Setting up the environment for an OpenShift installation

Installing RHEL on the provisioner node

With the networking configuration complete, the next step is to install Fedora 8.x on the provisioner node. The installer uses the provisioner node as the orchestrator while installing the OKD cluster. For the purposes of this document, installing RHEL on the provisioner node is out of scope. However, options include but are not limited to using a RHEL Satellite server, PXE, or installation media.

Preparing the provisioner node for OKD installation

Perform the following steps to prepare the environment.

Procedure

  1. Log in to the provisioner node via ssh.

  2. Create a non-root user (kni) and provide that user with sudo privileges:

    1. # useradd kni
    2. # passwd kni
    3. # echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    4. # chmod 0440 /etc/sudoers.d/kni
  3. Create an ssh key for the new user:

    1. # su - kni -c "ssh-keygen -t ed25519 -f /home/kni/.ssh/id_rsa -N ''"
  4. Log in as the new user on the provisioner node:

    1. # su - kni
    2. $
  5. Use Red Hat Subscription Manager to register the provisioner node:

    1. $ sudo subscription-manager register --username=<user> --password=<pass> --auto-attach
    2. $ sudo subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms --enable=rhel-8-for-x86_64-baseos-rpms

    For more information about Red Hat Subscription Manager, see Using and Configuring Red Hat Subscription Manager.

  6. Install the following packages:

    1. $ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitool
  7. Modify the user to add the libvirt group to the newly created user:

    1. $ sudo usermod --append --groups libvirt <user>
  8. Restart firewalld and enable the http service:

    1. $ sudo systemctl start firewalld
    2. $ sudo firewall-cmd --zone=public --add-service=http --permanent
    3. $ sudo firewall-cmd --reload
  9. Start and enable the libvirtd service:

    1. $ sudo systemctl enable libvirtd --now
  10. Create the default storage pool and start it:

    1. $ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images
    2. $ sudo virsh pool-start default
    3. $ sudo virsh pool-autostart default
  11. Configure networking.

    You can also configure networking from the web console.

    Export the baremetal network NIC name:

    1. $ export PUB_CONN=<baremetal_nic_name>

    Configure the baremetal network:

    1. $ sudo nohup bash -c "
    2. nmcli con down \"$PUB_CONN\"
    3. nmcli con delete \"$PUB_CONN\"
    4. # RHEL 8.1 appends the word \"System\" in front of the connection, delete in case it exists
    5. nmcli con down \"System $PUB_CONN\"
    6. nmcli con delete \"System $PUB_CONN\"
    7. nmcli connection add ifname baremetal type bridge con-name baremetal
    8. nmcli con add type bridge-slave ifname \"$PUB_CONN\" master baremetal
    9. pkill dhclient;dhclient baremetal
    10. "

    If you are deploying with a provisioning network, export the provisioning network NIC name:

    1. $ export PROV_CONN=<prov_nic_name>

    If you are deploying with a provisioning network, configure the provisioning network:

    1. $ sudo nohup bash -c "
    2. nmcli con down \"$PROV_CONN\"
    3. nmcli con delete \"$PROV_CONN\"
    4. nmcli connection add ifname provisioning type bridge con-name provisioning
    5. nmcli con add type bridge-slave ifname \"$PROV_CONN\" master provisioning
    6. nmcli connection modify provisioning ipv6.addresses fd00:1101::1/64 ipv6.method manual
    7. nmcli con down provisioning
    8. nmcli con up provisioning
    9. "

    The ssh connection might disconnect after executing these steps.

    The IPv6 address can be any address as long as it is not routable via the baremetal network.

    Ensure that UEFI is enabled and UEFI PXE settings are set to the IPv6 protocol when using IPv6 addressing.

  12. ssh back into the provisioner node (if required).

    1. # ssh kni@provisioner.<cluster-name>.<domain>
  13. Verify the connection bridges have been properly created.

    1. $ sudo nmcli con show
    1. NAME UUID TYPE DEVICE
    2. baremetal 4d5133a5-8351-4bb9-bfd4-3af264801530 bridge baremetal
    3. provisioning 43942805-017f-4d7d-a2c2-7cb3324482ed bridge provisioning
    4. virbr0 d9bca40f-eee1-410b-8879-a2d4bb0465e7 bridge virbr0
    5. bridge-slave-eno1 76a8ed50-c7e5-4999-b4f6-6d9014dd0812 ethernet eno1
    6. bridge-slave-eno2 f31c3353-54b7-48de-893a-02d2b34c4736 ethernet eno2
  14. Create a pull-secret.txt file.

    1. $ vim pull-secret.txt

    In a web browser, navigate to Install on Bare Metal with user-provisioned infrastructure, and scroll down to the Downloads section. Click Copy pull secret. Paste the contents into the pull-secret.txt file and save the contents in the kni user’s home directory.

Retrieving the OKD installer

Use the stable-4.x version of the installer to deploy the generally available stable version of OKD:

  1. $ export VERSION=stable-4.9
  2. export RELEASE_IMAGE=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')

Extracting the OKD installer

After retrieving the installer, the next step is to extract it.

Procedure

  1. Set the environment variables:

    1. $ export cmd=openshift-baremetal-install
    2. $ export pullsecret_file=~/pull-secret.txt
    3. $ export extract_dir=$(pwd)
  2. Get the oc binary:

    1. $ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux.tar.gz | tar zxvf - oc
  3. Extract the installer:

    1. $ sudo cp oc /usr/local/bin
    2. $ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${RELEASE_IMAGE}
    3. $ sudo cp openshift-baremetal-install /usr/local/bin

Creating an FCOS images cache (optional)

To employ image caching, you must download two images: the Fedora CoreOS (FCOS) image used by the bootstrap VM and the FCOS image used by the installer to provision the different nodes. Image caching is optional, but especially useful when running the installer on a network with limited bandwidth.

If you are running the installer on a network with limited bandwidth and the FCOS images download takes more than 15 to 20 minutes, the installer will timeout. Caching images on a web server will help in such scenarios.

Install a container that contains the images.

