# useradd kni
×
Setting up the environment for an OpenShift installation
- Installing Fedora on the provisioner node
- Preparing the provisioner node for OKD installation
- Configuring networking
- Retrieving the OKD installer
- Extracting the OKD installer
- Optional: Creating an FCOS images cache
- Configuring the install-config.yaml file
- Configuring the install-config.yaml file
- Additional
install-configparameters - BMC addressing
- BMC addressing for Dell iDRAC
- BMC addressing for HPE iLO
- BMC addressing for Fujitsu iRMC
- Root device hints
- Optional: Setting proxy settings
- Optional: Deploying with no provisioning network
- Optional: Deploying with dual-stack networking
- Optional: Configuring host network interfaces
- Configuring multiple cluster nodes
- Optional: Configuring managed Secure Boot
- Manifest configuration files
- Creating a disconnected registry
- Validation checklist for installation
- Deploying the cluster via the OKD installer
- Following the installation
- Verifying static IP address configuration
- Preparing to reinstall a cluster on bare metal
- Additional resources
Installing Fedora on the provisioner node
With the configuration of the prerequisites complete, the next step is to install Fedora 35 on the provisioner node. The installer uses the provisioner node as the orchestrator while installing the OKD cluster. For the purposes of this document, installing Fedora on the provisioner node is out of scope. However, options include but are not limited to using a RHEL Satellite server, PXE, or installation media.
Preparing the provisioner node for OKD installation
Perform the following steps to prepare the environment.
Procedure
-
Log in to the provisioner node via
ssh. -
Create a non-root user (
kni) and provide that user withsudoprivileges:# passwd kni# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni# chmod 0440 /etc/sudoers.d/kni -
Create an
sshkey for the new user:# su - kni -c "ssh-keygen -t ed25519 -f /home/kni/.ssh/id_rsa -N ''" -
Log in as the new user on the provisioner node:
# su - kni -
Install the following packages:
$ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitool -
Modify the user to add the
libvirtgroup to the newly created user:$ sudo usermod --append --groups libvirt <user> -
Restart
firewalldand enable thehttpservice:$ sudo systemctl start firewalld$ sudo firewall-cmd --zone=public --add-service=http --permanent$ sudo firewall-cmd --reload -
Start and enable the
libvirtdservice:$ sudo systemctl enable libvirtd --now -
Create the
defaultstorage pool and start it:$ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images$ sudo virsh pool-start default$ sudo virsh pool-autostart default -
Create a
pull-secret.txtfile:$ vim pull-secret.txtIn a web browser, navigate to Install OpenShift on Bare Metal with installer-provisioned infrastructure. Click Copy pull secret. Paste the contents into the
pull-secret.txtfile and save the contents in thekniuser’s home directory.
Configuring networking
Before installation, you must configure the networking on the provisioner node. Installer-provisioned clusters deploy with a baremetal bridge and network, and an optional provisioning bridge and network.
|
You can also configure networking from the web console. |
Procedure
-
Export the
baremetalnetwork NIC name:$ export PUB_CONN=<baremetal_nic_name> -
Configure the
baremetalnetwork:The SSH connection might disconnect after executing these steps.
$ sudo nohup bash -c " nmcli con down \"$PUB_CONN\" nmcli con delete \"$PUB_CONN\" # RHEL 8.1 appends the word \"System\" in front of the connection, delete in case it exists nmcli con down \"System $PUB_CONN\" nmcli con delete \"System $PUB_CONN\" nmcli connection add ifname baremetal type bridge con-name baremetal bridge.stp no nmcli con add type bridge-slave ifname \"$PUB_CONN\" master baremetal pkill dhclient;dhclient baremetal " -
Optional: If you are deploying with a
provisioningnetwork, export theprovisioningnetwork NIC name:$ export PROV_CONN=<prov_nic_name> -
Optional: If you are deploying with a
provisioningnetwork, configure theprovisioningnetwork:$ sudo nohup bash -c " nmcli con down \"$PROV_CONN\" nmcli con delete \"$PROV_CONN\" nmcli connection add ifname provisioning type bridge con-name provisioning nmcli con add type bridge-slave ifname \"$PROV_CONN\" master provisioning nmcli connection modify provisioning ipv6.addresses fd00:1101::1/64 ipv6.method manual nmcli con down provisioning nmcli con up provisioning "The ssh connection might disconnect after executing these steps.
The IPv6 address can be any address as long as it is not routable via the
baremetalnetwork.Ensure that UEFI is enabled and UEFI PXE settings are set to the IPv6 protocol when using IPv6 addressing.
-
Optional: If you are deploying with a
provisioningnetwork, configure the IPv4 address on theprovisioningnetwork connection:$ nmcli connection modify provisioning ipv4.addresses 172.22.0.254/24 ipv4.method manual -
sshback into theprovisionernode (if required):# ssh kni@provisioner.<cluster-name>.<domain> -
Verify the connection bridges have been properly created:
$ sudo nmcli con showNAME UUID TYPE DEVICE baremetal 4d5133a5-8351-4bb9-bfd4-3af264801530 bridge baremetal provisioning 43942805-017f-4d7d-a2c2-7cb3324482ed bridge provisioning virbr0 d9bca40f-eee1-410b-8879-a2d4bb0465e7 bridge virbr0 bridge-slave-eno1 76a8ed50-c7e5-4999-b4f6-6d9014dd0812 ethernet eno1 bridge-slave-eno2 f31c3353-54b7-48de-893a-02d2b34c4736 ethernet eno2
Retrieving the OKD installer
Use the stable-4.x version of the installation program and your selected architecture to deploy the generally available stable version of OKD:
$ export VERSION=stable-4.12$ export RELEASE_ARCH=<architecture>$ export RELEASE_IMAGE=$(curl -s https://mirror.openshift.com/pub/openshift-v4/$RELEASE_ARCH/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')Extracting the OKD installer
After retrieving the installer, the next step is to extract it.
