一 前置條件說明
1.1 安裝準備概述
Red Hat OpenShift容器平臺是由Red Hat作為RPM包和容器映像兩種型別存在,RPM包使用訂閱管理器從標準Red Hat存盤庫(即Yum存盤庫)下載,容器映像來自Red Hat私有倉庫, OpenShift容器平臺安裝需要多個服務器,支持服務器或虛擬機的多種形式,同時為了簡化OpenShift集群的部署,Red Hat提供了一個基于Ansible的安裝程式,它可以通過互動運行,也可以使用包含環境配置細節的應答檔案以自動的非互動方式運行, 在運行安裝程式之前,需要執行一些預安裝任務,以及安裝后的安裝任務,以獲得功能齊全的OpenShift容器平臺集群,RedHat為安裝OpenShift容器平臺提供了兩種不同的方法,- 第一種方法使用快速安裝程式,可用于簡單的集群設定,
- 第二種方法是較為精細的安裝方式,并使用Ansible playbook來自動化該程序,
1.2 節點準備
需要相應的master和node節點互通,并且配置master至所有節點的免秘鑰登錄,同時能決議所有FQDN,及注冊相應repo庫, 提示:以上準備作業也可通過Ansible直接跑相應的yml完成,二 實驗一:前置條件操作
2.1 環境準備
[student@workstation ~]$ lab install-prepare setup #運行準備腳本提示:本環境基于RedHat RH280環境,所有lab命令為環境自動化準備命令,后續不再贅述,2.2 安裝Ansible
[student@workstation ~]$ rpm -qa | grep ansible [student@workstation ~]$ sudo yum -y install ansible2.3 驗證Ansible
[student@workstation ~]$ cd /home/student/DO280/labs/install-prepare/ [student@workstation ~]$ ansible --version [student@workstation install-prepare]$ cat ansible.cfg
[student@workstation install-prepare]$ cat inventory
Inventory檔案解釋:
Inventory定義了六個主機組:
- workstations:為developer節點,即運行playbook的節點;
- nfs:為集群存盤提供nfs服務的環境中的vm;
- masters:OpenShift集群中用作master角色的節點;
- etcd:用于OpenShift集群的etcd服務的節點,本環境中使用master節點;
- node:OpenShift集群中的node節點;
- OSEv3:組成OpenShift集群的所有接待,包括master、etcd、node或nfs組中的節點,
2.4 檢查節點連通性
[student@workstation install-prepare]$ cat ping.yml1 --- 2 - name: Verify Connectivity 3 hosts: all 4 gather_facts: no 5 tasks: 6 - name: "Test connectivity to machines." 7 shell: "whoami" 8 changed_when: false[student@workstation install-prepare]$ ansible-playbook -v ping.yml
2.5 確認yml
[student@workstation install-prepare]$ cat prepare_install.yml
解釋:如上yml引入了三個role,
docker-storage內容如下,該role定義相關docker的后端存盤驅動以及創建docker所需的image存盤路徑,并最終啟動docker,
[student@workstation install-prepare]$ cat roles/docker-storage/tasks/main.yml
1 --- 2 - block: 3 - name: Customize default /etc/sysconfig/docker-storage-setup 4 template: 5 src: docker-storage-setup 6 dest: /etc/sysconfig/docker-storage-setup 7 owner: root 8 group: root 9 mode: 0644 10 when: not use_overlay2_driver 11 - name: Customize /etc/sysconfig/docker-storage-setup using overlay2 storage driver 12 template: 13 src: docker-storage-setup-overlay2 14 dest: /etc/sysconfig/docker-storage-setup 15 owner: root 16 group: root 17 mode: 0644 18 when: use_overlay2_driver 19 - name: Verify existence of /dev/docker-vg/docker-pool 20 stat: 21 path: /dev/docker-vg/docker-pool 22 register: p 23 - name: Stop docker 24 service: 25 name: docker 26 state: stopped 27 when: p.stat.exists == False 28 - name: Remove loopback docker files 29 file: 30 dest: /var/lib/docker 31 state: absent 32 when: p.stat.exists == False 33 - name: Run docker-storage-setup 34 command: /usr/bin/docker-storage-setup 35 when: p.stat.exists == False 36 - name: Start and enable docker 37 service: 38 name: docker 39 state: started 40 when: p.stat.exists == False 41 when: docker_storage_device is defined 42[student@workstation install-prepare]$ cat roles/docker-storage/templates/docker-storage-setup
