Openshift single-node Installation Skript
Installiert ein vollwertiges OpenShift Origin Cluster auf einem single Node (VM)
Wichtig zu beachten:
- Das Script wird unter dem persönlichen User ausgeführt.
Sudo
ist ohne Passworteingabe möglich.- Das Agend-forewarding ist bei einer Key-Authentisierung aktiviert. (Wichtig für Ansible)
- Vor dem Ausführen die Grösse des Speicher-yaml anpassen. “
storage: 500Gi
”
Skript Sourcecode
Filename: install_openshift.sh
#!/bin/bash ############################################################################################ #*************** OpenShift single Cluster Setup by Michael Reber - v 1.2 ******************# ############################################################################################ ############################################################################################ ## Default variables to use export INTERACTIVE=${INTERACTIVE:="true"} export PVS=${INTERACTIVE:="true"} export DOMAIN=${DOMAIN:="blackgate.org"} export USERNAME=${USERNAME:="$(whoami)"} export PASSWORD=${PASSWORD:="password"} export ANSIBLE_USERNAME=${ANSIBLE_USERNAME:="$(whoami)"} export VERSION=${VERSION:="3.11"} export IP=${IP:="$(ip route get 8.8.8.8 | awk '{print $NF; exit}')"} export API_PORT=${API_PORT:="443"} export LETSENCRYPT=${LETSENCRYPT:="false"} export MAIL=${MAIL:="example@blackgate.org"} ## Make the script interactive to set the variables if [ "$INTERACTIVE" = "true" ]; then read -rp "Domain to use: ($DOMAIN): " choice; if [ "$choice" != "" ] ; then export DOMAIN="$choice"; fi read -rp "OSE-Username: ($USERNAME): " choice; if [ "$choice" != "" ] ; then export USERNAME="$choice"; fi read -rp "OSE-Password: ($PASSWORD): " choice; if [ "$choice" != "" ] ; then export PASSWORD="$choice"; fi read -rp "Ansible-Username: ($ANSIBLE_USERNAME): " choice; if [ "$choice" != "" ] ; then export ANSIBLE_USERNAME="$choice"; fi read -rp "OpenShift Version: ($VERSION): " choice; if [ "$choice" != "" ] ; then export VERSION="$choice"; fi read -rp "IP: ($IP): " choice; if [ "$choice" != "" ] ; then export IP="$choice"; fi read -rp "API Port: ($API_PORT): " choice; if [ "$choice" != "" ] ; then export API_PORT="$choice"; fi echo "Do you wish to enable HTTPS with Let's Encrypt?" echo "Warnings: " echo " Let's Encrypt only works if the IP is using publicly accessible IP and custom certificates." echo " This feature doesn't work with OpenShift CLI for now." select yn in "Yes" "No"; do case $yn in Yes) export LETSENCRYPT=true; break;; No) export LETSENCRYPT=false; break;; *) echo "Please select Yes or No.";; esac done if [ "$LETSENCRYPT" = true ] ; then read -rp "Email(required for Let's Encrypt): ($MAIL): " choice; if [ "$choice" != "" ] ; then export MAIL="$choice"; fi fi echo fi export METRICS="True" export LOGGING="True" memory=$(sudo cat /proc/meminfo | grep MemTotal | sed "s/MemTotal:[ ]*\([0-9]*\) kB/\1/") if [ "$memory" -lt "4194304" ]; then export METRICS="False" fi if [ "$memory" -lt "16777216" ]; then export LOGGING="False" fi echo "******" echo "* Your domain is $DOMAIN " echo "* Your IP is $IP " echo "* Your username is $USERNAME " echo "* Your password is $PASSWORD " echo "* OpenShift version: $VERSION " echo "* Enable HTTPS with Let's Encrypt: $LETSENCRYPT " if [ "$LETSENCRYPT" = true ] ; then echo "* Your email is $MAIL " fi echo "******" #----------------------------------------------START-INVENTORY--------------------------------------------- cat <<EOF1 > inventory.ini [OSEv3:children] masters nodes etcd [masters] ${IP} openshift_ip=${IP} openshift_schedulable=true [etcd] ${IP} openshift_ip=${IP} [nodes] ${IP} openshift_ip=${IP} openshift_schedulable=true openshift_node_group_name="node-config-all-in-one" [OSEv3:vars] openshift_additional_repos=[{'id': 