Procedure
-
Set the environment variables:
$ export cmd=openshift-baremetal-install$ export pullsecret_file=~/pull-secret.txt$ export extract_dir=$(pwd) -
Get the
ocbinary:$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux.tar.gz | tar zxvf - oc -
Extract the installer:
$ sudo cp oc /usr/local/bin$ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${RELEASE_IMAGE}$ sudo cp openshift-baremetal-install /usr/local/bin
Optional: Creating an FCOS images cache
To employ image caching, you must download the Fedora CoreOS (FCOS) image used by the bootstrap VM to provision the cluster nodes. Image caching is optional, but it is especially useful when running the installation program on a network with limited bandwidth.
|
The installation program no longer needs the |
If you are running the installation program on a network with limited bandwidth and the FCOS images download takes more than 15 to 20 minutes, the installation program will timeout. Caching images on a web server will help in such scenarios.
|
If you enable TLS for the HTTPD server, you must confirm the root certificate is signed by an authority trusted by the client and verify the trusted certificate chain between your OKD hub and spoke clusters and the HTTPD server. Using a server configured with an untrusted certificate prevents the images from being downloaded to the image creation service. Using untrusted HTTPS servers is not supported. |
Install a container that contains the images.
Procedure
-
Install
podman:$ sudo dnf install -y podman -
Open firewall port
8080to be used for FCOS image caching:$ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent$ sudo firewall-cmd --reload -
Create a directory to store the
bootstraposimage:$ mkdir /home/kni/rhcos_image_cache -
Set the appropriate SELinux context for the newly created directory:
$ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"$ sudo restorecon -Rv /home/kni/rhcos_image_cache/ -
Get the URI for the FCOS image that the installation program will deploy on the bootstrap VM:
$ export RHCOS_QEMU_URI=$(/usr/local/bin/openshift-baremetal-install coreos print-stream-json | jq -r --arg ARCH "$(arch)" '.architectures[$ARCH].artifacts.qemu.formats["qcow2.gz"].disk.location') -
Get the name of the image that the installation program will deploy on the bootstrap VM:
$ export RHCOS_QEMU_NAME=${RHCOS_QEMU_URI##*/} -
Get the SHA hash for the FCOS image that will be deployed on the bootstrap VM:
$ export RHCOS_QEMU_UNCOMPRESSED_SHA256=$(/usr/local/bin/openshift-baremetal-install coreos print-stream-json | jq -r --arg ARCH "$(arch)" '.architectures[$ARCH].artifacts.qemu.formats["qcow2.gz"].disk["uncompressed-sha256"]') -
Download the image and place it in the
/home/kni/rhcos_image_cachedirectory:$ curl -L ${RHCOS_QEMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QEMU_NAME} -
Confirm SELinux type is of
httpd_sys_content_tfor the new file:$ ls -Z /home/kni/rhcos_image_cache -
Create the pod:
$ podman run -d --name rhcos_image_cache \ (1) -v /home/kni/rhcos_image_cache:/var/www/html \ -p 8080:8080/tcp \ quay.io/centos7/httpd-24-centos7:latest1 Creates a caching webserver with the name rhcos_image_cache. This pod serves thebootstrapOSImageimage in theinstall-config.yamlfile for deployment. -
Generate the
bootstrapOSImageconfiguration:$ export BAREMETAL_IP=$(ip addr show dev baremetal | awk '/inet /{print $2}' | cut -d"/" -f1)$ export BOOTSTRAP_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_QEMU_NAME}?sha256=${RHCOS_QEMU_UNCOMPRESSED_SHA256}"$ echo " bootstrapOSImage=${BOOTSTRAP_OS_IMAGE}" -
Add the required configuration to the
install-config.yamlfile underplatform.baremetal:platform: baremetal: bootstrapOSImage: <bootstrap_os_image> (1)1 Replace <bootstrap_os_image>with the value of$BOOTSTRAP_OS_IMAGE.See the "Configuring the install-config.yaml file" section for additional details.
Configuring the install-config.yaml file
Configuring the install-config.yaml file
The install-config.yaml file requires some additional details.
Most of the information teaches the installation program and the resulting cluster enough about the available hardware that it is able to fully manage it.
|
The installation program no longer needs the |
-
Configure
install-config.yaml. Change the appropriate variables to match the environment, includingpullSecretandsshKey:apiVersion: v1 baseDomain: <domain> metadata: name: <cluster_name> networking: machineNetwork: - cidr: <public_cidr> networkType: OVNKubernetes compute: - name: worker replicas: 2 (1) controlPlane: name: master replicas: 3 platform: baremetal: {} platform: baremetal: apiVIPs: - <api_ip> ingressVIPs: - <wildcard_ip> provisioningNetworkCIDR: <CIDR> bootstrapExternalStaticIP: <bootstrap_static_ip_address> (2) bootstrapExternalStaticGateway: <bootstrap_static_gateway> (3) hosts: - name: openshift-master-0 role: master bmc: address: ipmi://<out_of_band_ip> (4) username: <user> password: <password> bootMACAddress: <NIC1_mac_address> rootDeviceHints: deviceName: "/dev/disk/by-id/<disk_id>" (5) - name: <openshift_master_1> role: master bmc: address: ipmi://<out_of_band_ip> (4) username: <user> password: <password> bootMACAddress: <NIC1_mac_address> rootDeviceHints: deviceName: "/dev/disk/by-id/<disk_id>" (5) - name: <openshift_master_2> role: master bmc: address: ipmi://<out_of_band_ip> (4) username: <user> password: <password> bootMACAddress: <NIC1_mac_address> rootDeviceHints: deviceName: "/dev/disk/by-id/<disk_id>" (5) - name: <openshift_worker_0> role: worker bmc: address: ipmi://<out_of_band_ip> (4) username: <user> password: <password> bootMACAddress: <NIC1_mac_address> - name: <openshift_worker_1> role: worker bmc: address: ipmi://<out_of_band_ip> username: <user> password: <password> bootMACAddress: <NIC1_mac_address> rootDeviceHints: deviceName: "/dev/disk/by-id/<disk_id>" (5) pullSecret: '<pull_secret>' sshKey: '<ssh_pub_key>'1 Scale the worker machines based on the number of worker nodes that are part of the OKD cluster. Valid options for the replicasvalue are0and integers greater than or equal to2. Set the number of replicas to0to deploy a three-node cluster, which contains only three control plane machines. A three-node cluster is a smaller, more resource-efficient cluster that can be used for testing, development, and production. You cannot install the cluster with only one worker.2 When deploying a cluster with static IP addresses, you must set the bootstrapExternalStaticIPconfiguration setting to specify the static IP address of the bootstrap VM when there is no DHCP server on thebaremetalnetwork.3 When deploying a cluster with static IP addresses, you must set the bootstrapExternalStaticGatewayconfiguration setting to specify the gateway IP address for the bootstrap VM when there is no DHCP server on thebaremetalnetwork.4 See the BMC addressing sections for more options. 5 Set the path to the installation disk drive, for example, /dev/disk/by-id/wwn-0x64cd98f04fde100024684cf3034da5c2.
