Openshift single-node Installation Skript

Installiert ein vollwertiges OpenShift Origin Cluster auf einem single Node (VM)
Wichtig zu beachten:
Das Script wird unter dem persönlichen User ausgeführt.
Sudo ist ohne Passworteingabe möglich.
Das Agend-forewarding ist bei einer Key-Authentisierung aktiviert. (Wichtig für Ansible)
Vor dem Ausführen die Grösse des Speicher-yaml anpassen. “storage: 500Gi”
Filename: install_openshift.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
#!/bin/bash
############################################################################################
#*************** OpenShift single Cluster Setup by Michael Reber - v 1.2 ******************#
############################################################################################
 
############################################################################################
 
## Default variables to use
export INTERACTIVE=${INTERACTIVE:="true"}
export PVS=${INTERACTIVE:="true"}
export DOMAIN=${DOMAIN:="blackgate.org"}
export USERNAME=${USERNAME:="$(whoami)"}
export PASSWORD=${PASSWORD:="password"}
export ANSIBLE_USERNAME=${ANSIBLE_USERNAME:="$(whoami)"}
export VERSION=${VERSION:="3.11"}
export IP=${IP:="$(ip route get 8.8.8.8 | awk '{print $NF; exit}')"}
export API_PORT=${API_PORT:="443"}
export LETSENCRYPT=${LETSENCRYPT:="false"}
export MAIL=${MAIL:="example@blackgate.org"}
 
## Make the script interactive to set the variables
if [ "$INTERACTIVE" = "true" ]; then
        read -rp "Domain to use: ($DOMAIN): " choice;
        if [ "$choice" != "" ] ; then
                export DOMAIN="$choice";
        fi
 
        read -rp "OSE-Username: ($USERNAME): " choice;
        if [ "$choice" != "" ] ; then
                export USERNAME="$choice";
        fi
 
        read -rp "OSE-Password: ($PASSWORD): " choice;
        if [ "$choice" != "" ] ; then
                export PASSWORD="$choice";
        fi
        read -rp "Ansible-Username: ($ANSIBLE_USERNAME): " choice;
        if [ "$choice" != "" ] ; then
                export ANSIBLE_USERNAME="$choice";
        fi
        read -rp "OpenShift Version: ($VERSION): " choice;
        if [ "$choice" != "" ] ; then
                export VERSION="$choice";
        fi
        read -rp "IP: ($IP): " choice;
        if [ "$choice" != "" ] ; then
                export IP="$choice";
        fi
 
        read -rp "API Port: ($API_PORT): " choice;
        if [ "$choice" != "" ] ; then
                export API_PORT="$choice";
        fi
 
        echo "Do you wish to enable HTTPS with Let's Encrypt?"
        echo "Warnings: "
        echo "  Let's Encrypt only works if the IP is using publicly accessible IP and custom certificates."
        echo "  This feature doesn't work with OpenShift CLI for now."
        select yn in "Yes" "No"; do
                case $yn in
                        Yes) export LETSENCRYPT=true; break;;
                        No) export LETSENCRYPT=false; break;;
                        *) echo "Please select Yes or No.";;
                esac
        done
 
        if [ "$LETSENCRYPT" = true ] ; then
                read -rp "Email(required for Let's Encrypt): ($MAIL): " choice;
                if [ "$choice" != "" ] ; then
                        export MAIL="$choice";
                fi
        fi
 
        echo
 
fi
 
export METRICS="True"
export LOGGING="True"
 
memory=$(sudo cat /proc/meminfo | grep MemTotal | sed "s/MemTotal:[ ]*\([0-9]*\) kB/\1/")
 
if [ "$memory" -lt "4194304" ]; then
        export METRICS="False"
fi
 
if [ "$memory" -lt "16777216" ]; then
        export LOGGING="False"
fi
 
echo "******"
echo "* Your domain is $DOMAIN "
echo "* Your IP is $IP "
echo "* Your username is $USERNAME "
echo "* Your password is $PASSWORD "
echo "* OpenShift version: $VERSION "
echo "* Enable HTTPS with Let's Encrypt: $LETSENCRYPT "
if [ "$LETSENCRYPT" = true ] ; then
        echo "* Your email is $MAIL "
fi
echo "******"
 
#----------------------------------------------START-INVENTORY---------------------------------------------
cat <<EOF1 > inventory.ini
[OSEv3:children]
masters
nodes
etcd
 
[masters]
${IP} openshift_ip=${IP} openshift_schedulable=true
 
[etcd]
${IP} openshift_ip=${IP}
 
[nodes]
${IP} openshift_ip=${IP} openshift_schedulable=true openshift_node_group_name="node-config-all-in-one"
 