1 DEVS={{ docker_storage_device }} 2 VG=docker-vg 3 SETUP_LVM_THIN_POOL=yesdocker-registry-cert內容如下,該role定義相關docker的使用私有倉庫,并且匯入了相關crt證書,
[student@workstation install-prepare]$ cat roles/docker-registry-cert/tasks/main.yml
1 --- 2 - name: Enable the Trust 3 shell: update-ca-trust enable 4 - name: Retrieve the certificate 5 fetch: 6 src: "{{ cacert }}" 7 dest: "{{ local_destination }}" 8 delegate_to: "{{ registry_host }}" 9 - name: Copy the certificate 10 copy: 11 src: "{{ source }}" 12 dest: "{{ destination }}" 13 owner: root 14 group: root 15 mode: 0755 16 - name: Update the Trust 17 shell: update-ca-trust extract 18 - name: Restart Docker 19 service: 20 name: docker 21 state: restarted 22[student@workstation install-prepare]$ cat roles/docker-registry-cert/vars/main.yml
1 registry_host: services.lab.example.com 2 cacert: /etc/pki/tls/certs/example.com.crt 3 local_destination: /tmp/ 4 source: "/tmp/{{ ansible_fqdn }}/etc/pki/tls/certs/example.com.crt" 5 destination: /etc/pki/ca-trust/source/anchors/example.com.crtopenshift-node內容如下,該role定義相關安裝OpenShift所需的所有依賴包任務,
[student@workstation install-prepare]$ ll roles/openshift-node/files/ total 4 -rw-r--r--. 1 student student 389 Jul 19 2018 id_rsa.pub [student@workstation install-prepare]$ cat roles/openshift-node/meta/main.yml
1 --- 2 dependencies: 3 - { role: docker }[student@workstation install-prepare]$ cat roles/openshift-node/tasks/main.yml
1 --- 2 - name: Deploy ssh key to root at all nodes 3 authorized_key: 4 user: root 5 key: "{{ item }}" 6 with_file: 7 - id_rsa.pub 8 - name: Install required packages 9 yum: 10 name: "{{ item }}" 11 state: latest 12 with_items: 13 - wget 14 - git 15 - net-tools 16 - bind-utils 17 - iptables-services 18 - bridge-utils 19 - bash-completion 20 - kexec-tools 21 - sos 22 - psacct 23 - atomic-openshift-clients 24 - atomic-openshift-utils 25 - atomic-openshift 26
2.6 運行playbook
[student@workstation ~]$ cd /home/student/DO280/labs/install-prepare/ [student@workstation install-prepare]$ ansible-playbook prepare_install.yml
提示:該準備作業將完成如下操作:
- 在每個節點上安裝并運行Docker;
- 在每個節點上Docker使用一個邏輯卷存盤;
- 每個節點使用自簽名證書信任私有Docker倉庫;
- 在每個節點上都會安裝基本包,
2.7 確認驗證
[student@workstation install-prepare]$ for vm in master node1 node2; do echo -e "\n$vm" ssh $vm sudo systemctl status docker | head -n3 done #驗證docker服務
[student@workstation install-prepare]$ for vm in master node1 node2;
do echo -e "\n$vm : lvs"
ssh $vm sudo lvs
echo -e "\n$vm : df -h"
ssh $vm sudo df -h | grep vg-docker
done #查看docker使用的lvm
[student@workstation install-prepare]$ for vm in master node1 node2;
do echo -e "\n$vm"
ssh $vm docker pull rhel7:latest
done #測驗pull image
[student@workstation install-prepare]$ for vm in master node1 node2;
do echo -e "\n$vm"
ssh $vm rpm -qa wget git net-tools bind-utils \
yum-utils iptables-services bridge-utils bash-completion \