|
Before OKD 4.12, the cluster installation program only accepted an IPv4 address or and IPv6 address for the |
-
Create a directory to store the cluster configuration:
$ mkdir ~/clusterconfigs -
Copy the
install-config.yamlfile to the new directory:$ cp install-config.yaml ~/clusterconfigs -
Ensure all bare metal nodes are powered off prior to installing the OKD cluster:
$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off -
Remove old bootstrap resources if any are left over from a previous deployment attempt:
for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'}); do sudo virsh destroy $i; sudo virsh undefine $i; sudo virsh vol-delete $i --pool $i; sudo virsh vol-delete $i.ign --pool $i; sudo virsh pool-destroy $i; sudo virsh pool-undefine $i; done
Additional install-config parameters
See the following tables for the required parameters, the hosts parameter,
and the bmc parameter for the install-config.yaml file.
| Parameters | Default | Description | ||
|---|---|---|---|---|
|
The domain name for the cluster. For example, |
|||
|
|
The boot mode for a node. Options are |
||
|
The static IP address for the bootstrap VM. You must set this value when deploying a cluster with static IP addresses when there is no DHCP server on the |
|||
|
The static IP address of the gateway for the bootstrap VM. You must set this value when deploying a cluster with static IP addresses when there is no DHCP server on the |
|||
|
The |
|||
|
The |
|||
metadata:
name:
|
The name to be given to the OKD cluster. For example, |
|||
networking:
machineNetwork:
- cidr:
|
The public CIDR (Classless Inter-Domain Routing) of the external network. For example, |
|||
compute: - name: worker |
The OKD cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes. |
|||
compute:
replicas: 2
|
Replicas sets the number of worker (or compute) nodes in the OKD cluster. |
|||
controlPlane:
name: master
|
The OKD cluster requires a name for control plane (master) nodes. |
|||
controlPlane:
replicas: 3
|
Replicas sets the number of control plane (master) nodes included as part of the OKD cluster. |
|||
|
The name of the network interface on nodes connected to the |
|||
|
The default configuration used for machine pools without a platform configuration. |
|||
|
(Optional) The virtual IP address for Kubernetes API communication. This setting must either be provided in the
|
|||
|
|
|
||
|
(Optional) The virtual IP address for ingress traffic. This setting must either be provided in the
|
| Parameters | Default | Description |
|---|---|---|
|
|
Defines the IP range for nodes on the |
|
|
The CIDR for the network to use for provisioning. This option is required when not using the default address range on the |
|
The third IP address of the |
The IP address within the cluster where the provisioning services run. Defaults to the third IP address of the |
|
The second IP address of the |
The IP address on the bootstrap VM where the provisioning services run while the installer is deploying the control plane (master) nodes. Defaults to the second IP address of the |
|
|
The name of the |
|
|
The name of the |
|
Defines the host architecture for your cluster. Valid values are |
|
|
The default configuration used for machine pools without a platform configuration. |
|
|
A URL to override the default operating system image for the bootstrap node. The URL must contain a SHA-256 hash of the image. For example:
|
|
|
The
|
|
|
Set this parameter to the appropriate HTTP proxy used within your environment. |
|
|
Set this parameter to the appropriate HTTPS proxy used within your environment. |
|
|
Set this parameter to the appropriate list of exclusions for proxy usage within your environment. |
Hosts
The hosts parameter is a list of separate bare metal assets used to build the cluster.
| Name | Default | Description | ||
|---|---|---|---|---|
|
The name of the |
|||
|
The role of the bare metal node. Either |
|||
|
Connection details for the baseboard management controller. See the BMC addressing section for additional details. |
|||
|
The MAC address of the NIC that the host uses for the
|
|||
|
Set this optional parameter to configure the network interface of a host. See "(Optional) Configuring host network interfaces" for additional details. |
BMC addressing
Most vendors support Baseboard Management Controller (BMC) addressing with the Intelligent Platform Management Interface (IPMI). IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center (SDDC). Redfish is human readable and machine capable, and leverages common internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.
IPMI
Hosts using IPMI use the ipmi://<out-of-band-ip>:<port> address format, which defaults to port 623 if not specified. The following example demonstrates an IPMI configuration within the install-config.yaml file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: ipmi://<out-of-band-ip>
username: <user>
password: <password>|
The |
Redfish network boot
To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the hostname or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
username: <user>
password: <password>While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
username: <user>
password: <password>
disableCertificateVerification: TrueRedfish APIs
Several redfish API endpoints are called onto your BCM when using the bare-metal installer-provisioned infrastructure.
|
You need to ensure that your BMC supports all of the redfish APIs before installation. |
- List of redfish APIs
-
-
Power on
curl -u $USER:$PASS -X POST -H'Content-Type: application/json' -H'Accept: application/json' -d '{"Action": "Reset", "ResetType": "On"}' https://$SERVER/redfish/v1/Systems/$SystemID/Actions/ComputerSystem.Reset -
Power off
curl -u $USER:$PASS -X POST -H'Content-Type: application/json' -H'Accept: application/json' -d '{"Action": "Reset", "ResetType": "ForceOff"}' https://$SERVER/redfish/v1/Systems/$SystemID/Actions/ComputerSystem.Reset -
Temporary boot using
pxecurl -u $USER:$PASS -X PATCH -H "Content-Type: application/json" https://$Server/redfish/v1/Systems/$SystemID/ -d '{"Boot": {"BootSourceOverrideTarget": "pxe", "BootSourceOverrideEnabled": "Once"}} -
Set BIOS boot mode using
LegacyorUEFIcurl -u $USER:$PASS -X PATCH -H "Content-Type: application/json" https://$Server/redfish/v1/Systems/$SystemID/ -d '{"Boot": {"BootSourceOverrideMode":"UEFI"}}
-
- List of redfish-virtualmedia APIs
-
-
Set temporary boot device using
cdordvdcurl -u $USER:$PASS -X PATCH -H "Content-Type: application/json" https://$Server/redfish/v1/Systems/$SystemID/ -d '{"Boot": {"BootSourceOverrideTarget": "cd", "BootSourceOverrideEnabled": "Once"}}' -
Mount virtual media
curl -u $USER:$PASS -X PATCH -H "Content-Type: application/json" -H "If-Match: *" https://$Server/redfish/v1/Managers/$ManagerID/VirtualMedia/$VmediaId -d '{"Image": "https://example.com/test.iso", "TransferProtocolType": "HTTPS", "UserName": "", "Password":""}'
-
|
The |
|
|
BMC addressing for Dell iDRAC
The address field for each bmc entry is a URL for connecting to the OKD cluster nodes, including the type of controller in the URL scheme and its location on the network.