'centos-paas', 'name': 'centos-paas', 'baseurl' :'https://buildlogs.centos.org/centos/7/paas/x86_64/openshift-origin311', 'gpgcheck' :'0', 'enabled' :'1'}] ansible_ssh_user=${ANSIBLE_USERNAME} # If ansible_ssh_user is not root, ansible_become must be set to true ansible_become=true enable_excluders=False enable_docker_excluder=False ansible_service_broker_install=False containerized=True os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant' openshift_disable_check=disk_availability,docker_storage,memory_availability,docker_image_availability deployment_type=origin openshift_deployment_type=origin template_service_broker_selector={"region":"infra"} openshift_metrics_image_version="v${VERSION}" openshift_logging_image_version="v${VERSION}" openshift_logging_elasticsearch_proxy_image_version="v1.0.0" openshift_logging_es_nodeselector={"node-role.kubernetes.io/infra":"true"} logging_elasticsearch_rollout_override=false osm_use_cockpit=true openshift_metrics_install_metrics=${METRICS} openshift_logging_install_logging=${LOGGING} openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}] openshift_master_htpasswd_users={"${USERNAME}": "$(openssl passwd -apr1 ${PASSWORD})"} openshift_master_api_port=${API_PORT} openshift_public_hostname=console.${DOMAIN} openshift_master_cluster_hostname=$(hostname) openshift_master_default_subdomain=apps.${DOMAIN} openshift_master_console_port=${API_PORT} #openshift_master_logout_url=https://example.com/logout EOF1 #----------------------------------------------END-INVENTORY--------------------------------------------- # install updates sudo yum update -y # install the following base packages sudo yum install -y wget git zile nano net-tools docker-1.13.1\ bind-utils iptables-services \ bridge-utils bash-completion \ kexec-tools sos psacct openssl-devel \ httpd-tools NetworkManager \ python-cryptography python2-pip python-devel python-passlib \ java-1.8.0-openjdk-headless "@Development Tools" #install epel sudo yum -y install epel-release # Disable the EPEL repository globally so that is not accidentally used during later steps of the installation sudo sed -i -e "s/^enabled=1/enabled=0/" /etc/yum.repos.d/epel.repo sudo systemctl | grep "NetworkManager.*running" if [ $? -eq 1 ]; then sudo systemctl start NetworkManager sudo systemctl enable NetworkManager fi # install the packages for Ansible sudo yum -y --enablerepo=epel install pyOpenSSL curl -o ansible.rpm https://releases.ansible.com/ansible/rpm/release/epel-7-x86_64/ansible-2.6.5-1.el7.ans.noarch.rpm sudo yum -y --enablerepo=epel install ansible.rpm [ ! -d openshift-ansible ] && git clone https://github.com/openshift/openshift-ansible.git cd openshift-ansible && git fetch && git checkout release-${VERSION} && cd .. sudo bash -c "cat <<EOF2 > /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 ${IP} $(hostname) console console.${DOMAIN} EOF2" if [ -z $DISK ]; then echo "Not setting the Docker storage." else sudo cp /etc/sysconfig/docker-storage-setup /etc/sysconfig/docker-storage-setup.bk sudo echo DEVS=$DISK > /etc/sysconfig/docker-storage-setup sudo echo VG=DOCKER >> /etc/sysconfig/docker-storage-setup sudo echo SETUP_LVM_THIN_POOL=yes >> /etc/sysconfig/docker-storage-setup sudo echo DATA_SIZE="100%FREE" >> /etc/sysconfig/docker-storage-setup sudo systemctl stop docker sudo rm -rf /var/lib/docker sudo wipefs --all $DISK # docker-storage-setup container-storage-setup systemctl restart docker fi #sudo systemctl restart docker sudo systemctl enable docker # add proxy in inventory.ini if proxy variables are set if [ ! -z "${HTTPS_PROXY:-${https_proxy:-${HTTP_PROXY:-${http_proxy}}}}" ]; then echo >> inventory.ini echo "openshift_http_proxy=\"${HTTP_PROXY:-${http_proxy:-${HTTPS_PROXY:-${https_proxy}}}}\"" >> inventory.ini echo "openshift_https_proxy=\"${HTTPS_PROXY:-${https_proxy:-${HTTP_PROXY:-${http_proxy}}}}\"" >> inventory.ini if [ ! -z "${NO_PROXY:-${no_proxy}}" ]; then __no_proxy="${NO_PROXY:-${no_proxy}},${IP},.