kexec-tools sos psacct atomic-openshift-utils
done #檢查相關依賴包是否安裝成功
三 正式安裝說明
3.1 安裝步驟
安裝準備完成后正式安裝包括四個步驟:- 撰寫一個目錄檔案來描述所需的集群特性和體系結構;
- 執行prerequisites.yml的playbook;
- 執行deploy_cluster,yml的playbook;
- 驗證安裝,
3.2 安裝和配置節點
OpenShift Inventory定義了以下主機組, master:對于OpenShift,這是必須的組,定義了OpenShift集群中哪些主機充當master節點; node:對于OpenShift,這是必須的組,它定義了OpenShift集群中哪些主機充當node節點; etcd:[master]部分中列出的所有主機也應屬于etcd; nfs:這個組是可選的,應該只包含一個主機,如果Inventory檔案中存在特定的變數,OpenShift playbook將在這臺機器上安裝并配置NFS; OSEv3:這個組包含任何屬于OpenShift集群的機器,安裝劇本參考這個組來運行在集群全范圍內的任務, [student@workstation install-prepare]$ cat inventory
說明:
- 安裝所需版本的OpenShift容器平臺;
- 用戶使用htpasswd身份驗證對集群進行身份驗證;
- DNS條目apps.lab.example.com用作OpenShift應用程式的子域;
- NFS存盤用于OpenShift etcd服務和OpenShift 內部倉庫;
- classroom container registry用作倉庫,
- 一個內部容器倉庫;
- Gluster、Ceph等以便于提供持久性存盤;
- 集群日志;
- 自定義集群證書,
3.3 配置OpenShift版本
可通過在[OSEv3:vars]中指定如下配置確定OpenShift所安裝的版本: openshift_deployment_type=openshift-enterprise openshift_release=v3.9 指定OpenShift部署型別,可選值為openshift-enterprise和origin, openshift_image_tag=v3.9.14 openshift_disable_check=disk_availability,docker_storage,memory_availability 容器化的OpenShift服務使用帶有“v3.9.14”標記的影像,這將阻止集群自動升級到更新的容器映像; 對于非生產集群,可以禁用對系統需求的檢查,3.4 配置驗證
OpenShift容器平臺身份驗證基于OAuth, OAuth提供了一個基于HTTP的APl,用于對互動式和非互動式客戶端進行身份驗證, OpenShift master運行一個OAuth服務器,OpenShift可以支持多種Provider,這些Provider可以與特定于組織的身份管理產品集成,支持的OpenShift身份驗證的Provider:- HTTP Basic,外部單點登錄(SSO)系統;
- 使用GitHub和GitLab帳號;
- OpenID連接,使用OpenID-compatible SSO和谷歌帳戶;
- OpenStack Keystone v3;
- LDAP v3服務器,
3.5 配置htpasswd驗證
OpenShift HTPasswdPasswordIdentityProvider根據Apache HTTPD htpasswd程式生成的檔案驗證用戶和密碼, htpasswd程式將用戶名和密碼保存在純文本檔案中,每行一條記錄,欄位用冒號分隔,密碼使用MD5散列,如果將此檔案添加或洗掉用戶,或更改用戶密碼,OpenShift OAuth服務器將自動重新讀取該檔案, 要將OpenShift master配置使用HTPasswdPasswordIdentityProvider,需要配置openshift_master_identity_providers,1 openshift_master_identity_providers, 2 openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 3 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', #配置后端驅動 4 'filename': '/etc/origin/master/htpasswd'}] #制定master主機上也支持在組態檔中直接指定初始的用戶名和密碼, openshift_master_htpasswd_users="{'user1':'$apr1$.NHMsZYc$MdmfWN5DM3q280/W7c51c/', 'user2':'$apr1$.NHMsZYc$MdmfWN5DM3q280/W7c51c/'}" 生產hash密碼可參考如下:
1 [student@workstation ~]$ htpasswd -nb admin redhat 2 [student@workstation ~]$ openssl passwd -apr1 redhat
3.6 網路要求
集群節點的通配符DNS條目允許任何新創建的路由自動路由到subdomain的集群,通配符DNS條目必須存在于唯一的子域中,例如apps.mycluster.com,并決議為主機名或集群節點的IP地址,inventory檔案中通配符DNS條目是通過變數openshift_master_default_subdomain進行設定 , openshift_master_default_subdomain=apps.mycluster.com3.7 master服務埠
主服務埠openshift_master_api_port變數定義主API的監聽埠,預設埠8443,當master使用SSL時,也可以使用443埠,從而在連接的時候省略埠號, master console埠由openshift_master_console_port變數的值設定,默認埠是8443,master console埠也可以設定為443,從而在連接的時候省略埠號, 3.8 防火墻 OpenShift節點上的默認防火墻服務是iptables,若要在所有節點上使用firewalld作為防火墻服務,需要將作業系統防火墻使用firewalld變數設定為true,即os_firewall_use_firewalld=true,四 配置持久化存盤
4.1 持久存盤配置