Procedure

  1. Install podman:

    1. $ sudo dnf install -y podman
  2. Open firewall port 8080 to be used for FCOS image caching:

    1. $ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent
    1. $ sudo firewall-cmd --reload
  3. Create a directory to store the bootstraposimage and clusterosimage:

    1. $ mkdir /home/kni/rhcos_image_cache
  4. Set the appropriate SELinux context for the newly created directory:

    1. $ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"
    1. $ sudo restorecon -Rv rhcos_image_cache/
  5. Get the commit ID from the installer:

    1. $ export COMMIT_ID=$(/usr/local/bin/openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')

    The ID determines which images the installer needs to download.

  6. Get the URI for the FCOS image that the installer will deploy on the nodes:

    1. $ export RHCOS_OPENSTACK_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .images.openstack.path | sed 's/"//g')
  7. Get the URI for the FCOS image that the installer will deploy on the bootstrap VM:

    1. $ export RHCOS_QEMU_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .images.qemu.path | sed 's/"//g')
  8. Get the path where the images are published:

    1. $ export RHCOS_PATH=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .baseURI | sed 's/"//g')
  9. Get the SHA hash for the FCOS image that will be deployed on the bootstrap VM:

    1. $ export RHCOS_QEMU_SHA_UNCOMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq -r '.images.qemu["uncompressed-sha256"]')
  10. Get the SHA hash for the FCOS image that will be deployed on the nodes:

    1. $ export RHCOS_OPENSTACK_SHA_COMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq -r '.images.openstack.sha256')
  11. Download the images and place them in the /home/kni/rhcos_image_cache directory:

    1. $ curl -L ${RHCOS_PATH}${RHCOS_QEMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI}
    1. $ curl -L ${RHCOS_PATH}${RHCOS_OPENSTACK_URI} -o /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI}
  12. Confirm SELinux type is of httpd_sys_content_t for the newly created files:

    1. $ ls -Z /home/kni/rhcos_image_cache
  13. Create the pod:

    1. $ podman run -d --name rhcos_image_cache \
    2. -v /home/kni/rhcos_image_cache:/var/www/html \
    3. -p 8080:8080/tcp \
    4. registry.centos.org/centos/httpd-24-centos7:latest

    The above command creates a caching webserver with the name rhcos_image_cache, which serves the images for deployment. The first image ${RHCOS_PATH}${RHCOS_QEMU_URI}?sha256=${RHCOS_QEMU_SHA_UNCOMPRESSED} is the bootstrapOSImage and the second image ${RHCOS_PATH}${RHCOS_OPENSTACK_URI}?sha256=${RHCOS_OPENSTACK_SHA_COMPRESSED} is the clusterOSImage in the install-config.yaml file.

  14. Generate the bootstrapOSImage and clusterOSImage configuration:

    1. $ export BAREMETAL_IP=$(ip addr show dev baremetal | awk '/inet /{print $2}' | cut -d"/" -f1)
    1. $ export RHCOS_OPENSTACK_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI} | sha256sum | awk '{print $1}')
    1. $ export RHCOS_QEMU_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI} | sha256sum | awk '{print $1}')
    1. $ export CLUSTER_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_OPENSTACK_URI}?sha256=${RHCOS_OPENSTACK_SHA256}"
    1. $ export BOOTSTRAP_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_QEMU_URI}?sha256=${RHCOS_QEMU_SHA256}"
    1. $ echo "${RHCOS_OPENSTACK_SHA256} ${RHCOS_OPENSTACK_URI}" > /home/kni/rhcos_image_cache/rhcos-ootpa-latest.qcow2.md5sum
    1. $ echo " bootstrapOSImage=${BOOTSTRAP_OS_IMAGE}"
    1. $ echo " clusterOSImage=${CLUSTER_OS_IMAGE}"
  15. Add the required configuration to the install-config.yaml file under platform.baremetal:

    1. platform:
    2. baremetal:
    3. bootstrapOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_QEMU_URI>?sha256=<RHCOS_QEMU_SHA256>
    4. clusterOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_OPENSTACK_URI>?sha256=<RHCOS_OPENSTACK_SHA256>

    See the “Configuration files” section for additional details.

Configuration files

Configuring the install-config.yaml file

The install-config.yaml file requires some additional details. Most of the information is teaching the installer and the resulting cluster enough about the available hardware so that it is able to fully manage it.

  1. Configure install-config.yaml. Change the appropriate variables to match the environment, including pullSecret and sshKey.

    1. apiVersion: v1
    2. baseDomain: <domain>
    3. metadata:
    4. name: <cluster-name>
    5. networking:
    6. machineCIDR: <public-cidr>
    7. networkType: OVNKubernetes
    8. compute:
    9. - name: worker
    10. replicas: 2 (1)
    11. controlPlane:
    12. name: master
    13. replicas: 3
    14. platform:
    15. baremetal: {}
    16. platform:
    17. baremetal:
    18. apiVIP: <api-ip>
    19. ingressVIP: <wildcard-ip>
    20. provisioningNetworkCIDR: <CIDR>
    21. hosts:
    22. - name: openshift-master-0
    23. role: master
    24. bmc:
    25. address: ipmi://<out-of-band-ip> (2)
    26. username: <user>
    27. password: <password>
    28. bootMACAddress: <NIC1-mac-address>
    29. rootDeviceHints:
    30. deviceName: "/dev/sda"
    31. - name: <openshift-master-1>
    32. role: master
    33. bmc:
    34. address: ipmi://<out-of-band-ip> (2)
    35. username: <user>
    36. password: <password>
    37. bootMACAddress: <NIC1-mac-address>
    38. rootDeviceHints:
    39. deviceName: "/dev/sda"
    40. - name: <openshift-master-2>
    41. role: master
    42. bmc:
    43. address: ipmi://<out-of-band-ip> (2)
    44. username: <user>
    45. password: <password>
    46. bootMACAddress: <NIC1-mac-address>
    47. rootDeviceHints:
    48. deviceName: "/dev/sda"
    49. - name: <openshift-worker-0>
    50. role: worker
    51. bmc:
    52. address: ipmi://<out-of-band-ip> (2)
    53. username: <user>
    54. password: <password>
    55. bootMACAddress: <NIC1-mac-address>
    56. - name: <openshift-worker-1>
    57. role: worker
    58. bmc:
    59. address: ipmi://<out-of-band-ip>
    60. username: <user>
    61. password: <password>
    62. bootMACAddress: <NIC1-mac-address>
    63. rootDeviceHints:
    64. deviceName: "/dev/sda"
    65. pullSecret: '<pull_secret>'
    66. sshKey: '<ssh_pub_key>'
    1Scale the worker machines based on the number of worker nodes that are part of the OKD cluster.
    2See the BMC addressing sections for more options.
  2. Create a directory to store cluster configs.

