager repos \
--enable="rhel-7-server-rpms" \
--enable="rhel-7-server-extras-rpms" \
--enable="rhel-7-server-ose-3.11-rpms" \
--enable="rhel-7-server-ansible-2.6-rpms"
安裝軟件包(在每臺(tái)操作)
- 安裝基礎(chǔ)軟件包
yum install wget git net-tools bind-utils yum-utils iptables-services bridge-utils bash-completion kexec-tools sos psacct
- 更新及重啟
yum update
reboot
- 安裝openshift-ansible軟件包(在master上操作)
yum install openshift-ansible -y
- 安裝docker及驗(yàn)證
yum install docker-1.13.1 -y
rpm -V docker-1.13.1
docker version
- 重啟docker并且開機(jī)自啟
systemctl restart docker
systemctl enable docker
配置inventory疟羹,(在master上操作)
- /etc/ansible/hosts:
# Create an OSEv3 group that contains the masters, nodes, and etcd groups
[OSEv3:children]
masters
nodes
etcd
# Set variables common for all OSEv3 hosts
[OSEv3:vars]
# SSH user, this user should allow ssh based auth without requiring a password
ansible_ssh_user=root
openshift_deployment_type=openshift-enterprise
# If ansible_ssh_user is not root, ansible_become must be set to true
#ansible_become=true
# default selectors for router and registry services
# openshift_router_selector='node-role.kubernetes.io/infra=true'
# openshift_registry_selector='node-role.kubernetes.io/infra=true'
# uncomment the following to enable htpasswd authentication; defaults to DenyAllPasswordIdentityProvider
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
openshift_master_default_subdomain=test1.com
openshift_disable_check=memory_availability,disk_availability,docker_image_availability
os_sdn_network_plugin_name=redhat/openshift-ovs-multitenant
openshift_master_cluster_method=native
openshift_master_cluster_hostname=openshift-cluster.test1.com
openshift_master_cluster_public_hostname=openshift-cluster.test1.com
# false
ansible_service_broker_install=false
openshift_enable_service_catalog=false
template_service_broker_install=false
openshift_logging_install_logging=false
# registry passwd
oreg_url=registry.redhat.io/openshift3/ose-${component}:${version}
oreg_auth_user=XXX
oreg_auth_password=XXX
# docker config
openshift_docker_additional_registries=registry.redhat.io
#openshift_docker_insecure_registries
#openshift_docker_blocked_registries
openshift_docker_options="--log-driver json-file --log-opt max-size=1M --log-opt max-file=3"
# openshift_cluster_monitoring_operator_install=false
# openshift_metrics_install_metrics=true
# openshift_enable_unsupported_configurations=True
#openshift_logging_es_nodeselector='node-role.kubernetes.io/infra: "true"'
#openshift_logging_kibana_nodeselector='node-role.kubernetes.io/infra: "true"'
# host group for masters
[masters]
master.test1.com
# host group for etcd
[etcd]
master.test1.com
# host group for nodes, includes region info
[nodes]
master.test1.com openshift_node_group_name='node-config-master'
node.test1.com openshift_node_group_name='node-config-compute'
infra.test1.com openshift_node_group_name='node-config-infra'
- 鏡像認(rèn)證說明:
因?yàn)?.11鏡像倉庫變了主守,并且需要認(rèn)證,使用紅帽訂閱相關(guān)的賬戶榄融,生成一個(gè)username和token参淫,參考一下鏈接:
https://docs.openshift.com/container-platform/3.11/install_config/configuring_red_hat_registry.html
開始部署(在master節(jié)點(diǎn)上操作)
ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml
部署結(jié)束后(在master節(jié)點(diǎn)上操作)
- 創(chuàng)建用戶
htpasswd -cb /etc/origin/master/htpasswd admin 123456
- 給用戶分配一個(gè)集群管理員角色
oc adm policy add-role-to-user cluster-admin admin
- 訪問openshift集群頁面
需要先在本機(jī)hosts文件中解析openshift-cluster.test1.com為172.16.37.21,然后在瀏覽器中輸入https://openshift-cluster.test1.com:8443
