OpenShift 4.3.8 Offline Installation

Overview

The previous document described how to download the offline images and package them into an image registry archive. This document describes how to use that archive to perform an offline installation.

Environment

Infrastructure node (one): 172.31.20.100
Bootstrap node (one): 172.31.20.101
Master nodes (three): 172.31.20.102-104
Worker nodes (two): 172.31.20.105-106
Gateway: 172.31.20.254
DNS server: 172.31.0.121

Set up the local image registry (on the infrastructure node)

  • Install the tools
yum -y install podman httpd-tools
  • Create the directories for the local private image registry
mkdir -p /opt/registry/{auth,certs,data}
  • Create the certificate; openssl will prompt you for the details.

Note: the Common Name (eg, your name or your server's hostname) field must be the registry's domain name, not an IP address. The other fields can be left blank. I got this step wrong several times; the session looks like this:

cd /opt/registry/certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout domain.key -x509 -days 365 -out domain.crt
Generating a 4096 bit RSA private key
....................................++
................................................................................................................................................................................................................................................................................................................++
writing new private key to 'domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]: 
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:registry.ocp4.poc.com
Email Address []:
  • Create the password file
htpasswd -bBc /opt/registry/auth/htpasswd admin admin
  • Extract the prepared image archive
cd /opt/registry/data/
tar -zxvf ocp4.3.8-images.tar.gz
# ll
drwxr-xr-x. 3 root root         22 Apr 20 07:49 docker
-rw-r--r--. 1 root root 6620484921 Apr 20 22:34 ocp4.3.8-images.tar.gz
  • Deploy the private image registry using a container image:
podman run -d --name mirror-registry -p 5000:5000 \
      -v /opt/registry/data:/var/lib/registry:z \
      -v /opt/registry/auth:/auth:z \
      -e "REGISTRY_AUTH=htpasswd" \
      -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
      -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
      -v /opt/registry/certs:/certs:z \
      -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
      -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
      docker.io/library/registry:2

Note that the registry port has to be allowed through the firewall. I simply disabled the firewall here, so I did not open the port; alternatively, open it as the official documentation describes:

firewall-cmd --add-port=5000/tcp --zone=internal --permanent 
firewall-cmd --add-port=5000/tcp --zone=public   --permanent 
firewall-cmd --reload
  • Update the Linux system certificate trust store
cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
  • Test whether the image registry is reachable:

Add a name resolution entry to /etc/hosts first; otherwise registry.ocp4.poc.com cannot be resolved.

curl -u admin:admin -k https://registry.ocp4.poc.com:5000/v2/_catalog
{"repositories":[]}
  • Base64-encode the registry username and password
echo -n 'admin:admin' | base64 -w0
YWRtaW46YWRtaW4=
  • Install jq so the secret file can be pretty-printed as JSON.
yum install jq
  • Download the pull-secret.text file, then write a JSON-formatted copy to ~/.openshift/pull-secret (the path the install-config below reads it from)
mkdir -p ~/.openshift
jq . ./pull-secret.text > ~/.openshift/pull-secret
  • The file contents are as follows:
{
  "auths": {
    "cloud.openshift.com": {
      "auth": "b3BlbnNo...",
      "email": "[email protected]"
    },
    "quay.io": {
      "auth": "b3BlbnNo...",
      "email": "[email protected]"
    },
    "registry.connect.redhat.com": {
      "auth": "NTE3Njg5Nj...",
      "email": "[email protected]"
    },
    "registry.redhat.io": {
      "auth": "NTE3Njg5Nj...",
      "email": "[email protected]"
    }
  }
}
  • Then add an entry for the private image registry. It is used for authentication when the images are synced from quay to the private registry; this is simply a credentials file, similar to the following.
{
  "auths": {
    "registry.ocp4.poc.com:5000": {
      "auth": "YWRtaW46YWRtaW4=",
      "email": "[email protected]"
    }
  }
}
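An added example (not from the original post): merging the private registry entry into the downloaded pull secret programmatically, and checking that every mirror host listed in imageContentSources of install-config.yaml has credentials. The pull-secret sample is constructed with the redacted layout shown above, and the registry name, credentials and email are the ones used in this document.

```python
import base64
import json

# Constructed sample (not the author's real secret): the redacted layout of the
# pull secret downloaded from Red Hat, as shown above.
PULL_SECRET_JSON = """{
  "auths": {
    "cloud.openshift.com": {"auth": "b3BlbnNo...", "email": "user@example.com"},
    "quay.io": {"auth": "b3BlbnNo...", "email": "user@example.com"}
  }
}"""


def registry_auth_token(user: str, password: str) -> str:
    """Base64 of 'user:password', the value the auths[...].auth field carries
    (identical to `echo -n 'admin:admin' | base64 -w0`)."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def add_private_registry(pull_secret_json: str, registry: str, user: str,
                         password: str, email: str) -> str:
    """Return a new pull secret that keeps the Red Hat entries and adds an auths
    entry for the private mirror registry. Rejects input that is not a pull secret."""
    secret = json.loads(pull_secret_json)
    auths = secret.get("auths")
    if not isinstance(auths, dict):
        raise ValueError("not a pull secret: top-level 'auths' object is missing")
    auths[registry] = {"auth": registry_auth_token(user, password), "email": email}
    return json.dumps(secret, indent=2)


def auth_for(pull_secret_json: str, registry: str):
    """Return the auth value stored for a registry, or None if there is none."""
    return json.loads(pull_secret_json)["auths"].get(registry, {}).get("auth")


def missing_mirror_auths(pull_secret_json: str, mirrors) -> list:
    """Hosts from imageContentSources mirrors (host[:port]/repo) that have no
    auths entry; the installer cannot pull release images from those."""
    auths = json.loads(pull_secret_json)["auths"]
    hosts = {m.split("/", 1)[0] for m in mirrors}
    return sorted(h for h in hosts if h not in auths)


if __name__ == "__main__":
    merged = add_private_registry(PULL_SECRET_JSON, "registry.ocp4.poc.com:5000",
                                  "admin", "admin", "user@example.com")
    print(merged)
    print("mirrors without credentials:",
          missing_mirror_auths(merged, ["registry.ocp4.poc.com:5000/ocp4/openshift4"]))
```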

Install the required environment on the infrastructure node

  • Download the code from GitHub

Note: use a recent version of ansible (I used 2.9.6); otherwise ansible fails with an error about generating the ssh key.

yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-$(rpm -E %rhel).noarch.rpm
yum -y install ansible git
git clone https://github.com/RedHatOfficial/ocp4-helpernode
cd ocp4-helpernode
  • Prepare the ansible files
cp docs/examples/vars.yaml .
  • Modify the MAC addresses and other parameters as follows:
---
disk: sda
helper:
  name: "helper"
  ipaddr: "172.31.20.100"
dns:
  domain: "poc.com"
  clusterid: "ocp4"
  forwarder1: "172.31.0.121"
  forwarder2: "8.8.4.4"
dhcp:
  router: "172.31.20.254"
  bcast: "172.31.20.255"
  netmask: "255.255.255.0"
  poolstart: "172.31.20.101"
  poolend: "172.31.20.109"
  ipid: "172.31.20.0"
  netmaskid: "255.255.255.0"
bootstrap:
  name: "bootstrap"
  ipaddr: "172.31.20.101"
  macaddr: "00:50:56:b7:fa:e1"
masters:
  - name: "master00"
    ipaddr: "172.31.20.102"
    macaddr: "00:50:56:b7:87:b4"
  - name: "master01"
    ipaddr: "172.31.20.103"
    macaddr: "00:50:56:b7:87:95"
  - name: "master02"
    ipaddr: "172.31.20.104"
    macaddr: "00:50:56:b7:a8:32"
workers:
  - name: "worker00"
    ipaddr: "172.31.20.105"
    macaddr: "00:50:56:b7:db:1e"
  - name: "worker01"
    ipaddr: "172.31.20.106"
    macaddr: "00:50:56:b7:29:74"
  • Download the base files below first and import them onto the infrastructure node; otherwise the download during the ansible run is very slow.
ocp_bios: "https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.3/4.3.8/rhcos-4.3.8-x86_64-metal.x86_64.raw.gz"
ocp_initramfs: "https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.3/4.3.8/rhcos-4.3.8-x86_64-installer-initramfs.x86_64.img"
ocp_install_kernel: "https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.3/4.3.8/rhcos-4.3.8-x86_64-installer-kernel-x86_64"
ocp_client: "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.3.8/openshift-client-linux-4.3.8.tar.gz"
ocp_installer: "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.3.8/openshift-install-linux-4.3.8.tar.gz"
  • Copy the downloaded files to the paths below; create any path that does not exist.
mkdir -p /var/www/html/install/
mkdir -p /var/lib/tftpboot/rhcos/
cp openshift-client-linux-4.3.8.tar.gz /usr/local/src/openshift-client-linux.tar.gz
cp openshift-install-linux-4.3.8.tar.gz /usr/local/src/openshift-install-linux.tar.gz
cp rhcos-4.3.8-x86_64-metal.x86_64.raw.gz /var/www/html/install/bios.raw.gz
cp rhcos-4.3.8-x86_64-installer-initramfs.x86_64.img /var/lib/tftpboot/rhcos/initramfs.img
cp rhcos-4.3.8-x86_64-installer-kernel-x86_64 /var/lib/tftpboot/rhcos/kernel
  • Run ansible
ansible-playbook -e @vars.yaml tasks/main.yml
  • Add an A record for the registry to the named zone file
cat /var/named/zonefile.db
$TTL 1W
@   IN  SOA ns1.ocp4.poc.com.   root (
            2020042803  ; serial
            3H      ; refresh (3 hours)
            30M     ; retry (30 minutes)
            2W      ; expiry (2 weeks)
            1W )        ; minimum (1 week)
    IN  NS  ns1.ocp4.poc.com.
    IN  MX 10   smtp.ocp4.poc.com.
;
;
ns1 IN  A   172.31.20.100
smtp    IN  A   172.31.20.100
;
helper  IN  A   172.31.20.100
registry    IN  A   172.31.20.100
;
  • Restart named
systemctl restart named
  • Check the environment with the helper tool
/usr/local/bin/helpernodecheck
Usage:
helpernodecheck {dns-masters|dns-workers|dns-etcd|dns-other|install-info|haproxy|services|nfs-info}
  • Create the Ignition files
mkdir ~/ocp4
cd ~/ocp4
mkdir -p ~/.openshift
  • Check that the helper_rsa file exists

The current ansible playbook creates the key pair for us; this can also be turned off:

ls -1 ~/.ssh/helper_rsa
  • Create the install-config file
cd ~/ocp4
cat <<EOF > install-config.yaml
apiVersion: v1
baseDomain: poc.com
compute:
- hyperthreading: Enabled
  name: worker
  replicas: 0
controlPlane:
  hyperthreading: Enabled
  name: master
  replicas: 3
metadata:
  name: ocp4
networking:
  clusterNetworks:
  - cidr: 10.254.0.0/16
    hostPrefix: 24
  networkType: OpenShiftSDN
  serviceNetwork:
  - 172.30.0.0/16
platform:
  none: {}
pullSecret: '$(< ~/.openshift/pull-secret)'
sshKey: '$(< ~/.ssh/helper_rsa.pub)'
EOF
  • Complete the contents of install-config.yaml

The main changes are pointing the image repository at the internal mirror registry address and adding its https certificate. Note that the certificate under additionalTrustBundle must be indented by two spaces.

additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
imageContentSources:
- mirrors:
  - registry.ocp4.poc.com:5000/ocp4/openshift4
  source: quay.io/openshift-release-dev/ocp-release
- mirrors:
  - registry.ocp4.poc.com:5000/ocp4/openshift4
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
  • Create the manifests:
openshift-install create manifests
  • Make the masters unschedulable
sed -i 's/mastersSchedulable: true/mastersSchedulable: false/g' manifests/cluster-scheduler-02-config.yml
  • Create the ignition files:
openshift-install create ignition-configs
  • Copy them to the serving path:
cp ~/ocp4/*.ign /var/www/html/ignition/
restorecon -vR /var/www/html/
chmod o+r /var/www/html/ignition/*.ign
  • Start the installation
openshift-install wait-for bootstrap-complete --log-level debug
  • Output log:
DEBUG OpenShift Installer 4.3.8
DEBUG Built from commit f7a2f7cf9ec3201bb8c9ebb677c05d21c72e3cc5
INFO Waiting up to 30m0s for the Kubernetes API at https://api.ocp4.poc.com:6443...
DEBUG Still waiting for the Kubernetes API: Get https://api.ocp4.poc.com:6443/version?timeout=32s: EOF
INFO API v1.16.2 up
INFO Waiting up to 30m0s for bootstrapping to complete...
DEBUG Bootstrap status: complete
INFO It is now safe to remove the bootstrap resources

After the installation

  • Set up the credentials file
export KUBECONFIG=/root/ocp4/auth/kubeconfig
# or
cp ~/ocp4/auth/kubeconfig ~/.kube/config
  • Check and approve the CSR requests
oc get csr
oc get csr --no-headers | awk '{print $1}' | xargs oc adm certificate approve
oc get csr | grep 'system:node'
  • Deploy the nfs storageclass
helpernodecheck nfs-setup
  • Set the image registry to Managed
oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"managementState":"Managed"}}'
  • Expose the image registry through a route
oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'
  • Set the image registry storage to a pvc
oc edit configs.imageregistry.operator.openshift.io

storage:
  pvc:
    claim:
  • Check whether image-registry is ready:
oc get clusteroperator image-registry
  • Check that the pvc was created:
oc get pvc --all-namespaces
  • Get the cluster access details from the installer output and log in:
openshift-install wait-for install-complete

References

https://github.com/RedHatOfficial/ocp4-helpernode/blob/master/docs/quickstart.md
https://docs.openshift.com/container-platform/4.3/installing/installing_bare_metal/installing-restricted-networks-bare-metal.html
