diff --git a/4.3/Deployment.html b/4.3/Deployment.html new file mode 100644 index 0000000000..fcfcdbf40f --- /dev/null +++ b/4.3/Deployment.html @@ -0,0 +1,4737 @@ + + + + + + + + + + +Deploying Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal - 4.3 + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+
+
+

1. Overview

+
+
+

Installer-provisioned installation provides support for installing OpenShift Container Platform on bare metal nodes. This guide provides a methodology to achieving a successful installation.

+
+
+

During installer-provisioned installation on bare metal, the installer on the bare metal node labeled as provisioner creates a bootstrap virtual machine (VM). The role of the bootstrap VM is to assist in the process of deploying an OpenShift Container Platform cluster. The bootstrap VM connects to the baremetal network and to the provisioning network, if present, via the network bridges.

+
+
+
+Deployment phase one +
+
+
+

When the installation of OpenShift control plane nodes is complete and fully operational, the installer destroys the bootstrap VM automatically and moves the virtual IP addresses (VIPs) to +the appropriate nodes. The API VIP moves to the control plane nodes and the Ingress VIP moves to the worker nodes.

+
+
+

The API and DNS VIPs move into the control plane nodes and the Ingress VIP services applications that reside within the worker nodes.

+
+
+
+Deployment phase two +
+
+
+
+
+

2. Prerequisites

+
+ +
+

Installer-provisioned installation of OpenShift Container Platform requires:

+
+
+
    +
  1. +

    One provisioner node with Red Hat Enterprise Linux (RHEL) 8.x installed.

    +
  2. +
  3. +

    Three control plane nodes.

    +
  4. +
  5. +

    Baseboard Management Controller (BMC) access to each node.

    +
  6. +
  7. +

    At least two networks:

    +
    +
      +
    1. +

      One required routable network

      +
    2. +
    3. +

      One required network for provisioning nodes; and,

      +
    4. +
    5. +

      One optional management network.

      +
    6. +
    +
    +
  8. +
+
+
+

Before starting an installer-provisioned installation of OpenShift Container Platform, ensure the hardware environment meets the following requirements.

+
+
+

2.1. Node requirements

+
+

Installer-provisioned installation involves a number of hardware node requirements:

+
+
+
    +
  • +

    CPU architecture: All nodes must use x86_64 CPU architecture.

    +
  • +
  • +

    Similar nodes: Red Hat recommends nodes have an identical configuration per role. That is, Red Hat recommends nodes be the same brand and model with the same CPU, memory and storage configuration.

    +
  • +
  • +

    Intelligent Platform Management Interface (IPMI): Installer-provisioned installation requires IPMI enabled on each node.

    +
  • +
  • +

    Latest generation: Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, RHEL 8 ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support RHEL 8 for the provisioner node and RHCOS 8 for the control plane and worker nodes.

    +
  • +
  • +

    Registry node: (Optional) If setting up a disconnected mirrored registry, it is recommended the registry reside in its own node.

    +
  • +
  • +

    Provisioner node: Installer-provisioned installation requires one provisioner node.

    +
  • +
  • +

    Control plane: Installer-provisioned installation requires three control plane nodes for high availability.

    +
  • +
  • +

    Worker nodes: While not required, a typical production cluster has one or more worker nodes. Smaller clusters are more resource efficient for administrators and developers during development, production, and testing.

    +
  • +
  • +

    Network interfaces: Each node must have at least one 10GB network interface for the routable baremetal network. Each node must have one 10GB network interface for a provisioning network when using the provisioning network for deployment. Using the provisioning network is the default configuration. Network interface names must follow the same naming convention across all nodes. For example, the first NIC name on a node, such as eth0 or eno1, must be the same name on all of the other nodes. The same principle applies to the remaining NICs on each node.

    +
  • +
+
+
+
+

2.2. Network requirements

+
+

Installer-provisioned installation of OpenShift Container Platform involves several network requirements by default. First, installer-provisioned installation involves a non-routable provisioning network for provisioning the operating system on each bare metal node and a routable baremetal network. Since installer-provisioned installation deploys ironic-dnsmasq, the networks should have no other DHCP servers running on the same broadcast domain. Network administrators must reserve IP addresses for each node in the OpenShift Container Platform cluster.

+
+
+
Network Time Protocol (NTP)
+

Each OpenShift Container Platform node in the cluster must have access to an NTP server. OpenShift Container Platform nodes use NTP to synchronize their clocks. For example, cluster nodes use SSL certificates that require validation, which might fail if the date and time between the nodes are not in sync.

+
+
+ + + + + +
+ + +
+

Define a consistent clock date and time format in each cluster node’s BIOS settings, or installation might fail.

+
+
+
+
+
Configuring NICs
+

OpenShift Container Platform deploys with two networks:

+
+
+
    +
  • +

    provisioning: The provisioning network is an optional non-routable network used for provisioning the underlying operating system on each node that is a part of the OpenShift Container Platform cluster. The network interface for the provisioning network on each cluster node must have the BIOS or UEFI configured to PXE boot. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the first NIC on each node, such as eth0 or eno1, must interface with the provisioning network. In OpenShift Container Platform 4.4 and later releases, you can specify the provisioning network NIC with the provisioningNetworkInterface configuration setting.

    +
  • +
  • +

    baremetal: The baremetal network is a routable network. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the second NIC on each node, such as eth1 or eno2, must interface with the baremetal network. In OpenShift Container Platform 4.4 and later releases, you can use any NIC order to interface with the baremetal network, provided it is the same NIC order across worker and control plane nodes and not the NIC specified in the provisioningNetworkInterface configuration setting for the provisioning network.

    +
  • +
+
+
+ + + + + +
+ + +
+

Use a compatible approach such that cluster nodes use the same NIC ordering on all cluster nodes. NICs must have heterogeneous hardware with the same NIC naming convention such as eth0 or eno1.

+
+
+
+
+ + + + + +
+ + +
+

When using a VLAN, each NIC must be on a separate VLAN corresponding to the appropriate network.

+
+
+
+
+
Configuring the DNS server
+

Clients access the OpenShift Container Platform cluster nodes over the baremetal network. A network administrator must configure a subdomain or subzone where the canonical name extension is the cluster name.

+
+
+
+
<cluster-name>.<domain-name>
+
+
+
+

For example:

+
+
+
+
test-cluster.example.com
+
+
+
+

For assistance in configuring the DNS server, check Appendix section for:

+
+ +
+
Reserving IP addresses for nodes with the DHCP server
+

For the baremetal network, a network administrator must reserve a number of IP addresses, including:

+
+
+
    +
  1. +

    Three virtual IP addresses

    +
    +
      +
    • +

      One IP address for the API endpoint

      +
    • +
    • +

      One IP address for the wildcard ingress endpoint

      +
    • +
    • +

      One IP address for the name server

      +
    • +
    +
    +
  2. +
  3. +

    One IP address for the provisioner node.

    +
  4. +
  5. +

    One IP address for each control plane (master) node.

    +
  6. +
  7. +

    One IP address for each worker node, if applicable.

    +
  8. +
+
+
+

The following table provides an exemplary embodiment of fully qualified domain names. The API and Nameserver addresses begin with canonical name extensions. The host names of the control plane and worker nodes are exemplary, so you can use any host naming convention you prefer.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
UsageHost NameIP

API

api.<cluster-name>.<domain>

<ip>

Ingress LB (apps)

*.apps.<cluster-name>.<domain>

<ip>

Nameserver

ns1.<cluster-name>.<domain>

<ip>

Provisioner node

provisioner.<cluster-name>.<domain>

<ip>

Master-0

openshift-master-0.<cluster-name>.<domain>

<ip>

Master-1

openshift-master-1.<cluster-name>-.<domain>

<ip>

Master-2

openshift-master-2.<cluster-name>.<domain>

<ip>

Worker-0

openshift-worker-0.<cluster-name>.<domain>

<ip>

Worker-1

openshift-worker-1.<cluster-name>.<domain>

<ip>

Worker-n

openshift-worker-n.<cluster-name>.<domain>

<ip>

+
+

For assistance in configuring the DHCP server, check Appendix section for:

+
+ +
+
+

2.3. Configuring nodes

+
+
Configuring nodes when using the provisioning network
+

Each node in the cluster requires the following configuration for proper installation.

+
+
+ + + + + +
+ + +
+

A mismatch between nodes will cause an installation failure.

+
+
+
+
+

While the cluster nodes can contain more than two NICs, the installation process only focuses on the first two NICs:

+
+ +++++ + + + + + + + + + + + + + + + + + +

NIC

Network

VLAN

NIC1

provisioning

<provisioning-vlan>

NIC2

baremetal

<baremetal-vlan>

+
+

NIC1 is a non-routable network (provisioning) that is only used for the installation of the OpenShift Container Platform cluster.

+
+
+

The Red Hat Enterprise Linux (RHEL) 8.x installation process on the provisioner node might vary. To install Red Hat Enterprise Linux (RHEL) 8.x using a local Satellite server or a PXE server, PXE-enable NIC2.

+
+ ++++ + + + + + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled provisioning network

1

NIC2 baremetal network. PXE-enabled is optional.

2

+
+ + + + + +
+ + +
+

Ensure PXE is disabled on all other NICs.

+
+
+
+
+

Configure the control plane and worker nodes as follows:

+
+ ++++ + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled (provisioning network)

1

+
+
+

2.4. Out-of-band management

+
+

Nodes will typically have an additional NIC used by the Baseboard Management Controllers (BMCs). These BMCs must be accessible from the provisioner node.

+
+
+

Each node must be accessible via out-of-band management. When using an out-of-band management network, the provisioner node requires access to the out-of-band management network for a successful OpenShift Container Platform 4 installation.

+
+
+

The out-of-band management setup is out of scope for this document. We recommend setting up a separate management network for out-of-band management. However, using the provisioning network or the baremetal network are valid options.

+
+
+
+

2.5. Required data for installation

+
+

Prior to the installation of the OpenShift Container Platform cluster, gather the following information from all cluster nodes:

+
+
+
    +
  • +

    Out-of-band management IP

    +
    +
      +
    • +

      Examples

      +
      +
        +
      • +

        Dell (iDRAC) IP

        +
      • +
      • +

        HP (iLO) IP

        +
      • +
      +
      +
    • +
    +
    +
  • +
  • +

    NIC1 (provisioning) MAC address

    +
  • +
  • +

    NIC2 (baremetal) MAC address

    +
  • +
  • +

    NICx (baremetal) MAC address

    +
  • +
+
+
+
+

2.6. Validation checklist for nodes

+
+
When using the provisioning network
+
    +
  • +

    NIC1 VLAN is configured for the provisioning network.

    +
  • +
  • +

    NIC2 VLAN is configured for the baremetal network.

    +
  • +
  • +

    NIC1 is PXE-enabled on the provisioner, Control Plane (master), and worker nodes.

    +
  • +
  • +

    PXE has been disabled on all other NICs.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    NICx VLAN is configured for the baremetal network.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
Summary
+

After an environment has been prepared according to the documented prerequisites, the installation process is the same as other installer-provisioned platforms.

+
+
+
+
+
+

3. Setting up the environment for an OpenShift installation

+
+ +
+

3.1. Installing RHEL on the provisioner node

+
+

With the networking configuration complete, the next step is to install RHEL 8.X on the provisioner node. The installer uses the provisioner node as the orchestrator while installing the OpenShift Container Platform cluster. For the purposes of this document, installing RHEL on the provisioner node is out of scope. However, options include but are not limited to using a RHEL Satellite server, PXE, or installation media.

+
+
+
+

3.2. Preparing the provisioner node for OpenShift Container Platform installation

+
+

Perform the following steps to prepare the environment.

+
+
+
Procedure
+
    +
  1. +

    Log in to the provisioner node via ssh.

    +
  2. +
  3. +

    Create a non-root user (kni) and provide that user with sudo privileges.

    +
    +
    +
    [root@provisioner ~]# useradd kni
    +[root@provisioner ~]# passwd kni
    +[root@provisioner ~]# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    +[root@provisioner ~]# chmod 0440 /etc/sudoers.d/kni
    +
    +
    +
  4. +
  5. +

    Create an ssh key for the new user.

    +
    +
    +
    [root@provisioner ~]# su - kni -c "ssh-keygen -t rsa -f /home/kni/.ssh/id_rsa -N ''"
    +
    +
    +
  6. +
  7. +

    Log in as the new user on the provisioner node.

    +
    +
    +
    [root@provisioner ~]# su - kni
    +[kni@provisioner ~]$
    +
    +
    +
  8. +
  9. +

    Use Red Hat Subscription Manager to register the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ sudo subscription-manager register --username=<user> --password=<pass> --auto-attach
    +[kni@provisioner ~]$ sudo subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms --enable=rhel-8-for-x86_64-baseos-rpms
    +
    +
    +
    + + + + + +
    + + +
    +

    For more information about Red Hat Subscription Manager, see Using and Configuring Red Hat Subscription Manager.

    +
    +
    +
    +
  10. +
  11. +

    Install the following packages.

    +
    +
    +
    [kni@provisioner ~]$ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitool
    +
    +
    +
  12. +
  13. +

    Modify the user to add the libvirt group to the newly created user.

    +
    +
    +
    [kni@provisioner ~]$ sudo usermod --append --groups libvirt <user>
    +
    +
    +
  14. +
  15. +

    Restart firewalld and enable the http service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start firewalld
    +[kni@provisioner ~]$ sudo firewall-cmd --zone=public --add-service=http --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --reload
    +
    +
    +
  16. +
  17. +

    Start and enable the libvirtd service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start libvirtd
    +[kni@provisioner ~]$ sudo systemctl enable libvirtd --now
    +
    +
    +
  18. +
  19. +

    Create the default storage pool and start it.

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images
    +[kni@provisioner ~]$ sudo virsh pool-start default
    +[kni@provisioner ~]$ sudo virsh pool-autostart default
    +
    +
    +
  20. +
  21. +

    Configure networking.

    +
    + + + + + +
    + + +
    +

    This step can also be run from the web console.

    +
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ export PUB_CONN=<baremetal_nic_name>
    +[kni@provisioner ~]$ export PROV_CONN=<prov_nic_name>
    +[kni@provisioner ~]$ sudo nohup bash -c "
    +    nmcli con down \"$PROV_CONN\"
    +    nmcli con down \"$PUB_CONN\"
    +    nmcli con delete \"$PROV_CONN\"
    +    nmcli con delete \"$PUB_CONN\"
    +    # RHEL 8.1 appends the word \"System\" in front of the connection, delete in case it exists
    +    nmcli con down \"System $PUB_CONN\"
    +    nmcli con delete \"System $PUB_CONN\"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname \"$PROV_CONN\" master provisioning
    +    nmcli connection add ifname baremetal type bridge con-name baremetal
    +    nmcli con add type bridge-slave ifname \"$PUB_CONN\" master baremetal
    +    nmcli con down \"$PUB_CONN\";pkill dhclient;dhclient baremetal
    +    nmcli connection modify provisioning ipv4.addresses 172.22.0.1/24 ipv4.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection may disconnect after executing this step. You will want to have some sort +of out-of-band connection to your host (eg., a serial console, local keyboard, or dedicated +management interface) in the event that something goes wrong while executing these commands.

    +
    +
    +
    +
  22. +
  23. +

    ssh back into the provisioner node (if required).

    +
    +
    +
    # ssh kni@provisioner.<cluster-name>.<domain>
    +
    +
    +
  24. +
  25. +

    Verify the connection bridges have been properly created.

    +
    +
    +
    [kni@provisioner ~]$ nmcli con show
    +
    +
    +
    +
    +
    NAME               UUID                                  TYPE      DEVICE
    +baremetal          4d5133a5-8351-4bb9-bfd4-3af264801530  bridge    baremetal
    +provisioning       43942805-017f-4d7d-a2c2-7cb3324482ed  bridge    provisioning
    +virbr0             d9bca40f-eee1-410b-8879-a2d4bb0465e7  bridge    virbr0
    +bridge-slave-eno1  76a8ed50-c7e5-4999-b4f6-6d9014dd0812  ethernet  eno1
    +bridge-slave-eno2  f31c3353-54b7-48de-893a-02d2b34c4736  ethernet  eno2
    +
    +
    +
  26. +
  27. +

    Create a pull-secret.txt file.

    +
    +
    +
    [kni@provisioner ~]$ vim pull-secret.txt
    +
    +
    +
    +

    In a web browser, navigate to Install on Bare Metal with user-provisioned infrastructure, and scroll down to the Downloads section. Click Copy pull secret. Paste the contents into the pull-secret.txt file and save the contents in the kni user’s home directory.

    +
    +
  28. +
+
+
+
+

3.3. Retrieving the OpenShift Container Platform installer (GA Release)

+
+

Use the latest-4.x version of the installer to deploy the latest generally +available version of OpenShift Container Platform:

+
+
+
+
[kni@provisioner ~]$ export VERSION=latest-4.3
+export RELEASE_IMAGE=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')
+
+
+
+
+

3.4. Extracting the OpenShift Container Platform installer (GA Release)

+
+

After retrieving the installer, the next step is to extract it.

+
+
+
Procedure
+
    +
  1. +

    Set the environment variables:

    +
    +
    +
    [kni@provisioner ~]$ export cmd=openshift-baremetal-install
    +[kni@provisioner ~]$ export pullsecret_file=~/pull-secret.txt
    +[kni@provisioner ~]$ export extract_dir=$(pwd)
    +
    +
    +
  2. +
  3. +

    Get the oc binary:

    +
    +
    +
    [kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux.tar.gz | tar zxvf - oc
    +
    +
    +
  4. +
  5. +

    Extract the installer:

    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +[kni@provisioner ~]$ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${RELEASE_IMAGE}
    +[kni@provisioner ~]$ sudo cp openshift-baremetal-install /usr/local/bin
    +
    +
    +
  6. +
+
+
+
+

3.5. Creating an RHCOS images cache (optional)

+
+

To employ image caching, you must download two images: the Red Hat Enterprise Linux CoreOS (RHCOS) image used by the bootstrap VM and the RHCOS image used by the installer to provision the different nodes. Image caching is optional, but especially useful when running the installer on a network with limited bandwidth.

+
+
+

If you are running the installer on a network with limited bandwidth and the RHCOS images download takes more than 15 to 20 minutes, the installer will timeout. Caching images on a web server will help in such scenarios.

+
+
+

Use the following steps to install a container that contains the images.

+
+
+
    +
  1. +

    Install podman.

    +
    +
    +
    $ sudo dnf install -y podman
    +
    +
    +
  2. +
  3. +

    Open firewall port 8080 to be used for RHCOS image caching.

    +
    +
    +
    $ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent
    +$ sudo firewall-cmd --reload
    +
    +
    +
  4. +
  5. +

    Create a directory to store the bootstraposimage and clusterosimage.

    +
    +
    +
    $ mkdir /home/kni/rhcos_image_cache
    +
    +
    +
  6. +
  7. +

    Set the appropriate SELinux context for the newly created directory.

    +
    +
    +
    $ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"
    +$ sudo restorecon -Rv rhcos_image_cache/
    +
    +
    +
  8. +
  9. +

    Get the commit ID from the installer. The ID determines which images the installer needs to download.

    +
    +
    +
    $ export COMMIT_ID=$(/usr/local/bin/openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
    +
    +
    +
  10. +
  11. +

    Get the URI for the RHCOS image that the installer will deploy on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.openstack.path | sed 's/"//g')
    +
    +
    +
  12. +
  13. +

    Get the URI for the RHCOS image that the installer will deploy on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.qemu.path | sed 's/"//g')
    +
    +
    +
  14. +
  15. +

    Get the path where the images are published.

    +
    +
    +
    $ export RHCOS_PATH=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .baseURI | sed 's/"//g')
    +
    +
    +
  16. +
  17. +

    Get the SHA hash for the RHCOS image that will be deployed on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_SHA_UNCOMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.qemu["uncompressed-sha256"]')
    +
    +
    +
  18. +
  19. +

    Get the SHA hash for the RHCOS image that will be deployed on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_SHA_COMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.openstack.sha256')
    +
    +
    +
  20. +
  21. +

    Download the images and place them in the /home/kni/rhcos_image_cache directory.

    +
    +
    +
    $ curl -L ${RHCOS_PATH}${RHCOS_QEMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI}
    +$ curl -L ${RHCOS_PATH}${RHCOS_OPENSTACK_URI} -o /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI}
    +
    +
    +
  22. +
  23. +

    Confirm SELinux type is of httpd_sys_content_t for the newly created files.

    +
    +
    +
    $ ls -Z /home/kni/rhcos_image_cache
    +
    +
    +
  24. +
  25. +

    Create the pod.

    +
    +
    +
    $ podman run -d --name rhcos_image_cache \
    +-v /home/kni/rhcos_image_cache:/var/www/html \
    +-p 8080:8080/tcp \
    +quay.io/centos7/httpd-24-centos7:latest
    +
    +
    +
  26. +
  27. +

    Generate the bootstrapOSImage and clusterOSImage configuration.

    +
    +
    +
    $ export BAREMETAL_IP=$(ip addr show dev baremetal | awk '/inet /{print $2}' | cut -d"/" -f1)
    +$ export RHCOS_OPENSTACK_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI} | sha256sum | awk '{print $1}')
    +$ export RHCOS_QEMU_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI} | sha256sum | awk '{print $1}')
    +$ export CLUSTER_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_OPENSTACK_URI}?sha256=${RHCOS_OPENSTACK_SHA256}"
    +$ export BOOTSTRAP_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_QEMU_URI}?sha256=${RHCOS_QEMU_SHA256}"
    +$ echo "${RHCOS_OPENSTACK_SHA256}  ${RHCOS_OPENSTACK_URI}" > /home/kni/rhcos_image_cache/rhcos-ootpa-latest.qcow2.md5sum
    +$ echo "    bootstrapOSImage=${BOOTSTRAP_OS_IMAGE}"
    +$ echo "    clusterOSImage=${CLUSTER_OS_IMAGE}"
    +
    +
    +
  28. +
  29. +

    Add the required configuration to the install-config.yaml file under platform.baremetal.

    +
    +
    +
    platform:
    +  baremetal:
    +    bootstrapOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_QEMU_URI>?sha256=<RHCOS_QEMU_SHA256>
    +    clusterOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_OPENSTACK_URI>?sha256=<RHCOS_OPENSTACK_SHA256>
    +
    +
    +
    +

    See the Configuring the install-config.yaml file section for additional details.

    +
    +
  30. +
+
+
+
+

3.6. Configuration files

+
+

3.6.1. Configuring the install-config.yaml file

+
+

The install-config.yaml file requires some additional details. +Most of the information is teaching the installer and the resulting cluster enough about the available hardware so that it is able to fully manage it.

+
+
+
    +
  1. +

    Configure install-config.yaml. Change the appropriate variables to match the environment, including pullSecret and sshKey.

    +
    +
    +
    apiVersion: v1
    +basedomain: <domain>
    +metadata:
    +  name: <cluster-name>
    +networking:
    +  machineCIDR: <public-cidr>
    +  networkType: OVNKubernetes
    +compute:
    +- name: worker
    +  replicas: 2 (1)
    +controlPlane:
    +  name: master
    +  replicas: 3
    +  platform:
    +    baremetal: {}
    +platform:
    +  baremetal:
    +    apiVIP: <api-ip>
    +    ingressVIP: <wildcard-ip>
    +    dnsVIP: <dns-ip>
    +    hosts:
    +      - name: openshift-master-0
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip> (2)
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-1
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-2
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-worker-0
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +      - name: openshift-worker-1
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +pullSecret: '<pull_secret>'
    +sshKey: '<ssh_pub_key>'
    +
    +
    +
    + + + + + + + + + +
    1Scale the worker machines based on the number of worker nodes that are part of the OpenShift Container Platform cluster.
    2Refer to the BMC addressing for more options
    +
    +
  2. +
  3. +

    Create a directory to store cluster configs.

    +
    +
    +
    [kni@provisioner ~]$ mkdir ~/clusterconfigs
    +[kni@provisioner ~]$ cp install-config.yaml ~/clusterconfigs
    +
    +
    +
  4. +
  5. +

    Ensure all bare metal nodes are powered off prior to installing the OpenShift Container Platform cluster.

    +
    +
    +
    [kni@provisioner ~]$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  6. +
  7. +

    Remove old bootstrap resources if any are left over from a previous deployment attempt.

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool default;
    +  sudo virsh vol-delete $i.ign --pool default;
    +done
    +
    +
    +
  8. +
+
+
+
+

3.6.2. Setting proxy settings within the install-config.yaml file (optional)

+
+

To deploy an OpenShift Container Platform cluster using a proxy, make the following changes to the install-config.yaml file.

+
+
+
+
apiVersion: v1
+baseDomain: <domain>
+proxy:
+  httpProxy: http://USERNAME:PASSWORD@proxy.example.com:PORT
+  httpsProxy: https://USERNAME:PASSWORD@proxy.example.com:PORT
+  noProxy: <WILDCARD_OF_DOMAIN>,<PROVISIONING_NETWORK/CIDR>,<BMC_ADDRESS_RANGE/CIDR>
+
+
+
+

See below for an example of noProxy with values.

+
+
+
+
noProxy: .example.com,172.22.0.0/24,10.10.0.0/24
+
+
+
+

With a proxy enabled, set the appropriate values of the proxy in the corresponding key/value pair.

+
+
+

Key considerations:

+
+
+
    +
  • +

    If the proxy does not have an HTTPS proxy, change the value of httpsProxy from https:// to http://.

    +
  • +
  • +

    If using a provisioning network, include it in the noProxy setting, otherwise the installer will fail.

    +
  • +
  • +

    Set all of the proxy settings as environment variables within the provisioner node. For example, HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

    +
  • +
+
+
+
+

3.6.3. Modifying the install-config.yaml file for no provisioning network (optional)

+
+

To deploy an OpenShift Container Platform cluster without a provisioning network, make the following changes to the install-config.yaml file.

+
+
+
+

3.6.4. Additional install-config parameters

+
+

See the following tables for the required parameters, the hosts parameter, +and the bmc parameter for the install-config.yaml file.

+
+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1. Required parameters
ParametersDefaultDescription

baseDomain

The domain name for the cluster. For example, example.com.

bootMode

legacy

The boot mode for a node. Options are legacy, UEFI and UEFISecureBoot.

sshKey

The sshKey configuration setting contains the key in the ~/.ssh/id_rsa.pub file required to access the control plane nodes and worker nodes. Typically, this key is from the provisioner node.

pullSecret

The pullSecret configuration setting contains a copy of the pull secret downloaded from the Install OpenShift on Bare Metal page when preparing the provisioner node.

+
+
metadata:
+    name:
+
+

The name to be given to the OpenShift Container Platform cluster. For example, openshift.

+
+
networking:
+    machineCIDR:
+
+

The public CIDR (Classless Inter-Domain Routing) of the external network. For example, 10.0.0.0/24 +.

+
+
compute:
+  - name: worker
+
+

The OpenShift Container Platform cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes.

+
+
compute:
+    replicas: 2
+
+

Replicas sets the number of worker (or compute) nodes in the OpenShift Container Platform cluster.

+
+
controlPlane:
+    name: master
+
+

The OpenShift Container Platform cluster requires a name for control plane (master) nodes.

+
+
controlPlane:
+    replicas: 3
+
+

Replicas sets the number of control plane (master) nodes included as part of the OpenShift Container Platform cluster.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

apiVIP

api.<clustername.clusterdomain>

The VIP to use for internal API communication.

+

This setting must either be provided or pre-configured in the DNS so that the +default name resolves correctly.

disableCertificateVerification

False

redfish and redfish-virtualmedia need this parameter to manage BMC addresses. The value should be True when using a self-signed certificate for BMC addresses.

ingressVIP

test.apps.<clustername.clusterdomain>

The VIP to use for ingress traffic.

+

Provide this setting or pre-configure it in the DNS so that the default name resolves correctly.

dnsVIP

The VIP to use for internal DNS communication.

+

This setting has no default and must always be provided.

+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2. Optional Parameters
ParametersDefaultDescription

provisioningDHCPRange

172.22.0.10,172.22.0.100

Defines the IP range for nodes on the provisioning network.

+

provisioningNetworkCIDR

+

172.22.0.0/24

The CIDR for the network to use for provisioning. This option is required when not using the default address range on the provisioning network.

clusterProvisioningIP

The third IP address of the provisioningNetworkCIDR.

The IP address within the cluster where the provisioning services run. Defaults to the third IP address of the provisioning subnet. For example, 172.22.0.3.

bootstrapProvisioningIP

The second IP address of the provisioningNetworkCIDR.

The IP address on the bootstrap VM where the provisioning services run while the installer is deploying the control plane (master) nodes. Defaults to the second IP address of the provisioning subnet. For example, 172.22.0.2 +.

externalBridge

baremetal

The name of the baremetal bridge of the hypervisor attached to the baremetal network.

provisioningBridge

provisioning

The name of the provisioning bridge on the provisioner host attached to the provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

bootstrapOSImage

A URL to override the default operating system image for the bootstrap node. The URL must contain a SHA-256 hash of the image. For example: +https://mirror.openshift.com/rhcos-<version>-qemu.qcow2.gz?sha256=<uncompressed_sha256>; +.

clusterOSImage

A URL to override the default operating system for cluster nodes. The URL must include a SHA-256 hash of the image. For example, https://mirror.openshift.com/images/rhcos-<version>-openstack.qcow2.gz?sha256=<compressed_sha256>;.

provisioningNetwork

Set this parameter to Disabled to disable the requirement for a provisioning network. User may only do virtual media based provisioning, or bring up the cluster using assisted installation. If using power management, BMC’s must be accessible from the machine networks. User must provide two IP addresses on the external network that are used for the provisioning services.

+
+
Hosts
+

The hosts parameter is a list of separate bare metal assets used to build the cluster.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Name

Default

Description

name

The name of the BareMetalHost resource to associate with the details. For example, openshift-master-0.

role

The role of the bare metal node. Either master or worker.

bmc

Connection details for the baseboard management controller. See the BMC addressing section for additional details.

bootMACAddress

The MAC address of the NIC the host will use to boot on the provisioning network.

hardwareProfile

default

This parameter exposes the device name that the installer attempts to deploy the OpenShift Container Platform cluster for the control plane and worker nodes. The value defaults to default for control plane nodes and unknown for worker nodes. The list of profiles includes: default, libvirt, dell, dell-raid, and openstack. The default parameter attempts to install on /dev/sda of the OpenShift Container Platform cluster nodes.

+
+
+

3.6.5. BMC addressing

+
+

Most vendors support BMC addressing with the Intelligent Platform Management Interface or IPMI. IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center or SDDC. Redfish is human readable and machine capable, and leverages common Internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.