platform:
baremetal:
hosts:
- name: <hostname>
role: <master | worker>
bmc:
address: <address> (1)
username: <user>
password: <password>| 1 | The address configuration setting specifies the protocol. |
For Dell hardware, Red Hat supports integrated Dell Remote Access Controller (iDRAC) virtual media, Redfish network boot, and IPMI.
BMC address formats for Dell iDRAC
| Protocol | Address Format |
|---|---|
iDRAC virtual media |
|
Redfish network boot |
|
IPMI |
|
|
Use |
See the following sections for additional details.
Redfish virtual media for Dell iDRAC
For Redfish virtual media on Dell servers, use idrac-virtualmedia:// in the address setting. Using redfish-virtualmedia:// will not work.
The following example demonstrates using iDRAC virtual media within the install-config.yaml file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
username: <user>
password: <password>While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
username: <user>
password: <password>
disableCertificateVerification: True|
There is a known issue on Dell iDRAC 9 with firmware version Ensure the OKD cluster nodes have AutoAttach enabled through the iDRAC console. The menu path is: Configuration → Virtual Media → Attach Mode → AutoAttach . Use |
Redfish network boot for iDRAC
To enable Redfish, use redfish:// or redfish+http:// to disable transport layer security (TLS). The installer requires both the hostname or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
username: <user>
password: <password>While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
username: <user>
password: <password>
disableCertificateVerification: True|
There is a known issue on Dell iDRAC 9 with firmware version Ensure the OKD cluster nodes have AutoAttach enabled through the iDRAC console. The menu path is: Configuration → Virtual Media → Attach Mode → AutoAttach . The |
BMC addressing for HPE iLO
The address field for each bmc entry is a URL for connecting to the OKD cluster nodes, including the type of controller in the URL scheme and its location on the network.
platform:
baremetal:
hosts:
- name: <hostname>
role: <master | worker>
bmc:
address: <address> (1)
username: <user>
password: <password>| 1 | The address configuration setting specifies the protocol. |
For HPE integrated Lights Out (iLO), Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.
| Protocol | Address Format |
|---|---|
Redfish virtual media |
|
Redfish network boot |
|
IPMI |
|
See the following sections for additional details.
Redfish virtual media for HPE iLO
To enable Redfish virtual media for HPE servers, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
username: <user>
password: <password>While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
username: <user>
password: <password>
disableCertificateVerification: True|
Redfish virtual media is not supported on 9th generation systems running iLO4, because Ironic does not support iLO4 with virtual media. |
Redfish network boot for HPE iLO
To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the hostname or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
username: <user>
password: <password>While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
username: <user>
password: <password>
disableCertificateVerification: TrueBMC addressing for Fujitsu iRMC
The address field for each bmc entry is a URL for connecting to the OKD cluster nodes, including the type of controller in the URL scheme and its location on the network.
platform:
baremetal:
hosts:
- name: <hostname>
role: <master | worker>
bmc:
address: <address> (1)
username: <user>
password: <password>| 1 | The address configuration setting specifies the protocol. |
For Fujitsu hardware, Red Hat supports integrated Remote Management Controller (iRMC) and IPMI.
| Protocol | Address Format |
|---|---|
iRMC |
|
IPMI |
|
iRMC
Fujitsu nodes can use irmc://<out-of-band-ip> and defaults to port 443. The following example demonstrates an iRMC configuration within the install-config.yaml file.
platform:
baremetal:
hosts:
- name: openshift-master-0
role: master
bmc:
address: irmc://<out-of-band-ip>
username: <user>
password: <password>|
Currently Fujitsu supports iRMC S5 firmware version 3.05P and above for installer-provisioned installation on bare metal. |
Root device hints
The rootDeviceHints parameter enables the installer to provision the Fedora CoreOS (FCOS) image to a particular device. The installer examines the devices in the order it discovers them, and compares the discovered values with the hint values. The installer uses the first discovered device that matches the hint value. The configuration can combine multiple hints, but a device must match all hints for the installer to select it.
| Subfield | Description |
|---|---|
|
A string containing a Linux device name like |
|
A string containing a SCSI bus address like |
|
A string containing a vendor-specific device identifier. The hint can be a substring of the actual value. |
|
A string containing the name of the vendor or manufacturer of the device. The hint can be a sub-string of the actual value. |
|
A string containing the device serial number. The hint must match the actual value exactly. |
|
An integer representing the minimum size of the device in gigabytes. |
|
A string containing the unique storage identifier. The hint must match the actual value exactly. |
|
A string containing the unique storage identifier with the vendor extension appended. The hint must match the actual value exactly. |
|
A string containing the unique vendor storage identifier. The hint must match the actual value exactly. |
|
A boolean indicating whether the device should be a rotating disk (true) or not (false). |
Example usage
- name: master-0
role: master
bmc:
address: ipmi://10.10.0.3:6203
username: admin
password: redhat
bootMACAddress: de:ad:be:ef:00:40
rootDeviceHints:
deviceName: "/dev/sda"Optional: Setting proxy settings
To deploy an OKD cluster using a proxy, make the following changes to the install-config.yaml file.
apiVersion: v1
baseDomain: <domain>
proxy:
httpProxy: http://USERNAME:PASSWORD@proxy.example.com:PORT
httpsProxy: https://USERNAME:PASSWORD@proxy.example.com:PORT
noProxy: <WILDCARD_OF_DOMAIN>,<PROVISIONING_NETWORK/CIDR>,<BMC_ADDRESS_RANGE/CIDR>The following is an example of noProxy with values.
noProxy: .example.com,172.22.0.0/24,10.10.0.0/24With a proxy enabled, set the appropriate values of the proxy in the corresponding key/value pair.