${DOMAIN}" else __no_proxy="${IP},.${DOMAIN}" fi echo "openshift_no_proxy=\"${__no_proxy}\"" >> inventory.ini fi # Let's Encrypt setup if [ "$LETSENCRYPT" = true ] ; then # Install CertBot sudo yum install --enablerepo=epel -y certbot # Configure Let's Encrypt certificate certbot certonly --manual \ --preferred-challenges dns \ --email $MAIL \ --server https://acme-v02.api.letsencrypt.org/directory \ --agree-tos \ -d $DOMAIN \ -d *.$DOMAIN \ -d *.apps.$DOMAIN ## Modify inventory.ini # Declare usage of Custom Certificate # Configure Custom Certificates for the Web Console or CLI => Doesn't Work for CLI # Configure a Custom Master Host Certificate # Configure a Custom Wildcard Certificate for the Default Router # Configure a Custom Certificate for the Image Registry ## See here for more explanation: https://docs.okd.io/latest/install_config/certificate_customization.html cat <<EOF3 >> inventory.ini openshift_master_overwrite_named_certificates=true openshift_master_cluster_hostname=console-internal.${DOMAIN} openshift_master_cluster_public_hostname=console.${DOMAIN} openshift_master_named_certificates=[{"certfile": "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem", "keyfile": "/etc/letsencrypt/live/${DOMAIN}/privkey.pem", "cafile": "/etc/letsencrypt/live/${DOMAIN}/chain.pem", "names": ["console.${DOMAIN}"]}] openshift_hosted_router_certificate={"certfile": "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem", "keyfile": "/etc/letsencrypt/live/${DOMAIN}/privkey.pem", "cafile": "/etc/letsencrypt/live/${DOMAIN}/chain.pem"} openshift_hosted_registry_routehost=registry.apps.${DOMAIN} openshift_hosted_registry_routecertificates={"certfile": "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem", "keyfile": "/etc/letsencrypt/live/${DOMAIN}/privkey.pem", "cafile": "/etc/letsencrypt/live/${DOMAIN}/chain.pem"} openshift_hosted_registry_routetermination=reencrypt EOF3 # Add Cron Task to renew certificate echo "@weekly certbot renew --pre-hook=\"oc scale --replicas=0 dc router\" --post-hook=\"oc scale --replicas=1 dc router\"" > certbotcron crontab certbotcron rm certbotcron fi sudo mkdir -p /etc/origin/master/ #sudo touch /etc/origin/master/htpasswd #sudo htpasswd -b /etc/origin/master/htpasswd ${USERNAME} ${PASSWORD} ansible-playbook -i inventory.ini openshift-ansible/playbooks/prerequisites.yml ansible-playbook -i inventory.ini openshift-ansible/playbooks/deploy_cluster.yml sudo oc adm policy add-cluster-role-to-user cluster-admin ${USERNAME} if [ "$PVS" = "true" ]; then cat <<EOF4 > vol.yaml apiVersion: v1 kind: PersistentVolume metadata: name: vol spec: capacity: storage: 500Gi accessModes: - ReadWriteOnce - ReadWriteMany persistentVolumeReclaimPolicy: Retain hostPath: path: /mnt/data/vol EOF4 for i in `seq 1 200`; do DIRNAME="vol$i" sudo mkdir -p /mnt/data/$DIRNAME sudo chcon -Rt svirt_sandbox_file_t /mnt/data/$DIRNAME sudo chmod 777 /mnt/data/$DIRNAME sed "s/name: vol/name: vol$i/g" vol.yaml > oc_vol.yaml sed -i "s/path: \/mnt\/data\/vol/path: \/mnt\/data\/vol$i/g" oc_vol.yaml sudo oc create -f oc_vol.yaml echo "created volume $i" done sudo rm oc_vol.yaml fi echo "******" echo "* Your console is https://console.$DOMAIN:$API_PORT" echo "* Your username is $USERNAME " echo "* Your password is $PASSWORD " echo "*" echo "* Login using:" echo "*" echo "$ oc login -u ${USERNAME} -p ${PASSWORD} https://console.$DOMAIN:$API_PORT/" echo "******" sudo oc login -u ${USERNAME} -p ${PASSWORD} https://console.$DOMAIN:$API_PORT/