+
+
+
IPMI
+

Hosts using IPMI use the ipmi://<out-of-band-ip>:<port> address format, which defaults to port 623 if not specified. The following example demonstrates an IPMI configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: ipmi://<out-of-band-ip>
+          username: <user>
+          password: <password>
+
+
+
+
Redfish network boot
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
BMC addressing for Dell iDRAC
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For Dell hardware, Red Hat supports integrated Dell Remote Access Controller (iDRAC) virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 3. BMC address formats for Dell iDRAC
ProtocolAddress Format

iDRAC virtual media

idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

IPMI

ipmi://<out-of-band-ip>

+
+ + + + + +
+ + +
+

Use idrac-virtualmedia as the protocol for Redfish virtual media. redfish-virtualmedia will not work on Dell hardware. Dell’s idrac-virtualmedia uses the Redfish standard with Dell’s OEM extensions.

+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for Dell iDRAC
+

For Redfish virtual media on Dell servers, use idrac-virtualmedia:// in the address setting. Using redfish-virtualmedia:// will not work.

+
+
+

The following example demonstrates using iDRAC virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

Use idrac-virtualmedia:// as the protocol for Redfish virtual media. Using redfish-virtualmedia:// will not work on Dell hardware, because the idrac-virtualmedia:// protocol corresponds to the idrac hardware type and the Redfish protocol in Ironic. Dell’s idrac-virtualmedia:// protocol uses the Redfish standard with Dell’s OEM extensions. Ironic also supports the idrac type with the WSMAN protocol. Therefore, you must specify idrac-virtualmedia:// to avoid unexpected behavior when electing to use Redfish with virtual media on Dell hardware.

+
+
+
+
+
Redfish network boot for iDRAC
+

To enable Redfish, use redfish:// or redfish+http:// to disable transport layer security (TLS). The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell hardware with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

The redfish:// URL protocol corresponds to the redfish hardware type in Ironic.

+
+
+
+
+
+
BMC addressing for HPE iLO
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For HPE integrated Lights Out (iLO), Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 4. BMC address formats for HPE iLO
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/1

IPMI

ipmi://<out-of-band-ip>

+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for HPE iLO
+

To enable Redfish virtual media for HPE servers, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Redfish virtual media is not supported on 9th generation systems running iLO4, because Ironic does not support iLO4 with virtual media.

+
+
+
+
+
Redfish network boot for HPE iLO
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
BMC addressing for KVM with sushy-tools Redfish emulator
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For KVM working with sushy-tools Redfish emulator, Red Hat supports Redfish virtual media and Redfish network boot.

+
+ + ++++ + + + + + + + + + + + + + + + + +
Table 5. BMC address formats for KVM with sushy-tools Redfish emulator
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

Redfish network boot

redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

+
+ + + + + +
+ + +
+

The sushy-tools Redfish emulator runs from the KVM hypervisor and a single instance acts as the virtual BMC for all the guest machines. This means both the out of band IP address and port, will be same and each individual machine must be identified by its System ID.

+
+
+

You may retrieve the System ID of your guest machines with the following command:

+
+
+
+
---
+$ virsh list --all --name --uuid
+d8ac6bf8-3062-4954-84c3-e097faa17025 compute-0
+84971a71-3935-4a92-8d90-a9f8440dac09 compute-1
+92430f42-8805-4412-959a-2a7252c7c540 compute-2
+0fea5296-db95-41d7-9295-f57cfa50255f control-plane-0
+4986e405-fd3a-483d-9210-8cb120b98f80 control-plane-1
+26bf228c-44fd-4c49-9e6f-44f4b5968b34 control-plane-2
+---
+
+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for KVM with sushy-tools Redfish emulator
+

To enable Redfish virtual media for KVM environments running the sushy-tools Redfish emulator, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
Redfish network boot for KVM with sushy-tools Redfish emulator
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires the host name or the IP address, the Redfish emulator listening port and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
+

3.6.6. Root device hints

+
+

The rootDeviceHints parameter enables the installer to provision the Red Hat Enterprise Linux CoreOS (RHCOS) image to a particular device. The installer examines the devices in the order it discovers them, and compares the discovered values with the hint values. The installer uses the first discovered device that matches the hint value. The configuration can combine multiple hints, but a device must match all hints for the installer to select it.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 6. Subfields
SubfieldDescription

deviceName

A string containing a Linux device name like /dev/vda. The hint must match the actual value exactly.

hctl

A string containing a SCSI bus address like 0:0:0:0. The hint must match the actual value exactly.

model

A string containing a vendor-specific device identifier. The hint can be a substring of the actual value.

vendor

A string containing the name of the vendor or manufacturer of the device. The hint can be a sub-string of the actual value.

serialNumber

A string containing the device serial number. The hint must match the actual value exactly.

minSizeGigabytes

An integer representing the minimum size of the device in gigabytes.

wwn

A string containing the unique storage identifier. The hint must match the actual value exactly.

wwnWithExtension

A string containing the unique storage identifier with the vendor extension appended. The hint must match the actual value exactly.

wwnVendorExtension

A string containing the unique vendor storage identifier. The hint must match the actual value exactly.

rotational

A Boolean indicating whether the device should be a rotating disk (true) or not (false).

+
+
Example usage
+
+
     - name: master-0
+       role: master
+       bmc:
+         address: ipmi://10.10.0.3:6203
+         username: admin
+         password: redhat
+       bootMACAddress: de:ad:be:ef:00:40
+       rootDeviceHints:
+         deviceName: "/dev/sda"
+
+
+
+
+

3.6.7. Creating the OpenShift Container Platform manifests

+
+
    +
  1. +

    Create the OpenShift Container Platform manifests.

    +
    +
    +
    [kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs create manifests
    +
    +
    +
    +
    +
    INFO Consuming Install Config from target directory
    +WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
    +WARNING Discarding the Openshift Manifest that was provided in the target directory because its dependencies are dirty and it needs to be regenerated
    +
    +
    +
  2. +
  3. +

    Copy the metal3-config.yaml file to the clusterconfigs/openshift directory.

    +
    +
    +
    [kni@provisioner ~]$ cp ~/metal3-config.yaml clusterconfigs/openshift/99_metal3-config.yaml
    +
    +
    +
  4. +
+
+
+
+
+

3.7. Creating a disconnected registry (optional)

+
+

In some cases, you might want to install an OpenShift Container Platform cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.

+
+
+

A local, or mirrored, copy of the registry requires the following:

+
+
+
    +
  • +

    A certificate for the registry node. This can be a self-signed certificate.

    +
  • +
  • +

    A web server that a container on a system will serve.

    +
  • +
  • +

    An updated pull secret that contains the certificate and local repository information.

    +
  • +
+
+
+ + + + + +
+ + +
+

Creating a disconnected registry on a registry node is optional. The subsequent sections indicate that they are optional since they are steps you need to execute only when creating a disconnected registry on a registry node. You should execute all of the subsequent sub-sections labeled "(optional)" when creating a disconnected registry on a registry node.

+
+
+
+
+

3.7.1. Preparing the registry node to host the mirrored registry (optional)

+
+

Make the following changes to the registry node.

+
+
+
Procedure
+
    +
  1. +

    Open the firewall port on the registry node.

    +
    +
    +
    [user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[user@registry ~]$ sudo firewall-cmd --reload
    +
    +
    +
  2. +
  3. +

    Install the required packages for the registry node.

    +
    +
    +
    [user@registry ~]$ sudo yum -y install python3 podman httpd httpd-tools jq
    +
    +
    +
  4. +
  5. +

    Create the directory structure where the repository information will be held.

    +
    +
    +
    [user@registry ~]$ sudo mkdir -p /opt/registry/{auth,certs,data}
    +
    +
    +
  6. +
+
+
+
+

3.7.2. Generating the self-signed certificate (optional)

+
+

Generate a self-signed certificate for the registry node and put it in the /opt/registry/certs directory.

+
+
+
Procedure
+
    +
  1. +

    Adjust the certificate information as appropriate.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +[user@registry ~]$ cert_c="<Country Name>"   # Country Name (C, 2 letter code)
    +[user@registry ~]$ cert_s="<State>"          # Certificate State (S)
    +[user@registry ~]$ cert_l="<Locality>"       # Certificate Locality (L)
    +[user@registry ~]$ cert_o="<Organization>"   # Certificate Organization (O)
    +[user@registry ~]$ cert_ou="<Org Unit>"      # Certificate Organizational Unit (OU)
    +[user@registry ~]$ cert_cn="${host_fqdn}"    # Certificate Common Name (CN)
    +
    +[user@registry ~]$ openssl req \
    +    -newkey rsa:4096 \
    +    -nodes \
    +    -sha256 \
    +    -keyout /opt/registry/certs/domain.key \
    +    -x509 \
    +    -days 365 \
    +    -out /opt/registry/certs/domain.crt \
    +    -addext "subjectAltName = DNS:${host_fqdn}" \
    +    -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
    +
    +
    +
    + + + + + +
    + + +When replacing <Country Name>, ensure that it only contains two letters. For example, US. +
    +
    +
  2. +
  3. +

    Update the registry node’s ca-trust with the new certificate.

    +
    +
    +
    [user@registry ~]$ sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    +[user@registry ~]$ sudo update-ca-trust extract
    +
    +
    +
  4. +
+
+
+
+

3.7.3. Creating the registry podman container (optional)

+
+

The registry container uses the /opt/registry directory for certificates, authentication files, and to store its data files.

+
+
+

The registry container uses httpd and needs an htpasswd file for authentication.

+
+
+
Procedure
+
    +
  1. +

    Create an htpasswd file in /opt/registry/auth for the container to use.

    +
    +
    +
    [user@registry ~]$ htpasswd -bBc /opt/registry/auth/htpasswd <user> <passwd>
    +
    +
    +
    +

    Replace <user> with the user name and <passwd> with the password.

    +
    +
  2. +
  3. +

    Create and start the registry container.

    +
    +
    +
    [user@registry ~]$ podman create \
    +  --name ocpdiscon-registry \
    +  -p 5000:5000 \
    +  -e "REGISTRY_AUTH=htpasswd" \
    +  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
    +  -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
    +  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
    +  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
    +  -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
    +  -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true" \
    +  -v /opt/registry/data:/var/lib/registry:z \
    +  -v /opt/registry/auth:/auth:z \
    +  -v /opt/registry/certs:/certs:z \
    +  docker.io/library/registry:2
    +
    +
    +
    +
    +
    [user@registry ~]$ podman start ocpdiscon-registry
    +
    +
    +
  4. +
+
+
+
+

3.7.4. Copy and update the pull-secret (optional)

+
+

Copy the pull secret file from the provisioner node to the registry node and modify it to include the authentication information for the new registry node.

+
+
+
Procedure
+
    +
  1. +

    Copy the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ scp kni@provisioner:/home/kni/pull-secret.txt pull-secret.txt
    +
    +
    +
  2. +
  3. +

    Update the host_fqdn environment variable with the fully qualified domain name of the registry node.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +
    +
    +
  4. +
  5. +

    Update the b64auth environment variable with the base64 encoding of the http credentials used to create the htpasswd file.

    +
    +
    +
    [user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 )
    +
    +
    +
    +

    Replace <username> with the user name and <passwd> with the password.

    +
    +
  6. +
  7. +

    Set the AUTHSTRING environment variable to use the base64 authorization string. The $USER variable is an environment variable containing the name of the current user.

    +
    +
    +
    [user@registry ~]$ AUTHSTRING="{\"$host_fqdn:5000\": {\"auth\": \"$b64auth\",\"email\": \"$USER@redhat.com\"}}"
    +
    +
    +
  8. +
  9. +

    Update the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ jq ".auths += $AUTHSTRING" < pull-secret.txt > pull-secret-update.txt
    +
    +
    +
  10. +
+
+
+
+

3.7.5. Mirroring the repository (optional)

+
+
Procedure
+
    +
  1. +

    Copy the oc binary from the provisioner node to the registry node.

    +
    +
    +
    [user@registry ~]$ sudo scp kni@provisioner:/usr/local/bin/oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Get the release image and mirror the remote install images to the local repository.

    +
    +
    +
    [user@registry ~]$ export VERSION=latest-4.3
    +[user@registry ~]$ UPSTREAM_REPO=$(curl -s https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/$VERSION/release.txt | awk  '/Pull From/ {print $3}')
    +[user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.txt
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
  4. +
+
+
+
+

3.7.6. Modify the install-config.yaml file to use the disconnected registry (optional)

+
+

On the provisioner node, the install-config.yaml file should use the newly created pull-secret from the pull-secret-update.txt file. The install-config.yaml file must also contain the disconnected registry node’s certificate and registry information.

+
+
+
Procedure
+
    +
  1. +

    Add the disconnected registry node’s certificate to the install-config.yaml file. The certificate should follow the "additionalTrustBundle: |" line and be properly indented, usually by two spaces.

    +
    +
    +
    $ echo "additionalTrustBundle: |" >> install-config.yaml
    +$ sed -e 's/^/  /' /opt/registry/certs/domain.crt >> install-config.yaml
    +
    +
    +
  2. +
  3. +

    Add the mirror information for the registry to the install-config.yaml file.

    +
    +
    +
    $ cat <<EOF >> install-config.yaml
    +<image-config>: (1)
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: registry.svc.ci.openshift.org/ocp/release
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-release
    +EOF
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <image-config> with imageContentSources for OpenShift 4.13 and below, or imageDigestSources for Openshift 4.14 and above. +
    + + + + + +
    + + +Replace registry.example.com with the registry’s fully qualified domain name. +
    +
    +
    +
  4. +
+
+
+
+
+

3.8. Deploying routers on worker nodes

+
+

During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If the initial cluster has only one worker node, or if a deployed cluster requires additional routers to handle external traffic loads destined for services within the OpenShift Container Platform cluster, you can create a yaml file to set an appropriate number of router replicas.

+
+
+ + + + + +
+ + +
+

By default, the installer deploys two routers. +If the cluster has at least two worker nodes, you can skip this section. +For more information on the Ingress Operator see: Ingress Operator in OpenShift Container Platform.

+
+
+
+
+ + + + + +
+ + +
+

If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default. If the cluster has no worker nodes, you can skip this section.

+
+
+
+
+
Procedure
+
    +
  1. +

    Create a router-replicas.yaml file.

    +
    +
    +
    apiVersion: operator.openshift.io/v1
    +kind: IngressController
    +metadata:
    +  name: default
    +  namespace: openshift-ingress-operator
    +spec:
    +  replicas: <num-of-router-pods>
    +  endpointPublishingStrategy:
    +    type: HostNetwork
    +  nodePlacement:
    +    nodeSelector:
    +      matchLabels:
    +        node-role.kubernetes.io/worker: ""
    +
    +
    +
    + + + + + +
    + + +
    +

    Replace <num-of-router-pods> with an appropriate value. If working with just one worker node, set replicas: to 1. If working with more than 3 worker nodes, you can increase replicas: from the default value 2 as appropriate.

    +
    +
    +
    +
  2. +
  3. +

    Save and copy the router-replicas.yaml file to the clusterconfigs/openshift directory.

    +
    +
    +
    cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yaml
    +
    +
    +
  4. +
+
+
+
+

3.9. Validation checklist for installation

+
+
    +
  • +

    OpenShift Container Platform installer has been retrieved.

    +
  • +
  • +

    OpenShift Container Platform installer has been extracted.

    +
  • +
  • +

    Required parameters for the install-config.yaml have been configured.

    +
  • +
  • +

    The hosts parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    The bmc parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    Conventions for the values configured in the bmc address field have been applied.

    +
  • +
  • +

    Created a disconnected registry (optional).

    +
  • +
  • +

    Validate disconnected registry settings if in use. (optional)

    +
  • +
  • +

    Deployed routers on worker nodes. (optional)

    +
  • +
+
+
+
+

3.10. Deploying the cluster via the OpenShift Container Platform installer

+
+

Run the OpenShift Container Platform installer:

+
+
+
+
[kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs --log-level debug create cluster
+
+
+
+
+

3.11. Following the installation

+
+

During the deployment process, you can check the installation’s overall status by issuing the tail command to the .openshift_install.log log file in the install directory folder.

+
+
+
+
[kni@provisioner ~]$ tail -f /path/to/install-dir/.openshift_install.log
+
+
+
+
+
+
+

4. Day 2 operations

+
+
+

The following sections are optional, but may be of interest after the initial deployment has been completed.

+
+
+

4.1. Accessing the web console

+
+

The web console runs as a pod on the master. The static assets required to run +the web console are served by the pod. Once OpenShift Container Platform is successfully +installed, find the URL for the web console and login credentials for your +installed cluster in the CLI output of the installation program. For example:

+
+
+
Example output
+
+
INFO Install complete!
+INFO Run 'export KUBECONFIG=<your working directory>/auth/kubeconfig' to manage the cluster with 'oc', the OpenShift CLI.
+INFO The cluster is ready when 'oc login -u kubeadmin -p <provided>' succeeds (wait a few minutes).
+INFO Access the OpenShift web-console here: https://console-openshift-console.apps.demo1.openshift4-beta-abcorp.com
+INFO Login to the console with user: kubeadmin, password: <provided>
+
+
+
+

Use those details to log in and access the web console.

+
+
+

Additionally, you can execute:

+
+
+
+
oc whoami --show-console
+
+
+
+

To obtain the url for the console.

+
+
+
+

4.2. Backing up the cluster configuration

+
+

At this point you have a working OpenShift 4 cluster on baremetal. +In order to take advantage of the baremetal hardware that was the provision node, +you can repurpose the provisioning node as a worker. +Prior to reprovisioning the node, it is recommended to backup some existing files.

+
+
+
Procedure
+
    +
  1. +

    Tar the clusterconfig folder and download it to your local machine.

    +
    +
    +
    tar cvfz clusterconfig.tar.gz ~/clusterconfig
    +
    +
    +
  2. +
  3. +

    Copy the Private part for the SSH Key configured on the install-config.yaml file to your local machine.

    +
    +
    +
    tar cvfz clusterconfigsh.tar.gz ~/.ssh/id_rsa*
    +
    +
    +
  4. +
  5. +

    Copy the install-config.yaml and metal3-config.yaml files.

    +
    +
    +
    tar cvfz yamlconfigs.tar.gz install-config.yaml metal3-config.yaml
    +
    +
    +
  6. +
+
+
+
+

4.3. Expanding the cluster

+
+

After deploying an installer-provisioned OpenShift Container Platform cluster, you can use the following procedures to expand the number of worker nodes. Ensure that each prospective worker node meets the prerequisites.

+
+
+ + + + + +
+ + +
+

Expanding the cluster using RedFish Virtual Media involves meeting minimum firmware requirements. See Firmware requirements for installing with virtual media in the Prerequisites section for additional details when expanding the cluster using RedFish Virtual Media.

+
+
+
+
+

4.3.1. Preparing the bare metal node

+
+

Expanding the cluster requires a DHCP server. Each node must have a DHCP reservation.

+
+
+

Preparing the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Get the oc binary, if needed. It should already exist on the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ export VERSION=latest-4.3
    +[kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux-$VERSION.tar.gz | tar zxvf - oc
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Power off the bare metal node via the baseboard management controller and ensure it is off.

    +
  4. +
  5. +

    Retrieve the user name and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the user name and password. In the following example, the user name is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  6. +
  7. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: <protocol>://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of the bare metal node in the two name fields and the credentialsName field. Replace <base64-of-uid> with the base64 string of the user name. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC.

    +
    +
    +

    Refer to the BMC addressing section for additional BMC configuration options. Replace <protocol> with the BMC protocol, such as IPMI, RedFish, or others. +Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
    + + + + + +
    + + +
    +

    If the MAC address of an existing bare metal node matches the MAC address of a bare metal host that you are attempting to provision, then the Ironic installation will fail. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the metal3-baremetal-operator will continuously retry. See Diagnosing a host duplicate MAC address for more information.

    +
    +
    +
    +
  8. +
  9. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  10. +
  11. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
+
+
+
+

4.3.2. Preparing to deploy with Virtual Media on the baremetal network

+
+

If the provisioning network is enabled, and you want to expand the cluster using Virtual Media on the baremetal network, execute the following procedure.

+
+
+
Procedure
+
    +
  1. +

    Edit the provisioning configuration resource (CR) to enable deploying with Virtual Media on the baremetal network.

    +
    +
    +
    oc edit provisioning
    +
    +
    +
    +
    +
      apiVersion: metal3.io/v1alpha1
    +  kind: Provisioning
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:50Z"
    +    finalizers:
    +    - provisioning.metal3.io
    +    generation: 8
    +    name: provisioning-configuration
    +    resourceVersion: "551591"
    +    uid: f76e956f-24c6-4361-aa5b-feaf72c5b526
    +  spec:
    +    preProvisioningOSDownloadURLs: {}
    +    provisioningDHCPRange: 172.22.0.10,172.22.0.254
    +    provisioningIP: 172.22.0.3
    +    provisioningInterface: enp1s0
    +    provisioningNetwork: Managed
    +    provisioningNetworkCIDR: 172.22.0.0/24
    +    provisioningOSDownloadURL: http://192.168.111.1/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.gz?sha256=c7dde5f96826c33c97b5a4ad34110212281916128ae11100956f400db3d5299e
    +    virtualMediaViaExternalNetwork: true (1)
    +  status:
    +    generations:
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 7
    +      name: metal3
    +      namespace: openshift-machine-api
    +      resource: deployments
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 1
    +      name: metal3-image-cache
    +      namespace: openshift-machine-api
    +      resource: daemonsets
    +    observedGeneration: 8
    +    readyReplicas: 0
    +
    +
    +
    + + + + + +
    1Add virtualMediaViaExternalNetwork: true to the provisioning CR.
    +
    +
  2. +
  3. +

    Edit the machine set to use the API VIP address.

    +
    +
    +
    oc edit machineset
    +
    +
    +
    +
    +
      apiVersion: machine.openshift.io/v1beta1
    +  kind: MachineSet
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:52Z"
    +    generation: 11
    +    labels:
    +      machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +      machine.openshift.io/cluster-api-machine-role: worker
    +      machine.openshift.io/cluster-api-machine-type: worker
    +    name: ostest-hwmdt-worker-0
    +    namespace: openshift-machine-api
    +    resourceVersion: "551513"
    +    uid: fad1c6e0-b9da-4d4a-8d73-286f78788931
    +  spec:
    +    replicas: 2
    +    selector:
    +      matchLabels:
    +        machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +        machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +    template:
    +      metadata:
    +        labels:
    +          machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +          machine.openshift.io/cluster-api-machine-role: worker
    +          machine.openshift.io/cluster-api-machine-type: worker
    +          machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +      spec:
    +        metadata: {}
    +        providerSpec:
    +          value:
    +            apiVersion: baremetal.cluster.k8s.io/v1alpha1
    +            hostSelector: {}
    +            image:
    +              checksum: http:/172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.md5sum (1)
    +              url: http://172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2 (2)
    +            kind: BareMetalMachineProviderSpec
    +            metadata:
    +              creationTimestamp: null
    +            userData:
    +              name: worker-user-data
    +  status:
    +    availableReplicas: 2
    +    fullyLabeledReplicas: 2
    +    observedGeneration: 11
    +    readyReplicas: 2
    +    replicas: 2
    +
    +
    +
    + + + + + + + + + +
    1Edit the checksum URL to use the API VIP address.
    2Edit the url URL to use the API VIP address.
    +
    +
  4. +
+
+
+
Diagnosing a duplicate MAC address when provisioning a new host in the cluster
+
+

If the MAC address of an existing bare-metal node in the cluster matches the MAC address of a bare-metal host you are attempting to add to the cluster, the Bare Metal Operator associates the host with the existing node. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the Bare Metal Operator retries the installation continuously. A registration error is displayed for the failed bare-metal host.

+
+
+

You can diagnose a duplicate MAC address by examining the bare-metal hosts that are running in the openshift-machine-api namespace.

+
+
+
Prerequisites
+
    +
  • +

    Install an OpenShift Container Platform cluster on bare metal.

    +
  • +
  • +

    Install the OpenShift Container Platform CLI oc.

    +
  • +
  • +

    Log in as a user with cluster-admin privileges.

    +
  • +
+
+
+
Procedure
+

To determine whether a bare-metal host that fails provisioning has the same MAC address as an existing node, do the following:

+
+
+
    +
  1. +

    Get the bare-metal hosts running in the openshift-machine-api namespace:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    Example output
    +
    +
    NAME                 STATUS   PROVISIONING STATUS      CONSUMER
    +openshift-master-0   OK       externally provisioned   openshift-zpwpq-master-0
    +openshift-master-1   OK       externally provisioned   openshift-zpwpq-master-1
    +openshift-master-2   OK       externally provisioned   openshift-zpwpq-master-2
    +openshift-worker-0   OK       provisioned              openshift-zpwpq-worker-0-lv84n
    +openshift-worker-1   OK       provisioned              openshift-zpwpq-worker-0-zd8lm
    +openshift-worker-2   error    registering
    +
    +
    +
  2. +
  3. +

    To see more detailed information about the status of the failing host, run the following command replacing <bare_metal_host_name> with the name of the host:

    +
    +
    +
    $ oc get -n openshift-machine-api bmh <bare_metal_host_name> -o yaml
    +
    +
    +
    +
    Example output
    +
    +
    ...
    +status:
    +  errorCount: 12
    +  errorMessage: MAC address b4:96:91:1d:7c:20 conflicts with existing node openshift-worker-1
    +  errorType: registration error
    +...
    +
    +
    +
  4. +
+
+
+
+
+

4.3.3. Provisioning the bare metal node

+
+

Provisioning the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  2. +
  3. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-3.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-1.openshift.example.com            Ready    master          30h     v1.16.2
    +
    +
    +
  4. +
  5. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +...
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +
    +
    +
  6. +
  7. +

    Increase the number of worker nodes by one.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  8. +
  9. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This can take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  10. +
  11. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                          STATUS   ROLES   AGE     VERSION
    +provisioner.openshift.example.com             Ready    master  30h     v1.16.2
    +openshift-master-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-2.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-3.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-0.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  12. +
+
+
+
+

4.3.4. Preparing the provisioner node to be deployed as a worker node

+
+
Procedure
+

Perform the following steps prior to converting the provisioner node to a worker node.

+
+
+
    +
  1. +

    ssh to a system (for example, a laptop) that can access the out of band management network of the current provisioner node.

    +
  2. +
  3. +

    Copy the backups clusterconfig.tar.gz, clusterconfigsh.tar.gz, and amlconfigs.tar.gz to the new system.

    +
  4. +
  5. +

    Copy the oc binary from the existing provisioning node to the new system.

    +
  6. +
  7. +

    Make a note of the mac addresses, the baremetal network IP used for the provisioner node, and the IP address of +the Out of band Management Network.

    +
  8. +
  9. +

    Reboot the system and ensure that PXE is enabled on the provisioning network and PXE is disabled for all other NICs.

    +
  10. +
  11. +

    If installation was performed using a Satellite server, remove the Host entry for the existing provisioning node.

    +
  12. +
  13. +

    Install the ipmitool on the new system in order to power off the provisioner node.

    +
  14. +
+
+
+
+

4.3.5. Adding a worker node to an existing cluster

+
+
Procedure
+
    +
  1. +

    Retrieve the username and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the username and password. In the following example, the username is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  2. +
  3. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of bare metal node in two name fields and credentialsName field. Replace <base64-of-uid> with the base64 string of the username. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC. Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
  4. +
+
+
+ + + + + +
+ + +
+

When using redfish or redfish-virtualmedia, add the +appropriate addressing as described in the BMC addressing section. See BMC addressing for details.

+
+
+
+
+
    +
  1. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  2. +
  3. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  4. +
  5. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  6. +
  7. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
  8. +
  9. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +openshift-worker-2.example.com      1         1         1       1           55m
    +
    +
    +
  10. +
  11. +

    Increase the number of worker nodes by 1.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  12. +
  13. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This may take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  14. +
  15. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  16. +
+
+
+
Appending DNS records
+
+
Configuring Bind (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +<OUTPUT_OMITTED>
    +openshift-worker-1      A       <ip-of-worker-1>
    +openshift-worker-2      A       <ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  6. +
  7. +

    Increase the SERIAL value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the SERIAL value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+

Append the following DNS record to the /etc/hosts file on the server hosting the dnsmasq service.

+
+
+
+
<OUTPUT_OMITTED>
+<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
+<NIC2-IP> openshift-worker-2.openshift.example.com openshift-worker-2
+
+
+
+ + + + + +
+ + +
+

Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

+
+
+
+
+
+
+
Appending DHCP reservations
+
+
Configuring dhcpd (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host openshift-worker-2 {
    +     option host-name "worker-2";
    +     hardware ethernet <NIC2-mac-address>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+
    +
  1. +

    Append the following DHCP reservation to the /etc/dnsmasq.d/example.dns file on the server hosting the dnsmasq service.

    +
    +
    +
    <OUTPUT_OMITTED>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-worker-1>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-2.openshift.example.com,<ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

    +
    +
    +
    +
  2. +
  3. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  4. +
+
+
+
+
+
Deploying the provisioner node as a worker node using Metal3
+
+

After you have completed the prerequisites, perform the deployment process.

+
+
+
Procedure
+
    +
  1. +

    Power off the node using ipmitool and confirm the provisioning node is powered off.

    +
    +
    +
    ssh <server-with-access-to-management-net>
    +# Use the user, password and Management net IP adddress to shutdown the system
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +# Confirm the server is powered down
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power status
    +Chassis Power is off
    +
    +
    +
  2. +
  3. +

    Get base64 strings for the Out of band Management credentials. In this example, the user is root and the password is calvin.

    +
    +
    +
    # Use echo -ne, otherwise you will get your secrets with \n which will cause issues
    +# Get root username in base64
    +echo -ne "root" | base64
    +# Get root password in base64
    +echo -ne "calvin" | base64
    +
    +
    +
  4. +
  5. +

    Configure the BaremetalHost bmh.yaml file.

    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-2-bmc-secret
    +type: Opaque
    +data:
    +  username: ca2vdAo=
    +  password: MWAwTWdtdC0K
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-2
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<out-of-band-ip>
    +    credentialsName: openshift-worker-2-bmc-secret
    +
    +
    +
  6. +
  7. +

    Create the BaremetalHost.

    +
    +
    +
    ./oc -n openshift-machine-api create -f bmh.yaml
    +secret/openshift-worker-2-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-2 created
    +
    +
    +
  8. +
  9. +

    Power up and inspect the node.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       inspecting                       ipmi://<out-of-band-ip>                      true
    +
    +
    +
  10. +
  11. +

    After finishing the inspection, the node is ready to be provisioned.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
  13. +

    Scale the workers machineset. Previously, there were two replicas during original installation.