默認情況下,容器資料是臨時的,并且在容器被銷毀時丟失,Kubernetes持久卷框架為容器請求和使用持久存盤提供了一種機制,為了避免資料丟失,這些服務被配置為使用持久卷, OpenShift支持多個插件,使用各種存盤技術創建持久卷,可以使用NFS、iSCSI、GlusterFS、Ceph或其他商業云存盤, 本環境中,OpenShift容器registry和OpenShift Ansible Broker服務被配置為使用NFS持久性存盤, 提示:生產環境默認OpenShift不支持NFS持久存盤集群,要允許NFS在非生產集群上持久存盤,需要配置openshift_enable_unsupported_configurations=true,4.2 container倉庫
要為OpenShift容器registry配置NFS持久性存盤,請將以下內容添加到Inventory檔案中:1 openshift_hosted_registry_storage_kind=nfs 2 openshift_hosted_registry_storage_nfs_directory=/exports 3 openshift_hosted_registry_storage_volume_name=registry 4 openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)' 5 openshift_hosted_registry_storage_volume_size=40G 6 openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
4.3 OpenShift Ansible Broker
OpenShift Ansible Broker(OAB)是一個容器化的OpenShift服務,部署自己的etcd服務,持久Etcd存盤所需的配置與registry所需的配置類似,1 openshift_hosted_etcd_storage_kind=nfs 2 openshift_hosted_etcd_storage_nfs_directory=/exports 3 openshift_hosted_etcd_storage_volume_name=etcd-vol2 4 openshift_hosted_etcd_storage_nfs_options="*(rw,root_squash,sync,no_wdelay)" 5 openshift_hosted_etcd_storage_volume_size=1G 6 openshift_hosted_etcd_storage_access_modes=["ReadWriteOnce"] 7 openshift_hosted_etcd_storage_labels={'storage': 'etcd'}
五 OpenShift其他配置
5.1 配置離線本地registry
本環境OpenShift使用容器倉庫為registry.lab.example.com,要將集群配置為從內部倉庫pull image,需要在Inventory中進行如下配置:1 #Modifications Needed for a Disconnected Install 2 oreg_url=registry.lab.example.com/openshift3/ose-${component}:${version} 3 #可訪問image倉庫的位置,必須以ose-${component}:${version}結尾, 4 openshift_examples_modify_imagestreams=true 5 #OpenShift安裝了用于部署示例應用程式的模板,這個變數指示playbook修改所有示例的IS,使其指向私有倉庫,而不是registry.access.redhat.com, 6 openshift_docker_additional_registries=registry.lab.example.com 7 #此變數用于將本地可訪問倉庫添加到每個節點上的docker配置中, 8 openshift_docker_blocked_registries=registry.access.redhat.com,docker.io 9 #此變數用于在OpenShift節點上配置docker的blocked_registries,
1 #Image Prefix Modifications 2 openshift_web_console_prefix=registry.lab.example.com/openshift3/oseopenshift_cockpit_deployer_prefix='registry.lab.example.com/openshift3/' 3 openshift_service_catalog_image_prefix=registry.lab.example.com/openshift3/osetemplate_service_broker_prefix=registry.lab.example.com/openshift3/oseansible_service_broker_image_prefix=registry.lab.example.com/openshift3/oseansible_service_broker_etcd_image_prefix=registry.lab.example.com/rhel7/#通過在容器image名稱前面加上registry.lab.example.com以確保OpenShift服務的容器image可以從私有內部倉庫下載,
5.2 配置NODE labels
節點label是分配給每個節點的任意key/value描述,node label通常用于區分地理資料中心或標識節點上的可用資源的有意義的描述, 應用程式可以在其deployment中根據node lables配置一個選擇器,如果匹配到,應用程式的pod必須部署在其符合node labels的節點上, 使用主機變數openshift_node_tags在Inventory檔案中設定節點標簽,1 [nodes] 2 ...output omitted... 3 nodeX.example.com openshift_node_labels="{'zone':'west', 'gpu':'true'}" 4 ...output omitted...如上所示配置給nodeX.example.com配置兩個labels,zone=west和gpu=true, OpenShift集群的一個常見架構是區分master、infrastructure node和compute node, 在此架構中,infrastructure node承載OpenShift Pod的registry和路由器,而compute node承載來自用戶專案的應用程式pod, master節點不承載應用程式或infrastructure pod, 可使用 node label 來標識特定節點的角色,通常master node label 為 node-role.kubernetes.io/master=true,infrastructure node label 為 region=infra,compute node label 為 noderole.kubernetes.io/compute=true,