    1. $ mkdir ~/clusterconfigs
    2. $ cp install-config.yaml ~/clusterconfigs
  3. Ensure all bare metal nodes are powered off prior to installing the OKD cluster.

    1. $ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
  4. Remove old bootstrap resources if any are left over from a previous deployment attempt.

    1. for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    2. do
    3. sudo virsh destroy $i;
    4. sudo virsh undefine $i;
    5. sudo virsh vol-delete $i --pool $i;
    6. sudo virsh vol-delete $i.ign --pool $i;
    7. sudo virsh pool-destroy $i;
    8. sudo virsh pool-undefine $i;
    9. done

Setting proxy settings within the install-config.yaml file (optional)

To deploy an OKD cluster using a proxy, make the following changes to the install-config.yaml file.

  1. apiVersion: v1
  2. baseDomain: <domain>
  3. proxy:
  4. httpProxy: http://USERNAME:PASSWORD@proxy.example.com:PORT
  5. httpsProxy: https://USERNAME:PASSWORD@proxy.example.com:PORT
  6. noProxy: <WILDCARD_OF_DOMAIN>,<PROVISIONING_NETWORK/CIDR>,<BMC_ADDRESS_RANGE/CIDR>

The following is an example of noProxy with values.

  1. noProxy: .example.com,172.22.0.0/24,10.10.0.0/24

With a proxy enabled, set the appropriate values of the proxy in the corresponding key/value pair.

Key considerations:

  • If the proxy does not have an HTTPS proxy, change the value of httpsProxy from https:// to http://.

  • If using a provisioning network, include it in the noProxy setting, otherwise the installer will fail.

  • Set all of the proxy settings as environment variables within the provisioner node. For example, HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

Modifying the install-config.yaml file for no provisioning network (optional)

To deploy an OKD cluster without a provisioning network, make the following changes to the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. apiVIP: <api_VIP>
  4. ingressVIP: <ingress_VIP>
  5. provisioningNetwork: "Disabled" (1)
1Add the provisioningNetwork configuration setting, if needed, and set it to Disabled.

The provisioning network is required for PXE booting. If you deploy without a provisioning network, you must use a virtual media BMC addressing option such as redfish-virtualmedia or idrac-virtualmedia. See “Redfish virtual media for HPE iLO” in the “BMC addressing for HPE iLO” section or “Redfish virtual media for Dell iDRAC” in the “BMC addressing for Dell iDRAC” section for additional details.

Modifying the install-config.yaml file for dual-stack network (optional)

To deploy an OKD cluster with dual-stack networking, edit the machineNetwork, clusterNetwork, and serviceNetwork configuration settings in the install-config.yaml file. Each setting must have two CIDR entries each. Ensure the first CIDR entry is the IPv4 setting and the second CIDR entry is the IPv6 setting.

  1. machineNetwork:
  2. - cidr: {{ extcidrnet }}
  3. - cidr: {{ extcidrnet6 }}
  4. clusterNetwork:
  5. - cidr: 10.128.0.0/14
  6. hostPrefix: 23
  7. - cidr: fd02::/48
  8. hostPrefix: 64
  9. serviceNetwork:
  10. - 172.30.0.0/16
  11. - fd03::/112

The API VIP IP address and the Ingress VIP address must be of the primary IP address family when using dual-stack networking. Currently, Red Hat does not support dual-stack VIPs or dual-stack networking with IPv6 as the primary IP address family. However, Red Hat does support dual-stack networking with IPv4 as the primary IP address family. Therefore, the IPv4 entries must go before the IPv6 entries.

Configuring managed Secure Boot in the install-config.yaml file (optional)

You can enable managed Secure Boot when deploying an installer-provisioned cluster using Redfish BMC addressing, such as redfish, redfish-virtualmedia, or idrac-virtualmedia. To enable managed Secure Boot, add the bootMode configuration setting to each node:

Example

  1. hosts:
  2. - name: openshift-master-0
  3. role: master
  4. bmc:
  5. address: redfish://<out_of_band_ip> (1)
  6. username: <user>
  7. password: <password>
  8. bootMACAddress: <NIC1_mac_address>
  9. rootDeviceHints:
  10. deviceName: "/dev/sda"
  11. bootMode: UEFISecureBoot (2)
1Ensure the bmc.address setting uses redfish, redfish-virtualmedia, or idrac-virtualmedia as the protocol. See “BMC addressing for HPE iLO” or “BMC addressing for Dell iDRAC” for additional details.
2The bootMode setting is UEFI by default. Change it to UEFISecureBoot to enable managed Secure Boot.

See “Configuring nodes” in the “Prerequisites” to ensure the nodes can support managed Secure Boot. If the nodes do not support managed Secure Boot, see “Configuring nodes for Secure Boot manually” in the “Configuring nodes” section. Configuring Secure Boot manually requires Redfish virtual media.

Red Hat does not support Secure Boot with IPMI, because IPMI does not provide Secure Boot management facilities.

Additional install-config parameters

See the following tables for the required parameters, the hosts parameter, and the bmc parameter for the install-config.yaml file.

Table 1. Required parameters
ParametersDefaultDescription

baseDomain

The domain name for the cluster. For example, example.com.

bootMode

UEFI

The boot mode for a node. Options are legacy, UEFI, and UEFISecureBoot. If bootMode is not set, Ironic sets it while inspecting the node.

sshKey

The sshKey configuration setting contains the key in the ~/.ssh/id_rsa.pub file required to access the control plane nodes and worker nodes. Typically, this key is from the provisioner node.

pullSecret

The pullSecret configuration setting contains a copy of the pull secret downloaded from the Install OpenShift on Bare Metal page when preparing the provisioner node.