    +
    +
    +
    ./oc get machineset -n openshift-machine-api
    +NAME            DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-2   0         0                             21h
    +
    +./oc -n openshift-machine-api scale machineset openshift-worker-2 --replicas=3
    +
    +
    +
  14. +
  15. +

    The baremetal host moves to provisioning status. This can take as long as 30 minutes. You can follow the status +from the node console.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioning          openshift-worker-0-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  16. +
  17. +

    When the node is provisioned it moves to provisioned status.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioned           openshift-worker-2-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  18. +
  19. +

    When the kubelet finishes initialization the node is ready for use. +You can connect to the node and run journalctl -fu kubelet to check the process.

    +
    +
    +
    oc get node
    +NAME                                            STATUS   ROLES           AGE     VERSION
    +openshift-master-0.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-1.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-2.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
  20. +
+
+
+
+
+
+
+
+

5. Appendix

+
+
+

In this section of the document, extra information is provided that is outside of the regular workflow.

+
+
+

5.1. Troubleshooting

+
+

Troubleshooting the installation is out of scope of the Deployment Guide. For more details on troubleshooting deployment, refer to our Troubleshooting guide.

+
+
+
+

5.2. Creating DNS Records

+
+

Two options are documented for configuring DNS records:

+
+ +
+

5.2.1. Configuring Bind (Option 1)

+
+

Use Option 1 if access to the appropriate DNS server for the baremetal network is accessible or a request +to your network admin to create the DNS records is an option. +If this is not an option, skip this section and go to section Create DNS records using dnsmasq (Option 2).

+
+
+

Create a subzone with the name of the cluster that is going to be used on your domain. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +$TTL 300        ; 5 minutes
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +api                     A       <api-ip>
    +ns1                     A       <dns-vip-ip>
    +$ORIGIN apps.openshift.example.com.
    +*                       A       <wildcard-ingress-lb-ip>
    +$ORIGIN openshift.example.com.
    +provisioner             A       <NIC2-ip-of-provision>
    +openshift-master-0      A       <NIC2-ip-of-openshift-master-0>
    +openshift-master-1      A       <NIC2-ip-of-openshift-master-1>
    +openshift-master-2      A       <NIC2-ip-of-openshift-master-2>
    +openshift-worker-0      A       <NIC2-ip-of-openshift-worker-0>
    +openshift-worker-1      A       <NIC2-ip-of-openshift-worker-1>
    +
    +
    +
  6. +
  7. +

    Increase the serial value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    +
    +
    $ORIGIN 1.0.10.in-addr.arpa.
    +$TTL 300
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +126 IN      PTR      provisioner.openshift.example.com.
    +127	IN        	PTR    	openshift-master-0.openshift.example.com.
    +128	IN        	PTR    	openshift-master-1.openshift.example.com.
    +129	IN 	        PTR   	openshift-master-2.openshift.example.com.
    +130	IN 	        PTR   	openshift-worker-0.openshift.example.com.
    +131	IN        	PTR    	openshift-worker-1.openshift.example.com.
    +132 IN      PTR     api.openshift.example.com.
    +133 IN      PTR     ns1.openshift.example.com.
    +
    +
    +
    + + + + + +
    + + +
    +

    In this example, the IP addresses 10.0.1.126-133 are pointed to the corresponding fully qualified domain name.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the serial value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+

5.2.2. Configuring dnsmasq (Option 2)

+
+

To create DNS records, open the /etc/hosts file and add the NIC2 (baremetal net) IP followed by the hostname. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Edit /etc/hosts and add the NIC2 (baremetal net) IP followed by the hostname.

    +
    +
    +
    cat /etc/hosts
    +127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    +::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    +<NIC2-IP> provisioner.openshift.example.com provisioner
    +<NIC2-IP> openshift-master-0.openshift.example.com openshift-master-0
    +<NIC2-IP> openshift-master-1.openshift.example.com openshift-master-1
    +<NIC2-IP> openshift-master-2.openshift.example.com openshift-master-2
    +<NIC2-IP> openshift-worker-0.openshift.example.com openshift-worker-0
    +<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
    +<API-IP>  api.openshift.example.com api
    +<DNS-VIP-IP> ns1.openshift.example.com ns1
    +
    +
    +
  2. +
  3. +

    Open the appropriate firewalld DNS service and reload the rules.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dns --permanent
    +firewall-cmd --reload
    +
    +
    +
  4. +
+
+
+
+
+

5.3. Creating DHCP reservations

+
+

Two options are documented for configuring DHCP:

+
+ +
+

5.3.1. Configuring dhcpd (Option 1)

+
+

Use Option 1 if access to the appropriate DHCP server for the baremetal network is accessible or a request +to your network admin to create the DHCP reservations is an option. +If this is not an option, skip this section and go to section Create DHCP records using dnsmasq (Option 2).

+
+
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host provisioner {
    +     option host-name "provisioner";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-master-0 {
    +     option host-name "openshift-master-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-1 {
    +     option host-name "openshift-master-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-2 {
    +     option host-name "openshift-master-2";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-0 {
    +     option host-name "openshift-worker-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-1 {
    +     option host-name "openshift-worker-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+

5.3.2. Configuring dnsmasq (Option 2)

+
+

Set up dnsmasq on a server that can access the baremetal network.

+
+
+
Procedure
+
    +
  1. +

    Install dnsmasq.

    +
    +
    +
    dnf install -y dnsmasq
    +
    +
    +
  2. +
  3. +

    Change to the /etc/dnsmasq.d directory.

    +
    +
    +
    cd /etc/dnsmasq.d
    +
    +
    +
  4. +
  5. +

    Create a file that reflects your OpenShift cluster appended by .dns.

    +
    +
    +
    touch <filename>.dns
    +
    +
    +
  6. +
  7. +

    Open the appropriate firewalld DHCP service.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dhcp --permanent
    +firewall-cmd --reload
    +
    +
    +
  8. +
  9. +

    Define DNS configuration file

    +
    IPv4
    +
    +

    Here is an example of the .dns file for IPv4.

    +
    +
    +
    +
    domain-needed
    +bind-dynamic
    +bogus-priv
    +domain=openshift.example.com
    +dhcp-range=<baremetal-net-starting-ip,baremetal-net-ending-ip>
    +#dhcp-range=10.0.1.4,10.0.14
    +dhcp-option=3,<baremetal-net-gateway-ip>
    +#dhcp-option=3,10.0.1.254
    +resolv-file=/etc/resolv.conf.upstream
    +interface=<nic-with-access-to-baremetal-net>
    +#interface=em2
    +server=<ip-of-existing-server-on-baremetal-net>
    +
    +
    +#Wildcard for apps -- make changes to cluster-name (openshift) and domain (example.com)
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +
    +#Static IPs for Masters
    +dhcp-host=<NIC2-mac-address>,provisioner.openshift.example.com,<ip-of-provisioner>
    +dhcp-host=<NIC2-mac-address>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<NIC2-mac-address>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<NIC2-mac-address>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-0.openshift.example.com,<ip-of-openshift-worker-0>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-openshift-worker-1>
    +
    +
    +
  10. +
  11. +

    Create the resolv.conf.upstream file to provide DNS fowarding to an existing DNS server for resolution +to the outside world.

    +
    +
    +
    search <domain.com>
    +nameserver <ip-of-my-existing-dns-nameserver>
    +
    +
    +
  12. +
  13. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  14. +
  15. +

    Verify the dnsmasq service is running.

    +
    +
    +
    systemctl status dnsmasq
    +
    +
    +
  16. +
+
+
+
+
+
+
+ + + \ No newline at end of file diff --git a/4.3/Deployment.pdf b/4.3/Deployment.pdf new file mode 100644 index 0000000000..c6b8afbb35 Binary files /dev/null and b/4.3/Deployment.pdf differ diff --git a/4.3/Troubleshooting.html b/4.3/Troubleshooting.html new file mode 100644 index 0000000000..5af6753a34 --- /dev/null +++ b/4.3/Troubleshooting.html @@ -0,0 +1,2208 @@ + + + + + + + + + + +Troubleshooting Guide for IPI Installation + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+

While attempting to deploy Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal (BM), you may run into a situation where you need to troubleshoot your environment. This document provides troubleshooting guidance and tips in solving common issues that may arise.

+
+
+
+
+

1. Troubleshooting the installer workflow

+
+
+

Prior to troubleshooting the installation environment, it is critical to understand the overall flow of the IPI installation on bare metal. The diagrams below provide a troubleshooting flow with a step-by-step breakdown for the environment.

+
+
+

Flow-Diagram-1

+
+
+

Workflow 1 of 4 illustrates a troubleshooting workflow when the install-config.yaml file has errors or the Red Hat Enterprise Linux CoreOS (RHCOS) images are inaccessible. Troubleshooting suggestions can be found at +Troubleshooting `install-config.yaml and Post-installation Pod errors.

+
+
+

Flow-Diagram-2

+
+
+

Workflow 2 of 4 illustrates a troubleshooting workflow for bootstrap VM issues, bootstrap VMs that cannot boot up the cluster nodes, and inspecting logs.

+
+
+

Flow-Diagram-3

+
+
+

Workflow 3 of 4 illustrates a troubleshooting workflow for cluster nodes that will not PXE boot.

+
+
+

Flow-Diagram-4

+
+
+

Workflow 4 of 4 illustrates a troubleshooting workflow from + a non-accessible API to a validated installation.

+
+
+
+
+

2. Troubleshooting install-config.yaml

+
+
+

The install-config.yaml configuration file represents all of the nodes that are part of the OpenShift Container Platform cluster. The file contains the necessary options consisting of but not limited to apiVersion, baseDomain, imageContentSources (OpenShift 4.13 and below) or imageDigestSources (OpenShirt 4.14 and above), and virtual IP addresses. If errors occur early in the deployment of the OpenShift Container Platform cluster, the errors are likely in the install-config.yaml configuration file.

+
+
+
Procedure
+
    +
  1. +

    Use the guidelines in YAML-tips.

    +
  2. +
  3. +

    Verify the YAML syntax is correct using syntax-check.

    +
  4. +
  5. +

    Verify the Red Hat Enterprise Linux CoreOS (RHCOS) QEMU images are properly defined and accessible via the URL provided in the install-config.yaml. For example:

    +
    +
    +
    $ curl -s -o /dev/null -I -w "%{http_code}\n" http://webserver.example.com:8080/rhcos-44.81.202004250133-0-qemu.x86_64.qcow2.gz?sha256=7d884b46ee54fe87bbc3893bf2aa99af3b2d31f2e19ab5529c60636fbd0f1ce7
    +
    +
    +
    +

    If the output is 200, there is a valid response from the webserver storing the bootstrap VM image.

    +
    +
  6. +
+
+
+
+
+

3. Post-installation Pod errors

+
+
+

Use the following procedure to troubleshoot metal3 Pod errors during deployment.

+
+
+
Procedure
+
    +
  1. +

    Retrieve the status for the openshift-machine-api:

    +
    +
    +
    [kni@provisioner ~]$ oc get all -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                         READY   STATUS
    +pod/metal3-6c6cc7c56c-lj4lr  0/8     Init:CreateContainerConfigError
    +
    +
    +
    +

    A CreateContainerConfigError occurs if there is no ConfigMap.

    +
    +
    +
    +
      Warning  Failed     <invalid> (x7 over 32s)  kubelet, master-1.<cluster-name>.example.com  Error: configmap "metal3-config" not found
    +
    +
    +
    +

    Ensure the metal3-config.yaml file has a ConfigMap section. If there is no metal3-config.yaml, create one in the subsequent steps.

    +
    +
  2. +
  3. +

    Create the metal3-config.yaml file:

    +
    +
    +
    apiVersion: v1
    +kind: ConfigMap
    +metadata:
    +  name: metal3-config
    +  namespace: openshift-machine-api
    +data:
    +  cache_url: rhcos-43.81.202001142154.0-qemu.x86_64.qcow2.gz
    +  deploy_kernel_url: http://172.22.0.1:6180/images/ironic-python-agent.kernel
    +  deploy_ramdisk_url: http://172.22.0.1:6180/images/ironic-python-agent.initramfs
    +  dhcp_range: 172.22.0.10,172.22.0.100
    +  http_port: "6180"
    +  ironic_endpoint: http://172.22.0.1:6385/v1/
    +  ironic_inspector_endpoint: http://172.22.0.3:5050/v1/
    +  provisioning_interface: eno1
    +  provisioning_ip: 172.22.0.1/24
    +  rhcos_image_url: <URL-which-has-qcow-image>
    +
    +
    +
    + + + + + +
    + + +
    +

    Change the rhcos_image_url to the appropriate URL for the +deployment environment.

    +
    +
    +
    +
  4. +
  5. +

    Place the metal3-config.yaml file in the clusterconfigs/ocp/openshift directory:

    +
    +
    +
    [kni@provisioner ~]$ cp metal3-config.yaml clusterconfigs/ocp/openshift directory/99_metal3-config.yaml
    +
    +
    +
  6. +
  7. +

    Re-run the installation.

    +
    +
    +
    [kni@provisioner ~]$ /usr/local/bin/openshift-baremetal-install --dir /path/to/createcluster --log-level debug create cluster
    +
    +
    +
  8. +
  9. +

    Export the kubeconfig file:

    +
    +
    +
    [kni@provisioner ~]$ export KUBECONFIG=clusterconfigs/ocp/auth/kubeconfig
    +
    +
    +
  10. +
  11. +

    Verify that all OpenShift Container Platform nodes are up and running:

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                      STATUS   ROLES   AGE     VERSION
    +openshift-master-0.openshift.example.com  Ready    master  30h     v1.16.2
    +openshift-master-1.openshift.example.com  Ready    master  30h     v1.16.2
    +openshift-master-2.openshift.example.com  Ready    master  30h     v1.16.2
    +openshift-worker-0.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +openshift-worker-1.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +openshift-worker-2.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +
    +
    +
  12. +
  13. +

    If the installation fails again, review the .openshift-install.log files and proceed to the subsequent steps.

    +
  14. +
  15. +

    Check if any of the OpenShift Container Platform nodes are in a NotReady state:

    +
    +
    +
    [kni@provisioner~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                      STATUS   ROLES   AGE     VERSION
    +openshift-master-0.openshift.example.com  NotReady master  30h     v1.16.2
    +openshift-master-1.openshift.example.com  Ready    master  30h     v1.16.2
    +openshift-master-2.openshift.example.com  Ready    master  30h     v1.16.2
    +openshift-worker-0.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +openshift-worker-1.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +openshift-worker-2.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +
    +
    +
  16. +
  17. +

    Ensure the kubelet service is running on each Control Plane (master) node. For example:

    +
    +
    +
    [kni@provisioner~]$ ssh core@openshift-master-x
    +
    +
    +
    +
    +
    [core@openshift-master-x ~]$ sudo systemctl status kubelet
    +
    +
    +
    + + + + + +
    + + +
    +

    Replace master-x with the appropriate hostname and node number.

    +
    +
    +
    +
    +
    +
    ● kubelet.service - Kubernetes Kubelet
    +   Loaded: loaded (/etc/systemd/system/kubelet.service; enabled; vendor preset: enabled)
    +  Drop-In: /etc/systemd/system/kubelet.service.d
    +           └─10-default-env.conf, 20-nodenet.conf
    +   Active: inactive (dead) since Tue 2020-03-10 16:05:14 UTC; 33s ago
    + Main PID: 2358 (code=exited, status=0/SUCCESS)
    +      CPU: 3min 34.752s
    +
    +
    +
  18. +
  19. +

    Start the kubelet service as needed:

    +
    +
    +
    [core@openshift-master-x ~]$ sudo systemctl start kubelet
    +
    +
    +
    +
    +
    [core@openshift-master-x ~]$ sudo systemctl status kubelet
    +
    +
    +
    +
    +
    ● kubelet.service - Kubernetes Kubelet
    +   Loaded: loaded (/etc/systemd/system/kubelet.service; enabled; vendor preset: enabled)
    +  Drop-In: /etc/systemd/system/kubelet.service.d
    +           └─10-default-env.conf, 20-nodenet.conf
    +   Active: active (running) since Tue 2020-03-10 16:07:27 UTC; 4s ago
    +
    +
    +
  20. +
  21. +

    Check the status of the nodes:

    +
    +
    +
    [kni@provisioner~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                      STATUS   ROLES   AGE     VERSION
    +openshift-master-0.openshift.example.com  Ready    master  30h     v1.16.2
    +openshift-master-1.openshift.example.com  Ready    master  30h     v1.16.2
    +openshift-master-2.openshift.example.com  Ready    master  30h     v1.16.2
    +openshift-worker-0.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +openshift-worker-1.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +openshift-worker-2.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +
    +
    +
  22. +
+
+
+
+
+

4. Bootstrap VM issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    $ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
    + + + + + +
    + + +
    +

    The name of the bootstrap VM is always the cluster name followed by a random set of characters and ending in the word "bootstrap."

    +
    +
    +
    +
    +

    If the bootstrap VM is not running after 10-15 minutes, troubleshoot why it is not running. Possible issues include:

    +
    +
  2. +
  3. +

    Verify libvirtd is running on the system:

    +
    +
    +
    $ systemctl status libvirtd
    +
    +
    +
    +
    +
    ● libvirtd.service - Virtualization daemon
    +   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
    +   Active: active (running) since Tue 2020-03-03 21:21:07 UTC; 3 weeks 5 days ago
    +     Docs: man:libvirtd(8)
    +           https://libvirt.org
    + Main PID: 9850 (libvirtd)
    +    Tasks: 20 (limit: 32768)
    +   Memory: 74.8M
    +   CGroup: /system.slice/libvirtd.service
    +           ├─ 9850 /usr/sbin/libvirtd
    +
    +
    +
    +

    If the bootstrap VM is operational, log into it.

    +
    +
  4. +
  5. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    $ sudo virsh console example.com
    +
    +
    +
    +
    +
    Connected to domain example.com
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
    + + + + + +
    + + +
    +

    When deploying a OpenShift Container Platform cluster without the provisioning network, you must use a public IP address and not a private IP address like 172.22.0.2.

    +
    +
    +
    +
  6. +
  7. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, you can use the IPv6 IP address provided by ens3 or the IPv4 IP provided by ens4.

    +
    +
    +
    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  8. +
+
+
+

If you are not successful logging in to the bootstrap VM, you have likely encountered one of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the 172.22.0.0/24 network. Verify network connectivity on the provisioner host specifically around the provisioning network bridge. This will not be the issue if you are not using the provisioning network.

    +
  • +
  • +

    You cannot reach the bootstrap VM via the public network. When attempting +to SSH via baremetal network, verify connectivity on the +provisioner host specifically around the baremetal network bridge.

    +
  • +
  • +

    You encountered Permission denied (publickey,password,keyboard-interactive). When +attempting to access the bootstrap VM, a Permission denied error +might occur. Verify that the SSH key for the user attempting to log +into the VM is set within the install-config.yaml file.

    +
  • +
+
+
+

4.1. Bootstrap VM cannot boot up the cluster nodes

+
+

During the deployment, it is possible for the bootstrap VM to fail to boot the cluster nodes, which prevents the VM from provisioning the nodes with the RHCOS image. This scenario can arise due to:

+
+
+
    +
  • +

    A problem with the install-config.yaml file.

    +
  • +
  • +

    Issues with out-of-band network access via the baremetal network.

    +
  • +
+
+
+

To verify the issue, there are three containers related to ironic:

+
+
+
    +
  • +

    ironic-api

    +
  • +
  • +

    ironic-conductor

    +
  • +
  • +

    ironic-inspector

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    To check the container logs, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs -f <container-name>
    +
    +
    +
    +

    Replace <container-name> with one of ironic-api, ironic-conductor, or ironic-inspector. If you encounter an issue where the control plane nodes are not booting up via PXE, check the ironic-conductor pod. The ironic-conductor pod contains the most detail about the attempt to boot the cluster nodes, because it attempts to log in to the node over IPMI.

    +
    +
  4. +
+
+
+
Potential reason
+

The cluster nodes might be in the ON state when deployment started.

+
+
+
Solution
+

Power off the OpenShift Container Platform cluster nodes before you begin the +installation over IPMI:

+
+
+
+
$ ipmitool -I lanplus -U root -P <password> -H <out-of-band-ip> power off
+
+
+
+
+

4.2. Inspecting logs

+
+

When experiencing issues downloading or accessing the RHCOS images, first verify that the URL is correct in the install-config.yaml configuration file.

+
+
+
Example of internal webserver hosting RHCOS images
+
+
bootstrapOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-qemu.x86_64.qcow2.gz?sha256=9d999f55ff1d44f7ed7c106508e5deecd04dc3c06095d34d36bf1cd127837e0c
+clusterOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-openstack.x86_64.qcow2.gz?sha256=a1bda656fa0892f7b936fdc6b6a6086bddaed5dafacedcd7a1e811abb78fe3b0
+
+
+
+

The ipa-downloader and coreos-downloader containers download resources from a webserver or the external quay.io registry, whichever the install-config.yaml configuration file specifies. Verify the following two containers are up and running and inspect their logs as needed:

+
+
+
    +
  • +

    ipa-downloader

    +
  • +
  • +

    coreos-downloader

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    Check the status of the ipa-downloader and coreos-downloader containers within the bootstrap VM:

    +
    +
    +
    [core@localhost ~]$ podman logs -f ipa-downloader
    +
    +
    +
    +
    +
    [core@localhost ~]$ podman logs -f coreos-downloader
    +
    +
    +
    +

    If the bootstrap VM cannot access the URL to the images, use the curl command to verify that the VM can access the images.

    +
    +
  4. +
  5. +

    To inspect the bootkube logs that indicate if all the containers launched during the deployment phase, execute the following:

    +
    +
    +
    [core@localhost ~]$ journalctl -xe
    +
    +
    +
    +
    +
    [core@localhost ~]$ journalctl -b -f -u bootkube.service
    +
    +
    +
  6. +
  7. +

    Verify all the pods, including dnsmasq, mariadb, httpd, and ironic, are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps
    +
    +
    +
  8. +
  9. +

    If there are issues with the pods, check the logs of the containers with issues. To check the log of the ironic-api, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs <ironic-api>
    +
    +
    +
  10. +
+
+
+
+
+
+

5. Ironic Bootstrap issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes. The cluster nodes are powered on, introspected and finally provisioned using Ironic.

+
+
+

Sometimes you might need to connect to the Ironic service running on the bootstrap node virtual machine to troubleshoot issues related to Ironic.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
  2. +
  3. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh console openshift-xf6fq-bootstrap
    +
    +
    +
    +
    +
    Connected to domain openshift-xf6fq-bootstrap
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
  4. +
  5. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, the IPv6 IP provided by ens3 or the IPv4 IP provided by ens4 can be used.

    +
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ ssh core@172.22.0.2
    +
    +
    +
  6. +
  7. +

    Make sure Ironic containers are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps | grep ironic
    +90251a35d1e2  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-api
    +168e712c9996  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c6af62509b3d66effe8e16c81e42e75e124ccb5770f82efb010ecc3ebadc48b8                        2 minutes ago  Up 2 minutes ago         ironic-inspector
    +025f8247bfb0  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-conductor
    +
    +
    +
  8. +
  9. +

    Get the value for the bootstrapProvisioningIp property from your install-config.yaml.

    +
  10. +
  11. +

    Create a clouds.yaml file:

    +
    +
    +
    clouds:
    +  metal3-bootstrap:
    +    auth_type: none
    +    baremetal_endpoint_override: http://<bootstrapProvisioningIp>:6385
    +    baremetal_introspection_endpoint_override: http://<bootstrapProvisioningIp>:5050
    +
    +
    +
    + + + + + +
    + + +
    +

    Make sure in the file above you change <bootstrapProvisioningIp> with the value from your install-config.yaml file.

    +
    +
    +
    +
  12. +
  13. +

    Run the ironic-client on the bootstrap VM using podman:

    +
    +
    +
    [core@localhost ~]$ podman run -ti --rm --entrypoint /bin/bash -v /path/to/clouds.yaml:/clouds.yaml -e OS_CLOUD=metal3-bootstrap quay.io/metal3-io/ironic-client
    +
    +
    +
  14. +
  15. +

    Once you’re in the container, run the following command to see the status of the nodes on Ironic:

    +
    +
    +
    [root@1facad6bccff /]# baremetal node list
    +
    +
    +
    +

    The expected states for the nodes are clean-waitavailabledeployingwait call-backactive.

    +
    +
    +
      +
    • +

      clean-wait: The IPA (Ironic Python Agent) will clean the node main disk and write RHCOS to it. After that will report the node status back to Ironic.

      +
    • +
    • +

      available: The node has been introspected and it’s ready to be provisioned.

      +
    • +
    • +

      deploying: The node is being provisioned with RHCOS + the required Ignition configs.

      +
    • +
    • +

      wait call-back: The node is deployed and Ironic is waiting for the node to finish everything before marking the node as active.

      +
    • +
    • +

      active: The node is fully provisioned from an Ironic perspective.

      +
    • +
    +
    +
  16. +
+
+
+

If you are not getting any output, you have likely encountered of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the bootstrapProvisioningIp from the bootstrap VM.

    +
  • +
  • +

    The Ironic conductor was not able to power on and configure the nodes to boot with the IPA image.

    +
  • +
  • +

    The machine running the openshift-install binary cannot access the bootstrapProvisioningIp on port 6385.

    +
  • +
+
+
+
+
+

6. Cluster nodes will not PXE boot

+
+
+

When OpenShift Container Platform cluster nodes will not PXE boot, execute the following checks on the cluster nodes that will not PXE boot. This procedure does not apply when installing a OpenShift Container Platform cluster without the provisioning network.

+
+
+
Procedure
+
    +
  1. +

    Check the network connectivity to the provisioning network.

    +
  2. +
  3. +

    Ensure PXE is enabled on the NIC for the provisioning network and PXE is disabled for all other NICs.

    +
  4. +
  5. +

    Verify that the install-config.yaml configuration file has the proper hardware profile and boot MAC address for the NIC connected to the provisioning network. For example:

    +
    +
    Master node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: default          #master node settings
    +
    +
    +
    +
    Worker node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: unknown          #worker node settings
    +
    +
    +
  6. +
+
+
+
+
+

7. The API is not accessible

+
+
+

When the cluster is running and clients cannot access the API, domain name resolution issues might impede access to the API.

+
+
+
Procedure
+
    +
  1. +

    Hostname Resolution: Check the cluster nodes to ensure they have a fully qualified domain name, and not just localhost.localdomain. For example:

    +
    +
    +
    $ hostname
    +
    +
    +
    +

    If a hostname is not set, set the correct hostname. For example:

    +
    +
    +
    +
    $ hostnamectl set-hostname <hostname>
    +
    +
    +
  2. +
  3. +

    Incorrect Name Resolution: Ensure that each node has the correct name resolution in the DNS server using dig and nslookup. For example:

    +
    +
    +
    $ dig api.<cluster-name>.example.com
    +
    +
    +
    +
    +
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> api.<cluster-name>.example.com
    +;; global options: +cmd
    +;; Got answer:
    +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37551
    +;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    +
    +;; OPT PSEUDOSECTION:
    +; EDNS: version: 0, flags:; udp: 4096
    +; COOKIE: 866929d2f8e8563582af23f05ec44203d313e50948d43f60 (good)
    +;; QUESTION SECTION:
    +;api.<cluster-name>.example.com. IN A
    +
    +;; ANSWER SECTION:
    +api.<cluster-name>.example.com. 10800 IN	A 10.19.13.86
    +
    +;; AUTHORITY SECTION:
    +<cluster-name>.example.com. 10800 IN NS	<cluster-name>.example.com.
    +
    +;; ADDITIONAL SECTION:
    +<cluster-name>.example.com. 10800 IN A	10.19.14.247
    +
    +;; Query time: 0 msec
    +;; SERVER: 10.19.14.247#53(10.19.14.247)
    +;; WHEN: Tue May 19 20:30:59 UTC 2020
    +;; MSG SIZE  rcvd: 140
    +
    +
    +
    +

    The output in the foregoing example indicates that the appropriate IP address for the api.<cluster-name>.example.com VIP is 10.19.13.86. This IP address should reside on the baremetal network.

    +
    +
  4. +
+
+
+
+
+

8. Cleaning up previous installations

+
+
+

In the event of a previous failed deployment, remove the artifacts from the failed attempt before attempting to deploy OpenShift Container Platform again.

+
+
+
Procedure
+
    +
  1. +

    Power off all bare metal nodes prior to installing the OpenShift Container Platform cluster:

    +
    +
    +
    $ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  2. +
  3. +

    Remove all old bootstrap resources if any are left over from a previous deployment attempt:

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool default;
    +  sudo virsh vol-delete $i.ign --pool default;
    +done
    +
    +
    +
  4. +
  5. +

    Remove the following from the clusterconfigs directory to prevent Terraform from failing:

    +
    +
    +
    $ rm -rf ~/clusterconfigs/auth ~/clusterconfigs/terraform* ~/clusterconfigs/tls ~/clusterconfigs/metadata.json
    +
    +
    +
  6. +
+
+
+
+
+

9. Issues with creating the registry

+
+
+

When creating a disconnected registry, you might encounter a "User Not Authorized" error when attempting to mirror the registry. This error might occur if you fail to append the new authentication to the existing pull-secret.txt file.

+
+
+
Procedure
+
    +
  1. +

    Check to ensure authentication is successful:

    +
    +
    +
    [user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.json
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
    + + + + + +
    + + +
    +

    Example output of the variables used to mirror the install images:

    +
    +
    +
    +
    UPSTREAM_REPO=${RELEASE_IMAGE}
    +LOCAL_REG=<registry_FQDN>:<registry_port>
    +LOCAL_REPO='ocp4/openshift4'
    +
    +
    +
    +

    The values of RELEASE_IMAGE and VERSION were set during the Retrieving OpenShift Installer step of the Setting up the environment for an OpenShift installation section.

    +
    +
    +
    +
  2. +
  3. +

    After mirroring the registry, confirm that you can access it in your +disconnected environment:

    +
    +
    +
    $ curl -k -u <user>:<password> https://registry.example.com:<registry-port>/v2/_catalog
    +{"repositories":["<Repo-Name>"]}
    +
    +
    +
  4. +
+
+
+
+
+

10. Miscellaneous issues

+
+
+

10.1. Addressing the runtime network not ready error

+
+

After the deployment of a cluster you might receive the following error:

+
+
+
+
`runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: Missing CNI default network`
+
+
+
+

The Cluster Network Operator is responsible for deploying the networking components in response to a special object created by the installer. It runs very early in the installation process, after the control plane (master) nodes have come up, but before the bootstrap control plane has been torn down. It can be indicative of more subtle installer issues, such as long delays in bringing up control plane (master) nodes or issues with apiserver communication.