Key considerations:
-
If the proxy does not have an HTTPS proxy, change the value of
httpsProxyfromhttps://tohttp://. -
If using a provisioning network, include it in the
noProxysetting, otherwise the installer will fail. -
Set all of the proxy settings as environment variables within the provisioner node. For example,
HTTP_PROXY,HTTPS_PROXY, andNO_PROXY.
|
When provisioning with IPv6, you cannot define a CIDR address block in the |
Optional: Deploying with no provisioning network
To deploy an OKD cluster without a provisioning network, make the following changes to the install-config.yaml file.
platform:
baremetal:
apiVIPs:
- <api_VIP>
ingressVIPs:
- <ingress_VIP>
provisioningNetwork: "Disabled" (1)| 1 | Add the provisioningNetwork configuration setting, if needed, and set it to Disabled. |
|
The |
Optional: Deploying with dual-stack networking
For dual-stack networking in OKD clusters, you can configure IPv4 and IPv6 address endpoints for cluster nodes. To configure IPv4 and IPv6 address endpoints for cluster nodes, edit the machineNetwork, clusterNetwork, and serviceNetwork configuration settings in the install-config.yaml file. Each setting must have two CIDR entries each. Ensure the first CIDR entry is the IPv4 setting and the second CIDR entry is the IPv6 setting.
machineNetwork:
- cidr: {{ extcidrnet }}
- cidr: {{ extcidrnet6 }}
clusterNetwork:
- cidr: 10.128.0.0/14
hostPrefix: 23
- cidr: fd02::/48
hostPrefix: 64
serviceNetwork:
- 172.30.0.0/16
- fd03::/112|
The API VIP IP address and the Ingress VIP address must be of the primary IP address family when using dual-stack networking. Currently, Red Hat does not support dual-stack VIPs or dual-stack networking with IPv6 as the primary IP address family. However, Red Hat does support dual-stack networking with IPv4 as the primary IP address family. Therefore, the IPv4 entries must go before the IPv6 entries. |
To provide an interface to the cluster for applications that use IPv4 and IPv6 addresses, configure IPv4 and IPv6 virtual IP (VIP) address endpoints for the Ingress VIP and API VIP services. To configure IPv4 and IPv6 address endpoints, edit the apiVIPs and ingressVIPs configuration settings in the install-config.yaml file . The apiVIPs and ingressVIPs configuration settings use a list format. The order of the list indicates the primary and secondary VIP address for each service.
platform:
baremetal:
apiVIPs:
- <api_ipv4>
- <api_ipv6>
ingressVIPs:
- <wildcard_ipv4>
- <wildcard_ipv6>Optional: Configuring host network interfaces
Before installation, you can set the networkConfig configuration setting in the install-config.yaml file to configure host network interfaces using NMState.
The most common use case for this functionality is to specify a static IP address on the baremetal network, but you can also configure other networks such as a storage network. This functionality supports other NMState features such as VLAN, VXLAN, bridges, bonds, routes, MTU, and DNS resolver settings.
Prequisites
-
Configure a
PTRDNS record with a valid hostname for each node with a static IP address. -
Install the NMState CLI (
nmstate).
Procedure
-
Optional: Consider testing the NMState syntax with
nmstatectl gcbefore including it in theinstall-config.yamlfile, because the installer will not check the NMState YAML syntax.Errors in the YAML syntax might result in a failure to apply the network configuration. Additionally, maintaining the validated YAML syntax is useful when applying changes using Kubernetes NMState after deployment or when expanding the cluster.
-
Create an NMState YAML file:
interfaces: - name: <nic1_name> (1) type: ethernet state: up ipv4: address: - ip: <ip_address> (1) prefix-length: 24 enabled: true dns-resolver: config: server: - <dns_ip_address> (1) routes: config: - destination: 0.0.0.0/0 next-hop-address: <next_hop_ip_address> (1) next-hop-interface: <next_hop_nic1_name> (1)1 Replace <nic1_name>,<ip_address>,<dns_ip_address>,<next_hop_ip_address>and<next_hop_nic1_name>with appropriate values. -
Test the configuration file by running the following command:
$ nmstatectl gc <nmstate_yaml_file>Replace
<nmstate_yaml_file>with the configuration file name.
-
-
Use the
networkConfigconfiguration setting by adding the NMState configuration to hosts within theinstall-config.yamlfile:hosts: - name: openshift-master-0 role: master bmc: address: redfish+http://<out_of_band_ip>/redfish/v1/Systems/ username: <user> password: <password> disableCertificateVerification: null bootMACAddress: <NIC1_mac_address> bootMode: UEFI rootDeviceHints: deviceName: "/dev/sda" networkConfig: (1) interfaces: - name: <nic1_name> (2) type: ethernet state: up ipv4: address: - ip: <ip_address> (2) prefix-length: 24 enabled: true dns-resolver: config: server: - <dns_ip_address> (2) routes: config: - destination: 0.0.0.0/0 next-hop-address: <next_hop_ip_address> (2) next-hop-interface: <next_hop_nic1_name> (2)1 Add the NMState YAML syntax to configure the host interfaces. 2 Replace <nic1_name>,<ip_address>,<dns_ip_address>,<next_hop_ip_address>and<next_hop_nic1_name>with appropriate values.After deploying the cluster, you cannot modify the
networkConfigconfiguration setting ofinstall-config.yamlfile to make changes to the host network interface. Use the Kubernetes NMState Operator to make changes to the host network interface after deployment.
Configuring multiple cluster nodes
You can simultaneously configure OKD cluster nodes with identical settings. Configuring multiple cluster nodes avoids adding redundant information for each node to the install-config.yaml file. This file contains specific parameters to apply an identical configuration to multiple nodes in the cluster.