  1. metadata:
  2. name:

The name to be given to the OKD cluster. For example, openshift.

  1. networking:
  2. machineCIDR:

The public CIDR (Classless Inter-Domain Routing) of the external network. For example, 10.0.0.0/24 .

  1. compute:
  2. - name: worker

The OKD cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes.

  1. compute:
  2. replicas: 2

Replicas sets the number of worker (or compute) nodes in the OKD cluster.

  1. controlPlane:
  2. name: master

The OKD cluster requires a name for control plane (master) nodes.

  1. controlPlane:
  2. replicas: 3

Replicas sets the number of control plane (master) nodes included as part of the OKD cluster.

provisioningNetworkInterface

The name of the network interface on nodes connected to the provisioning network. For OKD 4.9 and later releases, use the bootMACAddress configuration setting to enable Ironic to identify the IP address of the NIC instead of using the provisioningNetworkInterface configuration setting to identify the name of the NIC.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

apiVIP

api.<clustername.clusterdomain>

The VIP to use for internal API communication.

This setting must either be provided or pre-configured in the DNS so that the default name resolves correctly.

disableCertificateVerification

False

redfish and redfish-virtualmedia need this parameter to manage BMC addresses. The value should be True when using a self-signed certificate for BMC addresses.

ingressVIP

test.apps.<clustername.clusterdomain>

The VIP to use for ingress traffic.

Table 2. Optional Parameters
ParametersDefaultDescription

provisioningDHCPRange

172.22.0.10,172.22.0.100

Defines the IP range for nodes on the provisioning network.

provisioningNetworkCIDR

172.22.0.0/24

The CIDR for the network to use for provisioning. This option is required when not using the default address range on the provisioning network.

clusterProvisioningIP

The third IP address of the provisioningNetworkCIDR.

The IP address within the cluster where the provisioning services run. Defaults to the third IP address of the provisioning subnet. For example, 172.22.0.3.

bootstrapProvisioningIP

The second IP address of the provisioningNetworkCIDR.

The IP address on the bootstrap VM where the provisioning services run while the installer is deploying the control plane (master) nodes. Defaults to the second IP address of the provisioning subnet. For example, 172.22.0.2 or 2620:52:0:1307::2.

externalBridge

baremetal

The name of the baremetal bridge of the hypervisor attached to the baremetal network.

provisioningBridge

provisioning

The name of the provisioning bridge on the provisioner host attached to the provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

bootstrapOSImage

A URL to override the default operating system image for the bootstrap node. The URL must contain a SHA-256 hash of the image. For example: https://mirror.openshift.com/rhcos-<version>-qemu.qcow2.gz?sha256=<uncompressed_sha256>;.

clusterOSImage

A URL to override the default operating system for cluster nodes. The URL must include a SHA-256 hash of the image. For example, https://mirror.openshift.com/images/rhcos-<version>-openstack.qcow2.gz?sha256=<compressed_sha256>;.

provisioningNetwork

The provisioningNetwork configuration setting determines whether the cluster uses the provisioning network. If it does, the configuration setting also determines if the cluster manages the network.

Disabled: Set this parameter to Disabled to disable the requirement for a provisioning network. When set to Disabled, you must only use virtual media based provisioning, or bring up the cluster using the assisted installer. If Disabled and using power management, BMCs must be accessible from the baremetal network. If Disabled, you must provide two IP addresses on the baremetal network that are used for the provisioning services.

Managed: Set this parameter to Managed, which is the default, to fully manage the provisioning network, including DHCP, TFTP, and so on.

Unmanaged: Set this parameter to Unmanaged to enable the provisioning network but take care of manual configuration of DHCP. Virtual media provisioning is recommended but PXE is still available if required.

httpProxy

Set this parameter to the appropriate HTTP proxy used within your environment.

httpsProxy

Set this parameter to the appropriate HTTPS proxy used within your environment.

noProxy

Set this parameter to the appropriate list of exclusions for proxy usage within your environment.

Hosts

The hosts parameter is a list of separate bare metal assets used to build the cluster.

Table 3. Hosts
NameDefaultDescription

name

The name of the BareMetalHost resource to associate with the details. For example, openshift-master-0.

role

The role of the bare metal node. Either master or worker.

bmc

Connection details for the baseboard management controller. See the BMC addressing section for additional details.

bootMACAddress

The MAC address of the NIC that the host uses for the provisioning network. Ironic retrieves the IP address using the bootMACAddress configuration setting. Then, it binds to the host.

BMC addressing

Most vendors support Baseboard Management Controller (BMC) addressing with the Intelligent Platform Management Interface (IPMI). IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center (SDDC). Redfish is human readable and machine capable, and leverages common internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.

IPMI

Hosts using IPMI use the ipmi://<out-of-band-ip>:<port> address format, which defaults to port 623 if not specified. The following example demonstrates an IPMI configuration within the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: openshift-master-0
  5. role: master
  6. bmc:
  7. address: ipmi://<out-of-band-ip>
  8. username: <user>
  9. password: <password>

The provisioning network is required when PXE booting using IPMI for BMC addressing. It is not possible to PXE boot hosts without a provisioning network. If you deploy without a provisioning network, you must use a virtual media BMC addressing option such as redfish-virtualmedia or idrac-virtualmedia. See “Redfish virtual media for HPE iLO” in the “BMC addressing for HPE iLO” section or “Redfish virtual media for Dell iDRAC” in the “BMC addressing for Dell iDRAC” section for additional details.

Redfish network boot

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the hostname or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: openshift-master-0
  5. role: master
  6. bmc:
  7. address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
  8. username: <user>
  9. password: <password>

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: openshift-master-0
  5. role: master
  6. bmc:
  7. address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
  8. username: <user>
  9. password: <password>
  10. disableCertificateVerification: True

BMC addressing for Dell iDRAC

The address field for each bmc entry is a URL for connecting to the OKD cluster nodes, including the type of controller in the URL scheme and its location on the network.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: <hostname>
  5. role: <master | worker>
  6. bmc:
  7. address: <address> (1)
  8. username: <user>
  9. password: <password>
1The address configuration setting specifies the protocol.