1 [nodes] 2 master.lab.example.com 3 node1.lab.example.com openshift_node_labels="{'region':'infra'}" 4 node2.lab.example.com提示:如果一個節點設計為同時承載infrastructure 和 application pods,則必須顯式定義兩個節點標簽, [nodes] ... nodeX.example.com openshift_node_labels="{'region':'infra', 'noderole.kubernetes.io/compute':'true'}" ...
六 執行劇本
6.1 劇本說明
安裝OpenShift需要執行prerequisites.yml 和deploy_cluster.yml,由 atomic-openshift-utils 軟體包安裝, 首先執行 prequisites.yml playbook 檢查所有主機能夠滿足OpenShift 的部署,同時嘗試修改主機以滿足部署需求,然后執行 doploy_cluster.yml playbook 開始正式集群部署6.2 驗證OpenShift
部署完成后,可訪問:https://master.lab.example.com 進行驗證,七 正式安裝OpenShift
7.1 前置準備
[student@workstation ~]$ lab install-prepare setup [student@workstation ~]$ sudo yum -y install ansible [student@workstation ~]$ cd /home/student/do280-ansible/ [student@workstation do280-ansible]$ ansible-playbook playbooks/prepare_install.yml #設定相關環境 [student@workstation do280-ansible]$ lab install-run setup [student@workstation do280-ansible]$ cd /home/student/DO280/labs/install-run/7.2 安裝atomic
[student@workstation install-run]$ sudo yum -y install atomic-openshift-utils 提示:atomic-openshift-utils提供了安裝OpenShift所需的Ansible playbook和role,7.3 創建Inventory
[student@workstation install-run]$ cp inventory.initial inventory [student@workstation install-run]$ cat inventory
[student@workstation install-run]$ echo -e "\n[OSEv3:vars]" >> inventory
7.4 配置相關安裝版本
1 [student@workstation install-run]$ vi general_vars.txt 2 #General Cluster Variables 3 openshift_deployment_type=openshift-enterprise #配置為openshift-enterprise版本 4 openshift_release=v3.9 #配置版本為v3.9 5 openshift_image_tag=v3.9.14 6 openshift_disable_check=disk_availability,docker_storage,memory_availability #禁用check
7.5 設定htpasswd認證
1 [student@workstation install-run]$ openssl passwd -apr1 redhat 2 $apr1$/d1L7fdX$duViLRE.JG012VkZDq8bs0 3 [student@workstation install-run]$ openssl passwd -apr1 redhat 4 $apr1$rUMMfQfD$J8CEqQK.YenyNwYwKN1lA1 #創建兩個用戶密碼都為redhat 5 [student@workstation install-run]$ vi authentication_vars.txt 6 #Cluster Authentication Variables 7 openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}] 8 openshift_master_htpasswd_users={'admin':'$apr1$/d1L7fdX$duViLRE.JG012VkZDq8bs0', 'developer':'$apr1$rUMMfQfD$J8CEqQK.YenyNwYwKN1lA1'}
7.6 配置集群網路
1 [student@workstation install-run]$ vi networking_vars.txt 2 #OpenShift Networking Variables 3 os_firewall_use_firewalld=true #開啟firewall防火墻 4 openshift_master_api_port=443 #啟用埠 5 openshift_master_console_port=443 #啟用控制埠 6 openshift_master_default_subdomain=apps.lab.example.com #指定subdomain
7.7 配置NFS