+
+
+
Procedure
+
    +
  1. +

    Inspect the pods in the openshift-network-operator namespace:

    +
    +
    +
    $ oc get all -n openshift-network-operator
    +
    +
    +
    +
    +
    NAME                                    READY STATUS            RESTARTS   AGE
    +pod/network-operator-69dfd7b577-bg89v   0/1   ContainerCreating 0          149m
    +
    +
    +
  2. +
  3. +

    On the provisioner node, determine that the network configuration exists:

    +
    +
    +
    $ kubectl get network.config.openshift.io cluster -oyaml
    +
    +
    +
    +
    +
    apiVersion: config.openshift.io/v1
    +kind: Network
    +metadata:
    +  name: cluster
    +spec:
    +  serviceNetwork:
    +  - 172.30.0.0/16
    +  clusterNetwork:
    +  - cidr: 10.128.0.0/14
    +    hostPrefix: 23
    +  networkType: OpenShiftSDN
    +
    +
    +
    +

    If it does not exist, the installer did not create it. To determine why the installer did not create it, execute the following:

    +
    +
    +
    +
    $ openshift-install create manifests
    +
    +
    +
  4. +
  5. +

    Check that the network-operator is running:

    +
    +
    +
    $ kubectl -n openshift-network-operator get pods
    +
    +
    +
  6. +
  7. +

    Retrieve the logs:

    +
    +
    +
    $ kubectl -n openshift-network-operator logs -l "name=network-operator"
    +
    +
    +
    +

    On high availability clusters with three or more control plane (master) nodes, the Operator will perform leader election and all other Operators will sleep. For additional details, see Troubleshooting.

    +
    +
  8. +
+
+
+
+

10.2. Cluster nodes not getting the correct IPv6 address over DHCP

+
+

If the cluster nodes are not getting the correct IPv6 address over DHCP, check the following:

+
+
+
    +
  1. +

    Ensure the reserved IPv6 addresses reside outside the DHCP range.

    +
  2. +
  3. +

    In the IP address reservation on the DHCP server, ensure the reservation specifies the correct DHCP Unique Identifier (DUID). For example:

    +
    +
    +
    # This is a dnsmasq dhcp reservation, 'id:00:03:00:01' is the client id and '18:db:f2:8c:d5:9f' is the MAC Address for the NIC
    +id:00:03:00:01:18:db:f2:8c:d5:9f,openshift-master-1,[2620:52:0:1302::6]
    +
    +
    +
  4. +
  5. +

    Ensure that route announcements are working.

    +
  6. +
  7. +

    Ensure that the DHCP server is listening on the required interfaces serving the IP address ranges.

    +
  8. +
+
+
+
+

10.3. Cluster nodes not getting the correct hostname over DHCP

+
+

During IPv6 deployment, cluster nodes must get their hostname over DHCP. Sometimes the NetworkManager does not assign the hostname immediately. A control plane (master) node might report an error such as:

+
+
+
+
Failed Units: 2
+  NetworkManager-wait-online.service
+  nodeip-configuration.service
+
+
+
+

This error indicates that the cluster node likely booted without first receiving a hostname from the DHCP server, which causes kubelet to boot +with a localhost.localdomain hostname. To address the error, force the node to renew the hostname.

+
+
+
Procedure
+
    +
  1. +

    Retrieve the hostname:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
    +

    If the hostname is localhost, proceed with the following steps.

    +
    +
    + + + + + +
    + + +
    +

    Where X is the master node number.

    +
    +
    +
    +
  2. +
  3. +

    Force the cluster node to renew the DHCP lease:

    +
    +
    +
    [core@master-X ~]$ sudo nmcli con up "<bare-metal-nic>"
    +
    +
    +
    +

    Replace <bare-metal-nic> with the wired connection corresponding to the baremetal network.

    +
    +
  4. +
  5. +

    Check hostname again:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
  6. +
  7. +

    If the hostname is still localhost.localdomain, restart NetworkManager:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart NetworkManager
    +
    +
    +
  8. +
  9. +

    If the hostname is still localhost.localdomain, wait a few minutes and check again. If the hostname remains localhost.localdomain, repeat the previous steps.

    +
  10. +
  11. +

    Restart the nodeip-configuration service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart nodeip-configuration.service
    +
    +
    +
    +

    This service will reconfigure the kubelet service with the correct hostname references.

    +
    +
  12. +
  13. +

    Reload the unit files definition since the kubelet changed in the previous step:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl daemon-reload
    +
    +
    +
  14. +
  15. +

    Restart the kubelet service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart kubelet.service
    +
    +
    +
  16. +
  17. +

    Ensure kubelet booted with the correct hostname:

    +
    +
    +
    [core@master-X ~]$ sudo journalctl -fu kubelet.service
    +
    +
    +
  18. +
+
+
+

If the cluster node is not getting the correct hostname over DHCP after the cluster is up and running, such as during a reboot, the cluster will have a pending csr. Do not approve a csr, or other issues might arise.

+
+
+
Addressing a csr
+
    +
  1. +

    Get CSRs on the cluster:

    +
    +
    +
    $ oc get csr
    +
    +
    +
  2. +
  3. +

    Verify if a pending csr contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc get csr <pending_csr> -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -text
    +
    +
    +
  4. +
  5. +

    Remove any csr that contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc delete csr <wrong_csr>
    +
    +
    +
  6. +
+
+
+
+

10.4. Routes do not reach endpoints

+
+

During the installation process, it is possible to encounter a Virtual Router Redundancy Protocol (VRRP) conflict. This conflict might occur if a previously used OpenShift Container Platform node that was once part of a cluster deployment using a specific cluster name is still running but not part of the current OpenShift Container Platform cluster deployment using that same cluster name. For example, a cluster was deployed using the cluster name openshift, deploying three control plane (master) nodes and three worker nodes. Later, a separate install uses the same cluster name openshift, but this redeployment only installed three control plane (master) nodes, leaving the three worker nodes from a previous deployment in an ON state. This might cause a Virtual Router Identifier (VRID) conflict and a VRRP conflict.

+
+
+
    +
  1. +

    Get the route:

    +
    +
    +
    $ oc get route oauth-openshift
    +
    +
    +
  2. +
  3. +

    Check the service endpoint:

    +
    +
    +
    $ oc get svc oauth-openshift
    +
    +
    +
    +
    +
    NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
    +oauth-openshift   ClusterIP   172.30.19.162   <none>        443/TCP   59m
    +
    +
    +
  4. +
  5. +

    Attempt to reach the service from a control plane (master) node:

    +
    +
    +
    [core@master0 ~]$ curl -k https://172.30.19.162
    +
    +
    +
    +
    +
    {
    +  "kind": "Status",
    +  "apiVersion": "v1",
    +  "metadata": {
    +  },
    +  "status": "Failure",
    +  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
    +  "reason": "Forbidden",
    +  "details": {
    +  },
    +  "code": 403
    +
    +
    +
  6. +
  7. +

    Identify the authentication-operator errors from the provisioner node:

    +
    +
    +
    $ oc logs deployment/authentication-operator -n openshift-authentication-operator
    +
    +
    +
    +
    +
    Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-authentication-operator", Name:"authentication-operator", UID:"225c5bd5-b368-439b-9155-5fd3c0459d98", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'OperatorStatusChanged' Status for clusteroperator/authentication changed: Degraded message changed from "IngressStateEndpointsDegraded: All 2 endpoints for oauth-server are reporting"
    +
    +
    +
  8. +
+
+
+
Solution
+
    +
  1. +

    Ensure that the cluster name for every deployment is unique, ensuring no conflict.

    +
  2. +
  3. +

    Turn off all the rogue nodes which are not part of the cluster deployment that are using the same cluster name. Otherwise, the authentication pod of the OpenShift Container Platform cluster might never start successfully.

    +
  4. +
+
+
+
+

10.5. Failed Ignition during Firstboot

+
+

During the Firstboot, the Ignition configuration may fail.

+
+
+
Procedure
+
    +
  1. +

    Connect to the node where the Ignition configuration failed:

    +
    +
    +
    Failed Units: 1
    +  machine-config-daemon-firstboot.service
    +
    +
    +
  2. +
  3. +

    Restart the machine-config-daemon-firstboot service:

    +
    +
    +
    [core@worker-X ~]$ sudo systemctl restart machine-config-daemon-firstboot.service
    +
    +
    +
  4. +
+
+
+
+

10.6. NTP out of sync

+
+

The deployment of OpenShift Container Platform clusters depends on NTP synchronized clocks among the cluster nodes. Without synchronized clocks, the deployment may fail due to clock drift if the time difference is greater than two seconds.

+
+
+
Procedure
+
    +
  1. +

    Check for differences in the AGE of the cluster nodes. For example:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                         STATUS   ROLES    AGE   VERSION
    +master-0.cloud.example.com   Ready    master   145m   v1.16.2
    +master-1.cloud.example.com   Ready    master   135m   v1.16.2
    +master-2.cloud.example.com   Ready    master   145m   v1.16.2
    +worker-2.cloud.example.com   Ready    worker   100m   v1.16.2
    +
    +
    +
  2. +
  3. +

    Check for inconsistent timing delays due to clock drift. For example:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    +
    master-1   error registering master-1  ipmi://<out-of-band-ip>
    +
    +
    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 18:20:02 UTC
    +           Universal time: Tue 2020-03-10 18:20:02 UTC
    +                 RTC time: Tue 2020-03-10 18:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: no
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
  4. +
+
+
+
Addressing clock drift in existing clusters
+
    +
  1. +

    Create a chrony.conf file and encode it as base64 string. For example:

    +
    +
    +
    $ cat << EOF | base 64
    +server <NTP-server> iburst(1)
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +EOF
    +
    +
    +
    + + + + + +
    1Replace <NTP-server> with the IP address of the NTP server. Copy the output. +
    +
    +
    [text-in-base-64]
    +
    +
    +
    +
  2. +
  3. +

    Create a MachineConfig object, replacing the base64 string with +the [text-in-base-64] string generated in the output of the previous step. The following example adds the file to the control plane (master) nodes. You can modify the file for worker nodes or make an additional machine config for the worker role.

    +
    +
    +
    $ cat << EOF > ./99_masters-chrony-configuration.yaml
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  creationTimestamp: null
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf
    +spec:
    +  config:
    +    ignition:
    +      config: {}
    +      security:
    +        tls: {}
    +      timeouts: {}
    +      version: 3.1.0
    +    networkd: {}
    +    passwd: {}
    +    storage:
    +      files:
    +      - contents:
    +          source: data:text/plain;charset=utf-8;base64,[text-in-base-64](1)
    +        group:
    +          name: root
    +        mode: 420
    +        overwrite: true
    +        path: /etc/chrony.conf
    +        user:
    +          name: root
    +  osImageURL: ""
    +
    +
    +
    + + + + + +
    1Replace [text-in-base-64] with the base64 string.
    +
    +
  4. +
  5. +

    Make a backup copy of the configuration file. For example:

    +
    +
    +
    $ cp 99_masters-chrony-configuration.yaml 99_masters-chrony-configuration.yaml.backup
    +
    +
    +
  6. +
  7. +

    Apply the configuration file:

    +
    +
    +
    $ oc apply -f ./masters-chrony-configuration.yaml
    +
    +
    +
  8. +
  9. +

    Ensure the System clock synchronized value is yes:

    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 19:10:02 UTC
    +           Universal time: Tue 2020-03-10 19:10:02 UTC
    +                 RTC time: Tue 2020-03-10 19:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: yes
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
    +

    To setup clock synchronization prior to deployment, generate the manifest files and add this file to the openshift directory. For example:

    +
    +
    +
    +
    $ cp chrony-masters.yaml ~/clusterconfigs/openshift/99_masters-chrony-configuration.yaml
    +
    +
    +
    +

    Then, continue to create the cluster.

    +
    +
  10. +
+
+
+
+
+
+

11. Reviewing the installation

+
+
+

After installation, ensure the installer deployed the nodes and pods successfully.

+
+
+
Procedure
+
    +
  1. +

    When the OpenShift Container Platform cluster nodes are installed appropriately, the following Ready state is seen within the STATUS column:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                   STATUS   ROLES           AGE  VERSION
    +master-0.example.com   Ready    master,worker   4h   v1.16.2
    +master-1.example.com   Ready    master,worker   4h   v1.16.2
    +master-2.example.com   Ready    master,worker   4h   v1.16.2
    +
    +
    +
  2. +
  3. +

    Confirm the installer deployed all pods successfully. The following command +removes any pods that are still running or have completed as part of the output.

    +
    +
    +
    $ oc get pods --all-namespaces | grep -iv running | grep -iv complete
    +
    +
    +
  4. +
+
+
+
+
+ + + \ No newline at end of file diff --git a/4.3/Troubleshooting.pdf b/4.3/Troubleshooting.pdf new file mode 100644 index 0000000000..69a89a26e1 Binary files /dev/null and b/4.3/Troubleshooting.pdf differ diff --git a/4.4/Deployment.html b/4.4/Deployment.html new file mode 100644 index 0000000000..afc4458f10 --- /dev/null +++ b/4.4/Deployment.html @@ -0,0 +1,4815 @@ + + + + + + + + + + +Deploying Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal - 4.4 + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+
+
+

1. Overview

+
+
+

Installer-provisioned installation provides support for installing OpenShift Container Platform on bare metal nodes. This guide provides a methodology to achieving a successful installation.

+
+
+

During installer-provisioned installation on bare metal, the installer on the bare metal node labeled as provisioner creates a bootstrap virtual machine (VM). The role of the bootstrap VM is to assist in the process of deploying an OpenShift Container Platform cluster. The bootstrap VM connects to the baremetal network and to the provisioning network, if present, via the network bridges.

+
+
+
+Deployment phase one +
+
+
+

When the installation of OpenShift control plane nodes is complete and fully operational, the installer destroys the bootstrap VM automatically and moves the virtual IP addresses (VIPs) to +the appropriate nodes. The API VIP moves to the control plane nodes and the Ingress VIP moves to the worker nodes.

+
+
+

The API and DNS VIPs move into the control plane nodes and the Ingress VIP services applications that reside within the worker nodes.

+
+
+
+Deployment phase two +
+
+
+
+
+

2. Prerequisites

+
+ +
+

Installer-provisioned installation of OpenShift Container Platform requires:

+
+
+
    +
  1. +

    One provisioner node with Red Hat Enterprise Linux (RHEL) 8.x installed.

    +
  2. +
  3. +

    Three control plane nodes.

    +
  4. +
  5. +

    Baseboard Management Controller (BMC) access to each node.

    +
  6. +
  7. +

    At least two networks:

    +
    +
      +
    1. +

      One required routable network

      +
    2. +
    3. +

      One required network for provisioning nodes; and,

      +
    4. +
    5. +

      One optional management network.

      +
    6. +
    +
    +
  8. +
+
+
+

Before starting an installer-provisioned installation of OpenShift Container Platform, ensure the hardware environment meets the following requirements.

+
+
+

2.1. Node requirements

+
+

Installer-provisioned installation involves a number of hardware node requirements:

+
+
+
    +
  • +

    CPU architecture: All nodes must use x86_64 CPU architecture.

    +
  • +
  • +

    Similar nodes: Red Hat recommends nodes have an identical configuration per role. That is, Red Hat recommends nodes be the same brand and model with the same CPU, memory and storage configuration.

    +
  • +
  • +

    Intelligent Platform Management Interface (IPMI): Installer-provisioned installation requires IPMI enabled on each node.

    +
  • +
  • +

    Latest generation: Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, RHEL 8 ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support RHEL 8 for the provisioner node and RHCOS 8 for the control plane and worker nodes.

    +
  • +
  • +

    Registry node: (Optional) If setting up a disconnected mirrored registry, it is recommended the registry reside in its own node.

    +
  • +
  • +

    Provisioner node: Installer-provisioned installation requires one provisioner node.

    +
  • +
  • +

    Control plane: Installer-provisioned installation requires three control plane nodes for high availability.

    +
  • +
  • +

    Worker nodes: While not required, a typical production cluster has one or more worker nodes. Smaller clusters are more resource efficient for administrators and developers during development, production, and testing.

    +
  • +
  • +

    Network interfaces: Each node must have at least one 10GB network interface for the routable baremetal network. Each node must have one 10GB network interface for a provisioning network when using the provisioning network for deployment. Using the provisioning network is the default configuration. Network interface names must follow the same naming convention across all nodes. For example, the first NIC name on a node, such as eth0 or eno1, must be the same name on all of the other nodes. The same principle applies to the remaining NICs on each node.

    +
  • +
  • +

    Unified Extensible Firmware Interface (UEFI): Installer-provisioned installation requires UEFI boot on all OpenShift Container Platform nodes when using IPv6 addressing on the provisioning network. In addition, UEFI Device PXE Settings must be set to use the IPv6 protocol on the provisioning network NIC, but omitting the provisioning network removes this requirement.

    +
  • +
+
+
+
+

2.2. Network requirements

+
+

Installer-provisioned installation of OpenShift Container Platform involves several network requirements by default. First, installer-provisioned installation involves a non-routable provisioning network for provisioning the operating system on each bare metal node and a routable baremetal network. Since installer-provisioned installation deploys ironic-dnsmasq, the networks should have no other DHCP servers running on the same broadcast domain. Network administrators must reserve IP addresses for each node in the OpenShift Container Platform cluster.

+
+
+
Network Time Protocol (NTP)
+

Each OpenShift Container Platform node in the cluster must have access to an NTP server. OpenShift Container Platform nodes use NTP to synchronize their clocks. For example, cluster nodes use SSL certificates that require validation, which might fail if the date and time between the nodes are not in sync.

+
+
+ + + + + +
+ + +
+

Define a consistent clock date and time format in each cluster node’s BIOS settings, or installation might fail.

+
+
+
+
+
Configuring NICs
+

OpenShift Container Platform deploys with two networks:

+
+
+
    +
  • +

    provisioning: The provisioning network is an optional non-routable network used for provisioning the underlying operating system on each node that is a part of the OpenShift Container Platform cluster. The network interface for the provisioning network on each cluster node must have the BIOS or UEFI configured to PXE boot. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the first NIC on each node, such as eth0 or eno1, must interface with the provisioning network. In OpenShift Container Platform 4.4 and later releases, you can specify the provisioning network NIC with the provisioningNetworkInterface configuration setting.

    +
  • +
  • +

    baremetal: The baremetal network is a routable network. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the second NIC on each node, such as eth1 or eno2, must interface with the baremetal network. In OpenShift Container Platform 4.4 and later releases, you can use any NIC order to interface with the baremetal network, provided it is the same NIC order across worker and control plane nodes and not the NIC specified in the provisioningNetworkInterface configuration setting for the provisioning network.

    +
  • +
+
+
+ + + + + +
+ + +
+

Use a compatible approach such that cluster nodes use the same NIC ordering on all cluster nodes. NICs must have heterogeneous hardware with the same NIC naming convention such as eth0 or eno1.

+
+
+
+
+ + + + + +
+ + +
+

When using a VLAN, each NIC must be on a separate VLAN corresponding to the appropriate network.

+
+
+
+
+
Configuring the DNS server
+

Clients access the OpenShift Container Platform cluster nodes over the baremetal network. A network administrator must configure a subdomain or subzone where the canonical name extension is the cluster name.

+
+
+
+
<cluster-name>.<domain-name>
+
+
+
+

For example:

+
+
+
+
test-cluster.example.com
+
+
+
+

For assistance in configuring the DNS server, check Appendix section for:

+
+ +
+
Reserving IP addresses for nodes with the DHCP server
+

For the baremetal network, a network administrator must reserve a number of IP addresses, including:

+
+
+
    +
  1. +

    Three virtual IP addresses

    +
    +
      +
    • +

      One IP address for the API endpoint

      +
    • +
    • +

      One IP address for the wildcard ingress endpoint

      +
    • +
    • +

      One IP address for the name server

      +
    • +
    +
    +
  2. +
  3. +

    One IP address for the provisioner node.

    +
  4. +
  5. +

    One IP address for each control plane (master) node.

    +
  6. +
  7. +

    One IP address for each worker node, if applicable.

    +
  8. +
+
+
+

The following table provides an exemplary embodiment of fully qualified domain names. The API and Nameserver addresses begin with canonical name extensions. The host names of the control plane and worker nodes are exemplary, so you can use any host naming convention you prefer.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
UsageHost NameIP

API

api.<cluster-name>.<domain>

<ip>

Ingress LB (apps)

*.apps.<cluster-name>.<domain>

<ip>

Nameserver

ns1.<cluster-name>.<domain>

<ip>

Provisioner node

provisioner.<cluster-name>.<domain>

<ip>

Master-0

openshift-master-0.<cluster-name>.<domain>

<ip>

Master-1

openshift-master-1.<cluster-name>-.<domain>

<ip>

Master-2

openshift-master-2.<cluster-name>.<domain>

<ip>

Worker-0

openshift-worker-0.<cluster-name>.<domain>

<ip>

Worker-1

openshift-worker-1.<cluster-name>.<domain>

<ip>

Worker-n

openshift-worker-n.<cluster-name>.<domain>

<ip>

+
+

For assistance in configuring the DHCP server, check Appendix section for:

+
+ +
+
+

2.3. Configuring nodes

+
+
Configuring nodes when using the provisioning network
+

Each node in the cluster requires the following configuration for proper installation.

+
+
+ + + + + +
+ + +
+

A mismatch between nodes will cause an installation failure.

+
+
+
+
+

While the cluster nodes can contain more than two NICs, the installation process only focuses on the first two NICs:

+
+ +++++ + + + + + + + + + + + + + + + + + +

NIC

Network

VLAN

NIC1

provisioning

<provisioning-vlan>

NIC2

baremetal

<baremetal-vlan>

+
+

NIC1 is a non-routable network (provisioning) that is only used for the installation of the OpenShift Container Platform cluster.

+
+
+

The Red Hat Enterprise Linux (RHEL) 8.x installation process on the provisioner node might vary. To install Red Hat Enterprise Linux (RHEL) 8.x using a local Satellite server or a PXE server, PXE-enable NIC2.

+
+ ++++ + + + + + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled provisioning network

1

NIC2 baremetal network. PXE-enabled is optional.

2

+
+ + + + + +
+ + +
+

Ensure PXE is disabled on all other NICs.

+
+
+
+
+

Configure the control plane and worker nodes as follows:

+
+ ++++ + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled (provisioning network)

1

+
+
Configuring nodes without the provisioning network
+

The installation process requires one NIC:

+
+ +++++ + + + + + + + + + + + + +

NIC

Network

VLAN

NICx

baremetal

<baremetal-vlan>

+
+

NICx is a routable network (baremetal) that is used for the installation of the OpenShift Container Platform cluster, and routable to the internet.

+
+
+
+

2.4. Out-of-band management

+
+

Nodes will typically have an additional NIC used by the Baseboard Management Controllers (BMCs). These BMCs must be accessible from the provisioner node.

+
+
+

Each node must be accessible via out-of-band management. When using an out-of-band management network, the provisioner node requires access to the out-of-band management network for a successful OpenShift Container Platform 4 installation.

+
+
+

The out-of-band management setup is out of scope for this document. We recommend setting up a separate management network for out-of-band management. However, using the provisioning network or the baremetal network are valid options.

+
+
+
+

2.5. Required data for installation

+
+

Prior to the installation of the OpenShift Container Platform cluster, gather the following information from all cluster nodes:

+
+
+
    +
  • +

    Out-of-band management IP

    +
    +
      +
    • +

      Examples

      +
      +
        +
      • +

        Dell (iDRAC) IP

        +
      • +
      • +

        HP (iLO) IP

        +
      • +
      +
      +
    • +
    +
    +
  • +
  • +

    NIC1 (provisioning) MAC address

    +
  • +
  • +

    NIC2 (baremetal) MAC address

    +
  • +
  • +

    NICx (baremetal) MAC address

    +
  • +
+
+
+
+

2.6. Validation checklist for nodes

+
+
When using the provisioning network
+
    +
  • +

    NIC1 VLAN is configured for the provisioning network.

    +
  • +
  • +

    NIC2 VLAN is configured for the baremetal network.

    +
  • +
  • +

    NIC1 is PXE-enabled on the provisioner, Control Plane (master), and worker nodes.

    +
  • +
  • +

    PXE has been disabled on all other NICs.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    NICx VLAN is configured for the baremetal network.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
Summary
+

After an environment has been prepared according to the documented prerequisites, the installation process is the same as other installer-provisioned platforms.

+
+
+
+
+
+

3. Setting up the environment for an OpenShift installation

+
+ +
+

3.1. Installing RHEL on the provisioner node

+
+

With the networking configuration complete, the next step is to install RHEL 8.X on the provisioner node. The installer uses the provisioner node as the orchestrator while installing the OpenShift Container Platform cluster. For the purposes of this document, installing RHEL on the provisioner node is out of scope. However, options include but are not limited to using a RHEL Satellite server, PXE, or installation media.

+
+
+
+

3.2. Preparing the provisioner node for OpenShift Container Platform installation

+
+

Perform the following steps to prepare the environment.

+
+
+
Procedure
+
    +
  1. +

    Log in to the provisioner node via ssh.

    +
  2. +
  3. +

    Create a non-root user (kni) and provide that user with sudo privileges.

    +
    +
    +
    [root@provisioner ~]# useradd kni
    +[root@provisioner ~]# passwd kni
    +[root@provisioner ~]# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    +[root@provisioner ~]# chmod 0440 /etc/sudoers.d/kni
    +
    +
    +
  4. +
  5. +

    Create an ssh key for the new user.

    +
    +
    +
    [root@provisioner ~]# su - kni -c "ssh-keygen -t rsa -f /home/kni/.ssh/id_rsa -N ''"
    +
    +
    +
  6. +
  7. +

    Log in as the new user on the provisioner node.

    +
    +
    +
    [root@provisioner ~]# su - kni
    +[kni@provisioner ~]$
    +
    +
    +
  8. +
  9. +

    Use Red Hat Subscription Manager to register the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ sudo subscription-manager register --username=<user> --password=<pass> --auto-attach
    +[kni@provisioner ~]$ sudo subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms --enable=rhel-8-for-x86_64-baseos-rpms
    +
    +
    +
    + + + + + +
    + + +
    +

    For more information about Red Hat Subscription Manager, see Using and Configuring Red Hat Subscription Manager.

    +
    +
    +
    +
  10. +
  11. +

    Install the following packages.

    +
    +
    +
    [kni@provisioner ~]$ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitool
    +
    +
    +
  12. +
  13. +

    Modify the user to add the libvirt group to the newly created user.

    +
    +
    +
    [kni@provisioner ~]$ sudo usermod --append --groups libvirt <user>
    +
    +
    +
  14. +
  15. +

    Restart firewalld and enable the http service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start firewalld
    +[kni@provisioner ~]$ sudo firewall-cmd --zone=public --add-service=http --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --reload
    +
    +
    +
  16. +
  17. +

    Start and enable the libvirtd service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start libvirtd
    +[kni@provisioner ~]$ sudo systemctl enable libvirtd --now
    +
    +
    +
  18. +
  19. +

    Create the default storage pool and start it.

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images
    +[kni@provisioner ~]$ sudo virsh pool-start default
    +[kni@provisioner ~]$ sudo virsh pool-autostart default
    +
    +
    +
  20. +
  21. +

    Configure networking.

    +
    + + + + + +
    + + +
    +

    This step can also be run from the web console.

    +
    +
    +
    +
    +
    Provisioning Network (IPv4 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv4.addresses 172.22.0.1/24 ipv4.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv4 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    +
    Provisioning Network (IPv6 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv6.addresses fd00:1101::1/64 ipv6.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv6 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    Ensure that UEFI is enabled and UEFI PXE settings are set to the IPv6 protocol when using IPv6 addressing.

    +
    +
    +
    +
  22. +
  23. +

    ssh back into the provisioner node (if required).

    +
    +
    +
    # ssh kni@provisioner.<cluster-name>.<domain>
    +
    +
    +
  24. +
  25. +

    Verify the connection bridges have been properly created.

    +
    +
    +
    [kni@provisioner ~]$ nmcli con show
    +
    +
    +
    +
    +
    NAME               UUID                                  TYPE      DEVICE
    +baremetal          4d5133a5-8351-4bb9-bfd4-3af264801530  bridge    baremetal
    +provisioning       43942805-017f-4d7d-a2c2-7cb3324482ed  bridge    provisioning
    +virbr0             d9bca40f-eee1-410b-8879-a2d4bb0465e7  bridge    virbr0
    +bridge-slave-eno1  76a8ed50-c7e5-4999-b4f6-6d9014dd0812  ethernet  eno1
    +bridge-slave-eno2  f31c3353-54b7-48de-893a-02d2b34c4736  ethernet  eno2
    +
    +
    +
  26. +
  27. +

    Create a pull-secret.txt file.

    +
    +
    +
    [kni@provisioner ~]$ vim pull-secret.txt
    +
    +
    +
    +

    In a web browser, navigate to Install on Bare Metal with user-provisioned infrastructure, and scroll down to the Downloads section. Click Copy pull secret. Paste the contents into the pull-secret.txt file and save the contents in the kni user’s home directory.

    +
    +
  28. +
+
+
+
+

3.3. Retrieving the OpenShift Container Platform installer (GA Release)

+
+

Use the latest-4.x version of the installer to deploy the latest generally +available version of OpenShift Container Platform:

+
+
+
+
[kni@provisioner ~]$ export VERSION=latest-4.4
+export RELEASE_IMAGE=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')
+
+
+
+
+

3.4. Extracting the OpenShift Container Platform installer (GA Release)

+
+

After retrieving the installer, the next step is to extract it.

+
+
+
Procedure
+
    +
  1. +

    Set the environment variables:

    +
    +
    +
    [kni@provisioner ~]$ export cmd=openshift-baremetal-install
    +[kni@provisioner ~]$ export pullsecret_file=~/pull-secret.txt
    +[kni@provisioner ~]$ export extract_dir=$(pwd)
    +
    +
    +
  2. +
  3. +

    Get the oc binary:

    +
    +
    +
    [kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux.tar.gz | tar zxvf - oc
    +
    +
    +
  4. +
  5. +

    Extract the installer:

    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +[kni@provisioner ~]$ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${RELEASE_IMAGE}
    +[kni@provisioner ~]$ sudo cp openshift-baremetal-install /usr/local/bin
    +
    +
    +
  6. +
+
+
+
+

3.5. Creating an RHCOS images cache (optional)

+
+

To employ image caching, you must download two images: the Red Hat Enterprise Linux CoreOS (RHCOS) image used by the bootstrap VM and the RHCOS image used by the installer to provision the different nodes. Image caching is optional, but especially useful when running the installer on a network with limited bandwidth.