For Dell hardware, Red Hat supports integrated Dell Remote Access Controller (iDRAC) virtual media, Redfish network boot, and IPMI.

BMC address formats for Dell iDRAC

ProtocolAddress Format

iDRAC virtual media

idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

IPMI

ipmi://<out-of-band-ip>

Use idrac-virtualmedia as the protocol for Redfish virtual media. redfish-virtualmedia will not work on Dell hardware. Dell’s idrac-virtualmedia uses the Redfish standard with Dell’s OEM extensions.

See the following sections for additional details.

Redfish virtual media for Dell iDRAC

For Redfish virtual media on Dell servers, use idrac-virtualmedia:// in the address setting. Using redfish-virtualmedia:// will not work.

The following example demonstrates using iDRAC virtual media within the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: openshift-master-0
  5. role: master
  6. bmc:
  7. address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
  8. username: <user>
  9. password: <password>

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: openshift-master-0
  5. role: master
  6. bmc:
  7. address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
  8. username: <user>
  9. password: <password>
  10. disableCertificateVerification: True

Currently, Redfish is only supported on Dell with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

Ensure the OKD cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

Use idrac-virtualmedia:// as the protocol for Redfish virtual media. Using redfish-virtualmedia:// will not work on Dell hardware, because the idrac-virtualmedia:// protocol corresponds to the idrac hardware type and the Redfish protocol in Ironic. Dell’s idrac-virtualmedia:// protocol uses the Redfish standard with Dell’s OEM extensions. Ironic also supports the idrac type with the WSMAN protocol. Therefore, you must specify idrac-virtualmedia:// to avoid unexpected behavior when electing to use Redfish with virtual media on Dell hardware.

Redfish network boot for iDRAC

To enable Redfish, use redfish:// or redfish+http:// to disable transport layer security (TLS). The installer requires both the hostname or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: openshift-master-0
  5. role: master
  6. bmc:
  7. address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
  8. username: <user>
  9. password: <password>

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: openshift-master-0
  5. role: master
  6. bmc:
  7. address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
  8. username: <user>
  9. password: <password>
  10. disableCertificateVerification: True

Currently, Redfish is only supported on Dell hardware with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

Ensure the OKD cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

The redfish:// URL protocol corresponds to the redfish hardware type in Ironic.

BMC addressing for HPE iLO

The address field for each bmc entry is a URL for connecting to the OKD cluster nodes, including the type of controller in the URL scheme and its location on the network.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: <hostname>
  5. role: <master | worker>
  6. bmc:
  7. address: <address> (1)
  8. username: <user>
  9. password: <password>
1The address configuration setting specifies the protocol.

For HPE integrated Lights Out (iLO), Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.

Table 4. BMC address formats for HPE iLO
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/1

IPMI

ipmi://<out-of-band-ip>

See the following sections for additional details.

Redfish virtual media for HPE iLO

To enable Redfish virtual media for HPE servers, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: openshift-master-0
  5. role: master
  6. bmc:
  7. address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
  8. username: <user>
  9. password: <password>

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: openshift-master-0
  5. role: master
  6. bmc:
  7. address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
  8. username: <user>
  9. password: <password>
  10. disableCertificateVerification: True

Redfish virtual media is not supported on 9th generation systems running iLO4, because Ironic does not support iLO4 with virtual media.

Redfish network boot for HPE iLO

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the hostname or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: openshift-master-0
  5. role: master
  6. bmc:
  7. address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
  8. username: <user>
  9. password: <password>

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: openshift-master-0
  5. role: master
  6. bmc:
  7. address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
  8. username: <user>
  9. password: <password>
  10. disableCertificateVerification: True

BMC addressing for Fujitsu iRMC

The address field for each bmc entry is a URL for connecting to the OKD cluster nodes, including the type of controller in the URL scheme and its location on the network.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: <hostname>
  5. role: <master | worker>
  6. bmc:
  7. address: <address> (1)
  8. username: <user>
  9. password: <password>
1The address configuration setting specifies the protocol.

For Fujitsu hardware, Red Hat supports integrated Remote Management Controller (iRMC) and IPMI.

Table 5. BMC address formats for Fujitsu iRMC
ProtocolAddress Format

iRMC

irmc://<out-of-band-ip>

IPMI

ipmi://<out-of-band-ip>

iRMC

Fujitsu nodes can use irmc://<out-of-band-ip> and defaults to port 623. The following example demonstrates an iRMC configuration within the install-config.yaml file.

  1. platform:
  2. baremetal:
  3. hosts:
  4. - name: openshift-master-0
  5. role: master
  6. bmc:
  7. address: irmc://<out-of-band-ip>
  8. username: <user>
  9. password: <password>

Currently Fujitsu supports iRMC S5 firmware version 3.05P and above for installer-provisioned installation on bare metal.

Root device hints

The rootDeviceHints parameter enables the installer to provision the Fedora CoreOS (FCOS) image to a particular device. The installer examines the devices in the order it discovers them, and compares the discovered values with the hint values. The installer uses the first discovered device that matches the hint value. The configuration can combine multiple hints, but a device must match all hints for the installer to select it.

Table 6. Subfields
SubfieldDescription

deviceName

A string containing a Linux device name like /dev/vda. The hint must match the actual value exactly.

hctl

A string containing a SCSI bus address like 0:0:0:0. The hint must match the actual value exactly.

model

A string containing a vendor-specific device identifier. The hint can be a substring of the actual value.

vendor

A string containing the name of the vendor or manufacturer of the device. The hint can be a sub-string of the actual value.

serialNumber

A string containing the device serial number. The hint must match the actual value exactly.

minSizeGigabytes

An integer representing the minimum size of the device in gigabytes.

wwn

A string containing the unique storage identifier. The hint must match the actual value exactly.

wwnWithExtension

A string containing the unique storage identifier with the vendor extension appended. The hint must match the actual value exactly.

wwnVendorExtension

A string containing the unique vendor storage identifier. The hint must match the actual value exactly.

rotational

A boolean indicating whether the device should be a rotating disk (true) or not (false).