[OSEv3:vars]
openshift_additional_repos=[{'id': 'centos-paas', 'name': 'centos-paas', 'baseurl' :'https://buildlogs.centos.org/centos/7/paas/x86_64/openshift-origin311', 'gpgcheck' :'0', 'enabled' :'1'}]
 
ansible_ssh_user=${ANSIBLE_USERNAME}
 
# If ansible_ssh_user is not root, ansible_become must be set to true
ansible_become=true
 
enable_excluders=False
enable_docker_excluder=False
ansible_service_broker_install=False
 
containerized=True
os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
openshift_disable_check=disk_availability,docker_storage,memory_availability,docker_image_availability
 
deployment_type=origin
openshift_deployment_type=origin
 
template_service_broker_selector={"region":"infra"}
openshift_metrics_image_version="v${VERSION}"
openshift_logging_image_version="v${VERSION}"
openshift_logging_elasticsearch_proxy_image_version="v1.0.0"
openshift_logging_es_nodeselector={"node-role.kubernetes.io/infra":"true"}
logging_elasticsearch_rollout_override=false
osm_use_cockpit=true
 
openshift_metrics_install_metrics=${METRICS}
openshift_logging_install_logging=${LOGGING}
 
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
openshift_master_htpasswd_users={"${USERNAME}": "$(openssl passwd -apr1 ${PASSWORD})"}
 
openshift_master_api_port=${API_PORT}
openshift_public_hostname=console.${DOMAIN}
openshift_master_cluster_hostname=$(hostname)
openshift_master_default_subdomain=apps.${DOMAIN}
openshift_master_console_port=${API_PORT}
 
#openshift_master_logout_url=https://example.com/logout
EOF1
 
#----------------------------------------------END-INVENTORY---------------------------------------------
 
 
# install updates
sudo yum update -y
 
# install the following base packages
sudo yum install -y  wget git zile nano net-tools docker-1.13.1\
                                bind-utils iptables-services \
                                bridge-utils bash-completion \
                                kexec-tools sos psacct openssl-devel \
                                httpd-tools NetworkManager \
                                python-cryptography python2-pip python-devel  python-passlib \
                                java-1.8.0-openjdk-headless "@Development Tools"
 
#install epel
sudo yum -y install epel-release
 
# Disable the EPEL repository globally so that is not accidentally used during later steps of the installation
sudo sed -i -e "s/^enabled=1/enabled=0/" /etc/yum.repos.d/epel.repo
 
sudo systemctl | grep "NetworkManager.*running"
if [ $? -eq 1 ]; then
        sudo systemctl start NetworkManager
        sudo systemctl enable NetworkManager
fi
 
# install the packages for Ansible
sudo yum -y --enablerepo=epel install pyOpenSSL
 
curl -o ansible.rpm https://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.6.5-1.el7.ans.noarch.rpm
sudo yum -y --enablerepo=epel install ansible.rpm
 
[ ! -d openshift-ansible ] && git clone https://github.com/openshift/openshift-ansible.git
 
cd openshift-ansible && git fetch && git checkout release-${VERSION} && cd ..
 
sudo bash -c "cat <<EOF2 > /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
${IP}           $(hostname) console console.${DOMAIN}
EOF2"
 
if [ -z $DISK ]; then
        echo "Not setting the Docker storage."
else
        sudo cp /etc/sysconfig/docker-storage-setup /etc/sysconfig/docker-storage-setup.bk
 
        sudo echo DEVS=$DISK > /etc/sysconfig/docker-storage-setup
        sudo echo VG=DOCKER >> /etc/sysconfig/docker-storage-setup
        sudo echo SETUP_LVM_THIN_POOL=yes >> /etc/sysconfig/docker-storage-setup
        sudo echo DATA_SIZE="100%FREE" >> /etc/sysconfig/docker-storage-setup
 
        sudo systemctl stop docker
 
        sudo rm -rf /var/lib/docker
        sudo wipefs --all $DISK
#       docker-storage-setup
        container-storage-setup
 
        systemctl restart docker
fi
 
#sudo systemctl restart docker
sudo systemctl enable docker
 
# add proxy in inventory.ini if proxy variables are set
if [ ! -z "${HTTPS_PROXY:-${https_proxy:-${HTTP_PROXY:-${http_proxy}}}}" ]; then
        echo >> inventory.ini
        echo "openshift_http_proxy=\"${HTTP_PROXY:-${http_proxy:-${HTTPS_PROXY:-${https_proxy}}}}\"" >> inventory.ini
        echo "openshift_https_proxy=\"${HTTPS_PROXY:-${https_proxy:-${HTTP_PROXY:-${http_proxy}}}}\"" >> inventory.ini
        if [ ! -z "${NO_PROXY:-${no_proxy}}" ]; then
                __no_proxy="${NO_PROXY:-${no_proxy}},${IP},.${DOMAIN}"
        else
                __no_proxy="${IP},.${DOMAIN}"
        fi
        echo "openshift_no_proxy=\"${__no_proxy}\"" >> inventory.ini
fi
 