Compute nodes are configured separately from the controller node. However, configurations for both node types use the highlighted parameters in the install-config.yaml file to enable multi-node configuration. Set the networkConfig parameters to BOND, as shown in the following example:
hosts:
- name: ostest-master-0
[...]
networkConfig: &BOND
interfaces:
- name: bond0
type: bond
state: up
ipv4:
dhcp: true
enabled: true
link-aggregation:
mode: active-backup
port:
- enp2s0
- enp3s0
- name: ostest-master-1
[...]
networkConfig: *BOND
- name: ostest-master-2
[...]
networkConfig: *BOND|
Configuration of multiple cluster nodes is only available for initial deployments on installer-provisioned infrastructure. |
Optional: Configuring managed Secure Boot
You can enable managed Secure Boot when deploying an installer-provisioned cluster using Redfish BMC addressing, such as redfish, redfish-virtualmedia, or idrac-virtualmedia. To enable managed Secure Boot, add the bootMode configuration setting to each node:
Example
hosts:
- name: openshift-master-0
role: master
bmc:
address: redfish://<out_of_band_ip> (1)
username: <user>
password: <password>
bootMACAddress: <NIC1_mac_address>
rootDeviceHints:
deviceName: "/dev/sda"
bootMode: UEFISecureBoot (2)| 1 | Ensure the bmc.address setting uses redfish, redfish-virtualmedia, or idrac-virtualmedia as the protocol. See "BMC addressing for HPE iLO" or "BMC addressing for Dell iDRAC" for additional details. |
| 2 | The bootMode setting is UEFI by default. Change it to UEFISecureBoot to enable managed Secure Boot. |
|
See "Configuring nodes" in the "Prerequisites" to ensure the nodes can support managed Secure Boot. If the nodes do not support managed Secure Boot, see "Configuring nodes for Secure Boot manually" in the "Configuring nodes" section. Configuring Secure Boot manually requires Redfish virtual media. |
|
Red Hat does not support Secure Boot with IPMI, because IPMI does not provide Secure Boot management facilities. |
Manifest configuration files
Creating the OKD manifests
-
Create the OKD manifests.
$ ./openshift-baremetal-install --dir ~/clusterconfigs create manifestsINFO Consuming Install Config from target directory WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings WARNING Discarding the OpenShift Manifest that was provided in the target directory because its dependencies are dirty and it needs to be regenerated
Optional: Configuring NTP for disconnected clusters
OKD installs the chrony Network Time Protocol (NTP) service on the cluster nodes.
OKD nodes must agree on a date and time to run properly. When worker nodes retrieve the date and time from the NTP servers on the control plane nodes, it enables the installation and operation of clusters that are not connected to a routable network and thereby do not have access to a higher stratum NTP server.
Procedure
-
Create a Butane config,
99-master-chrony-conf-override.bu, including the contents of thechrony.conffile for the control plane nodes.See "Creating machine configs with Butane" for information about Butane.
Butane config examplevariant: openshift version: 4.12.0 metadata: name: 99-master-chrony-conf-override labels: machineconfiguration.openshift.io/role: master storage: files: - path: /etc/chrony.conf mode: 0644 overwrite: true contents: inline: | # Use public servers from the pool.ntp.org project. # Please consider joining the pool (https://www.pool.ntp.org/join.html). # The Machine Config Operator manages this file server openshift-master-0.<cluster-name>.<domain> iburst (1) server openshift-master-1.<cluster-name>.<domain> iburst server openshift-master-2.<cluster-name>.<domain> iburst stratumweight 0 driftfile /var/lib/chrony/drift rtcsync makestep 10 3 bindcmdaddress 127.0.0.1 bindcmdaddress ::1 keyfile /etc/chrony.keys commandkey 1 generatecommandkey noclientlog logchange 0.5 logdir /var/log/chrony # Configure the control plane nodes to serve as local NTP servers # for all worker nodes, even if they are not in sync with an # upstream NTP server. # Allow NTP client access from the local network. allow all # Serve time even if not synchronized to a time source. local stratum 3 orphan1 You must replace <cluster-name>with the name of the cluster and replace<domain>with the fully qualified domain name. -
Use Butane to generate a
MachineConfigobject file,99-master-chrony-conf-override.yaml, containing the configuration to be delivered to the control plane nodes:$ butane 99-master-chrony-conf-override.bu -o 99-master-chrony-conf-override.yaml -
Create a Butane config,
99-worker-chrony-conf-override.bu, including the contents of thechrony.conffile for the worker nodes that references the NTP servers on the control plane nodes.Butane config examplevariant: openshift version: 4.12.0 metadata: name: 99-worker-chrony-conf-override labels: machineconfiguration.openshift.io/role: worker storage: files: - path: /etc/chrony.conf mode: 0644 overwrite: true contents: inline: | # The Machine Config Operator manages this file. server openshift-master-0.<cluster-name>.<domain> iburst (1) server openshift-master-1.<cluster-name>.<domain> iburst server openshift-master-2.<cluster-name>.<domain> iburst stratumweight 0 driftfile /var/lib/chrony/drift rtcsync makestep 10 3 bindcmdaddress 127.0.0.1 bindcmdaddress ::1 keyfile /etc/chrony.keys commandkey 1 generatecommandkey noclientlog logchange 0.5 logdir /var/log/chrony1 You must replace <cluster-name>with the name of the cluster and replace<domain>with the fully qualified domain name. -
Use Butane to generate a
MachineConfigobject file,99-worker-chrony-conf-override.yaml, containing the configuration to be delivered to the worker nodes:$ butane 99-worker-chrony-conf-override.bu -o 99-worker-chrony-conf-override.yaml
Configuring network components to run on the control plane
You can configure networking components to run exclusively on the control plane nodes. By default, OKD allows any node in the machine config pool to host the ingressVIP virtual IP address. However, some environments deploy worker nodes in separate subnets from the control plane nodes, which requires configuring the ingressVIP virtual IP address to run on the control plane nodes.