1 [student@workstation install-run]$ vi persistence_vars.txt 2 #NFS is an unsupported configuration 3 openshift_enable_unsupported_configurations=true 4 5 #OCR configuration variables 6 openshift_hosted_registry_storage_kind=nfs 7 openshift_hosted_registry_storage_access_modes=['ReadWriteMany'] 8 openshift_hosted_registry_storage_nfs_directory=/exports 9 openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)' 10 openshift_hosted_registry_storage_volume_name=registry 11 openshift_hosted_registry_storage_volume_size=40Gi 12 13 #OAB's etcd configuration variables 14 openshift_hosted_etcd_storage_kind=nfs 15 openshift_hosted_etcd_storage_nfs_options="*(rw,root_squash,sync,no_wdelay)" 16 openshift_hosted_etcd_storage_nfs_directory=/exports 17 openshift_hosted_etcd_storage_volume_name=etcd-vol2 18 openshift_hosted_etcd_storage_access_modes=["ReadWriteOnce"] 19 openshift_hosted_etcd_storage_volume_size=1G 20 openshift_hosted_etcd_storage_labels={'storage': 'etcd'}
7.8 配置離線倉庫
1 #Modifications Needed for a Disconnected Install 2 oreg_url=registry.lab.example.com/openshift3/ose-${component}:${version} #添加內部倉庫 3 openshift_examples_modify_imagestreams=true #修改IS 4 openshift_docker_additional_registries=registry.lab.example.com #內部倉庫至docker配置 5 openshift_docker_blocked_registries=registry.access.redhat.com,docker.io #禁止外部官方倉庫 6 #Image Prefixes 7 openshift_web_console_prefix=registry.lab.example.com/openshift3/ose- 8 openshift_cockpit_deployer_prefix='registry.lab.example.com/openshift3/' 9 openshift_service_catalog_image_prefix=registry.lab.example.com/openshift3/ose- 10 template_service_broker_prefix=registry.lab.example.com/openshift3/ose- 11 ansible_service_broker_image_prefix=registry.lab.example.com/openshift3/ose- 12 ansible_service_broker_etcd_image_prefix=registry.lab.example.com/rhel7/
7.9 設定label
[student@workstation install-run]$ vi inventory1 …… 2 [nodes] 3 master.lab.example.com 4 node1.lab.example.com openshift_node_labels="{'region':'infra', 'node-role.kubernetes.io/compute':'true'}" 5 node2.lab.example.com openshift_node_labels="{'region':'infra', 'node-role.kubernetes.io/compute':'true'}"
7.10 合并并校對Inventory
[student@workstation install-run]$ cat general_vars.txt networking_vars.txt authentication_vars.txt persistence_vars.txt disconnected_vars.txt >> inventory [student@workstation install-run]$ lab install-run grade #本環境提供檢查Inventory的腳本 [student@workstation install-run]$ cat inventory1 [student@workstation install-run]$ cat general_vars.txt networking_vars.txt authentication_vars.txt persistence_vars.txt disconnected_vars.txt >> inventory 2 [student@workstation install-run]$ lab install-run grade #本環境提供檢查Inventory的腳本 3 [student@workstation install-run]$ cat inventory 4 [workstations] 5 workstation.lab.example.com 6 7 [nfs] 8 services.lab.example.com 9 10 [masters] 11 master.lab.example.com 12 13 [etcd] 14 master.lab.example.com 15 16 [nodes] 17 master.lab.example.com 18 node1.lab.example.com openshift_node_labels="{'region':'infra', 'node-role.kubernetes.io/compute':'true'}" 19 node2.lab.example.com openshift_node_labels="{'region':'infra', 'node-role.kubernetes.io/compute':'true'}" 20 21 [OSEv3:children] 22 masters 23 etcd 24 nodes 25 nfs 26 27 #Variables needed by classroom host preparation playbooks. 