Example usage

  1. - name: master-0
  2. role: master
  3. bmc:
  4. address: ipmi://10.10.0.3:6203
  5. username: admin
  6. password: redhat
  7. bootMACAddress: de:ad:be:ef:00:40
  8. rootDeviceHints:
  9. deviceName: "/dev/sda"

Creating the OKD manifests

  1. Create the OKD manifests.

    1. $ ./openshift-baremetal-install --dir ~/clusterconfigs create manifests
    1. INFO Consuming Install Config from target directory
    2. WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
    3. WARNING Discarding the OpenShift Manifest that was provided in the target directory because its dependencies are dirty and it needs to be regenerated

Configuring NTP for disconnected clusters (optional)

OKD installs the chrony Network Time Protocol (NTP) service on the cluster nodes. Use the following procedure to configure NTP servers on the control plane nodes and configure worker nodes as NTP clients of the control plane nodes before deployment.

Configuring NTP for disconnected clusters

OKD nodes must agree on a date and time to run properly. When worker nodes retrieve the date and time from the NTP servers on the control plane nodes, it enables the installation and operation of clusters that are not connected to a routable network and thereby do not have access to a higher stratum NTP server.

Procedure

  1. Create a Butane config, 99-master-chrony-conf-override.bu, including the contents of the chrony.conf file for the control plane nodes.

    See “Creating machine configs with Butane” for information about Butane.

    Butane config example

    1. variant: openshift
    2. version: 4.9.0
    3. metadata:
    4. name: 99-master-chrony-conf-override
    5. labels:
    6. machineconfiguration.openshift.io/role: master
    7. storage:
    8. files:
    9. - path: /etc/chrony.conf
    10. mode: 0644
    11. overwrite: true
    12. contents:
    13. inline: |
    14. # Use public servers from the pool.ntp.org project.
    15. # Please consider joining the pool (https://www.pool.ntp.org/join.html).
    16. # The Machine Config Operator manages this file
    17. server openshift-master-0.<cluster-name>.<domain> iburst (1)
    18. server openshift-master-1.<cluster-name>.<domain> iburst
    19. server openshift-master-2.<cluster-name>.<domain> iburst
    20. stratumweight 0
    21. driftfile /var/lib/chrony/drift
    22. rtcsync
    23. makestep 10 3
    24. bindcmdaddress 127.0.0.1
    25. bindcmdaddress ::1
    26. keyfile /etc/chrony.keys
    27. commandkey 1
    28. generatecommandkey
    29. noclientlog
    30. logchange 0.5
    31. logdir /var/log/chrony
    32. # Configure the control plane nodes to serve as local NTP servers
    33. # for all worker nodes, even if they are not in sync with an
    34. # upstream NTP server.
    35. # Allow NTP client access from the local network.
    36. allow all
    37. # Serve time even if not synchronized to a time source.
    38. local stratum 3 orphan
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
  2. Use Butane to generate a MachineConfig object file, 99-master-chrony-conf-override.yaml, containing the configuration to be delivered to the control plane nodes:

    1. $ butane 99-master-chrony-conf-override.bu -o 99-master-chrony-conf-override.yaml
  3. Create a Butane config, 99-worker-chrony-conf-override.bu, including the contents of the chrony.conf file for the worker nodes that references the NTP servers on the control plane nodes.

    Butane config example

    1. variant: openshift
    2. version: 4.9.0
    3. metadata:
    4. name: 99-worker-chrony-conf-override
    5. labels:
    6. machineconfiguration.openshift.io/role: worker
    7. storage:
    8. files:
    9. - path: /etc/chrony.conf
    10. mode: 0644
    11. overwrite: true
    12. contents:
    13. inline: |
    14. # The Machine Config Operator manages this file.
    15. server openshift-master-0.<cluster-name>.<domain> iburst (1)
    16. server openshift-master-1.<cluster-name>.<domain> iburst
    17. server openshift-master-2.<cluster-name>.<domain> iburst
    18. stratumweight 0
    19. driftfile /var/lib/chrony/drift
    20. rtcsync
    21. makestep 10 3
    22. bindcmdaddress 127.0.0.1
    23. bindcmdaddress ::1
    24. keyfile /etc/chrony.keys
    25. commandkey 1
    26. generatecommandkey
    27. noclientlog
    28. logchange 0.5
    29. logdir /var/log/chrony
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
  4. Use Butane to generate a MachineConfig object file, 99-worker-chrony-conf-override.yaml, containing the configuration to be delivered to the worker nodes:

    1. $ butane 99-worker-chrony-conf-override.bu -o 99-worker-chrony-conf-override.yaml
  5. Copy the 99-master-chrony-conf-override.yaml file to the ~/clusterconfigs/manifests directory.

    1. $ cp 99-master-chrony-conf-override.yaml ~/clusterconfigs/manifests
  6. Copy the 99-worker-chrony-conf-override.yaml file to the ~/clusterconfigs/manifests directory.

    1. $ cp 99-worker-chrony-conf-override.yaml ~/clusterconfigs/manifests

Configure network components to run on the control plane

Configure networking components to run exclusively on the control plane nodes. By default, OKD allows any node in the machine config pool to host the apiVIP and ingressVIP virtual IP addresses. However, many environments deploy worker nodes in separate subnets from the control plane nodes. Consequently, you must place the apiVIP and ingressVIP virtual IP addresses exclusively with the control plane nodes.