# Let's Encrypt setup
if [ "$LETSENCRYPT" = true ] ; then
        # Install CertBot
        sudo yum install --enablerepo=epel -y certbot
 
        # Configure Let's Encrypt certificate
        certbot certonly --manual \
                        --preferred-challenges dns \
                        --email $MAIL \
                        --server https://acme-v02.api.letsencrypt.org/directory \
                        --agree-tos \
                        -d $DOMAIN \
                        -d *.$DOMAIN \
                        -d *.apps.$DOMAIN
 
        ## Modify inventory.ini
        # Declare usage of Custom Certificate
        # Configure Custom Certificates for the Web Console or CLI => Doesn't Work for CLI
        # Configure a Custom Master Host Certificate
        # Configure a Custom Wildcard Certificate for the Default Router
        # Configure a Custom Certificate for the Image Registry
        ## See here for more explanation: https://docs.okd.io/latest/install_config/certificate_customization.html
        cat <<EOF3 >> inventory.ini
 
        openshift_master_overwrite_named_certificates=true
 
        openshift_master_cluster_hostname=console-internal.${DOMAIN}
        openshift_master_cluster_public_hostname=console.${DOMAIN}
 
        openshift_master_named_certificates=[{"certfile": "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem", "keyfile": "/etc/letsencrypt/live/${DOMAIN}/privkey.pem", "cafile": "/etc/letsencrypt/live/${DOMAIN}/chain.pem", "names": ["console.${DOMAIN}"]}]
 
        openshift_hosted_router_certificate={"certfile": "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem", "keyfile": "/etc/letsencrypt/live/${DOMAIN}/privkey.pem", "cafile": "/etc/letsencrypt/live/${DOMAIN}/chain.pem"}
 
        openshift_hosted_registry_routehost=registry.apps.${DOMAIN}
        openshift_hosted_registry_routecertificates={"certfile": "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem", "keyfile": "/etc/letsencrypt/live/${DOMAIN}/privkey.pem", "cafile": "/etc/letsencrypt/live/${DOMAIN}/chain.pem"}
        openshift_hosted_registry_routetermination=reencrypt
EOF3
 
        # Add Cron Task to renew certificate
        echo "@weekly  certbot renew --pre-hook=\"oc scale --replicas=0 dc router\" --post-hook=\"oc scale --replicas=1 dc router\"" > certbotcron
        crontab certbotcron
        rm certbotcron
fi
 
sudo mkdir -p /etc/origin/master/
#sudo touch /etc/origin/master/htpasswd
#sudo htpasswd -b /etc/origin/master/htpasswd ${USERNAME} ${PASSWORD}
 
ansible-playbook -i inventory.ini openshift-ansible/playbooks/prerequisites.yml
ansible-playbook -i inventory.ini openshift-ansible/playbooks/deploy_cluster.yml
 
sudo oc adm policy add-cluster-role-to-user cluster-admin ${USERNAME}
 
if [ "$PVS" = "true" ]; then
 
        cat <<EOF4 > vol.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: vol
spec:
  capacity:
    storage: 500Gi
  accessModes:
    - ReadWriteOnce
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  hostPath:
    path: /mnt/data/vol
EOF4
 
        for i in `seq 1 200`;
        do
                DIRNAME="vol$i"
                sudo mkdir -p /mnt/data/$DIRNAME
                sudo chcon -Rt svirt_sandbox_file_t /mnt/data/$DIRNAME
                sudo chmod 777 /mnt/data/$DIRNAME
 
                sed "s/name: vol/name: vol$i/g" vol.yaml > oc_vol.yaml
                sed -i "s/path: \/mnt\/data\/vol/path: \/mnt\/data\/vol$i/g" oc_vol.yaml
                sudo oc create -f oc_vol.yaml
                echo "created volume $i"
        done
        sudo rm oc_vol.yaml
fi
 
echo "******"
echo "* Your console is https://console.$DOMAIN:$API_PORT"
echo "* Your username is $USERNAME "
echo "* Your password is $PASSWORD "
echo "*"
echo "* Login using:"
echo "*"
echo "$ oc login -u ${USERNAME} -p ${PASSWORD} https://console.$DOMAIN:$API_PORT/"
echo "******"
 
sudo oc login -u ${USERNAME} -p ${PASSWORD} https://console.$DOMAIN:$API_PORT/
Openshift single-node Installation Skript

Skript Sourcecode