28 [nodes:vars] 29 registry_local=registry.lab.example.com 30 use_overlay2_driver=true 31 insecure_registry=false 32 run_docker_offline=true 33 docker_storage_device=/dev/vdb 34 35 36 [OSEv3:vars] 37 #General Cluster Variables 38 openshift_deployment_type=openshift-enterprise 39 openshift_release=v3.9 40 openshift_image_tag=v3.9.14 41 openshift_disable_check=disk_availability,docker_storage,memory_availability 42 #OpenShift Networking Variables 43 os_firewall_use_firewalld=true 44 openshift_master_api_port=443 45 openshift_master_console_port=443 46 openshift_master_default_subdomain=apps.lab.example.com 47 #Cluster Authentication Variables 48 openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}] 49 openshift_master_htpasswd_users={'admin':'$apr1$/d1L7fdX$duViLRE.JG012VkZDq8bs0', 'developer':'$apr1$rUMMfQfD$J8CEqQK.YenyNwYwKN1lA1'} 50 51 #NFS is an unsupported configuration 52 openshift_enable_unsupported_configurations=true 53 54 #OCR configuration variables 55 openshift_hosted_registry_storage_kind=nfs 56 openshift_hosted_registry_storage_access_modes=['ReadWriteMany'] 57 openshift_hosted_registry_storage_nfs_directory=/exports 58 openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)' 59 openshift_hosted_registry_storage_volume_name=registry 60 openshift_hosted_registry_storage_volume_size=40Gi 61 62 #OAB's etcd configuration variables 63 openshift_hosted_etcd_storage_kind=nfs 64 openshift_hosted_etcd_storage_nfs_options="*(rw,root_squash,sync,no_wdelay)" 65 openshift_hosted_etcd_storage_nfs_directory=/exports 66 openshift_hosted_etcd_storage_volume_name=etcd-vol2 67 openshift_hosted_etcd_storage_access_modes=["ReadWriteOnce"] 68 openshift_hosted_etcd_storage_volume_size=1G 69 openshift_hosted_etcd_storage_labels={'storage': 'etcd'} 70 71 #Modifications Needed for a Disconnected Install 72 oreg_url=registry.lab.example.com/openshift3/ose-${component}:${version} 73 openshift_examples_modify_imagestreams=true 74 openshift_docker_additional_registries=registry.lab.example.com 75 openshift_docker_blocked_registries=registry.access.redhat.com,docker.io 76 77 #Image Prefixes 78 openshift_web_console_prefix=registry.lab.example.com/openshift3/ose- 79 openshift_cockpit_deployer_prefix='registry.lab.example.com/openshift3/' 80 openshift_service_catalog_image_prefix=registry.lab.example.com/openshift3/ose- 81 template_service_broker_prefix=registry.lab.example.com/openshift3/ose- 82 ansible_service_broker_image_prefix=registry.lab.example.com/openshift3/ose- 83 ansible_service_broker_etcd_image_prefix=registry.lab.example.com/rhel7/
7.11 執行安裝劇本
[student@workstation install-run]$ ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/prerequisites.yml #執行準備作業playbook