Procedure

  1. Change to the directory storing the install-config.yaml file:

    1. $ cd ~/clusterconfigs
  2. Switch to the manifests subdirectory:

    1. $ cd manifests
  3. Create a file named cluster-network-avoid-workers-99-config.yaml:

    1. $ touch cluster-network-avoid-workers-99-config.yaml
  4. Open the cluster-network-avoid-workers-99-config.yaml file in an editor and enter a custom resource (CR) that describes the Operator configuration:

    1. apiVersion: machineconfiguration.openshift.io/v1
    2. kind: MachineConfig
    3. metadata:
    4. name: 50-worker-fix-ipi-rwn
    5. labels:
    6. machineconfiguration.openshift.io/role: worker
    7. spec:
    8. config:
    9. ignition:
    10. version: 3.2.0
    11. systemd:
    12. units:
    13. - name: nodeip-configuration.service
    14. enabled: true
    15. contents: |
    16. [Unit]
    17. Description=Writes IP address configuration so that kubelet and crio services select a valid node IP
    18. Wants=network-online.target
    19. After=network-online.target ignition-firstboot-complete.service
    20. Before=kubelet.service crio.service
    21. [Service]
    22. Type=oneshot
    23. ExecStart=/bin/bash -c "exit 0 "
    24. [Install]
    25. WantedBy=multi-user.target
    26. storage:
    27. files:
    28. - path: /etc/kubernetes/manifests/keepalived.yaml
    29. mode: 0644
    30. contents:
    31. source: data:,
    32. - path: /etc/kubernetes/manifests/mdns-publisher.yaml
    33. mode: 0644
    34. contents:
    35. source: data:,
    36. - path: /etc/kubernetes/manifests/coredns.yaml
    37. mode: 0644
    38. contents:
    39. source: data:,

    This manifest places the apiVIP and ingressVIP virtual IP addresses on the control plane nodes. Additionally, this manifest deploys the following processes on the control plane nodes only:

    • openshift-ingress-operator

    • keepalived

  5. Save the cluster-network-avoid-workers-99-config.yaml file.

  6. Create a manifests/cluster-ingress-default-ingresscontroller.yaml file:

    1. apiVersion: operator.openshift.io/v1
    2. kind: IngressController
    3. metadata:
    4. name: default
    5. namespace: openshift-ingress-operator
    6. spec:
    7. nodePlacement:
    8. nodeSelector:
    9. matchLabels:
    10. node-role.kubernetes.io/master: ""
  7. Consider backing up the manifests directory. The installer deletes the manifests/ directory when creating the cluster.

  8. Modify the cluster-scheduler-02-config.yml manifest to make the control plane nodes schedulable by setting the mastersSchedulable field to true. Control plane nodes are not schedulable by default. For example:

    1. $ sed -i "s;mastersSchedulable: false;mastersSchedulable: true;g" clusterconfigs/manifests/cluster-scheduler-02-config.yml

    If control plane nodes are not schedulable, deploying the cluster will fail.

  9. Before deploying the cluster, ensure that the api.<cluster-name>.<domain> domain name is resolvable in the external DNS server. When you configure network components to run exclusively on the control plane, the internal DNS resolution no longer works for worker nodes, which is an expected outcome.

    Failure to create a DNS record for the api.<cluster-name>.<domain> domain name in the external DNS server precludes worker nodes from joining the cluster.

Configuring BIOS for worker node

The following procedure configures BIOS for the worker node during the installation process.

Procedure

  1. Create manifests.

  2. Modify the BMH file corresponding to the worker:

    1. $ vim clusterconfigs/openshift/99_openshift-cluster-api_hosts-3.yaml
  3. Add the BIOS configuration to the spec section of the BMH file:

    1. spec:
    2. firmware:
    3. simultaneousMultithreadingEnabled: true
    4. sriovEnabled: true
    5. virtualizationEnabled: true
    1. Red Hat supports three BIOS configurations. See the BMH documentation for details. Only servers with bmc type irmc are supported. Other types of servers are currently not supported.

  4. Create cluster.

Creating a disconnected registry (optional)

In some cases, you might want to install an OKD cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.

A local, or mirrored, copy of the registry requires the following:

  • A certificate for the registry node. This can be a self-signed certificate.

  • A web server that a container on a system will serve.

  • An updated pull secret that contains the certificate and local repository information.

Creating a disconnected registry on a registry node is optional. The subsequent sections indicate that they are optional since they are steps you need to execute only when creating a disconnected registry on a registry node. You should execute all of the subsequent sub-sections labeled “(optional)” when creating a disconnected registry on a registry node.

Preparing the registry node to host the mirrored registry (optional)

Make the following changes to the registry node.

Procedure

  1. Open the firewall port on the registry node.

    1. $ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt --permanent
    2. $ sudo firewall-cmd --add-port=5000/tcp --zone=public --permanent
    3. $ sudo firewall-cmd --reload
  2. Install the required packages for the registry node.

    1. $ sudo yum -y install python3 podman httpd httpd-tools jq
  3. Create the directory structure where the repository information will be held.

    1. $ sudo mkdir -p /opt/registry/{auth,certs,data}

Generating the self-signed certificate (optional)

Generate a self-signed certificate for the registry node and put it in the /opt/registry/certs directory.

Procedure

  1. Adjust the certificate information as appropriate.

    1. $ host_fqdn=$( hostname --long )
    2. $ cert_c="<Country Name>" # Country Name (C, 2 letter code)
    3. $ cert_s="<State>" # Certificate State (S)
    4. $ cert_l="<Locality>" # Certificate Locality (L)
    5. $ cert_o="<Organization>" # Certificate Organization (O)
    6. $ cert_ou="<Org Unit>" # Certificate Organizational Unit (OU)
    7. $ cert_cn="${host_fqdn}" # Certificate Common Name (CN)
    8. $ openssl req \
    9. -newkey rsa:4096 \
    10. -nodes \
    11. -sha256 \
    12. -keyout /opt/registry/certs/domain.key \
    13. -x509 \
    14. -days 365 \
    15. -out /opt/registry/certs/domain.crt \
    16. -addext "subjectAltName = DNS:${host_fqdn}" \
    17. -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
    When replacing <Country Name>, ensure that it only contains two letters. For example, US.
  2. Update the registry node’s ca-trust with the new certificate.

    1. $ sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    2. $ sudo update-ca-trust extract

Creating the registry podman container (optional)

The registry container uses the /opt/registry directory for certificates, authentication files, and to store its data files.

The registry container uses httpd and needs an htpasswd file for authentication.

Procedure

  1. Create an htpasswd file in /opt/registry/auth for the container to use.

    1. $ htpasswd -bBc /opt/registry/auth/htpasswd <user> <passwd>

    Replace <user> with the user name and <passwd> with the password.