|
When deploying remote workers in separate subnets, you must place the |
Procedure
-
Change to the directory storing the
install-config.yamlfile:$ cd ~/clusterconfigs -
Switch to the
manifestssubdirectory:$ cd manifests -
Create a file named
cluster-network-avoid-workers-99-config.yaml:$ touch cluster-network-avoid-workers-99-config.yaml -
Open the
cluster-network-avoid-workers-99-config.yamlfile in an editor and enter a custom resource (CR) that describes the Operator configuration:apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: name: 50-worker-fix-ipi-rwn labels: machineconfiguration.openshift.io/role: worker spec: config: ignition: version: 3.2.0 storage: files: - path: /etc/kubernetes/manifests/keepalived.yaml mode: 0644 contents: source: data:,This manifest places the
ingressVIPvirtual IP address on the control plane nodes. Additionally, this manifest deploys the following processes on the control plane nodes only:-
openshift-ingress-operator -
keepalived
-
-
Save the
cluster-network-avoid-workers-99-config.yamlfile. -
Create a
manifests/cluster-ingress-default-ingresscontroller.yamlfile:apiVersion: operator.openshift.io/v1 kind: IngressController metadata: name: default namespace: openshift-ingress-operator spec: nodePlacement: nodeSelector: matchLabels: node-role.kubernetes.io/master: "" -
Consider backing up the
manifestsdirectory. The installer deletes themanifests/directory when creating the cluster. -
Modify the
cluster-scheduler-02-config.ymlmanifest to make the control plane nodes schedulable by setting themastersSchedulablefield totrue. Control plane nodes are not schedulable by default. For example:$ sed -i "s;mastersSchedulable: false;mastersSchedulable: true;g" clusterconfigs/manifests/cluster-scheduler-02-config.yml
If control plane nodes are not schedulable after completing this procedure, deploying the cluster will fail.
Optional: Deploying routers on worker nodes
During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If a deployed cluster requires additional routers to handle external traffic loads destined for services within the OKD cluster, you can create a yaml file to set an appropriate number of router replicas.
|
Deploying a cluster with only one worker node is not supported. While modifying the router replicas will address issues with the |
|
By default, the installer deploys two routers. If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default. |
Procedure
-
Create a
router-replicas.yamlfile:apiVersion: operator.openshift.io/v1 kind: IngressController metadata: name: default namespace: openshift-ingress-operator spec: replicas: <num-of-router-pods> endpointPublishingStrategy: type: HostNetwork nodePlacement: nodeSelector: matchLabels: node-role.kubernetes.io/worker: ""Replace
<num-of-router-pods>with an appropriate value. If working with just one worker node, setreplicas:to1. If working with more than 3 worker nodes, you can increasereplicas:from the default value2as appropriate. -
Save and copy the
router-replicas.yamlfile to theclusterconfigs/openshiftdirectory:$ cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yaml
Optional: Configuring the BIOS
The following procedure configures the BIOS during the installation process.
Procedure
-
Create the manifests.
-
Modify the
BareMetalHostresource file corresponding to the node:$ vim clusterconfigs/openshift/99_openshift-cluster-api_hosts-*.yaml -
Add the BIOS configuration to the
specsection of theBareMetalHostresource:spec: firmware: simultaneousMultithreadingEnabled: true sriovEnabled: true virtualizationEnabled: trueRed Hat supports three BIOS configurations. Only servers with BMC type
irmcare supported. Other types of servers are currently not supported. -
Create the cluster.
Additional resources
Optional: Configuring the RAID
The following procedure configures a redundant array of independent disks (RAID) during the installation process.
|
Procedure
-
Create the manifests.
-
Modify the
BareMetalHostresource corresponding to the node:$ vim clusterconfigs/openshift/99_openshift-cluster-api_hosts-*.yamlThe following example uses a hardware RAID configuration because OKD 4.12 does not support software RAID.
-
If you added a specific RAID configuration to the
specsection, this causes the node to delete the original RAID configuration in thepreparingphase and perform a specified configuration on the RAID. For example:spec: raid: hardwareRAIDVolumes: - level: "0" (1) name: "sda" numberOfPhysicalDisks: 1 rotational: true sizeGibibytes: 01 levelis a required field, and the others are optional fields. -
If you added an empty RAID configuration to the
specsection, the empty configuration causes the node to delete the original RAID configuration during thepreparingphase, but does not perform a new configuration. For example:spec: raid: hardwareRAIDVolumes: [] -
If you do not add a
raidfield in thespecsection, the original RAID configuration is not deleted, and no new configuration will be performed.
-
-
Create the cluster.
Additional resources
Creating a disconnected registry
In some cases, you might want to install an OKD cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.
A local, or mirrored, copy of the registry requires the following:
-
A certificate for the registry node. This can be a self-signed certificate.
-
A web server that a container on a system will serve.
-
An updated pull secret that contains the certificate and local repository information.
|
Creating a disconnected registry on a registry node is optional. If you need to create a disconnected registry on a registry node, you must complete all of the following sub-sections. |
Prerequisites
-
If you have already prepared a mirror registry for Mirroring images for a disconnected installation, you can skip directly to Modify the install-config.yaml file to use the disconnected registry.
Preparing the registry node to host the mirrored registry
The following steps must be completed prior to hosting a mirrored registry on bare metal.
Procedure
-
Open the firewall port on the registry node:
$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt --permanent$ sudo firewall-cmd --add-port=5000/tcp --zone=public --permanent$ sudo firewall-cmd --reload -
Install the required packages for the registry node:
$ sudo yum -y install python3 podman httpd httpd-tools jq -
Create the directory structure where the repository information will be held:
$ sudo mkdir -p /opt/registry/{auth,certs,data}
Mirroring the OKD image repository for a disconnected registry
Complete the following steps to mirror the OKD image repository for a disconnected registry.
Prerequisites
-
Your mirror host has access to the internet.
-
You configured a mirror registry to use in your restricted network and can access the certificate and credentials that you configured.
-
You have created a pull secret for your mirror repository.
Procedure
-
Review the OKD downloads page to determine the version of OKD that you want to install and determine the corresponding tag on the Repository Tags page.
-
Set the required environment variables:
-
Export the release version:
$ OCP_RELEASE=<release_version>For
<release_version>, specify the tag that corresponds to the version of OKD to install, such as4.5.4. -
Export the local registry name and host port:
$ LOCAL_REGISTRY='<local_registry_host_name>:<local_registry_host_port>'For
<local_registry_host_name>, specify the registry domain name for your mirror repository, and for<local_registry_host_port>, specify the port that it serves content on. -
Export the local repository name:
$ LOCAL_REPOSITORY='<local_repository_name>'For
<local_repository_name>, specify the name of the repository to create in your registry, such asocp4/openshift4. -
Export the name of the repository to mirror:
$ PRODUCT_REPO='openshift' -
Export the path to your registry pull secret:
$ LOCAL_SECRET_JSON='<path_to_pull_secret>'For
<path_to_pull_secret>, specify the absolute path to and file name of the pull secret for your mirror registry that you created. -
Export the release mirror:
$ RELEASE_NAME="okd" -
Export the path to the directory to host the mirrored images:
$ REMOVABLE_MEDIA_PATH=<path> (1)1 Specify the full path, including the initial forward slash (/) character.