+
+
+

If you are running the installer on a network with limited bandwidth and the RHCOS images download takes more than 15 to 20 minutes, the installer will timeout. Caching images on a web server will help in such scenarios.

+
+
+

Use the following steps to install a container that contains the images.

+
+
+
    +
  1. +

    Install podman.

    +
    +
    +
    $ sudo dnf install -y podman
    +
    +
    +
  2. +
  3. +

    Open firewall port 8080 to be used for RHCOS image caching.

    +
    +
    +
    $ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent
    +$ sudo firewall-cmd --reload
    +
    +
    +
  4. +
  5. +

    Create a directory to store the bootstraposimage and clusterosimage.

    +
    +
    +
    $ mkdir /home/kni/rhcos_image_cache
    +
    +
    +
  6. +
  7. +

    Set the appropriate SELinux context for the newly created directory.

    +
    +
    +
    $ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"
    +$ sudo restorecon -Rv rhcos_image_cache/
    +
    +
    +
  8. +
  9. +

    Get the commit ID from the installer. The ID determines which images the installer needs to download.

    +
    +
    +
    $ export COMMIT_ID=$(/usr/local/bin/openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
    +
    +
    +
  10. +
  11. +

    Get the URI for the RHCOS image that the installer will deploy on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.openstack.path | sed 's/"//g')
    +
    +
    +
  12. +
  13. +

    Get the URI for the RHCOS image that the installer will deploy on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.qemu.path | sed 's/"//g')
    +
    +
    +
  14. +
  15. +

    Get the path where the images are published.

    +
    +
    +
    $ export RHCOS_PATH=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .baseURI | sed 's/"//g')
    +
    +
    +
  16. +
  17. +

    Get the SHA hash for the RHCOS image that will be deployed on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_SHA_UNCOMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.qemu["uncompressed-sha256"]')
    +
    +
    +
  18. +
  19. +

    Get the SHA hash for the RHCOS image that will be deployed on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_SHA_COMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.openstack.sha256')
    +
    +
    +
  20. +
  21. +

    Download the images and place them in the /home/kni/rhcos_image_cache directory.

    +
    +
    +
    $ curl -L ${RHCOS_PATH}${RHCOS_QEMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI}
    +$ curl -L ${RHCOS_PATH}${RHCOS_OPENSTACK_URI} -o /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI}
    +
    +
    +
  22. +
  23. +

    Confirm SELinux type is of httpd_sys_content_t for the newly created files.

    +
    +
    +
    $ ls -Z /home/kni/rhcos_image_cache
    +
    +
    +
  24. +
  25. +

    Create the pod.

    +
    +
    +
    $ podman run -d --name rhcos_image_cache \
    +-v /home/kni/rhcos_image_cache:/var/www/html \
    +-p 8080:8080/tcp \
    +quay.io/centos7/httpd-24-centos7:latest
    +
    +
    +
  26. +
  27. +

    Generate the bootstrapOSImage and clusterOSImage configuration.

    +
    +
    +
    $ export BAREMETAL_IP=$(ip addr show dev baremetal | awk '/inet /{print $2}' | cut -d"/" -f1)
    +$ export RHCOS_OPENSTACK_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI} | sha256sum | awk '{print $1}')
    +$ export RHCOS_QEMU_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI} | sha256sum | awk '{print $1}')
    +$ export CLUSTER_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_OPENSTACK_URI}?sha256=${RHCOS_OPENSTACK_SHA256}"
    +$ export BOOTSTRAP_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_QEMU_URI}?sha256=${RHCOS_QEMU_SHA256}"
    +$ echo "${RHCOS_OPENSTACK_SHA256}  ${RHCOS_OPENSTACK_URI}" > /home/kni/rhcos_image_cache/rhcos-ootpa-latest.qcow2.md5sum
    +$ echo "    bootstrapOSImage=${BOOTSTRAP_OS_IMAGE}"
    +$ echo "    clusterOSImage=${CLUSTER_OS_IMAGE}"
    +
    +
    +
  28. +
  29. +

    Add the required configuration to the install-config.yaml file under platform.baremetal.

    +
    +
    +
    platform:
    +  baremetal:
    +    bootstrapOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_QEMU_URI>?sha256=<RHCOS_QEMU_SHA256>
    +    clusterOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_OPENSTACK_URI>?sha256=<RHCOS_OPENSTACK_SHA256>
    +
    +
    +
    +

    See the Configuring the install-config.yaml file section for additional details.

    +
    +
  30. +
+
+
+
+

3.6. Configuration files

+
+

3.6.1. Configuring the install-config.yaml file

+
+

The install-config.yaml file requires some additional details. +Most of the information is teaching the installer and the resulting cluster enough about the available hardware so that it is able to fully manage it.

+
+
+
    +
  1. +

    Configure install-config.yaml. Change the appropriate variables to match the environment, including pullSecret and sshKey.

    +
    +
    +
    apiVersion: v1
    +basedomain: <domain>
    +metadata:
    +  name: <cluster-name>
    +networking:
    +  machineCIDR: <public-cidr>
    +  networkType: OVNKubernetes
    +compute:
    +- name: worker
    +  replicas: 2 (1)
    +controlPlane:
    +  name: master
    +  replicas: 3
    +  platform:
    +    baremetal: {}
    +platform:
    +  baremetal:
    +    apiVIP: <api-ip>
    +    ingressVIP: <wildcard-ip>
    +    dnsVIP: <dns-ip>
    +    provisioningNetworkInterface: <NIC1>
    +    provisioningNetworkCIDR: <CIDR>
    +    hosts:
    +      - name: openshift-master-0
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip> (2)
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-1
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-2
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-worker-0
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +      - name: openshift-worker-1
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +pullSecret: '<pull_secret>'
    +sshKey: '<ssh_pub_key>'
    +
    +
    +
    + + + + + + + + + +
    1Scale the worker machines based on the number of worker nodes that are part of the OpenShift Container Platform cluster.
    2Refer to the BMC addressing for more options
    +
    +
  2. +
  3. +

    Create a directory to store cluster configs.

    +
    +
    +
    [kni@provisioner ~]$ mkdir ~/clusterconfigs
    +[kni@provisioner ~]$ cp install-config.yaml ~/clusterconfigs
    +
    +
    +
  4. +
  5. +

    Ensure all bare metal nodes are powered off prior to installing the OpenShift Container Platform cluster.

    +
    +
    +
    [kni@provisioner ~]$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  6. +
  7. +

    Remove old bootstrap resources if any are left over from a previous deployment attempt.

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool default;
    +  sudo virsh vol-delete $i.ign --pool default;
    +done
    +
    +
    +
  8. +
+
+
+
+

3.6.2. Setting proxy settings within the install-config.yaml file (optional)

+
+

To deploy an OpenShift Container Platform cluster using a proxy, make the following changes to the install-config.yaml file.

+
+
+
+
apiVersion: v1
+baseDomain: <domain>
+proxy:
+  httpProxy: http://USERNAME:PASSWORD@proxy.example.com:PORT
+  httpsProxy: https://USERNAME:PASSWORD@proxy.example.com:PORT
+  noProxy: <WILDCARD_OF_DOMAIN>,<PROVISIONING_NETWORK/CIDR>,<BMC_ADDRESS_RANGE/CIDR>
+
+
+
+

See below for an example of noProxy with values.

+
+
+
+
noProxy: .example.com,172.22.0.0/24,10.10.0.0/24
+
+
+
+

With a proxy enabled, set the appropriate values of the proxy in the corresponding key/value pair.

+
+
+

Key considerations:

+
+
+
    +
  • +

    If the proxy does not have an HTTPS proxy, change the value of httpsProxy from https:// to http://.

    +
  • +
  • +

    If using a provisioning network, include it in the noProxy setting, otherwise the installer will fail.

    +
  • +
  • +

    Set all of the proxy settings as environment variables within the provisioner node. For example, HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

    +
  • +
+
+
+
+

3.6.3. Modifying the install-config.yaml file for no provisioning network (optional)

+
+

To deploy an OpenShift Container Platform cluster without a provisioning network, make the following changes to the install-config.yaml file.

+
+
+
+

3.6.4. Additional install-config parameters

+
+

See the following tables for the required parameters, the hosts parameter, +and the bmc parameter for the install-config.yaml file.

+
+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1. Required parameters
ParametersDefaultDescription

baseDomain

The domain name for the cluster. For example, example.com.

bootMode

legacy

The boot mode for a node. Options are legacy, UEFI and UEFISecureBoot.

sshKey

The sshKey configuration setting contains the key in the ~/.ssh/id_rsa.pub file required to access the control plane nodes and worker nodes. Typically, this key is from the provisioner node.

pullSecret

The pullSecret configuration setting contains a copy of the pull secret downloaded from the Install OpenShift on Bare Metal page when preparing the provisioner node.

+
+
metadata:
+    name:
+
+

The name to be given to the OpenShift Container Platform cluster. For example, openshift.

+
+
networking:
+    machineCIDR:
+
+

The public CIDR (Classless Inter-Domain Routing) of the external network. For example, 10.0.0.0/24 +.

+
+
compute:
+  - name: worker
+
+

The OpenShift Container Platform cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes.

+
+
compute:
+    replicas: 2
+
+

Replicas sets the number of worker (or compute) nodes in the OpenShift Container Platform cluster.

+
+
controlPlane:
+    name: master
+
+

The OpenShift Container Platform cluster requires a name for control plane (master) nodes.

+
+
controlPlane:
+    replicas: 3
+
+

Replicas sets the number of control plane (master) nodes included as part of the OpenShift Container Platform cluster.

+

provisioningNetworkInterface

+

The name of the network interface on control plane nodes connected to the +provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

apiVIP

api.<clustername.clusterdomain>

The VIP to use for internal API communication.

+

This setting must either be provided or pre-configured in the DNS so that the +default name resolves correctly.

disableCertificateVerification

False

redfish and redfish-virtualmedia need this parameter to manage BMC addresses. The value should be True when using a self-signed certificate for BMC addresses.

ingressVIP

test.apps.<clustername.clusterdomain>

The VIP to use for ingress traffic.

+

Provide this setting or pre-configure it in the DNS so that the default name resolves correctly.

dnsVIP

The VIP to use for internal DNS communication.

+

This setting has no default and must always be provided.

+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2. Optional Parameters
ParametersDefaultDescription

provisioningDHCPExternal

false

Defines if the installer uses an external DHCP or the provisioner node DHCP.

provisioningDHCPRange

172.22.0.10,172.22.0.100

Defines the IP range for nodes on the provisioning network.

+

provisioningNetworkCIDR

+

172.22.0.0/24

The CIDR for the network to use for provisioning. This option is required when not using the default address range on the provisioning network.

clusterProvisioningIP

The third IP address of the provisioningNetworkCIDR.

The IP address within the cluster where the provisioning services run. Defaults to the third IP address of the provisioning subnet. For example, 172.22.0.3.

bootstrapProvisioningIP

The second IP address of the provisioningNetworkCIDR.

The IP address on the bootstrap VM where the provisioning services run while the installer is deploying the control plane (master) nodes. Defaults to the second IP address of the provisioning subnet. For example, 172.22.0.2 +.

externalBridge

baremetal

The name of the baremetal bridge of the hypervisor attached to the baremetal network.

provisioningBridge

provisioning

The name of the provisioning bridge on the provisioner host attached to the provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

bootstrapOSImage

A URL to override the default operating system image for the bootstrap node. The URL must contain a SHA-256 hash of the image. For example: +https://mirror.openshift.com/rhcos-<version>-qemu.qcow2.gz?sha256=<uncompressed_sha256>; +.

clusterOSImage

A URL to override the default operating system for cluster nodes. The URL must include a SHA-256 hash of the image. For example, https://mirror.openshift.com/images/rhcos-<version>-openstack.qcow2.gz?sha256=<compressed_sha256>;.

provisioningNetwork

Set this parameter to Disabled to disable the requirement for a provisioning network. User may only do virtual media based provisioning, or bring up the cluster using assisted installation. If using power management, BMC’s must be accessible from the machine networks. User must provide two IP addresses on the external network that are used for the provisioning services.

+
+
Hosts
+

The hosts parameter is a list of separate bare metal assets used to build the cluster.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Name

Default

Description

name

The name of the BareMetalHost resource to associate with the details. For example, openshift-master-0.

role

The role of the bare metal node. Either master or worker.

bmc

Connection details for the baseboard management controller. See the BMC addressing section for additional details.

bootMACAddress

The MAC address of the NIC the host will use to boot on the provisioning network.

hardwareProfile

default

This parameter exposes the device name that the installer attempts to deploy the OpenShift Container Platform cluster for the control plane and worker nodes. The value defaults to default for control plane nodes and unknown for worker nodes. The list of profiles includes: default, libvirt, dell, dell-raid, and openstack. The default parameter attempts to install on /dev/sda of the OpenShift Container Platform cluster nodes.

+
+
+

3.6.5. BMC addressing

+
+

Most vendors support BMC addressing with the Intelligent Platform Management Interface or IPMI. IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center or SDDC. Redfish is human readable and machine capable, and leverages common Internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.

+
+
+
IPMI
+

Hosts using IPMI use the ipmi://<out-of-band-ip>:<port> address format, which defaults to port 623 if not specified. The following example demonstrates an IPMI configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: ipmi://<out-of-band-ip>
+          username: <user>
+          password: <password>
+
+
+
+
Redfish network boot
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
BMC addressing for Dell iDRAC
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For Dell hardware, Red Hat supports integrated Dell Remote Access Controller (iDRAC) virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 3. BMC address formats for Dell iDRAC
ProtocolAddress Format

iDRAC virtual media

idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

IPMI

ipmi://<out-of-band-ip>

+
+ + + + + +
+ + +
+

Use idrac-virtualmedia as the protocol for Redfish virtual media. redfish-virtualmedia will not work on Dell hardware. Dell’s idrac-virtualmedia uses the Redfish standard with Dell’s OEM extensions.

+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for Dell iDRAC
+

For Redfish virtual media on Dell servers, use idrac-virtualmedia:// in the address setting. Using redfish-virtualmedia:// will not work.

+
+
+

The following example demonstrates using iDRAC virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

Use idrac-virtualmedia:// as the protocol for Redfish virtual media. Using redfish-virtualmedia:// will not work on Dell hardware, because the idrac-virtualmedia:// protocol corresponds to the idrac hardware type and the Redfish protocol in Ironic. Dell’s idrac-virtualmedia:// protocol uses the Redfish standard with Dell’s OEM extensions. Ironic also supports the idrac type with the WSMAN protocol. Therefore, you must specify idrac-virtualmedia:// to avoid unexpected behavior when electing to use Redfish with virtual media on Dell hardware.

+
+
+
+
+
Redfish network boot for iDRAC
+

To enable Redfish, use redfish:// or redfish+http:// to disable transport layer security (TLS). The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell hardware with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

The redfish:// URL protocol corresponds to the redfish hardware type in Ironic.

+
+
+
+
+
+
BMC addressing for HPE iLO
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For HPE integrated Lights Out (iLO), Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 4. BMC address formats for HPE iLO
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/1

IPMI

ipmi://<out-of-band-ip>

+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for HPE iLO
+

To enable Redfish virtual media for HPE servers, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Redfish virtual media is not supported on 9th generation systems running iLO4, because Ironic does not support iLO4 with virtual media.

+
+
+
+
+
Redfish network boot for HPE iLO
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
BMC addressing for KVM with sushy-tools Redfish emulator
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For KVM working with sushy-tools Redfish emulator, Red Hat supports Redfish virtual media and Redfish network boot.

+
+ + ++++ + + + + + + + + + + + + + + + + +
Table 5. BMC address formats for KVM with sushy-tools Redfish emulator
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

Redfish network boot

redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

+
+ + + + + +
+ + +
+

The sushy-tools Redfish emulator runs from the KVM hypervisor and a single instance acts as the virtual BMC for all the guest machines. This means both the out of band IP address and port, will be same and each individual machine must be identified by its System ID.

+
+
+

You may retrieve the System ID of your guest machines with the following command:

+
+
+
+
---
+$ virsh list --all --name --uuid
+d8ac6bf8-3062-4954-84c3-e097faa17025 compute-0
+84971a71-3935-4a92-8d90-a9f8440dac09 compute-1
+92430f42-8805-4412-959a-2a7252c7c540 compute-2
+0fea5296-db95-41d7-9295-f57cfa50255f control-plane-0
+4986e405-fd3a-483d-9210-8cb120b98f80 control-plane-1
+26bf228c-44fd-4c49-9e6f-44f4b5968b34 control-plane-2
+---
+
+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for KVM with sushy-tools Redfish emulator
+

To enable Redfish virtual media for KVM environments running the sushy-tools Redfish emulator, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
Redfish network boot for KVM with sushy-tools Redfish emulator
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires the host name or the IP address, the Redfish emulator listening port and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
+

3.6.6. Root device hints

+
+

The rootDeviceHints parameter enables the installer to provision the Red Hat Enterprise Linux CoreOS (RHCOS) image to a particular device. The installer examines the devices in the order it discovers them, and compares the discovered values with the hint values. The installer uses the first discovered device that matches the hint value. The configuration can combine multiple hints, but a device must match all hints for the installer to select it.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 6. Subfields
SubfieldDescription

deviceName

A string containing a Linux device name like /dev/vda. The hint must match the actual value exactly.

hctl

A string containing a SCSI bus address like 0:0:0:0. The hint must match the actual value exactly.

model

A string containing a vendor-specific device identifier. The hint can be a substring of the actual value.

vendor

A string containing the name of the vendor or manufacturer of the device. The hint can be a sub-string of the actual value.

serialNumber

A string containing the device serial number. The hint must match the actual value exactly.

minSizeGigabytes

An integer representing the minimum size of the device in gigabytes.

wwn

A string containing the unique storage identifier. The hint must match the actual value exactly.

wwnWithExtension

A string containing the unique storage identifier with the vendor extension appended. The hint must match the actual value exactly.

wwnVendorExtension

A string containing the unique vendor storage identifier. The hint must match the actual value exactly.

rotational

A Boolean indicating whether the device should be a rotating disk (true) or not (false).

+
+
Example usage
+
+
     - name: master-0
+       role: master
+       bmc:
+         address: ipmi://10.10.0.3:6203
+         username: admin
+         password: redhat
+       bootMACAddress: de:ad:be:ef:00:40
+       rootDeviceHints:
+         deviceName: "/dev/sda"
+
+
+
+
+

3.6.7. Creating the OpenShift Container Platform manifests

+
+
    +
  1. +

    Create the OpenShift Container Platform manifests.

    +
    +
    +
    [kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs create manifests
    +
    +
    +
    +
    +
    INFO Consuming Install Config from target directory
    +WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
    +WARNING Discarding the Openshift Manifest that was provided in the target directory because its dependencies are dirty and it needs to be regenerated
    +
    +
    +
  2. +
+
+
+
+
+

3.7. Creating a disconnected registry (optional)

+
+

In some cases, you might want to install an OpenShift Container Platform cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.

+
+
+

A local, or mirrored, copy of the registry requires the following:

+
+
+
    +
  • +

    A certificate for the registry node. This can be a self-signed certificate.

    +
  • +
  • +

    A web server that a container on a system will serve.

    +
  • +
  • +

    An updated pull secret that contains the certificate and local repository information.

    +
  • +
+
+
+ + + + + +
+ + +
+

Creating a disconnected registry on a registry node is optional. The subsequent sections indicate that they are optional since they are steps you need to execute only when creating a disconnected registry on a registry node. You should execute all of the subsequent sub-sections labeled "(optional)" when creating a disconnected registry on a registry node.

+
+
+
+
+

3.7.1. Preparing the registry node to host the mirrored registry (optional)

+
+

Make the following changes to the registry node.

+
+
+
Procedure
+
    +
  1. +

    Open the firewall port on the registry node.

    +
    +
    +
    [user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[user@registry ~]$ sudo firewall-cmd --reload
    +
    +
    +
  2. +
  3. +

    Install the required packages for the registry node.

    +
    +
    +
    [user@registry ~]$ sudo yum -y install python3 podman httpd httpd-tools jq
    +
    +
    +
  4. +
  5. +

    Create the directory structure where the repository information will be held.

    +
    +
    +
    [user@registry ~]$ sudo mkdir -p /opt/registry/{auth,certs,data}
    +
    +
    +
  6. +
+
+
+
+

3.7.2. Generating the self-signed certificate (optional)

+
+

Generate a self-signed certificate for the registry node and put it in the /opt/registry/certs directory.

+
+
+
Procedure
+
    +
  1. +

    Adjust the certificate information as appropriate.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +[user@registry ~]$ cert_c="<Country Name>"   # Country Name (C, 2 letter code)
    +[user@registry ~]$ cert_s="<State>"          # Certificate State (S)
    +[user@registry ~]$ cert_l="<Locality>"       # Certificate Locality (L)
    +[user@registry ~]$ cert_o="<Organization>"   # Certificate Organization (O)
    +[user@registry ~]$ cert_ou="<Org Unit>"      # Certificate Organizational Unit (OU)
    +[user@registry ~]$ cert_cn="${host_fqdn}"    # Certificate Common Name (CN)
    +
    +[user@registry ~]$ openssl req \
    +    -newkey rsa:4096 \
    +    -nodes \
    +    -sha256 \
    +    -keyout /opt/registry/certs/domain.key \
    +    -x509 \
    +    -days 365 \
    +    -out /opt/registry/certs/domain.crt \
    +    -addext "subjectAltName = DNS:${host_fqdn}" \
    +    -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
    +
    +
    +
    + + + + + +
    + + +When replacing <Country Name>, ensure that it only contains two letters. For example, US. +
    +
    +
  2. +
  3. +

    Update the registry node’s ca-trust with the new certificate.

    +
    +
    +
    [user@registry ~]$ sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    +[user@registry ~]$ sudo update-ca-trust extract
    +
    +
    +
  4. +
+
+
+
+

3.7.3. Creating the registry podman container (optional)

+
+

The registry container uses the /opt/registry directory for certificates, authentication files, and to store its data files.

+
+
+

The registry container uses httpd and needs an htpasswd file for authentication.

+
+
+
Procedure
+
    +
  1. +

    Create an htpasswd file in /opt/registry/auth for the container to use.

    +
    +
    +
    [user@registry ~]$ htpasswd -bBc /opt/registry/auth/htpasswd <user> <passwd>
    +
    +
    +
    +

    Replace <user> with the user name and <passwd> with the password.

    +
    +
  2. +
  3. +

    Create and start the registry container.

    +
    +
    +
    [user@registry ~]$ podman create \
    +  --name ocpdiscon-registry \
    +  -p 5000:5000 \
    +  -e "REGISTRY_AUTH=htpasswd" \
    +  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
    +  -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
    +  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
    +  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
    +  -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
    +  -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true" \
    +  -v /opt/registry/data:/var/lib/registry:z \
    +  -v /opt/registry/auth:/auth:z \
    +  -v /opt/registry/certs:/certs:z \
    +  docker.io/library/registry:2
    +
    +
    +
    +
    +
    [user@registry ~]$ podman start ocpdiscon-registry
    +
    +
    +
  4. +
+
+
+
+

3.7.4. Copy and update the pull-secret (optional)

+
+

Copy the pull secret file from the provisioner node to the registry node and modify it to include the authentication information for the new registry node.

+
+
+
Procedure
+
    +
  1. +

    Copy the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ scp kni@provisioner:/home/kni/pull-secret.txt pull-secret.txt
    +
    +
    +
  2. +
  3. +

    Update the host_fqdn environment variable with the fully qualified domain name of the registry node.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +
    +
    +
  4. +
  5. +

    Update the b64auth environment variable with the base64 encoding of the http credentials used to create the htpasswd file.

    +
    +
    +
    [user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 )
    +
    +
    +
    +

    Replace <username> with the user name and <passwd> with the password.

    +
    +
  6. +
  7. +

    Set the AUTHSTRING environment variable to use the base64 authorization string. The $USER variable is an environment variable containing the name of the current user.

    +
    +
    +
    [user@registry ~]$ AUTHSTRING="{\"$host_fqdn:5000\": {\"auth\": \"$b64auth\",\"email\": \"$USER@redhat.com\"}}"
    +
    +
    +
  8. +
  9. +

    Update the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ jq ".auths += $AUTHSTRING" < pull-secret.txt > pull-secret-update.txt
    +
    +
    +
  10. +
+
+
+
+

3.7.5. Mirroring the repository (optional)

+
+
Procedure
+
    +
  1. +

    Copy the oc binary from the provisioner node to the registry node.

    +
    +
    +
    [user@registry ~]$ sudo scp kni@provisioner:/usr/local/bin/oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Get the release image and mirror the remote install images to the local repository.

    +
    +
    +
    [user@registry ~]$ export VERSION=latest-4.4
    +[user@registry ~]$ UPSTREAM_REPO=$(curl -s https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/$VERSION/release.txt | awk  '/Pull From/ {print $3}')
    +[user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.txt
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
  4. +
+
+
+
+

3.7.6. Modify the install-config.yaml file to use the disconnected registry (optional)

+
+

On the provisioner node, the install-config.yaml file should use the newly created pull-secret from the pull-secret-update.txt file. The install-config.yaml file must also contain the disconnected registry node’s certificate and registry information.

+
+
+
Procedure
+
    +
  1. +

    Add the disconnected registry node’s certificate to the install-config.yaml file. The certificate should follow the "additionalTrustBundle: |" line and be properly indented, usually by two spaces.

    +
    +
    +
    $ echo "additionalTrustBundle: |" >> install-config.yaml
    +$ sed -e 's/^/  /' /opt/registry/certs/domain.crt >> install-config.yaml
    +
    +
    +
  2. +
  3. +

    Add the mirror information for the registry to the install-config.yaml file.

    +
    +
    +
    $ cat <<EOF >> install-config.yaml
    +<image-config>: (1)
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: registry.svc.ci.openshift.org/ocp/release
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-release
    +EOF
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <image-config> with imageContentSources for OpenShift 4.13 and below, or imageDigestSources for Openshift 4.14 and above. +
    + + + + + +
    + + +Replace registry.example.com with the registry’s fully qualified domain name. +
    +
    +
    +
  4. +
+
+
+
+
+

3.8. Deploying routers on worker nodes

+
+

During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If the initial cluster has only one worker node, or if a deployed cluster requires additional routers to handle external traffic loads destined for services within the OpenShift Container Platform cluster, you can create a yaml file to set an appropriate number of router replicas.

+
+
+ + + + + +
+ + +
+

By default, the installer deploys two routers. +If the cluster has at least two worker nodes, you can skip this section. +For more information on the Ingress Operator see: Ingress Operator in OpenShift Container Platform.

+
+
+
+
+ + + + + +
+ + +
+

If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default. If the cluster has no worker nodes, you can skip this section.

+
+
+
+
+
Procedure
+
    +
  1. +

    Create a router-replicas.yaml file.

    +
    +
    +
    apiVersion: operator.openshift.io/v1
    +kind: IngressController
    +metadata:
    +  name: default
    +  namespace: openshift-ingress-operator
    +spec:
    +  replicas: <num-of-router-pods>
    +  endpointPublishingStrategy:
    +    type: HostNetwork
    +  nodePlacement:
    +    nodeSelector:
    +      matchLabels:
    +        node-role.kubernetes.io/worker: ""
    +
    +
    +
    + + + + + +
    + + +
    +

    Replace <num-of-router-pods> with an appropriate value. If working with just one worker node, set replicas: to 1. If working with more than 3 worker nodes, you can increase replicas: from the default value 2 as appropriate.

    +
    +
    +
    +
  2. +
  3. +

    Save and copy the router-replicas.yaml file to the clusterconfigs/openshift directory.

    +
    +
    +
    cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yaml
    +
    +
    +
  4. +
+
+
+
+

3.9. Validation checklist for installation

+
+
    +
  • +

    OpenShift Container Platform installer has been retrieved.

    +
  • +
  • +

    OpenShift Container Platform installer has been extracted.

    +
  • +
  • +

    Required parameters for the install-config.yaml have been configured.

    +
  • +
  • +

    The hosts parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    The bmc parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    Conventions for the values configured in the bmc address field have been applied.

    +
  • +
  • +

    Created a disconnected registry (optional).

    +
  • +
  • +

    Validate disconnected registry settings if in use. (optional)

    +
  • +
  • +

    Deployed routers on worker nodes. (optional)

    +
  • +
+
+
+
+

3.10. Deploying the cluster via the OpenShift Container Platform installer

+
+

Run the OpenShift Container Platform installer:

+
+
+
+
[kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs --log-level debug create cluster
+
+
+
+
+

3.11. Following the installation

+
+

During the deployment process, you can check the installation’s overall status by issuing the tail command to the .openshift_install.log log file in the install directory folder.

+
+
+
+
[kni@provisioner ~]$ tail -f /path/to/install-dir/.openshift_install.log
+
+
+
+
+
+
+

4. Day 2 operations

+
+
+

The following sections are optional, but may be of interest after the initial deployment has been completed.

+
+
+

4.1. Accessing the web console

+
+

The web console runs as a pod on the master. The static assets required to run +the web console are served by the pod. Once OpenShift Container Platform is successfully +installed, find the URL for the web console and login credentials for your +installed cluster in the CLI output of the installation program. For example:

+
+
+
Example output
+
+
INFO Install complete!
+INFO Run 'export KUBECONFIG=<your working directory>/auth/kubeconfig' to manage the cluster with 'oc', the OpenShift CLI.
+INFO The cluster is ready when 'oc login -u kubeadmin -p <provided>' succeeds (wait a few minutes).
+INFO Access the OpenShift web-console here: https://console-openshift-console.apps.demo1.openshift4-beta-abcorp.com
+INFO Login to the console with user: kubeadmin, password: <provided>
+
+
+
+

Use those details to log in and access the web console.

+
+
+

Additionally, you can execute:

+
+
+
+
oc whoami --show-console
+
+
+
+

To obtain the url for the console.

+
+
+
+

4.2. Backing up the cluster configuration

+
+

At this point you have a working OpenShift 4 cluster on baremetal. +In order to take advantage of the baremetal hardware that was the provision node, +you can repurpose the provisioning node as a worker. +Prior to reprovisioning the node, it is recommended to backup some existing files.

+
+
+
Procedure
+
    +
  1. +

    Tar the clusterconfig folder and download it to your local machine.