  2. Create and start the registry container.

    1. $ podman create \
    2. --name ocpdiscon-registry \
    3. -p 5000:5000 \
    4. -e "REGISTRY_AUTH=htpasswd" \
    5. -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
    6. -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
    7. -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
    8. -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
    9. -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
    10. -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true" \
    11. -v /opt/registry/data:/var/lib/registry:z \
    12. -v /opt/registry/auth:/auth:z \
    13. -v /opt/registry/certs:/certs:z \
    14. docker.io/library/registry:2
    1. $ podman start ocpdiscon-registry

Copy and update the pull-secret (optional)

Copy the pull secret file from the provisioner node to the registry node and modify it to include the authentication information for the new registry node.

Procedure

  1. Copy the pull-secret.txt file.

    1. $ scp kni@provisioner:/home/kni/pull-secret.txt pull-secret.txt
  2. Update the host_fqdn environment variable with the fully qualified domain name of the registry node.

    1. $ host_fqdn=$( hostname --long )
  3. Update the b64auth environment variable with the base64 encoding of the http credentials used to create the htpasswd file.

    1. $ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 )

    Replace <username> with the user name and <passwd> with the password.

  4. Set the AUTHSTRING environment variable to use the base64 authorization string. The $USER variable is an environment variable containing the name of the current user.

    1. $ AUTHSTRING="{\"$host_fqdn:5000\": {\"auth\": \"$b64auth\",\"email\": \"$USER@redhat.com\"}}"
  5. Update the pull-secret.txt file.

    1. $ jq ".auths += $AUTHSTRING" < pull-secret.txt > pull-secret-update.txt

Mirroring the repository (optional)

Procedure

  1. Copy the oc binary from the provisioner node to the registry node.

    1. $ sudo scp kni@provisioner:/usr/local/bin/oc /usr/local/bin
  2. Mirror the remote install images to the local repository.

    1. $ /usr/local/bin/oc adm release mirror \
    2. -a pull-secret-update.txt
    3. --from=$UPSTREAM_REPO \
    4. --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    5. --to=$LOCAL_REG/$LOCAL_REPO

Modify the install-config.yaml file to use the disconnected registry (optional)

On the provisioner node, the install-config.yaml file should use the newly created pull-secret from the pull-secret-update.txt file. The install-config.yaml file must also contain the disconnected registry node’s certificate and registry information.

Procedure

  1. Add the disconnected registry node’s certificate to the install-config.yaml file. The certificate should follow the "additionalTrustBundle: |" line and be properly indented, usually by two spaces.

    1. $ echo "additionalTrustBundle: |" >> install-config.yaml
    2. $ sed -e 's/^/ /' /opt/registry/certs/domain.crt >> install-config.yaml
  2. Add the mirror information for the registry to the install-config.yaml file.

    1. $ echo "imageContentSources:" >> install-config.yaml
    2. $ echo "- mirrors:" >> install-config.yaml
    3. $ echo " - registry.example.com:5000/ocp4/openshift4" >> install-config.yaml
    4. $ echo " source: quay.io/openshift-release-dev/ocp-release" >> install-config.yaml
    5. $ echo "- mirrors:" >> install-config.yaml
    6. $ echo " - registry.example.com:5000/ocp4/openshift4" >> install-config.yaml
    7. $ echo " source: quay.io/openshift-release-dev/ocp-v4.0-art-dev" >> install-config.yaml
    Replace registry.example.com with the registry’s fully qualified domain name.

Deploying routers on worker nodes

During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If the initial cluster has only one worker node, or if a deployed cluster requires additional routers to handle external traffic loads destined for services within the OKD cluster, you can create a yaml file to set an appropriate number of router replicas.

By default, the installer deploys two routers. If the cluster has at least two worker nodes, you can skip this section.

If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default. If the cluster has no worker nodes, you can skip this section.

Procedure

  1. Create a router-replicas.yaml file.

    1. apiVersion: operator.openshift.io/v1
    2. kind: IngressController
    3. metadata:
    4. name: default
    5. namespace: openshift-ingress-operator
    6. spec:
    7. replicas: <num-of-router-pods>
    8. endpointPublishingStrategy:
    9. type: HostNetwork
    10. nodePlacement:
    11. nodeSelector:
    12. matchLabels:
    13. node-role.kubernetes.io/worker: ""

    Replace <num-of-router-pods> with an appropriate value. If working with just one worker node, set replicas: to 1. If working with more than 3 worker nodes, you can increase replicas: from the default value 2 as appropriate.

  2. Save and copy the router-replicas.yaml file to the clusterconfigs/openshift directory.

    1. cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yaml

Validation checklist for installation

  • OKD installer has been retrieved.

  • OKD installer has been extracted.

  • Required parameters for the install-config.yaml have been configured.

  • The hosts parameter for the install-config.yaml has been configured.

  • The bmc parameter for the install-config.yaml has been configured.

  • Conventions for the values configured in the bmc address field have been applied.

  • Created a disconnected registry (optional).

  • (optional) Validate disconnected registry settings if in use.

  • (optional) Deployed routers on worker nodes.

Deploying the cluster via the OKD installer

Run the OKD installer:

  1. $ ./openshift-baremetal-install --dir ~/clusterconfigs --log-level debug create cluster

Following the installation

During the deployment process, you can check the installation’s overall status by issuing the tail command to the .openshift_install.log log file in the install directory folder.

  1. $ tail -f /path/to/install-dir/.openshift_install.log

Verifying static IP address configuration

If the DHCP reservation for a cluster node specifies an infinite lease, after the installer successfully provisions the node, the dispatcher script checks the node’s network configuration. If the script determines that the network configuration contains an infinite DHCP lease, it creates a new connection using the IP address of the DHCP lease as a static IP address.

The dispatcher script might run on successfully provisioned nodes while the provisioning of other nodes in the cluster is ongoing.

Verify the network configuration is working properly.

Procedure

  1. Check the network interface configuration on the node.

  2. Turn off the DHCP server and reboot the OKD node and ensure that the network configuration works properly.

Additional resources