
OpenShift 4.7 Installation Manual

Date: 2021-02-08 22:14:15

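OpenShift 4 is no longer installed with the Ansible scripts used previously; it uses a bootstrap-driven installation instead. The following are my notes from installing OpenShift 4.7 on virtual machines. The other installation methods for version 4 are broadly similar.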

1. Cluster preparation

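| Role | Hostname | IP | OS | Notes |
|---|---|---|---|---|
| bastion | bastion.ocp4.liufeng.cc | 192.168.145.181 | CentOS7 | Hosts the installation support tools: DNS, HTTP, LB, HARBOR |
| bootstrap | bootstrap.ocp4.liufeng.cc | 192.168.145.182 | RHCOS | Installation bootstrap node. It temporarily creates a K8S cluster that bootstraps the OCP cluster installation; once OCP is installed, this node can be deleted |
| master1 | master1.ocp4.liufeng.cc | 192.168.145.183 | RHCOS | |
| master2 | master2.ocp4.liufeng.cc | 192.168.145.184 | RHCOS | |
| master3 | master3.ocp4.liufeng.cc | 192.168.145.185 | RHCOS | |
| worker1 | worker1.ocp4.liufeng.cc | 192.168.145.186 | RHCOS | |
| worker2 | worker2.ocp4.liufeng.cc | 192.168.145.187 | RHCOS | |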

Note: only bastion runs CentOS. All other hosts run RHCOS, and their operating system is installed as part of the cluster installation.

2. Preparing the bastion host: install the LB, DNS, HARBOR and HTTP services that the cluster installation needs later.

  • Prepare the LB, implemented with haproxy
    • Install haproxy
# yum install haproxy
    • Configure the load balancer by appending the following configuration to the end of haproxy.cfg.
frontend openshift-api-server              
    bind *:6443
    default_backend openshift-api-server
    mode tcp
    option tcplog

backend openshift-api-server
    balance source
    mode tcp
    server bootstrap 192.168.145.182:6443 check  
    server master1 192.168.145.183:6443 check 
    server master2 192.168.145.184:6443 check
    server master3 192.168.145.185:6443 check
      
frontend machine-config-server          
    bind *:22623
    default_backend machine-config-server
    mode tcp
    option tcplog

backend machine-config-server
    balance source
    mode tcp
    server bootstrap 192.168.145.182:22623 check 
    server master1 192.168.145.183:22623 check   
    server master2 192.168.145.184:22623 check  
    server master3 192.168.145.185:22623 check
    • Start haproxy and enable it at boot
# systemctl start haproxy
# systemctl enable haproxy
# systemctl status haproxy

If haproxy does not start, run the following command and then start haproxy again
# setsebool -P haproxy_connect_any=1
    • Open the firewall ports so the services can be reached
# firewall-cmd --add-port=6443/tcp --permanent
# firewall-cmd --add-port=22623/tcp --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
  • Prepare DNS, implemented with dnsmasq
    • Install dnsmasq
# yum install dnsmasq
    • Configure DNS resolution
# ocp4 node
address=/master1.ocp4.liufeng.cc/192.168.145.183
address=/master2.ocp4.liufeng.cc/192.168.145.184
address=/master3.ocp4.liufeng.cc/192.168.145.185
address=/worker1.ocp4.liufeng.cc/192.168.145.186
address=/worker2.ocp4.liufeng.cc/192.168.145.187

# etcd
address=/etcd-0.ocp4.liufeng.cc/192.168.145.183
address=/etcd-1.ocp4.liufeng.cc/192.168.145.184
address=/etcd-2.ocp4.liufeng.cc/192.168.145.185
# etcd srv 
# <name>,<target>,<port>,<priority>,<weight>
srv-host=_etcd-server-ssl._tcp.ocp4.liufeng.cc,etcd-0.ocp4.liufeng.cc,2380,0,10
srv-host=_etcd-server-ssl._tcp.ocp4.liufeng.cc,etcd-1.ocp4.liufeng.cc,2380,0,10
srv-host=_etcd-server-ssl._tcp.ocp4.liufeng.cc,etcd-2.ocp4.liufeng.cc,2380,0,10

# lb
address=/.ocp4.liufeng.cc/192.168.145.186
address=/api.ocp4.liufeng.cc/192.168.145.181
address=/api-int.ocp4.liufeng.cc/192.168.145.181

# other
address=/bootstrap.ocp4.liufeng.cc/192.168.145.182
address=/bastion.ocp4.liufeng.cc/192.168.145.181
address=/harbor.ocp4.liufeng.cc/192.168.145.181
    • Start dnsmasq and enable it at boot
# systemctl start dnsmasq
# systemctl enable dnsmasq
    • Firewall settings
# firewall-cmd --add-port=53/tcp --permanent
# firewall-cmd --add-port=53/udp --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
    • Verify that DNS works, for example:
# dig +short -t A etcd-0.ocp4.liufeng.cc @192.168.145.181
# dig +short -t SRV _etcd-server-ssl._tcp.ocp4.liufeng.cc @192.168.145.181
If the dig command is missing, install it with the following command
# yum install bind-utils
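
An added example, not part of the original post: an offline check that the explicit records agree with each other. It matters here because the wildcard address=/.ocp4.liufeng.cc/ entry answers for any name in the domain, so a missing etcd record still resolves in dig. The function names check_ocp_dns and sample_conf are made up for this example, and the sample input is a subset of the records above.

```bash
# Added example (not from the original post): offline consistency check
# for the dnsmasq records. Reads a dnsmasq config on stdin.
# usage: check_ocp_dns <cluster-domain> < dnsmasq.conf
check_ocp_dns() {
  awk -v dom="$1" '
    /^address=\// { split($0, a, "/"); addr[a[2]] = a[3] }
    /^srv-host=/  { sub(/^srv-host=/, ""); split($0, s, ",")
                    if (s[1] == "_etcd-server-ssl._tcp." dom) srv[s[2]] = s[3] }
    END {
      bad = 0; n = 0
      api = "api." dom; apiint = "api-int." dom
      # api and api-int must both exist and point at the same address
      if (!(api in addr))    { print "missing A record: " api; bad++ }
      if (!(apiint in addr)) { print "missing A record: " apiint; bad++ }
      if ((api in addr) && (apiint in addr) && addr[api] != addr[apiint]) {
        print "api and api-int resolve to different addresses"; bad++ }
      # every SRV target needs its own A record and the etcd peer port
      for (t in srv) {
        n++
        if (!(t in addr))   { print "SRV target without A record: " t; bad++ }
        if (srv[t] != 2380) { print "unexpected SRV port for " t ": " srv[t]; bad++ }
      }
      if (n == 0) { print "no _etcd-server-ssl SRV records for " dom; bad++ }
      exit (bad > 0)
    }'
}

# Sample input: a subset of the records from the configuration above.
sample_conf() {
  cat <<'EOF'
address=/etcd-0.ocp4.liufeng.cc/192.168.145.183
address=/etcd-1.ocp4.liufeng.cc/192.168.145.184
address=/etcd-2.ocp4.liufeng.cc/192.168.145.185
srv-host=_etcd-server-ssl._tcp.ocp4.liufeng.cc,etcd-0.ocp4.liufeng.cc,2380,0,10
srv-host=_etcd-server-ssl._tcp.ocp4.liufeng.cc,etcd-1.ocp4.liufeng.cc,2380,0,10
srv-host=_etcd-server-ssl._tcp.ocp4.liufeng.cc,etcd-2.ocp4.liufeng.cc,2380,0,10
address=/.ocp4.liufeng.cc/192.168.145.186
address=/api.ocp4.liufeng.cc/192.168.145.181
address=/api-int.ocp4.liufeng.cc/192.168.145.181
EOF
}

sample_conf | check_ocp_dns ocp4.liufeng.cc && echo "dnsmasq records consistent"
```
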
  • Preparing Harbor and the HTTP server
    • Installing harbor
      • Add the docker repo
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://mirrors.aliyun.com/docker-ce/linux/centos/7/$basearch/stable
enabled=1
gpgcheck=0
      • Install Docker, which Harbor runs on
# yum install -y docker-ce-19.03* docker-ce-cli-19.03*
      • Install docker-compose
# curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
      • Download and unpack the harbor archive
# wget https://github.com/goharbor/harbor/releases/download/v2.1.3/harbor-offline-installer-v2.1.3.tgz
# tar xvf harbor-offline-installer-v2.1.3.tgz
      • Prepare a private certificate (skip this step if you use an HTTP connection)
# openssl req -x509 -nodes -days 36500 -newkey rsa:4096 -keyout server.key -out server.crt
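      • Prepare the harbor.yml file
The downloaded offline installer package includes a template. This file holds the configuration parameters for the harbor installation; change the values as needed.
The main parameters are:
hostname
Certificate paths under https (if you use an HTTPS connection)
harbor_admin_password
Password under database (if you use an external database, uncomment external_database)
      • Install (--with-clair adds image scanning)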
# ./install.sh --with-clair
      • Start and stop
# docker-compose up -d
# docker-compose down
      • Fixing the "x509: certificate signed by unknown authority" error
Append the contents of the server.crt generated above to /etc/pki/tls/certs/ca-bundle.crt
# cat server.crt >> /etc/pki/tls/certs/ca-bundle.crt
# systemctl daemon-reload
# systemctl restart docker
    • Use the nginx bundled with Harbor as the HTTP server
      • Edit docker-compose.yml and add one mapping to the volumes section of proxy (here the host directory /home/www is mapped to /var/www/html in the nginx container)
proxy:
  image: goharbor/nginx-photon:v2.1.3
  container_name: nginx
  restart: always
  cap_drop:
    - ALL
  cap_add:
    - CHOWN
    - SETGID
    - SETUID
    - NET_BIND_SERVICE
  volumes:
    - ./common/config/nginx:/etc/nginx:z
    - /home/harbor/data/secret/cert:/etc/cert:z
    - /home/www:/var/www/html:z
    - type: bind
      source: ./common/config/shared/trust-certificates
      target: /harbor_cust_cert
  networks:
    - harbor
  dns_search: .
  ports:
    - 80:8080
    - 443:8443
  depends_on:
    - registry
    - core
    - portal
    - log
  logging:
    driver: "syslog"
    options:
      syslog-address: "tcp://127.0.0.1:1514"
      tag: "proxy"
      • Edit nginx.conf; the nginx configuration file is in the harbor directory at common/config/nginx/nginx.conf
Change the following server block: comment out the 308 redirect and add a root directory
  server {
      listen 8080;
      #server_name harbordomain.com;
      #return 308 https://$host:443$request_uri;
      root /var/www/html;
  }
    • Open the firewall ports and verify that harbor and nginx work
# firewall-cmd --add-port=443/tcp --permanent
# firewall-cmd --add-port=80/tcp --permanent
# firewall-cmd --reload
# docker-compose down
# docker-compose up -d
# systemctl enable docker 
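
An added example, not part of the original post, for the private-certificate step above: the openssl command there prompts for the subject and, with the default configuration, produces a certificate without a subjectAltName, which clients built with Go 1.15 or later require for host name checks. The function names make_harbor_cert and cert_covers_host and the openssl.cnf file are made up for this example; key size and validity period are the ones used in the post.

```bash
# Added example (not from the original post): non-interactive variant of the
# openssl command above that also sets a subjectAltName.
# usage: make_harbor_cert <out-dir> <registry-hostname>
make_harbor_cert() (
  dir=$1 host=$2
  umask 077                      # -nodes leaves server.key unencrypted
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[dn]
CN = $host
[v3]
subjectAltName   = DNS:$host
basicConstraints = critical,CA:TRUE
EOF
  # Key size and validity period are the ones used in the post.
  openssl req -x509 -nodes -days 36500 -newkey rsa:4096 \
    -config "$dir/openssl.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
)

# cert_covers_host <crt> <hostname>: true if the SAN lists the host name
# and the certificate verifies when used as its own trust anchor.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2" &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_harbor_cert "$demo_dir" harbor.ocp4.liufeng.cc &&
  cert_covers_host "$demo_dir/server.crt" harbor.ocp4.liufeng.cc &&
  echo "certificate written to $demo_dir/server.crt"
```

On CentOS 7, /etc/pki/tls/certs/ca-bundle.crt is regenerated by update-ca-trust, so a certificate copied to /etc/pki/ca-trust/source/anchors/ followed by update-ca-trust survives where an appended one does not. Docker alone can instead read the certificate from /etc/docker/certs.d/harbor.ocp4.liufeng.cc/ca.crt.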

 


Source: https://www.cnblogs.com/ooops/p/14389786.html