    +
    +
    +
    tar cvfz clusterconfig.tar.gz ~/clusterconfig
    +
    +
    +
  2. +
  3. +

    Copy the Private part for the SSH Key configured on the install-config.yaml file to your local machine.

    +
    +
    +
    tar cvfz clusterconfigsh.tar.gz ~/.ssh/id_rsa*
    +
    +
    +
  4. +
  5. +

    Copy the install-config.yaml and metal3-config.yaml files.

    +
    +
    +
    tar cvfz yamlconfigs.tar.gz install-config.yaml metal3-config.yaml
    +
    +
    +
  6. +
+
+
+
+

4.3. Expanding the cluster

+
+

After deploying an installer-provisioned OpenShift Container Platform cluster, you can use the following procedures to expand the number of worker nodes. Ensure that each prospective worker node meets the prerequisites.

+
+
+ + + + + +
+ + +
+

Expanding the cluster using RedFish Virtual Media involves meeting minimum firmware requirements. See Firmware requirements for installing with virtual media in the Prerequisites section for additional details when expanding the cluster using RedFish Virtual Media.

+
+
+
+
+

4.3.1. Preparing the bare metal node

+
+

Expanding the cluster requires a DHCP server. Each node must have a DHCP reservation.

+
+
+

Preparing the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Get the oc binary, if needed. It should already exist on the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ export VERSION=latest-4.4
    +[kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux-$VERSION.tar.gz | tar zxvf - oc
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Power off the bare metal node via the baseboard management controller and ensure it is off.

    +
  4. +
  5. +

    Retrieve the user name and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the user name and password. In the following example, the user name is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  6. +
  7. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: <protocol>://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of the bare metal node in the two name fields and the credentialsName field. Replace <base64-of-uid> with the base64 string of the user name. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC.

    +
    +
    +

    Refer to the BMC addressing section for additional BMC configuration options. Replace <protocol> with the BMC protocol, such as IPMI, RedFish, or others. +Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
    + + + + + +
    + + +
    +

    If the MAC address of an existing bare metal node matches the MAC address of a bare metal host that you are attempting to provision, then the Ironic installation will fail. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the metal3-baremetal-operator will continuously retry. See Diagnosing a host duplicate MAC address for more information.

    +
    +
    +
    +
  8. +
  9. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  10. +
  11. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
+
+
+
+

4.3.2. Preparing to deploy with Virtual Media on the baremetal network

+
+

If the provisioning network is enabled, and you want to expand the cluster using Virtual Media on the baremetal network, execute the following procedure.

+
+
+
Procedure
+
    +
  1. +

    Edit the provisioning configuration resource (CR) to enable deploying with Virtual Media on the baremetal network.

    +
    +
    +
    oc edit provisioning
    +
    +
    +
    +
    +
      apiVersion: metal3.io/v1alpha1
    +  kind: Provisioning
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:50Z"
    +    finalizers:
    +    - provisioning.metal3.io
    +    generation: 8
    +    name: provisioning-configuration
    +    resourceVersion: "551591"
    +    uid: f76e956f-24c6-4361-aa5b-feaf72c5b526
    +  spec:
    +    preProvisioningOSDownloadURLs: {}
    +    provisioningDHCPRange: 172.22.0.10,172.22.0.254
    +    provisioningIP: 172.22.0.3
    +    provisioningInterface: enp1s0
    +    provisioningNetwork: Managed
    +    provisioningNetworkCIDR: 172.22.0.0/24
    +    provisioningOSDownloadURL: http://192.168.111.1/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.gz?sha256=c7dde5f96826c33c97b5a4ad34110212281916128ae11100956f400db3d5299e
    +    virtualMediaViaExternalNetwork: true (1)
    +  status:
    +    generations:
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 7
    +      name: metal3
    +      namespace: openshift-machine-api
    +      resource: deployments
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 1
    +      name: metal3-image-cache
    +      namespace: openshift-machine-api
    +      resource: daemonsets
    +    observedGeneration: 8
    +    readyReplicas: 0
    +
    +
    +
    + + + + + +
    1Add virtualMediaViaExternalNetwork: true to the provisioning CR.
    +
    +
  2. +
  3. +

    Edit the machine set to use the API VIP address.

    +
    +
    +
    oc edit machineset
    +
    +
    +
    +
    +
      apiVersion: machine.openshift.io/v1beta1
    +  kind: MachineSet
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:52Z"
    +    generation: 11
    +    labels:
    +      machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +      machine.openshift.io/cluster-api-machine-role: worker
    +      machine.openshift.io/cluster-api-machine-type: worker
    +    name: ostest-hwmdt-worker-0
    +    namespace: openshift-machine-api
    +    resourceVersion: "551513"
    +    uid: fad1c6e0-b9da-4d4a-8d73-286f78788931
    +  spec:
    +    replicas: 2
    +    selector:
    +      matchLabels:
    +        machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +        machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +    template:
    +      metadata:
    +        labels:
    +          machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +          machine.openshift.io/cluster-api-machine-role: worker
    +          machine.openshift.io/cluster-api-machine-type: worker
    +          machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +      spec:
    +        metadata: {}
    +        providerSpec:
    +          value:
    +            apiVersion: baremetal.cluster.k8s.io/v1alpha1
    +            hostSelector: {}
    +            image:
    +              checksum: http:/172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.md5sum (1)
    +              url: http://172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2 (2)
    +            kind: BareMetalMachineProviderSpec
    +            metadata:
    +              creationTimestamp: null
    +            userData:
    +              name: worker-user-data
    +  status:
    +    availableReplicas: 2
    +    fullyLabeledReplicas: 2
    +    observedGeneration: 11
    +    readyReplicas: 2
    +    replicas: 2
    +
    +
    +
    + + + + + + + + + +
    1Edit the checksum URL to use the API VIP address.
    2Edit the url URL to use the API VIP address.
    +
    +
  4. +
+
+
+
Diagnosing a duplicate MAC address when provisioning a new host in the cluster
+
+

If the MAC address of an existing bare-metal node in the cluster matches the MAC address of a bare-metal host you are attempting to add to the cluster, the Bare Metal Operator associates the host with the existing node. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the Bare Metal Operator retries the installation continuously. A registration error is displayed for the failed bare-metal host.

+
+
+

You can diagnose a duplicate MAC address by examining the bare-metal hosts that are running in the openshift-machine-api namespace.

+
+
+
Prerequisites
+
    +
  • +

    Install an OpenShift Container Platform cluster on bare metal.

    +
  • +
  • +

    Install the OpenShift Container Platform CLI oc.

    +
  • +
  • +

    Log in as a user with cluster-admin privileges.

    +
  • +
+
+
+
Procedure
+

To determine whether a bare-metal host that fails provisioning has the same MAC address as an existing node, do the following:

+
+
+
    +
  1. +

    Get the bare-metal hosts running in the openshift-machine-api namespace:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    Example output
    +
    +
    NAME                 STATUS   PROVISIONING STATUS      CONSUMER
    +openshift-master-0   OK       externally provisioned   openshift-zpwpq-master-0
    +openshift-master-1   OK       externally provisioned   openshift-zpwpq-master-1
    +openshift-master-2   OK       externally provisioned   openshift-zpwpq-master-2
    +openshift-worker-0   OK       provisioned              openshift-zpwpq-worker-0-lv84n
    +openshift-worker-1   OK       provisioned              openshift-zpwpq-worker-0-zd8lm
    +openshift-worker-2   error    registering
    +
    +
    +
  2. +
  3. +

    To see more detailed information about the status of the failing host, run the following command replacing <bare_metal_host_name> with the name of the host:

    +
    +
    +
    $ oc get -n openshift-machine-api bmh <bare_metal_host_name> -o yaml
    +
    +
    +
    +
    Example output
    +
    +
    ...
    +status:
    +  errorCount: 12
    +  errorMessage: MAC address b4:96:91:1d:7c:20 conflicts with existing node openshift-worker-1
    +  errorType: registration error
    +...
    +
    +
    +
  4. +
+
+
+
+
+

4.3.3. Provisioning the bare metal node

+
+

Provisioning the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  2. +
  3. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-3.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-1.openshift.example.com            Ready    master          30h     v1.16.2
    +
    +
    +
  4. +
  5. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +...
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +
    +
    +
  6. +
  7. +

    Increase the number of worker nodes by one.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  8. +
  9. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This can take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  10. +
  11. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                          STATUS   ROLES   AGE     VERSION
    +provisioner.openshift.example.com             Ready    master  30h     v1.16.2
    +openshift-master-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-2.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-3.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-0.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  12. +
+
+
+
+

4.3.4. Preparing the provisioner node to be deployed as a worker node

+
+
Procedure
+

Perform the following steps prior to converting the provisioner node to a worker node.

+
+
+
    +
  1. +

    ssh to a system (for example, a laptop) that can access the out of band management network of the current provisioner node.

    +
  2. +
  3. +

    Copy the backups clusterconfig.tar.gz, clusterconfigsh.tar.gz, and amlconfigs.tar.gz to the new system.

    +
  4. +
  5. +

    Copy the oc binary from the existing provisioning node to the new system.

    +
  6. +
  7. +

    Make a note of the mac addresses, the baremetal network IP used for the provisioner node, and the IP address of +the Out of band Management Network.

    +
  8. +
  9. +

    Reboot the system and ensure that PXE is enabled on the provisioning network and PXE is disabled for all other NICs.

    +
  10. +
  11. +

    If installation was performed using a Satellite server, remove the Host entry for the existing provisioning node.

    +
  12. +
  13. +

    Install the ipmitool on the new system in order to power off the provisioner node.

    +
  14. +
+
+
+
+

4.3.5. Adding a worker node to an existing cluster

+
+
Procedure
+
    +
  1. +

    Retrieve the username and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the username and password. In the following example, the username is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  2. +
  3. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of bare metal node in two name fields and credentialsName field. Replace <base64-of-uid> with the base64 string of the username. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC. Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
  4. +
+
+
+ + + + + +
+ + +
+

When using redfish or redfish-virtualmedia, add the +appropriate addressing as described in the BMC addressing section. See BMC addressing for details.

+
+
+
+
+
    +
  1. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  2. +
  3. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  4. +
  5. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  6. +
  7. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
  8. +
  9. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +openshift-worker-2.example.com      1         1         1       1           55m
    +
    +
    +
  10. +
  11. +

    Increase the number of worker nodes by 1.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  12. +
  13. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This may take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  14. +
  15. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  16. +
+
+
+
Appending DNS records
+
+
Configuring Bind (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +<OUTPUT_OMITTED>
    +openshift-worker-1      A       <ip-of-worker-1>
    +openshift-worker-2      A       <ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  6. +
  7. +

    Increase the SERIAL value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the SERIAL value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+

Append the following DNS record to the /etc/hosts file on the server hosting the dnsmasq service.

+
+
+
+
<OUTPUT_OMITTED>
+<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
+<NIC2-IP> openshift-worker-2.openshift.example.com openshift-worker-2
+
+
+
+ + + + + +
+ + +
+

Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

+
+
+
+
+
+
+
Appending DHCP reservations
+
+
Configuring dhcpd (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host openshift-worker-2 {
    +     option host-name "worker-2";
    +     hardware ethernet <NIC2-mac-address>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+
    +
  1. +

    Append the following DHCP reservation to the /etc/dnsmasq.d/example.dns file on the server hosting the dnsmasq service.

    +
    +
    +
    <OUTPUT_OMITTED>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-worker-1>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-2.openshift.example.com,<ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

    +
    +
    +
    +
  2. +
  3. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  4. +
+
+
+
+
+
Deploying the provisioner node as a worker node using Metal3
+
+

After you have completed the prerequisites, perform the deployment process.

+
+
+
Procedure
+
    +
  1. +

    Power off the node using ipmitool and confirm the provisioning node is powered off.

    +
    +
    +
    ssh <server-with-access-to-management-net>
    +# Use the user, password and Management net IP adddress to shutdown the system
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +# Confirm the server is powered down
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power status
    +Chassis Power is off
    +
    +
    +
  2. +
  3. +

    Get base64 strings for the Out of band Management credentials. In this example, the user is root and the password is calvin.

    +
    +
    +
    # Use echo -ne, otherwise you will get your secrets with \n which will cause issues
    +# Get root username in base64
    +echo -ne "root" | base64
    +# Get root password in base64
    +echo -ne "calvin" | base64
    +
    +
    +
  4. +
  5. +

    Configure the BaremetalHost bmh.yaml file.

    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-2-bmc-secret
    +type: Opaque
    +data:
    +  username: ca2vdAo=
    +  password: MWAwTWdtdC0K
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-2
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<out-of-band-ip>
    +    credentialsName: openshift-worker-2-bmc-secret
    +
    +
    +
  6. +
  7. +

    Create the BaremetalHost.

    +
    +
    +
    ./oc -n openshift-machine-api create -f bmh.yaml
    +secret/openshift-worker-2-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-2 created
    +
    +
    +
  8. +
  9. +

    Power up and inspect the node.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       inspecting                       ipmi://<out-of-band-ip>                      true
    +
    +
    +
  10. +
  11. +

    After finishing the inspection, the node is ready to be provisioned.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
  13. +

    Scale the workers machineset. Previously, there were two replicas during original installation.

    +
    +
    +
    ./oc get machineset -n openshift-machine-api
    +NAME            DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-2   0         0                             21h
    +
    +./oc -n openshift-machine-api scale machineset openshift-worker-2 --replicas=3
    +
    +
    +
  14. +
  15. +

    The baremetal host moves to provisioning status. This can take as long as 30 minutes. You can follow the status +from the node console.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioning          openshift-worker-0-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  16. +
  17. +

    When the node is provisioned it moves to provisioned status.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioned           openshift-worker-2-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  18. +
  19. +

    When the kubelet finishes initialization the node is ready for use. +You can connect to the node and run journalctl -fu kubelet to check the process.

    +
    +
    +
    oc get node
    +NAME                                            STATUS   ROLES           AGE     VERSION
    +openshift-master-0.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-1.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-2.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
  20. +
+
+
+
+
+
+
+
+

5. Appendix

+
+
+

In this section of the document, extra information is provided that is outside of the regular workflow.

+
+
+

5.1. Troubleshooting

+
+

Troubleshooting the installation is out of scope of the Deployment Guide. For more details on troubleshooting deployment, refer to our Troubleshooting guide.

+
+
+
+

5.2. Creating DNS Records

+
+

Two options are documented for configuring DNS records:

+
+ +
+

5.2.1. Configuring Bind (Option 1)

+
+

Use Option 1 if access to the appropriate DNS server for the baremetal network is accessible or a request +to your network admin to create the DNS records is an option. +If this is not an option, skip this section and go to section Create DNS records using dnsmasq (Option 2).

+
+
+

Create a subzone with the name of the cluster that is going to be used on your domain. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +$TTL 300        ; 5 minutes
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +api                     A       <api-ip>
    +ns1                     A       <dns-vip-ip>
    +$ORIGIN apps.openshift.example.com.
    +*                       A       <wildcard-ingress-lb-ip>
    +$ORIGIN openshift.example.com.
    +provisioner             A       <NIC2-ip-of-provision>
    +openshift-master-0      A       <NIC2-ip-of-openshift-master-0>
    +openshift-master-1      A       <NIC2-ip-of-openshift-master-1>
    +openshift-master-2      A       <NIC2-ip-of-openshift-master-2>
    +openshift-worker-0      A       <NIC2-ip-of-openshift-worker-0>
    +openshift-worker-1      A       <NIC2-ip-of-openshift-worker-1>
    +
    +
    +
  6. +
  7. +

    Increase the serial value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    +
    +
    $ORIGIN 1.0.10.in-addr.arpa.
    +$TTL 300
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +126 IN      PTR      provisioner.openshift.example.com.
    +127	IN        	PTR    	openshift-master-0.openshift.example.com.
    +128	IN        	PTR    	openshift-master-1.openshift.example.com.
    +129	IN 	        PTR   	openshift-master-2.openshift.example.com.
    +130	IN 	        PTR   	openshift-worker-0.openshift.example.com.
    +131	IN        	PTR    	openshift-worker-1.openshift.example.com.
    +132 IN      PTR     api.openshift.example.com.
    +133 IN      PTR     ns1.openshift.example.com.
    +
    +
    +
    + + + + + +
    + + +
    +

    In this example, the IP addresses 10.0.1.126-133 are pointed to the corresponding fully qualified domain name.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the serial value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+

5.2.2. Configuring dnsmasq (Option 2)

+
+

To create DNS records, open the /etc/hosts file and add the NIC2 (baremetal net) IP followed by the hostname. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Edit /etc/hosts and add the NIC2 (baremetal net) IP followed by the hostname.

    +
    +
    +
    cat /etc/hosts
    +127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    +::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    +<NIC2-IP> provisioner.openshift.example.com provisioner
    +<NIC2-IP> openshift-master-0.openshift.example.com openshift-master-0
    +<NIC2-IP> openshift-master-1.openshift.example.com openshift-master-1
    +<NIC2-IP> openshift-master-2.openshift.example.com openshift-master-2
    +<NIC2-IP> openshift-worker-0.openshift.example.com openshift-worker-0
    +<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
    +<API-IP>  api.openshift.example.com api
    +<DNS-VIP-IP> ns1.openshift.example.com ns1
    +
    +
    +
  2. +
  3. +

    Open the appropriate firewalld DNS service and reload the rules.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dns --permanent
    +firewall-cmd --reload
    +
    +
    +
  4. +
+
+
+
+
+

5.3. Creating DHCP reservations

+
+

Two options are documented for configuring DHCP:

+
+ +
+

5.3.1. Configuring dhcpd (Option 1)

+
+

Use Option 1 if access to the appropriate DHCP server for the baremetal network is accessible or a request +to your network admin to create the DHCP reservations is an option. +If this is not an option, skip this section and go to section Create DHCP records using dnsmasq (Option 2).

+
+
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host provisioner {
    +     option host-name "provisioner";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-master-0 {
    +     option host-name "openshift-master-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-1 {
    +     option host-name "openshift-master-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-2 {
    +     option host-name "openshift-master-2";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-0 {
    +     option host-name "openshift-worker-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-1 {
    +     option host-name "openshift-worker-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+

5.3.2. Configuring dnsmasq (Option 2)

+
+

Set up dnsmasq on a server that can access the baremetal network.

+
+
+
Procedure
+
    +
  1. +

    Install dnsmasq.

    +
    +
    +
    dnf install -y dnsmasq
    +
    +
    +
  2. +
  3. +

    Change to the /etc/dnsmasq.d directory.

    +
    +
    +
    cd /etc/dnsmasq.d
    +
    +
    +
  4. +
  5. +

    Create a file that reflects your OpenShift cluster appended by .dns.

    +
    +
    +
    touch <filename>.dns
    +
    +
    +
  6. +
  7. +

    Open the appropriate firewalld DHCP service.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dhcp --permanent
    +firewall-cmd --reload
    +
    +
    +
  8. +
  9. +

    Define DNS configuration file

    +
    IPv4
    +
    +

    Here is an example of the .dns file for IPv4.

    +
    +
    +
    +
    domain-needed
    +bind-dynamic
    +bogus-priv
    +domain=openshift.example.com
    +dhcp-range=<baremetal-net-starting-ip,baremetal-net-ending-ip>
    +#dhcp-range=10.0.1.4,10.0.14
    +dhcp-option=3,<baremetal-net-gateway-ip>
    +#dhcp-option=3,10.0.1.254
    +resolv-file=/etc/resolv.conf.upstream
    +interface=<nic-with-access-to-baremetal-net>
    +#interface=em2
    +server=<ip-of-existing-server-on-baremetal-net>
    +
    +
    +#Wildcard for apps -- make changes to cluster-name (openshift) and domain (example.com)
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +
    +#Static IPs for Masters
    +dhcp-host=<NIC2-mac-address>,provisioner.openshift.example.com,<ip-of-provisioner>
    +dhcp-host=<NIC2-mac-address>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<NIC2-mac-address>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<NIC2-mac-address>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-0.openshift.example.com,<ip-of-openshift-worker-0>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-openshift-worker-1>
    +
    +
    +
  10. +
  11. +

    Create the resolv.conf.upstream file to provide DNS fowarding to an existing DNS server for resolution +to the outside world.

    +
    +
    +
    search <domain.com>
    +nameserver <ip-of-my-existing-dns-nameserver>
    +
    +
    +
  12. +
  13. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  14. +
  15. +

    Verify the dnsmasq service is running.

    +
    +
    +
    systemctl status dnsmasq
    +
    +
    +
  16. +
+
+
+
+
+
+
+ + + \ No newline at end of file diff --git a/4.4/Deployment.pdf b/4.4/Deployment.pdf new file mode 100644 index 0000000000..6fed8635ad Binary files /dev/null and b/4.4/Deployment.pdf differ diff --git a/4.4/Troubleshooting.html b/4.4/Troubleshooting.html new file mode 100644 index 0000000000..198b47bff8 --- /dev/null +++ b/4.4/Troubleshooting.html @@ -0,0 +1,1989 @@ + + + + + + + + + + +Troubleshooting Guide for IPI Installation + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+

While attempting to deploy Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal (BM), you may run into a situation where you need to troubleshoot your environment. This document provides troubleshooting guidance and tips in solving common issues that may arise.

+
+
+
+
+

1. Troubleshooting the installer workflow

+
+
+

Prior to troubleshooting the installation environment, it is critical to understand the overall flow of the IPI installation on bare metal. The diagrams below provide a troubleshooting flow with a step-by-step breakdown for the environment.

+
+
+

Flow-Diagram-1

+
+
+

Workflow 1 of 4 illustrates a troubleshooting workflow when the install-config.yaml file has errors or the Red Hat Enterprise Linux CoreOS (RHCOS) images are inaccessible. Troubleshooting suggestions can be found at

+
+ +
+

Flow-Diagram-2

+
+
+

Workflow 2 of 4 illustrates a troubleshooting workflow for bootstrap VM issues, bootstrap VMs that cannot boot up the cluster nodes, and inspecting logs.

+
+
+

Flow-Diagram-3

+
+
+

Workflow 3 of 4 illustrates a troubleshooting workflow for cluster nodes that will not PXE boot.

+
+
+

Flow-Diagram-4

+
+
+

Workflow 4 of 4 illustrates a troubleshooting workflow from + a non-accessible API to a validated installation.

+
+
+
+
+

2. Troubleshooting install-config.yaml

+
+
+

The install-config.yaml configuration file represents all of the nodes that are part of the OpenShift Container Platform cluster. The file contains the necessary options consisting of but not limited to apiVersion, baseDomain, imageContentSources (OpenShift 4.13 and below) or imageDigestSources (OpenShirt 4.14 and above), and virtual IP addresses. If errors occur early in the deployment of the OpenShift Container Platform cluster, the errors are likely in the install-config.yaml configuration file.

+
+
+
Procedure
+
    +
  1. +

    Use the guidelines in YAML-tips.

    +
  2. +
  3. +

    Verify the YAML syntax is correct using syntax-check.

    +
  4. +
  5. +

    Verify the Red Hat Enterprise Linux CoreOS (RHCOS) QEMU images are properly defined and accessible via the URL provided in the install-config.yaml. For example:

    +
    +
    +
    $ curl -s -o /dev/null -I -w "%{http_code}\n" http://webserver.example.com:8080/rhcos-44.81.202004250133-0-qemu.x86_64.qcow2.gz?sha256=7d884b46ee54fe87bbc3893bf2aa99af3b2d31f2e19ab5529c60636fbd0f1ce7
    +
    +
    +
    +

    If the output is 200, there is a valid response from the webserver storing the bootstrap VM image.

    +
    +
  6. +
+
+
+
+
+

3. Bootstrap VM issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    $ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
    + + + + + +
    + + +
    +

    The name of the bootstrap VM is always the cluster name followed by a random set of characters and ending in the word "bootstrap."

    +
    +
    +
    +
    +

    If the bootstrap VM is not running after 10-15 minutes, troubleshoot why it is not running. Possible issues include:

    +
    +
  2. +
  3. +

    Verify libvirtd is running on the system:

    +
    +
    +
    $ systemctl status libvirtd
    +
    +
    +
    +
    +
    ● libvirtd.service - Virtualization daemon
    +   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
    +   Active: active (running) since Tue 2020-03-03 21:21:07 UTC; 3 weeks 5 days ago
    +     Docs: man:libvirtd(8)
    +           https://libvirt.org
    + Main PID: 9850 (libvirtd)
    +    Tasks: 20 (limit: 32768)
    +   Memory: 74.8M
    +   CGroup: /system.slice/libvirtd.service
    +           ├─ 9850 /usr/sbin/libvirtd
    +
    +
    +
    +

    If the bootstrap VM is operational, log into it.

    +
    +
  4. +
  5. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    $ sudo virsh console example.com
    +
    +
    +
    +
    +
    Connected to domain example.com
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
    + + + + + +
    + + +
    +

    When deploying a OpenShift Container Platform cluster without the provisioning network, you must use a public IP address and not a private IP address like 172.22.0.2.

    +
    +
    +
    +
  6. +
  7. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, you can use the IPv6 IP address provided by ens3 or the IPv4 IP provided by ens4.

    +
    +
    +
    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  8. +
+
+
+

If you are not successful logging in to the bootstrap VM, you have likely encountered one of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the 172.22.0.0/24 network. Verify network connectivity on the provisioner host specifically around the provisioning network bridge. This will not be the issue if you are not using the provisioning network.

    +
  • +
  • +

    You cannot reach the bootstrap VM via the public network. When attempting +to SSH via baremetal network, verify connectivity on the +provisioner host specifically around the baremetal network bridge.

    +
  • +
  • +

    You encountered Permission denied (publickey,password,keyboard-interactive). When +attempting to access the bootstrap VM, a Permission denied error +might occur. Verify that the SSH key for the user attempting to log +into the VM is set within the install-config.yaml file.

    +
  • +
+
+
+

3.1. Bootstrap VM cannot boot up the cluster nodes

+
+

During the deployment, it is possible for the bootstrap VM to fail to boot the cluster nodes, which prevents the VM from provisioning the nodes with the RHCOS image. This scenario can arise due to:

+
+
+
    +
  • +

    A problem with the install-config.yaml file.

    +
  • +
  • +

    Issues with out-of-band network access via the baremetal network.

    +
  • +
+
+
+

To verify the issue, there are three containers related to ironic:

+
+
+
    +
  • +

    ironic-api

    +
  • +
  • +

    ironic-conductor

    +
  • +
  • +

    ironic-inspector

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    To check the container logs, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs -f <container-name>
    +
    +
    +
    +

    Replace <container-name> with one of ironic-api, ironic-conductor, or ironic-inspector. If you encounter an issue where the control plane nodes are not booting up via PXE, check the ironic-conductor pod. The ironic-conductor pod contains the most detail about the attempt to boot the cluster nodes, because it attempts to log in to the node over IPMI.

    +
    +
  4. +
+
+
+
Potential reason
+

The cluster nodes might be in the ON state when deployment started.

+
+
+
Solution
+

Power off the OpenShift Container Platform cluster nodes before you begin the +installation over IPMI:

+
+
+
+
$ ipmitool -I lanplus -U root -P <password> -H <out-of-band-ip> power off
+
+
+
+
+

3.2. Inspecting logs

+
+

When experiencing issues downloading or accessing the RHCOS images, first verify that the URL is correct in the install-config.yaml configuration file.

+
+
+
Example of internal webserver hosting RHCOS images
+
+
bootstrapOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-qemu.x86_64.qcow2.gz?sha256=9d999f55ff1d44f7ed7c106508e5deecd04dc3c06095d34d36bf1cd127837e0c
+clusterOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-openstack.x86_64.qcow2.gz?sha256=a1bda656fa0892f7b936fdc6b6a6086bddaed5dafacedcd7a1e811abb78fe3b0
+
+
+
+

The ipa-downloader and coreos-downloader containers download resources from a webserver or the external quay.io registry, whichever the install-config.yaml configuration file specifies. Verify the following two containers are up and running and inspect their logs as needed:

+
+
+
    +
  • +

    ipa-downloader

    +
  • +
  • +

    coreos-downloader

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    Check the status of the ipa-downloader and coreos-downloader containers within the bootstrap VM:

    +
    +
    +
    [core@localhost ~]$ podman logs -f ipa-downloader
    +
    +
    +
    +
    +
    [core@localhost ~]$ podman logs -f coreos-downloader
    +
    +
    +
    +

    If the bootstrap VM cannot access the URL to the images, use the curl command to verify that the VM can access the images.

    +
    +
  4. +
  5. +

    To inspect the bootkube logs that indicate if all the containers launched during the deployment phase, execute the following:

    +
    +
    +
    [core@localhost ~]$ journalctl -xe
    +
    +
    +
    +
    +
    [core@localhost ~]$ journalctl -b -f -u bootkube.service
    +
    +
    +
  6. +
  7. +

    Verify all the pods, including dnsmasq, mariadb, httpd, and ironic, are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps
    +
    +
    +
  8. +
  9. +

    If there are issues with the pods, check the logs of the containers with issues. To check the log of the ironic-api, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs <ironic-api>
    +
    +
    +
  10. +
+
+
+
+
+
+

4. Ironic Bootstrap issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes. The cluster nodes are powered on, introspected and finally provisioned using Ironic.

+
+
+

Sometimes you might need to connect to the Ironic service running on the bootstrap node virtual machine to troubleshoot issues related to Ironic.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
  2. +
  3. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh console openshift-xf6fq-bootstrap
    +
    +
    +
    +
    +
    Connected to domain openshift-xf6fq-bootstrap
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
  4. +
  5. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, the IPv6 IP provided by ens3 or the IPv4 IP provided by ens4 can be used.

    +
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ ssh core@172.22.0.2
    +
    +
    +
  6. +
  7. +

    Make sure Ironic containers are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps | grep ironic
    +90251a35d1e2  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-api
    +168e712c9996  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c6af62509b3d66effe8e16c81e42e75e124ccb5770f82efb010ecc3ebadc48b8                        2 minutes ago  Up 2 minutes ago         ironic-inspector
    +025f8247bfb0  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-conductor
    +
    +
    +
  8. +
  9. +

    Get the value for the bootstrapProvisioningIp property from your install-config.yaml.

    +
  10. +
  11. +

    Create a clouds.yaml file:

    +
    +
    +
    clouds:
    +  metal3-bootstrap:
    +    auth_type: none
    +    baremetal_endpoint_override: http://<bootstrapProvisioningIp>:6385
    +    baremetal_introspection_endpoint_override: http://<bootstrapProvisioningIp>:5050
    +
    +
    +
    + + + + + +
    + + +
    +

    Make sure in the file above you change <bootstrapProvisioningIp> with the value from your install-config.yaml file.