-
-
Mirror the version images to the mirror registry:
-
If your mirror host does not have internet access, take the following actions:
-
Connect the removable media to a system that is connected to the internet.
-
Review the images and configuration manifests to mirror:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \ --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \ --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE} --dry-run -
Record the entire
imageContentSourcessection from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add theimageContentSourcessection to theinstall-config.yamlfile during installation. -
Mirror the images to a directory on the removable media:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} --to-dir=${REMOVABLE_MEDIA_PATH}/mirror quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} -
Take the media to the restricted network environment and upload the images to the local container registry.
$ oc image mirror -a ${LOCAL_SECRET_JSON} --from-dir=${REMOVABLE_MEDIA_PATH}/mirror "file://openshift/release:${OCP_RELEASE}*" ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} (1)1 For REMOVABLE_MEDIA_PATH, you must use the same path that you specified when you mirrored the images.
-
-
If the local container registry is connected to the mirror host, take the following actions:
-
Directly push the release images to the local registry by using following command:
$ oc adm release mirror -a ${LOCAL_SECRET_JSON} \ --from=quay.io/${PRODUCT_REPO}/${RELEASE_NAME}:${OCP_RELEASE} \ --to=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY} \ --to-release-image=${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}This command pulls the release information as a digest, and its output includes the
imageContentSourcesdata that you require when you install your cluster. -
Record the entire
imageContentSourcessection from the output of the previous command. The information about your mirrors is unique to your mirrored repository, and you must add theimageContentSourcessection to theinstall-config.yamlfile during installation.The image name gets patched to Quay.io during the mirroring process, and the podman images will show Quay.io in the registry on the bootstrap virtual machine.
-
-
-
To create the installation program that is based on the content that you mirrored, extract it and pin it to the release:
-
If your mirror host does not have internet access, run the following command:
$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-baremetal-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}" -
If the local container registry is connected to the mirror host, run the following command:
$ oc adm release extract -a ${LOCAL_SECRET_JSON} --command=openshift-baremetal-install "${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}"To ensure that you use the correct images for the version of OKD that you selected, you must extract the installation program from the mirrored content.
You must perform this step on a machine with an active internet connection.
If you are in a disconnected environment, use the
--imageflag as part of must-gather and point to the payload image.
-
-
For clusters using installer-provisioned infrastructure, run the following command:
$ openshift-baremetal-install
Modify the install-config.yaml file to use the disconnected registry
On the provisioner node, the install-config.yaml file should use the newly created pull-secret from the pull-secret-update.txt file. The install-config.yaml file must also contain the disconnected registry node’s certificate and registry information.
Procedure
-
Add the disconnected registry node’s certificate to the
install-config.yamlfile:$ echo "additionalTrustBundle: |" >> install-config.yamlThe certificate should follow the
"additionalTrustBundle: |"line and be properly indented, usually by two spaces.$ sed -e 's/^/ /' /opt/registry/certs/domain.crt >> install-config.yaml -
Add the mirror information for the registry to the
install-config.yamlfile:$ echo "imageContentSources:" >> install-config.yaml$ echo "- mirrors:" >> install-config.yaml$ echo " - registry.example.com:5000/ocp4/openshift4" >> install-config.yamlReplace
registry.example.comwith the registry’s fully qualified domain name.$ echo " source: quay.io/openshift-release-dev/ocp-release" >> install-config.yaml$ echo "- mirrors:" >> install-config.yaml$ echo " - registry.example.com:5000/ocp4/openshift4" >> install-config.yamlReplace
registry.example.comwith the registry’s fully qualified domain name.$ echo " source: quay.io/openshift-release-dev/ocp-v4.0-art-dev" >> install-config.yaml
Validation checklist for installation
-
OKD installer has been retrieved.
-
OKD installer has been extracted.
-
Required parameters for the
install-config.yamlhave been configured. -
The
hostsparameter for theinstall-config.yamlhas been configured. -
The
bmcparameter for theinstall-config.yamlhas been configured. -
Conventions for the values configured in the
bmcaddressfield have been applied. -
Created the OKD manifests.
-
(Optional) Deployed routers on worker nodes.
-
(Optional) Created a disconnected registry.
-
(Optional) Validate disconnected registry settings if in use.
Deploying the cluster via the OKD installer
Run the OKD installer:
$ ./openshift-baremetal-install --dir ~/clusterconfigs --log-level debug create clusterFollowing the installation
During the deployment process, you can check the installation’s overall status by issuing the tail command to the .openshift_install.log log file in the install directory folder:
$ tail -f /path/to/install-dir/.openshift_install.logVerifying static IP address configuration
If the DHCP reservation for a cluster node specifies an infinite lease, after the installer successfully provisions the node, the dispatcher script checks the node’s network configuration. If the script determines that the network configuration contains an infinite DHCP lease, it creates a new connection using the IP address of the DHCP lease as a static IP address.
|
The dispatcher script might run on successfully provisioned nodes while the provisioning of other nodes in the cluster is ongoing. |
Verify the network configuration is working properly.
Procedure
-
Check the network interface configuration on the node.
-
Turn off the DHCP server and reboot the OKD node and ensure that the network configuration works properly.
Preparing to reinstall a cluster on bare metal
Before you reinstall a cluster on bare metal, you must perform cleanup operations.
Procedure
-
Remove or reformat the disks for the bootstrap, control plane node, and worker nodes. If you are working in a hypervisor environment, you must add any disks you removed.
-
Delete the artifacts that the previous installation generated:
$ cd ; /bin/rm -rf auth/ bootstrap.ign master.ign worker.ign metadata.json \ .openshift_install.log .openshift_install_state.json -
Generate new manifests and Ignition config files. See “Creating the Kubernetes manifest and Ignition config files" for more information.
-
Upload the new bootstrap, control plane, and compute node Ignition config files that the installation program created to your HTTP server. This will overwrite the previous Ignition files.