[student@workstation install-run]$ ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml
提示:整個部署log保存至本地目錄的ansible.log中,
八 驗證測驗
8.1 確認驗證說明
要驗證OpenShift安裝,必須測驗和驗證所有OpenShift組件,僅僅從示例容器映像啟動pod是不夠的,因為這并不使用OpenShift builders、deployer、router或內部registry,- 建議通過以下方式完整驗證OpenShift:
- 檢查所有OpenShift節點狀態;
- 檢查相應的OpenShift registry和router的pod;
- 使用OpenShift從源代碼構建一個應用程式,OpenShift從構建結果生成容器image,并從該映像啟動pod;
- 創建一個service,以便可以從內部容器網路和OpenShift節點訪問應用程式;
- 創建一個route,以便可以從OpenShift集群外部的計算機訪問應用程式,
8.2 登錄測驗
瀏覽器訪問:https://master.lab.example.com
8.3 驗證OpenShift功能
[student@workstation ~]$ oc login -uadmin -predhat https://master.lab.example.com
提示:賬號權限需要單獨授予,安裝程序中創建的adminn并沒有集群的administration特權,
8.4 授予權限
system:admin是唯一一個擁有集群administration權限的賬戶,master節點的root用戶被都為集群的system:admin用戶, [root@master ~]# oc whoami system:admin [root@master ~]# oc adm policy add-cluster-role-to-user cluster-admin admin #添加admin為集群管理員 提示:cluster-admin角色權限非常高,允許管理用戶銷毀和修改集群資源,必須謹慎使用,8.5 查看節點狀態
再次使用命令登錄, [student@workstation ~]$ oc login -uadmin -predhat https://master.lab.example.com
[student@workstation ~]$ oc get nodes
NAME STATUS ROLES AGE VERSION
master.lab.example.com Ready master 14h v1.9.1+a0ce1bc657
node1.lab.example.com Ready compute 14h v1.9.1+a0ce1bc657
node2.lab.example.com Ready compute 14h v1.9.1+a0ce1bc657
[student@workstation ~]$ oc get pods
NAME READY STATUS RESTARTS AGE
docker-registry-1-4w5tb 1/1 Running 1 14h
docker-registry-1-j7k59 1/1 Running 1 14h
registry-console-1-mtkxc 1/1 Running 1 14h
router-4-9dfxc 1/1 Running 0 4h
router-4-kh7th 1/1 Running 0 5h
8.6 創建專案
[student@workstation ~]$ oc new-project smoke-test8.7 創建應用
[student@workstation ~]$ oc new-app --name=hello -i php:7.0 http://registry.lab.example.com/php-helloworld [student@workstation ~]$ oc get pods -w #監視pod創建8.8 查看route
[student@workstation ~]$ oc get routes NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD hello hello-smoke-test.apps.lab.example.com hello 8080-tcp None8.9 公開服務
[student@workstation ~]$ oc expose service hello #向外部網路公開服務8.10 測驗服務
[student@workstation ~]$ curl http://hello-smoke-test.apps.lab.example.com Hello, World! php version is 7.0.10 [student@workstation ~]$ oc delete project install-post #洗掉專案8.11 測驗developer
[student@workstation ~]$ oc login -u developer #使用redhat密碼登錄 [student@workstation ~]$ oc new-project smoke-test [student@workstation ~]$ oc new-app php:5.6~http://services.lab.example.com/php-helloworld --name hello [student@workstation ~]$ oc logs -f bc/hello #監視構建程序 提示:輸出表明OpenShift能夠從倉庫clone代碼、并且構建image,同時將新image推入內部倉庫, [student@workstation ~]$ oc expose svc hello route "hello" exposed [student@workstation ~]$ oc get routes NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD hello hello-smoke-test.apps.lab.example.com hello 8080-tcp None [student@workstation ~]$ curl hello-smoke-test.apps.lab.example.com Hello, World! php version is 5.6.25轉載請註明出處,本文鏈接:https://www.uj5u.com/caozuo/52923.html
標籤:Linux
上一篇:k8s:py專案發布完整流程
下一篇:003.OpenShift網路