    +
    +
    +
    +
  12. +
  13. +

    Run the ironic-client on the bootstrap VM using podman:

    +
    +
    +
    [core@localhost ~]$ podman run -ti --rm --entrypoint /bin/bash -v /path/to/clouds.yaml:/clouds.yaml -e OS_CLOUD=metal3-bootstrap quay.io/metal3-io/ironic-client
    +
    +
    +
  14. +
  15. +

    Once you’re in the container, run the following command to see the status of the nodes on Ironic:

    +
    +
    +
    [root@1facad6bccff /]# baremetal node list
    +
    +
    +
    +

    The expected states for the nodes are clean-waitavailabledeployingwait call-backactive.

    +
    +
    +
      +
    • +

      clean-wait: The IPA (Ironic Python Agent) will clean the node main disk and write RHCOS to it. After that will report the node status back to Ironic.

      +
    • +
    • +

      available: The node has been introspected and it’s ready to be provisioned.

      +
    • +
    • +

      deploying: The node is being provisioned with RHCOS + the required Ignition configs.

      +
    • +
    • +

      wait call-back: The node is deployed and Ironic is waiting for the node to finish everything before marking the node as active.

      +
    • +
    • +

      active: The node is fully provisioned from an Ironic perspective.

      +
    • +
    +
    +
  16. +
+
+
+

If you are not getting any output, you have likely encountered of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the bootstrapProvisioningIp from the bootstrap VM.

    +
  • +
  • +

    The Ironic conductor was not able to power on and configure the nodes to boot with the IPA image.

    +
  • +
  • +

    The machine running the openshift-install binary cannot access the bootstrapProvisioningIp on port 6385.

    +
  • +
+
+
+
+
+

5. Cluster nodes will not PXE boot

+
+
+

When OpenShift Container Platform cluster nodes will not PXE boot, execute the following checks on the cluster nodes that will not PXE boot. This procedure does not apply when installing a OpenShift Container Platform cluster without the provisioning network.

+
+
+
Procedure
+
    +
  1. +

    Check the network connectivity to the provisioning network.

    +
  2. +
  3. +

    Ensure PXE is enabled on the NIC for the provisioning network and PXE is disabled for all other NICs.

    +
  4. +
  5. +

    Verify that the install-config.yaml configuration file has the proper hardware profile and boot MAC address for the NIC connected to the provisioning network. For example:

    +
    +
    Master node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: default          #master node settings
    +
    +
    +
    +
    Worker node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: unknown          #worker node settings
    +
    +
    +
  6. +
+
+
+
+
+

6. The API is not accessible

+
+
+

When the cluster is running and clients cannot access the API, domain name resolution issues might impede access to the API.

+
+
+
Procedure
+
    +
  1. +

    Hostname Resolution: Check the cluster nodes to ensure they have a fully qualified domain name, and not just localhost.localdomain. For example:

    +
    +
    +
    $ hostname
    +
    +
    +
    +

    If a hostname is not set, set the correct hostname. For example:

    +
    +
    +
    +
    $ hostnamectl set-hostname <hostname>
    +
    +
    +
  2. +
  3. +

    Incorrect Name Resolution: Ensure that each node has the correct name resolution in the DNS server using dig and nslookup. For example:

    +
    +
    +
    $ dig api.<cluster-name>.example.com
    +
    +
    +
    +
    +
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> api.<cluster-name>.example.com
    +;; global options: +cmd
    +;; Got answer:
    +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37551
    +;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    +
    +;; OPT PSEUDOSECTION:
    +; EDNS: version: 0, flags:; udp: 4096
    +; COOKIE: 866929d2f8e8563582af23f05ec44203d313e50948d43f60 (good)
    +;; QUESTION SECTION:
    +;api.<cluster-name>.example.com. IN A
    +
    +;; ANSWER SECTION:
    +api.<cluster-name>.example.com. 10800 IN	A 10.19.13.86
    +
    +;; AUTHORITY SECTION:
    +<cluster-name>.example.com. 10800 IN NS	<cluster-name>.example.com.
    +
    +;; ADDITIONAL SECTION:
    +<cluster-name>.example.com. 10800 IN A	10.19.14.247
    +
    +;; Query time: 0 msec
    +;; SERVER: 10.19.14.247#53(10.19.14.247)
    +;; WHEN: Tue May 19 20:30:59 UTC 2020
    +;; MSG SIZE  rcvd: 140
    +
    +
    +
    +

    The output in the foregoing example indicates that the appropriate IP address for the api.<cluster-name>.example.com VIP is 10.19.13.86. This IP address should reside on the baremetal network.

    +
    +
  4. +
+
+
+
+
+

7. Cleaning up previous installations

+
+
+

In the event of a previous failed deployment, remove the artifacts from the failed attempt before attempting to deploy OpenShift Container Platform again.

+
+
+
Procedure
+
    +
  1. +

    Power off all bare metal nodes prior to installing the OpenShift Container Platform cluster:

    +
    +
    +
    $ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  2. +
  3. +

    Remove all old bootstrap resources if any are left over from a previous deployment attempt:

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool default;
    +  sudo virsh vol-delete $i.ign --pool default;
    +done
    +
    +
    +
  4. +
  5. +

    Remove the following from the clusterconfigs directory to prevent Terraform from failing:

    +
    +
    +
    $ rm -rf ~/clusterconfigs/auth ~/clusterconfigs/terraform* ~/clusterconfigs/tls ~/clusterconfigs/metadata.json
    +
    +
    +
  6. +
+
+
+
+
+

8. Issues with creating the registry

+
+
+

When creating a disconnected registry, you might encounter a "User Not Authorized" error when attempting to mirror the registry. This error might occur if you fail to append the new authentication to the existing pull-secret.txt file.

+
+
+
Procedure
+
    +
  1. +

    Check to ensure authentication is successful:

    +
    +
    +
    [user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.json
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
    + + + + + +
    + + +
    +

    Example output of the variables used to mirror the install images:

    +
    +
    +
    +
    UPSTREAM_REPO=${RELEASE_IMAGE}
    +LOCAL_REG=<registry_FQDN>:<registry_port>
    +LOCAL_REPO='ocp4/openshift4'
    +
    +
    +
    +

    The values of RELEASE_IMAGE and VERSION were set during the Retrieving OpenShift Installer step of the Setting up the environment for an OpenShift installation section.

    +
    +
    +
    +
  2. +
  3. +

    After mirroring the registry, confirm that you can access it in your +disconnected environment:

    +
    +
    +
    $ curl -k -u <user>:<password> https://registry.example.com:<registry-port>/v2/_catalog
    +{"repositories":["<Repo-Name>"]}
    +
    +
    +
  4. +
+
+
+
+
+

9. Miscellaneous issues

+
+
+

9.1. Addressing the runtime network not ready error

+
+

After the deployment of a cluster you might receive the following error:

+
+
+
+
`runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: Missing CNI default network`
+
+
+
+

The Cluster Network Operator is responsible for deploying the networking components in response to a special object created by the installer. It runs very early in the installation process, after the control plane (master) nodes have come up, but before the bootstrap control plane has been torn down. It can be indicative of more subtle installer issues, such as long delays in bringing up control plane (master) nodes or issues with apiserver communication.

+
+
+
Procedure
+
    +
  1. +

    Inspect the pods in the openshift-network-operator namespace:

    +
    +
    +
    $ oc get all -n openshift-network-operator
    +
    +
    +
    +
    +
    NAME                                    READY STATUS            RESTARTS   AGE
    +pod/network-operator-69dfd7b577-bg89v   0/1   ContainerCreating 0          149m
    +
    +
    +
  2. +
  3. +

    On the provisioner node, determine that the network configuration exists:

    +
    +
    +
    $ kubectl get network.config.openshift.io cluster -oyaml
    +
    +
    +
    +
    +
    apiVersion: config.openshift.io/v1
    +kind: Network
    +metadata:
    +  name: cluster
    +spec:
    +  serviceNetwork:
    +  - 172.30.0.0/16
    +  clusterNetwork:
    +  - cidr: 10.128.0.0/14
    +    hostPrefix: 23
    +  networkType: OpenShiftSDN
    +
    +
    +
    +

    If it does not exist, the installer did not create it. To determine why the installer did not create it, execute the following:

    +
    +
    +
    +
    $ openshift-install create manifests
    +
    +
    +
  4. +
  5. +

    Check that the network-operator is running:

    +
    +
    +
    $ kubectl -n openshift-network-operator get pods
    +
    +
    +
  6. +
  7. +

    Retrieve the logs:

    +
    +
    +
    $ kubectl -n openshift-network-operator logs -l "name=network-operator"
    +
    +
    +
    +

    On high availability clusters with three or more control plane (master) nodes, the Operator will perform leader election and all other Operators will sleep. For additional details, see Troubleshooting.

    +
    +
  8. +
+
+
+
+

9.2. Cluster nodes not getting the correct IPv6 address over DHCP

+
+

If the cluster nodes are not getting the correct IPv6 address over DHCP, check the following:

+
+
+
    +
  1. +

    Ensure the reserved IPv6 addresses reside outside the DHCP range.

    +
  2. +
  3. +

    In the IP address reservation on the DHCP server, ensure the reservation specifies the correct DHCP Unique Identifier (DUID). For example:

    +
    +
    +
    # This is a dnsmasq dhcp reservation, 'id:00:03:00:01' is the client id and '18:db:f2:8c:d5:9f' is the MAC Address for the NIC
    +id:00:03:00:01:18:db:f2:8c:d5:9f,openshift-master-1,[2620:52:0:1302::6]
    +
    +
    +
  4. +
  5. +

    Ensure that route announcements are working.

    +
  6. +
  7. +

    Ensure that the DHCP server is listening on the required interfaces serving the IP address ranges.

    +
  8. +
+
+
+
+

9.3. Cluster nodes not getting the correct hostname over DHCP

+
+

During IPv6 deployment, cluster nodes must get their hostname over DHCP. Sometimes the NetworkManager does not assign the hostname immediately. A control plane (master) node might report an error such as:

+
+
+
+
Failed Units: 2
+  NetworkManager-wait-online.service
+  nodeip-configuration.service
+
+
+
+

This error indicates that the cluster node likely booted without first receiving a hostname from the DHCP server, which causes kubelet to boot +with a localhost.localdomain hostname. To address the error, force the node to renew the hostname.

+
+
+
Procedure
+
    +
  1. +

    Retrieve the hostname:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
    +

    If the hostname is localhost, proceed with the following steps.

    +
    +
    + + + + + +
    + + +
    +

    Where X is the master node number.

    +
    +
    +
    +
  2. +
  3. +

    Force the cluster node to renew the DHCP lease:

    +
    +
    +
    [core@master-X ~]$ sudo nmcli con up "<bare-metal-nic>"
    +
    +
    +
    +

    Replace <bare-metal-nic> with the wired connection corresponding to the baremetal network.

    +
    +
  4. +
  5. +

    Check hostname again:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
  6. +
  7. +

    If the hostname is still localhost.localdomain, restart NetworkManager:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart NetworkManager
    +
    +
    +
  8. +
  9. +

    If the hostname is still localhost.localdomain, wait a few minutes and check again. If the hostname remains localhost.localdomain, repeat the previous steps.

    +
  10. +
  11. +

    Restart the nodeip-configuration service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart nodeip-configuration.service
    +
    +
    +
    +

    This service will reconfigure the kubelet service with the correct hostname references.

    +
    +
  12. +
  13. +

    Reload the unit files definition since the kubelet changed in the previous step:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl daemon-reload
    +
    +
    +
  14. +
  15. +

    Restart the kubelet service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart kubelet.service
    +
    +
    +
  16. +
  17. +

    Ensure kubelet booted with the correct hostname:

    +
    +
    +
    [core@master-X ~]$ sudo journalctl -fu kubelet.service
    +
    +
    +
  18. +
+
+
+

If the cluster node is not getting the correct hostname over DHCP after the cluster is up and running, such as during a reboot, the cluster will have a pending csr. Do not approve a csr, or other issues might arise.

+
+
+
Addressing a csr
+
    +
  1. +

    Get CSRs on the cluster:

    +
    +
    +
    $ oc get csr
    +
    +
    +
  2. +
  3. +

    Verify if a pending csr contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc get csr <pending_csr> -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -text
    +
    +
    +
  4. +
  5. +

    Remove any csr that contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc delete csr <wrong_csr>
    +
    +
    +
  6. +
+
+
+
+

9.4. Routes do not reach endpoints

+
+

During the installation process, it is possible to encounter a Virtual Router Redundancy Protocol (VRRP) conflict. This conflict might occur if a previously used OpenShift Container Platform node that was once part of a cluster deployment using a specific cluster name is still running but not part of the current OpenShift Container Platform cluster deployment using that same cluster name. For example, a cluster was deployed using the cluster name openshift, deploying three control plane (master) nodes and three worker nodes. Later, a separate install uses the same cluster name openshift, but this redeployment only installed three control plane (master) nodes, leaving the three worker nodes from a previous deployment in an ON state. This might cause a Virtual Router Identifier (VRID) conflict and a VRRP conflict.

+
+
+
    +
  1. +

    Get the route:

    +
    +
    +
    $ oc get route oauth-openshift
    +
    +
    +
  2. +
  3. +

    Check the service endpoint:

    +
    +
    +
    $ oc get svc oauth-openshift
    +
    +
    +
    +
    +
    NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
    +oauth-openshift   ClusterIP   172.30.19.162   <none>        443/TCP   59m
    +
    +
    +
  4. +
  5. +

    Attempt to reach the service from a control plane (master) node:

    +
    +
    +
    [core@master0 ~]$ curl -k https://172.30.19.162
    +
    +
    +
    +
    +
    {
    +  "kind": "Status",
    +  "apiVersion": "v1",
    +  "metadata": {
    +  },
    +  "status": "Failure",
    +  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
    +  "reason": "Forbidden",
    +  "details": {
    +  },
    +  "code": 403
    +
    +
    +
  6. +
  7. +

    Identify the authentication-operator errors from the provisioner node:

    +
    +
    +
    $ oc logs deployment/authentication-operator -n openshift-authentication-operator
    +
    +
    +
    +
    +
    Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-authentication-operator", Name:"authentication-operator", UID:"225c5bd5-b368-439b-9155-5fd3c0459d98", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'OperatorStatusChanged' Status for clusteroperator/authentication changed: Degraded message changed from "IngressStateEndpointsDegraded: All 2 endpoints for oauth-server are reporting"
    +
    +
    +
  8. +
+
+
+
Solution
+
    +
  1. +

    Ensure that the cluster name for every deployment is unique, ensuring no conflict.

    +
  2. +
  3. +

    Turn off all the rogue nodes which are not part of the cluster deployment that are using the same cluster name. Otherwise, the authentication pod of the OpenShift Container Platform cluster might never start successfully.

    +
  4. +
+
+
+
+

9.5. Failed Ignition during Firstboot

+
+

During the Firstboot, the Ignition configuration may fail.

+
+
+
Procedure
+
    +
  1. +

    Connect to the node where the Ignition configuration failed:

    +
    +
    +
    Failed Units: 1
    +  machine-config-daemon-firstboot.service
    +
    +
    +
  2. +
  3. +

    Restart the machine-config-daemon-firstboot service:

    +
    +
    +
    [core@worker-X ~]$ sudo systemctl restart machine-config-daemon-firstboot.service
    +
    +
    +
  4. +
+
+
+
+

9.6. NTP out of sync

+
+

The deployment of OpenShift Container Platform clusters depends on NTP synchronized clocks among the cluster nodes. Without synchronized clocks, the deployment may fail due to clock drift if the time difference is greater than two seconds.

+
+
+
Procedure
+
    +
  1. +

    Check for differences in the AGE of the cluster nodes. For example:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                         STATUS   ROLES    AGE   VERSION
    +master-0.cloud.example.com   Ready    master   145m   v1.16.2
    +master-1.cloud.example.com   Ready    master   135m   v1.16.2
    +master-2.cloud.example.com   Ready    master   145m   v1.16.2
    +worker-2.cloud.example.com   Ready    worker   100m   v1.16.2
    +
    +
    +
  2. +
  3. +

    Check for inconsistent timing delays due to clock drift. For example:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    +
    master-1   error registering master-1  ipmi://<out-of-band-ip>
    +
    +
    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 18:20:02 UTC
    +           Universal time: Tue 2020-03-10 18:20:02 UTC
    +                 RTC time: Tue 2020-03-10 18:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: no
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
  4. +
+
+
+
Addressing clock drift in existing clusters
+
    +
  1. +

    Create a chrony.conf file and encode it as base64 string. For example:

    +
    +
    +
    $ cat << EOF | base 64
    +server <NTP-server> iburst(1)
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +EOF
    +
    +
    +
    + + + + + +
    1Replace <NTP-server> with the IP address of the NTP server. Copy the output. +
    +
    +
    [text-in-base-64]
    +
    +
    +
    +
  2. +
  3. +

    Create a MachineConfig object, replacing the base64 string with +the [text-in-base-64] string generated in the output of the previous step. The following example adds the file to the control plane (master) nodes. You can modify the file for worker nodes or make an additional machine config for the worker role.

    +
    +
    +
    $ cat << EOF > ./99_masters-chrony-configuration.yaml
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  creationTimestamp: null
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf
    +spec:
    +  config:
    +    ignition:
    +      config: {}
    +      security:
    +        tls: {}
    +      timeouts: {}
    +      version: 3.1.0
    +    networkd: {}
    +    passwd: {}
    +    storage:
    +      files:
    +      - contents:
    +          source: data:text/plain;charset=utf-8;base64,[text-in-base-64](1)
    +        group:
    +          name: root
    +        mode: 420
    +        overwrite: true
    +        path: /etc/chrony.conf
    +        user:
    +          name: root
    +  osImageURL: ""
    +
    +
    +
    + + + + + +
    1Replace [text-in-base-64] with the base64 string.
    +
    +
  4. +
  5. +

    Make a backup copy of the configuration file. For example:

    +
    +
    +
    $ cp 99_masters-chrony-configuration.yaml 99_masters-chrony-configuration.yaml.backup
    +
    +
    +
  6. +
  7. +

    Apply the configuration file:

    +
    +
    +
    $ oc apply -f ./masters-chrony-configuration.yaml
    +
    +
    +
  8. +
  9. +

    Ensure the System clock synchronized value is yes:

    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 19:10:02 UTC
    +           Universal time: Tue 2020-03-10 19:10:02 UTC
    +                 RTC time: Tue 2020-03-10 19:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: yes
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
    +

    To setup clock synchronization prior to deployment, generate the manifest files and add this file to the openshift directory. For example:

    +
    +
    +
    +
    $ cp chrony-masters.yaml ~/clusterconfigs/openshift/99_masters-chrony-configuration.yaml
    +
    +
    +
    +

    Then, continue to create the cluster.

    +
    +
  10. +
+
+
+
+
+
+

10. Reviewing the installation

+
+
+

After installation, ensure the installer deployed the nodes and pods successfully.

+
+
+
Procedure
+
    +
  1. +

    When the OpenShift Container Platform cluster nodes are installed appropriately, the following Ready state is seen within the STATUS column:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                   STATUS   ROLES           AGE  VERSION
    +master-0.example.com   Ready    master,worker   4h   v1.16.2
    +master-1.example.com   Ready    master,worker   4h   v1.16.2
    +master-2.example.com   Ready    master,worker   4h   v1.16.2
    +
    +
    +
  2. +
  3. +

    Confirm the installer deployed all pods successfully. The following command +removes any pods that are still running or have completed as part of the output.

    +
    +
    +
    $ oc get pods --all-namespaces | grep -iv running | grep -iv complete
    +
    +
    +
  4. +
+
+
+
+
+ + + \ No newline at end of file diff --git a/4.4/Troubleshooting.pdf b/4.4/Troubleshooting.pdf new file mode 100644 index 0000000000..b51b8d52d8 Binary files /dev/null and b/4.4/Troubleshooting.pdf differ diff --git a/4.5/Deployment.html b/4.5/Deployment.html new file mode 100644 index 0000000000..4f2e6a684a --- /dev/null +++ b/4.5/Deployment.html @@ -0,0 +1,4933 @@ + + + + + + + + + + +Deploying Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal - 4.5 + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+
+
+

1. Overview

+
+
+

Installer-provisioned installation provides support for installing OpenShift Container Platform on bare metal nodes. This guide provides a methodology to achieving a successful installation.

+
+
+

During installer-provisioned installation on bare metal, the installer on the bare metal node labeled as provisioner creates a bootstrap virtual machine (VM). The role of the bootstrap VM is to assist in the process of deploying an OpenShift Container Platform cluster. The bootstrap VM connects to the baremetal network and to the provisioning network, if present, via the network bridges.

+
+
+
+Deployment phase one +
+
+
+

When the installation of OpenShift control plane nodes is complete and fully operational, the installer destroys the bootstrap VM automatically and moves the virtual IP addresses (VIPs) to +the appropriate nodes. The API VIP moves to the control plane nodes and the Ingress VIP moves to the worker nodes.

+
+
+

The API VIPs move into the control plane nodes and the Ingress VIP services applications that reside within the worker nodes.

+
+
+
+Deployment phase two +
+
+
+
+
+

2. Prerequisites

+
+ +
+

Installer-provisioned installation of OpenShift Container Platform requires:

+
+
+
    +
  1. +

    One provisioner node with Red Hat Enterprise Linux (RHEL) 8.x installed.

    +
  2. +
  3. +

    Three control plane nodes.

    +
  4. +
  5. +

    Baseboard Management Controller (BMC) access to each node.

    +
  6. +
  7. +

    At least two networks:

    +
    +
      +
    1. +

      One required routable network

      +
    2. +
    3. +

      One required network for provisioning nodes; and,

      +
    4. +
    5. +

      One optional management network.

      +
    6. +
    +
    +
  8. +
+
+
+

Before starting an installer-provisioned installation of OpenShift Container Platform, ensure the hardware environment meets the following requirements.

+
+
+

2.1. Node requirements

+
+

Installer-provisioned installation involves a number of hardware node requirements:

+
+
+
    +
  • +

    CPU architecture: All nodes must use x86_64 CPU architecture.

    +
  • +
  • +

    Similar nodes: Red Hat recommends nodes have an identical configuration per role. That is, Red Hat recommends nodes be the same brand and model with the same CPU, memory and storage configuration.

    +
  • +
  • +

    Baseboard Management Controller: The provisioner node must be able to access the baseboard management controller (BMC) of each OpenShift Container Platform cluster node. You may use IPMI, Redfish, or a proprietary protocol.

    +
  • +
  • +

    Latest generation: Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, RHEL 8 ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support RHEL 8 for the provisioner node and RHCOS 8 for the control plane and worker nodes.

    +
  • +
  • +

    Registry node: (Optional) If setting up a disconnected mirrored registry, it is recommended the registry reside in its own node.

    +
  • +
  • +

    Provisioner node: Installer-provisioned installation requires one provisioner node.

    +
  • +
  • +

    Control plane: Installer-provisioned installation requires three control plane nodes for high availability.

    +
  • +
  • +

    Worker nodes: While not required, a typical production cluster has one or more worker nodes. Smaller clusters are more resource efficient for administrators and developers during development, production, and testing.

    +
  • +
  • +

    Network interfaces: Each node must have at least one 10GB network interface for the routable baremetal network. Each node must have one 10GB network interface for a provisioning network when using the provisioning network for deployment. Using the provisioning network is the default configuration. Network interface names must follow the same naming convention across all nodes. For example, the first NIC name on a node, such as eth0 or eno1, must be the same name on all of the other nodes. The same principle applies to the remaining NICs on each node.

    +
  • +
  • +

    Unified Extensible Firmware Interface (UEFI): Installer-provisioned installation requires UEFI boot on all OpenShift Container Platform nodes when using IPv6 addressing on the provisioning network. In addition, UEFI Device PXE Settings must be set to use the IPv6 protocol on the provisioning network NIC, but omitting the provisioning network removes this requirement.

    +
  • +
+
+
+
+

2.2. Network requirements

+
+

Installer-provisioned installation of OpenShift Container Platform involves several network requirements by default. First, installer-provisioned installation involves a non-routable provisioning network for provisioning the operating system on each bare metal node and a routable baremetal network. Since installer-provisioned installation deploys ironic-dnsmasq, the networks should have no other DHCP servers running on the same broadcast domain. Network administrators must reserve IP addresses for each node in the OpenShift Container Platform cluster.

+
+
+
Network Time Protocol (NTP)
+

Each OpenShift Container Platform node in the cluster must have access to an NTP server. OpenShift Container Platform nodes use NTP to synchronize their clocks. For example, cluster nodes use SSL certificates that require validation, which might fail if the date and time between the nodes are not in sync.

+
+
+ + + + + +
+ + +
+

Define a consistent clock date and time format in each cluster node’s BIOS settings, or installation might fail.

+
+
+
+
+
Configuring NICs
+

OpenShift Container Platform deploys with two networks:

+
+
+
    +
  • +

    provisioning: The provisioning network is an optional non-routable network used for provisioning the underlying operating system on each node that is a part of the OpenShift Container Platform cluster. The network interface for the provisioning network on each cluster node must have the BIOS or UEFI configured to PXE boot. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the first NIC on each node, such as eth0 or eno1, must interface with the provisioning network. In OpenShift Container Platform 4.4 and later releases, you can specify the provisioning network NIC with the provisioningNetworkInterface configuration setting.

    +
  • +
  • +

    baremetal: The baremetal network is a routable network. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the second NIC on each node, such as eth1 or eno2, must interface with the baremetal network. In OpenShift Container Platform 4.4 and later releases, you can use any NIC order to interface with the baremetal network, provided it is the same NIC order across worker and control plane nodes and not the NIC specified in the provisioningNetworkInterface configuration setting for the provisioning network.

    +
  • +
+
+
+ + + + + +
+ + +
+

Use a compatible approach such that cluster nodes use the same NIC ordering on all cluster nodes. NICs must have heterogeneous hardware with the same NIC naming convention such as eth0 or eno1.

+
+
+
+
+ + + + + +
+ + +
+

When using a VLAN, each NIC must be on a separate VLAN corresponding to the appropriate network.

+
+
+
+
+
Configuring the DNS server
+

Clients access the OpenShift Container Platform cluster nodes over the baremetal network. A network administrator must configure a subdomain or subzone where the canonical name extension is the cluster name.

+
+
+
+
<cluster-name>.<domain-name>
+
+
+
+

For example:

+
+
+
+
test-cluster.example.com
+
+
+
+

For assistance in configuring the DNS server, check Appendix section for:

+
+ +
+
Reserving IP addresses for nodes with the DHCP server
+

For the baremetal network, a network administrator must reserve a number of IP addresses, including:

+
+
+
    +
  1. +

    Three virtual IP addresses

    +
    +
      +
    • +

      One IP address for the API endpoint

      +
    • +
    • +

      One IP address for the wildcard ingress endpoint

      +
    • +
    • +

      One IP address for the name server

      +
    • +
    +
    +
  2. +
  3. +

    One IP address for the provisioner node.

    +
  4. +
  5. +

    One IP address for each control plane (master) node.

    +
  6. +
  7. +

    One IP address for each worker node, if applicable.

    +
  8. +
+
+
+

The following table provides an exemplary embodiment of fully qualified domain names. The API and Nameserver addresses begin with canonical name extensions. The host names of the control plane and worker nodes are exemplary, so you can use any host naming convention you prefer.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
UsageHost NameIP

API

api.<cluster-name>.<domain>

<ip>

Ingress LB (apps)

*.apps.<cluster-name>.<domain>

<ip>

Nameserver

ns1.<cluster-name>.<domain>

<ip>

Provisioner node

provisioner.<cluster-name>.<domain>

<ip>

Master-0

openshift-master-0.<cluster-name>.<domain>

<ip>

Master-1

openshift-master-1.<cluster-name>-.<domain>

<ip>

Master-2

openshift-master-2.<cluster-name>.<domain>

<ip>

Worker-0

openshift-worker-0.<cluster-name>.<domain>

<ip>

Worker-1

openshift-worker-1.<cluster-name>.<domain>

<ip>

Worker-n

openshift-worker-n.<cluster-name>.<domain>

<ip>

+
+

For assistance in configuring the DHCP server, check Appendix section for:

+
+ +

IPv6 considerations

+
+
SLAAC Addressing
+

If you do not plan to use SLAAC [1] addresses on your OpenShift Container Platform node, then it should be disabled for baremetal networks, that means that if your network equipment is configured to send SLAAC addresses when replying to Route Advertisements that behavior should be changed, so it only sends the route and not the SLAAC address.

+
+
+

Install ndptool on your system in order to check what your RAs look like:

+
+
+
+
# Turn down/up baremetal iface on a master Node
+$ sudo nmcli con down "Wired connection 5" && sudo nmcli con up "Wired connection 5"
+Connection 'Wired connection 5' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1983)
+Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2044)
+
+# ndptool monitor on Helper node
+$ sudo ndptool monitor -t ra
+NDP payload len 80, from addr: fe80::c0a4:6464:bcb3:d657, iface: baremetal.153
+  Type: RA
+  Hop limit: 64
+  Managed address configuration: yes
+  Other configuration: no
+  Default router preference: medium
+  Router lifetime: 0s
+  Reachable time: unspecified
+  Retransmit time: unspecified
+  Source linkaddr: 1c:40:24:1b:0c:34
+  Prefix: 2620:52:0:1303::/64, valid_time: 86400s, preferred_time: 14400s, on_link: yes, autonomous_addr_conf: no, router_addr: no
+  Route: ::/0, lifetime: 0s, preference: low
+
+
+
+

The ndptool monitor should report Managed address configuration: yes.

+
+
+
Network Ranges and Configurations
+

Different baremetal and provisioning networks are required for each environment; each environment will have a different IPv6 range for each one of those networks.

+
+
+

In our configuration we used subinterfaces attached to two different physical interfaces, VLAN tagging was done at O.S. level (this required switch ports configured with trunk mode).

+
+
+

Our different IPv6 networks were all routable but usually, the only routable networks are the baremetal ones.

+
+
+

Keep in mind that provisioning networks cannot be in the same broadcast domain, since services such as DHCP are running.

+
+
+ + + + + +
+ + +
Route Advertisement
+
+

Route Advertisement must be enabled for both networks baremetal and provisioning.

+
+
+
+
+
Route Advertisements
+

As mentioned previously, both the baremetal and the provisioning networks must have Route Advertisement enabled. For the baremetal network, the radvd daemon was used, while the provisioning network has RA enabled in the Metal³ dnsmasq, so no configuration is needed.

+
+
+
+

2.3. Configuring nodes

+
+
Configuring nodes when using the provisioning network
+

Each node in the cluster requires the following configuration for proper installation.

+
+
+ + + + + +
+ + +
+

A mismatch between nodes will cause an installation failure.

+
+
+
+
+

While the cluster nodes can contain more than two NICs, the installation process only focuses on the first two NICs:

+
+ +++++ + + + + + + + + + + + + + + + + + +

NIC

Network

VLAN

NIC1

provisioning

<provisioning-vlan>

NIC2

baremetal

<baremetal-vlan>

+
+

NIC1 is a non-routable network (provisioning) that is only used for the installation of the OpenShift Container Platform cluster.

+
+
+

The Red Hat Enterprise Linux (RHEL) 8.x installation process on the provisioner node might vary. To install Red Hat Enterprise Linux (RHEL) 8.x using a local Satellite server or a PXE server, PXE-enable NIC2.

+
+ ++++ + + + + + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled provisioning network

1

NIC2 baremetal network. PXE-enabled is optional.

2

+
+ + + + + +
+ + +
+

Ensure PXE is disabled on all other NICs.

+
+
+
+
+

Configure the control plane and worker nodes as follows:

+
+ ++++ + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled (provisioning network)

1

+
+
Configuring nodes without the provisioning network
+

The installation process requires one NIC:

+
+ +++++ + + + + + + + + + + + + +

NIC

Network

VLAN

NICx

baremetal

<baremetal-vlan>

+
+

NICx is a routable network (baremetal) that is used for the installation of the OpenShift Container Platform cluster, and routable to the internet.

+
+
+
+

2.4. Out-of-band management

+
+

Nodes will typically have an additional NIC used by the Baseboard Management Controllers (BMCs). These BMCs must be accessible from the provisioner node.

+
+
+

Each node must be accessible via out-of-band management. When using an out-of-band management network, the provisioner node requires access to the out-of-band management network for a successful OpenShift Container Platform 4 installation.

+
+
+

The out-of-band management setup is out of scope for this document. We recommend setting up a separate management network for out-of-band management. However, using the provisioning network or the baremetal network are valid options.

+
+
+
+

2.5. Required data for installation

+
+

Prior to the installation of the OpenShift Container Platform cluster, gather the following information from all cluster nodes:

+
+
+
    +
  • +

    Out-of-band management IP

    +
    +
      +
    • +

      Examples

      +
      +
        +
      • +

        Dell (iDRAC) IP

        +
      • +
      • +

        HP (iLO) IP

        +
      • +
      +
      +
    • +
    +
    +
  • +
  • +

    NIC1 (provisioning) MAC address

    +
  • +
  • +

    NIC2 (baremetal) MAC address

    +
  • +
  • +

    NICx (baremetal) MAC address

    +
  • +
+
+
+
+

2.6. Validation checklist for nodes

+
+
When using the provisioning network
+
    +
  • +

    NIC1 VLAN is configured for the provisioning network.

    +
  • +
  • +

    NIC2 VLAN is configured for the baremetal network.

    +
  • +
  • +

    NIC1 is PXE-enabled on the provisioner, Control Plane (master), and worker nodes.

    +
  • +
  • +

    PXE has been disabled on all other NICs.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    NICx VLAN is configured for the baremetal network.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
Summary
+

After an environment has been prepared according to the documented prerequisites, the installation process is the same as other installer-provisioned platforms.

+
+
+
+
+
+

3. Setting up the environment for an OpenShift installation

+
+ +
+

3.1. Installing RHEL on the provisioner node

+
+

With the networking configuration complete, the next step is to install RHEL 8.X on the provisioner node. The installer uses the provisioner node as the orchestrator while installing the OpenShift Container Platform cluster. For the purposes of this document, installing RHEL on the provisioner node is out of scope. However, options include but are not limited to using a RHEL Satellite server, PXE, or installation media.

+
+
+
+

3.2. Preparing the provisioner node for OpenShift Container Platform installation

+
+

Perform the following steps to prepare the environment.

+
+
+
Procedure
+
    +
  1. +

    Log in to the provisioner node via ssh.

    +
  2. +
  3. +

    Create a non-root user (kni) and provide that user with sudo privileges.

    +
    +
    +
    [root@provisioner ~]# useradd kni
    +[root@provisioner ~]# passwd kni
    +[root@provisioner ~]# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    +[root@provisioner ~]# chmod 0440 /etc/sudoers.d/kni
    +
    +
    +
  4. +
  5. +

    Create an ssh key for the new user.

    +
    +
    +
    [root@provisioner ~]# su - kni -c "ssh-keygen -t rsa -f /home/kni/.ssh/id_rsa -N ''"
    +
    +
    +
  6. +
  7. +

    Log in as the new user on the provisioner node.

    +
    +
    +
    [root@provisioner ~]# su - kni
    +[kni@provisioner ~]$
    +
    +
    +
  8. +
  9. +

    Use Red Hat Subscription Manager to register the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ sudo subscription-manager register --username=<user> --password=<pass> --auto-attach
    +[kni@provisioner ~]$ sudo subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms --enable=rhel-8-for-x86_64-baseos-rpms
    +
    +
    +
    + + + + + +
    + + +
    +

    For more information about Red Hat Subscription Manager, see Using and Configuring Red Hat Subscription Manager.

    +
    +
    +
    +
  10. +
  11. +

    Install the following packages.

    +
    +
    +
    [kni@provisioner ~]$ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitool
    +
    +
    +
  12. +
  13. +

    Modify the user to add the libvirt group to the newly created user.

    +
    +
    +
    [kni@provisioner ~]$ sudo usermod --append --groups libvirt <user>
    +
    +
    +
  14. +
  15. +

    Restart firewalld and enable the http service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start firewalld
    +[kni@provisioner ~]$ sudo firewall-cmd --zone=public --add-service=http --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --reload
    +
    +
    +
  16. +
  17. +

    Start and enable the libvirtd service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start libvirtd
    +[kni@provisioner ~]$ sudo systemctl enable libvirtd --now
    +
    +
    +
  18. +
  19. +

    Create the default storage pool and start it.

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images
    +[kni@provisioner ~]$ sudo virsh pool-start default
    +[kni@provisioner ~]$ sudo virsh pool-autostart default
    +
    +
    +
  20. +
  21. +

    Configure networking.

    +
    + + + + + +
    + + +
    +

    This step can also be run from the web console.

    +
    +
    +
    +
    +
    Provisioning Network (IPv4 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv4.addresses 172.22.0.1/24 ipv4.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv4 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    +
    Provisioning Network (IPv6 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv6.addresses fd00:1101::1/64 ipv6.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv6 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    Ensure that UEFI is enabled and UEFI PXE settings are set to the IPv6 protocol when using IPv6 addressing.

    +
    +
    +
    +
  22. +
  23. +

    ssh back into the provisioner node (if required).

    +
    +
    +
    # ssh kni@provisioner.<cluster-name>.<domain>
    +
    +
    +
  24. +
  25. +

    Verify the connection bridges have been properly created.

    +
    +
    +
    [kni@provisioner ~]$ nmcli con show
    +
    +
    +
    +
    +
    NAME               UUID                                  TYPE      DEVICE
    +baremetal          4d5133a5-8351-4bb9-bfd4-3af264801530  bridge    baremetal
    +provisioning       43942805-017f-4d7d-a2c2-7cb3324482ed  bridge    provisioning
    +virbr0             d9bca40f-eee1-410b-8879-a2d4bb0465e7  bridge    virbr0
    +bridge-slave-eno1  76a8ed50-c7e5-4999-b4f6-6d9014dd0812  ethernet  eno1
    +bridge-slave-eno2  f31c3353-54b7-48de-893a-02d2b34c4736  ethernet  eno2
    +
    +
    +
  26. +
  27. +

    Create a pull-secret.txt file.

    +
    +
    +
    [kni@provisioner ~]$ vim pull-secret.txt
    +
    +
    +
    +

    In a web browser, navigate to Install on Bare Metal with user-provisioned infrastructure, and scroll down to the Downloads section. Click Copy pull secret. Paste the contents into the pull-secret.txt file and save the contents in the kni user’s home directory.

    +
    +
  28. +
+
+
+
+

3.3. Retrieving the OpenShift Container Platform installer (GA Release)

+
+

Use the latest-4.x version of the installer to deploy the latest generally +available version of OpenShift Container Platform:

+
+
+
+
[kni@provisioner ~]$ export VERSION=latest-4.5
+export RELEASE_IMAGE=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')
+
+
+
+
+

3.4. Extracting the OpenShift Container Platform installer (GA Release)

+
+

After retrieving the installer, the next step is to extract it.

+
+
+
Procedure
+
    +
  1. +

    Set the environment variables:

    +
    +
    +
    [kni@provisioner ~]$ export cmd=openshift-baremetal-install
    +[kni@provisioner ~]$ export pullsecret_file=~/pull-secret.txt
    +[kni@provisioner ~]$ export extract_dir=$(pwd)
    +
    +
    +
  2. +
  3. +

    Get the oc binary:

    +
    +
    +
    [kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux.tar.gz | tar zxvf - oc
    +
    +
    +
  4. +
  5. +

    Extract the installer:

    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +[kni@provisioner ~]$ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${RELEASE_IMAGE}
    +[kni@provisioner ~]$ sudo cp openshift-baremetal-install /usr/local/bin
    +
    +
    +
  6. +
+
+
+
+

3.5. Creating an RHCOS images cache (optional)

+
+

To employ image caching, you must download two images: the Red Hat Enterprise Linux CoreOS (RHCOS) image used by the bootstrap VM and the RHCOS image used by the installer to provision the different nodes. Image caching is optional, but especially useful when running the installer on a network with limited bandwidth.

+
+
+

If you are running the installer on a network with limited bandwidth and the RHCOS images download takes more than 15 to 20 minutes, the installer will timeout. Caching images on a web server will help in such scenarios.

+
+
+

Use the following steps to install a container that contains the images.

+
+
+
    +
  1. +

    Install podman.

    +
    +
    +
    $ sudo dnf install -y podman
    +
    +
    +
  2. +
  3. +

    Open firewall port 8080 to be used for RHCOS image caching.

    +
    +
    +
    $ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent
    +$ sudo firewall-cmd --reload
    +
    +
    +
  4. +
  5. +

    Create a directory to store the bootstraposimage and clusterosimage.

    +
    +
    +
    $ mkdir /home/kni/rhcos_image_cache
    +
    +
    +
  6. +
  7. +

    Set the appropriate SELinux context for the newly created directory.

    +
    +
    +
    $ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"
    +$ sudo restorecon -Rv rhcos_image_cache/
    +
    +
    +
  8. +
  9. +

    Get the commit ID from the installer. The ID determines which images the installer needs to download.

    +
    +
    +
    $ export COMMIT_ID=$(/usr/local/bin/openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
    +
    +
    +
  10. +
  11. +

    Get the URI for the RHCOS image that the installer will deploy on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.openstack.path | sed 's/"//g')
    +
    +
    +
  12. +
  13. +

    Get the URI for the RHCOS image that the installer will deploy on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.qemu.path | sed 's/"//g')
    +
    +
    +
  14. +
  15. +

    Get the path where the images are published.

    +
    +
    +
    $ export RHCOS_PATH=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .baseURI | sed 's/"//g')
    +
    +
    +
  16. +
  17. +

    Get the SHA hash for the RHCOS image that will be deployed on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_SHA_UNCOMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.qemu["uncompressed-sha256"]')
    +
    +
    +
  18. +
  19. +

    Get the SHA hash for the RHCOS image that will be deployed on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_SHA_COMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.openstack.sha256')
    +
    +
    +
  20. +
  21. +

    Download the images and place them in the /home/kni/rhcos_image_cache directory.

    +
    +
    +
    $ curl -L ${RHCOS_PATH}${RHCOS_QEMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI}
    +$ curl -L ${RHCOS_PATH}${RHCOS_OPENSTACK_URI} -o /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI}
    +
    +
    +
  22. +
  23. +

    Confirm SELinux type is of httpd_sys_content_t for the newly created files.

    +
    +
    +
    $ ls -Z /home/kni/rhcos_image_cache
    +
    +
    +
  24. +
  25. +

    Create the pod.

    +
    +
    +
    $ podman run -d --name rhcos_image_cache \
    +-v /home/kni/rhcos_image_cache:/var/www/html \
    +-p 8080:8080/tcp \
    +quay.io/centos7/httpd-24-centos7:latest
    +
    +
    +
  26. +
  27. +

    Generate the bootstrapOSImage and clusterOSImage configuration.

    +
    +
    +
    $ export BAREMETAL_IP=$(ip addr show dev baremetal | awk '/inet /{print $2}' | cut -d"/" -f1)
    +$ export RHCOS_OPENSTACK_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI} | sha256sum | awk '{print $1}')
    +$ export RHCOS_QEMU_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI} | sha256sum | awk '{print $1}')
    +$ export CLUSTER_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_OPENSTACK_URI}?sha256=${RHCOS_OPENSTACK_SHA256}"
    +$ export BOOTSTRAP_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_QEMU_URI}?sha256=${RHCOS_QEMU_SHA256}"
    +$ echo "${RHCOS_OPENSTACK_SHA256}  ${RHCOS_OPENSTACK_URI}" > /home/kni/rhcos_image_cache/rhcos-ootpa-latest.qcow2.md5sum
    +$ echo "    bootstrapOSImage=${BOOTSTRAP_OS_IMAGE}"
    +$ echo "    clusterOSImage=${CLUSTER_OS_IMAGE}"
    +
    +
    +
  28. +
  29. +

    Add the required configuration to the install-config.yaml file under platform.baremetal.

    +
    +
    +
    platform:
    +  baremetal:
    +    bootstrapOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_QEMU_URI>?sha256=<RHCOS_QEMU_SHA256>
    +    clusterOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_OPENSTACK_URI>?sha256=<RHCOS_OPENSTACK_SHA256>
    +
    +
    +
    +

    See the Configuring the install-config.yaml file section for additional details.

    +
    +
  30. +
+
+
+
+

3.6. Configuration files

+
+

3.6.1. Configuring the install-config.yaml file

+
+

The install-config.yaml file requires some additional details. +Most of the information is teaching the installer and the resulting cluster enough about the available hardware so that it is able to fully manage it.

+
+
+
    +
  1. +

    Configure install-config.yaml. Change the appropriate variables to match the environment, including pullSecret and sshKey.

    +
    +
    +
    apiVersion: v1
    +basedomain: <domain>
    +metadata:
    +  name: <cluster-name>
    +networking:
    +  machineCIDR: <public-cidr>
    +  networkType: OVNKubernetes
    +compute:
    +- name: worker
    +  replicas: 2 (1)
    +controlPlane:
    +  name: master
    +  replicas: 3
    +  platform:
    +    baremetal: {}
    +platform:
    +  baremetal:
    +    apiVIP: <api-ip>
    +    ingressVIP: <wildcard-ip>
    +    provisioningNetworkInterface: <NIC1>
    +    provisioningNetworkCIDR: <CIDR>
    +    hosts:
    +      - name: openshift-master-0
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip> (2)
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-1
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-2
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-worker-0
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +      - name: openshift-worker-1
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +pullSecret: '<pull_secret>'
    +sshKey: '<ssh_pub_key>'
    +
    +
    +
    + + + + + + + + + +
    1Scale the worker machines based on the number of worker nodes that are part of the OpenShift Container Platform cluster.
    2Refer to the BMC addressing for more options
    +
    +
  2. +
  3. +

    Create a directory to store cluster configs.

    +
    +
    +
    [kni@provisioner ~]$ mkdir ~/clusterconfigs
    +[kni@provisioner ~]$ cp install-config.yaml ~/clusterconfigs
    +
    +
    +
  4. +
  5. +

    Ensure all bare metal nodes are powered off prior to installing the OpenShift Container Platform cluster.

    +
    +
    +
    [kni@provisioner ~]$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  6. +
  7. +

    Remove old bootstrap resources if any are left over from a previous deployment attempt.

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool default;
    +  sudo virsh vol-delete $i.ign --pool default;
    +done
    +
    +
    +
  8. +
+
+
+
+

3.6.2. Setting proxy settings within the install-config.yaml file (optional)

+
+

To deploy an OpenShift Container Platform cluster using a proxy, make the following changes to the install-config.yaml file.

+
+
+
+
apiVersion: v1
+baseDomain: <domain>
+proxy:
+  httpProxy: http://USERNAME:PASSWORD@proxy.example.com:PORT
+  httpsProxy: https://USERNAME:PASSWORD@proxy.example.com:PORT
+  noProxy: <WILDCARD_OF_DOMAIN>,<PROVISIONING_NETWORK/CIDR>,<BMC_ADDRESS_RANGE/CIDR>
+
+
+
+

See below for an example of noProxy with values.

+
+
+
+
noProxy: .example.com,172.22.0.0/24,10.10.0.0/24
+
+
+
+

With a proxy enabled, set the appropriate values of the proxy in the corresponding key/value pair.

+
+
+

Key considerations:

+
+
+
    +
  • +

    If the proxy does not have an HTTPS proxy, change the value of httpsProxy from https:// to http://.

    +
  • +
  • +

    If using a provisioning network, include it in the noProxy setting, otherwise the installer will fail.

    +
  • +
  • +

    Set all of the proxy settings as environment variables within the provisioner node. For example, HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

    +
  • +
+
+
+
+

3.6.3. Modifying the install-config.yaml file for no provisioning network (optional)

+
+

To deploy an OpenShift Container Platform cluster without a provisioning network, make the following changes to the install-config.yaml file.

+
+
+
+

3.6.4. Additional install-config parameters

+
+

See the following tables for the required parameters, the hosts parameter, +and the bmc parameter for the install-config.yaml file.

+
+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1. Required parameters
ParametersDefaultDescription

baseDomain

The domain name for the cluster. For example, example.com.

bootMode

legacy

The boot mode for a node. Options are legacy, UEFI and UEFISecureBoot.

sshKey

The sshKey configuration setting contains the key in the ~/.ssh/id_rsa.pub file required to access the control plane nodes and worker nodes. Typically, this key is from the provisioner node.

pullSecret

The pullSecret configuration setting contains a copy of the pull secret downloaded from the Install OpenShift on Bare Metal page when preparing the provisioner node.

+
+
metadata:
+    name:
+
+

The name to be given to the OpenShift Container Platform cluster. For example, openshift.

+
+
networking:
+    machineCIDR:
+
+

The public CIDR (Classless Inter-Domain Routing) of the external network. For example, 10.0.0.0/24 +or 2620:52:0:1302::/64 +.

+
+
compute:
+  - name: worker
+
+

The OpenShift Container Platform cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes.

+
+
compute:
+    replicas: 2
+
+

Replicas sets the number of worker (or compute) nodes in the OpenShift Container Platform cluster.

+
+
controlPlane:
+    name: master
+
+

The OpenShift Container Platform cluster requires a name for control plane (master) nodes.

+
+
controlPlane:
+    replicas: 3
+
+

Replicas sets the number of control plane (master) nodes included as part of the OpenShift Container Platform cluster.

+

provisioningNetworkInterface

+

The name of the network interface on control plane nodes connected to the +provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

apiVIP

api.<clustername.clusterdomain>

The VIP to use for internal API communication.

+

This setting must either be provided or pre-configured in the DNS so that the +default name resolves correctly.

disableCertificateVerification

False

redfish and redfish-virtualmedia need this parameter to manage BMC addresses. The value should be True when using a self-signed certificate for BMC addresses.

ingressVIP

test.apps.<clustername.clusterdomain>

The VIP to use for ingress traffic.

+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2. Optional Parameters
ParametersDefaultDescription

provisioningDHCPExternal

false

Defines if the installer uses an external DHCP or the provisioner node DHCP.

provisioningDHCPRange

172.22.0.10,172.22.0.100

Defines the IP range for nodes on the provisioning network.

+

provisioningNetworkCIDR

+

172.22.0.0/24

The CIDR for the network to use for provisioning. This option is required when not using the default address range on the provisioning network.

clusterProvisioningIP

The third IP address of the provisioningNetworkCIDR.

The IP address within the cluster where the provisioning services run. Defaults to the third IP address of the provisioning subnet. For example, 172.22.0.3.

bootstrapProvisioningIP

The second IP address of the provisioningNetworkCIDR.

The IP address on the bootstrap VM where the provisioning services run while the installer is deploying the control plane (master) nodes. Defaults to the second IP address of the provisioning subnet. For example, 172.22.0.2 +or 2620:52:0:1307::2 +.

externalBridge

baremetal

The name of the baremetal bridge of the hypervisor attached to the baremetal network.

provisioningBridge

provisioning

The name of the provisioning bridge on the provisioner host attached to the provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

bootstrapOSImage

A URL to override the default operating system image for the bootstrap node. The URL must contain a SHA-256 hash of the image. For example: +https://mirror.openshift.com/rhcos-<version>-qemu.qcow2.gz?sha256=<uncompressed_sha256>; + or http://[2620:52:0:1307::1]/rhcos-<version>-qemu.x86_64.qcow2.gz?sha256=<uncompressed_sha256> +.

clusterOSImage

A URL to override the default operating system for cluster nodes. The URL must include a SHA-256 hash of the image. For example, https://mirror.openshift.com/images/rhcos-<version>-openstack.qcow2.gz?sha256=<compressed_sha256>;.

provisioningNetwork

Set this parameter to Disabled to disable the requirement for a provisioning network. User may only do virtual media based provisioning, or bring up the cluster using assisted installation. If using power management, BMC’s must be accessible from the machine networks. User must provide two IP addresses on the external network that are used for the provisioning services.

httpProxy

Set this parameter to the appropriate HTTP proxy used within your environment.

httpsProxy

Set this parameter to the appropriate HTTPS proxy used within your environment.

noProxy

Set this parameter to the appropriate list of exclusions for proxy usage within your environment.

+
+
Hosts
+

The hosts parameter is a list of separate bare metal assets used to build the cluster.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Name

Default

Description

name

The name of the BareMetalHost resource to associate with the details. For example, openshift-master-0.

role

The role of the bare metal node. Either master or worker.

bmc

Connection details for the baseboard management controller. See the BMC addressing section for additional details.

bootMACAddress

The MAC address of the NIC the host will use to boot on the provisioning network.

hardwareProfile

default

This parameter exposes the device name that the installer attempts to deploy the OpenShift Container Platform cluster for the control plane and worker nodes. The value defaults to default for control plane nodes and unknown for worker nodes. The list of profiles includes: default, libvirt, dell, dell-raid, and openstack. The default parameter attempts to install on /dev/sda of the OpenShift Container Platform cluster nodes.

+
+
+

3.6.5. BMC addressing

+
+

Most vendors support BMC addressing with the Intelligent Platform Management Interface or IPMI. IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center or SDDC. Redfish is human readable and machine capable, and leverages common Internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.

+
+
+
IPMI
+

Hosts using IPMI use the ipmi://<out-of-band-ip>:<port> address format, which defaults to port 623 if not specified. The following example demonstrates an IPMI configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: ipmi://<out-of-band-ip>
+          username: <user>
+          password: <password>
+
+
+
+
Redfish network boot
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
BMC addressing for Dell iDRAC
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For Dell hardware, Red Hat supports integrated Dell Remote Access Controller (iDRAC) virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 3. BMC address formats for Dell iDRAC
ProtocolAddress Format

iDRAC virtual media

idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

IPMI

ipmi://<out-of-band-ip>

+
+ + + + + +
+ + +
+

Use idrac-virtualmedia as the protocol for Redfish virtual media. redfish-virtualmedia will not work on Dell hardware. Dell’s idrac-virtualmedia uses the Redfish standard with Dell’s OEM extensions.

+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for Dell iDRAC
+

For Redfish virtual media on Dell servers, use idrac-virtualmedia:// in the address setting. Using redfish-virtualmedia:// will not work.

+
+
+

The following example demonstrates using iDRAC virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

Use idrac-virtualmedia:// as the protocol for Redfish virtual media. Using redfish-virtualmedia:// will not work on Dell hardware, because the idrac-virtualmedia:// protocol corresponds to the idrac hardware type and the Redfish protocol in Ironic. Dell’s idrac-virtualmedia:// protocol uses the Redfish standard with Dell’s OEM extensions. Ironic also supports the idrac type with the WSMAN protocol. Therefore, you must specify idrac-virtualmedia:// to avoid unexpected behavior when electing to use Redfish with virtual media on Dell hardware.

+
+
+
+
+
Redfish network boot for iDRAC
+

To enable Redfish, use redfish:// or redfish+http:// to disable transport layer security (TLS). The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell hardware with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

The redfish:// URL protocol corresponds to the redfish hardware type in Ironic.

+
+
+
+
+
+
BMC addressing for HPE iLO
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For HPE integrated Lights Out (iLO), Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 4. BMC address formats for HPE iLO
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/1

IPMI

ipmi://<out-of-band-ip>

+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for HPE iLO
+

To enable Redfish virtual media for HPE servers, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Redfish virtual media is not supported on 9th generation systems running iLO4, because Ironic does not support iLO4 with virtual media.

+
+
+
+
+
Redfish network boot for HPE iLO
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
BMC addressing for KVM with sushy-tools Redfish emulator
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For KVM working with sushy-tools Redfish emulator, Red Hat supports Redfish virtual media and Redfish network boot.

+
+ + ++++ + + + + + + + + + + + + + + + + +
Table 5. BMC address formats for KVM with sushy-tools Redfish emulator
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

Redfish network boot

redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

+
+ + + + + +
+ + +
+

The sushy-tools Redfish emulator runs from the KVM hypervisor and a single instance acts as the virtual BMC for all the guest machines. This means both the out of band IP address and port, will be same and each individual machine must be identified by its System ID.

+
+
+

You may retrieve the System ID of your guest machines with the following command:

+
+
+
+
---
+$ virsh list --all --name --uuid
+d8ac6bf8-3062-4954-84c3-e097faa17025 compute-0
+84971a71-3935-4a92-8d90-a9f8440dac09 compute-1
+92430f42-8805-4412-959a-2a7252c7c540 compute-2
+0fea5296-db95-41d7-9295-f57cfa50255f control-plane-0
+4986e405-fd3a-483d-9210-8cb120b98f80 control-plane-1
+26bf228c-44fd-4c49-9e6f-44f4b5968b34 control-plane-2
+---
+
+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for KVM with sushy-tools Redfish emulator
+

To enable Redfish virtual media for KVM environments running the sushy-tools Redfish emulator, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
Redfish network boot for KVM with sushy-tools Redfish emulator
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires the host name or the IP address, the Redfish emulator listening port and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
+

3.6.6. Root device hints

+
+

The rootDeviceHints parameter enables the installer to provision the Red Hat Enterprise Linux CoreOS (RHCOS) image to a particular device. The installer examines the devices in the order it discovers them, and compares the discovered values with the hint values. The installer uses the first discovered device that matches the hint value. The configuration can combine multiple hints, but a device must match all hints for the installer to select it.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 6. Subfields
SubfieldDescription

deviceName

A string containing a Linux device name like /dev/vda. The hint must match the actual value exactly.

hctl

A string containing a SCSI bus address like 0:0:0:0. The hint must match the actual value exactly.

model

A string containing a vendor-specific device identifier. The hint can be a substring of the actual value.

vendor

A string containing the name of the vendor or manufacturer of the device. The hint can be a sub-string of the actual value.

serialNumber

A string containing the device serial number. The hint must match the actual value exactly.

minSizeGigabytes

An integer representing the minimum size of the device in gigabytes.

wwn

A string containing the unique storage identifier. The hint must match the actual value exactly.

wwnWithExtension

A string containing the unique storage identifier with the vendor extension appended. The hint must match the actual value exactly.

wwnVendorExtension

A string containing the unique vendor storage identifier. The hint must match the actual value exactly.

rotational

A Boolean indicating whether the device should be a rotating disk (true) or not (false).

+
+
Example usage
+
+
     - name: master-0
+       role: master
+       bmc:
+         address: ipmi://10.10.0.3:6203
+         username: admin
+         password: redhat
+       bootMACAddress: de:ad:be:ef:00:40
+       rootDeviceHints:
+         deviceName: "/dev/sda"
+
+
+
+
+

3.6.7. Creating the OpenShift Container Platform manifests

+
+
    +
  1. +

    Create the OpenShift Container Platform manifests.

    +
    +
    +
    [kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs create manifests
    +
    +
    +
    +
    +
    INFO Consuming Install Config from target directory
    +WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
    +WARNING Discarding the Openshift Manifest that was provided in the target directory because its dependencies are dirty and it needs to be regenerated
    +
    +
    +
  2. +
+
+
+
+
+

3.7. Creating a disconnected registry (optional)

+
+

In some cases, you might want to install an OpenShift Container Platform cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.

+
+
+

A local, or mirrored, copy of the registry requires the following:

+
+
+
    +
  • +

    A certificate for the registry node. This can be a self-signed certificate.

    +
  • +
  • +

    A web server that a container on a system will serve.

    +
  • +
  • +

    An updated pull secret that contains the certificate and local repository information.

    +
  • +
+
+
+ + + + + +
+ + +
+

Creating a disconnected registry on a registry node is optional. The subsequent sections indicate that they are optional since they are steps you need to execute only when creating a disconnected registry on a registry node. You should execute all of the subsequent sub-sections labeled "(optional)" when creating a disconnected registry on a registry node.

+
+
+
+
+

3.7.1. Preparing the registry node to host the mirrored registry (optional)

+
+

Make the following changes to the registry node.

+
+
+
Procedure
+
    +
  1. +

    Open the firewall port on the registry node.

    +
    +
    +
    [user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[user@registry ~]$ sudo firewall-cmd --reload
    +
    +
    +
  2. +
  3. +

    Install the required packages for the registry node.

    +
    +
    +
    [user@registry ~]$ sudo yum -y install python3 podman httpd httpd-tools jq
    +
    +
    +
  4. +
  5. +

    Create the directory structure where the repository information will be held.

    +
    +
    +
    [user@registry ~]$ sudo mkdir -p /opt/registry/{auth,certs,data}
    +
    +
    +
  6. +
+
+
+
+

3.7.2. Generating the self-signed certificate (optional)

+
+

Generate a self-signed certificate for the registry node and put it in the /opt/registry/certs directory.

+
+
+
Procedure
+
    +
  1. +

    Adjust the certificate information as appropriate.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +[user@registry ~]$ cert_c="<Country Name>"   # Country Name (C, 2 letter code)
    +[user@registry ~]$ cert_s="<State>"          # Certificate State (S)
    +[user@registry ~]$ cert_l="<Locality>"       # Certificate Locality (L)
    +[user@registry ~]$ cert_o="<Organization>"   # Certificate Organization (O)
    +[user@registry ~]$ cert_ou="<Org Unit>"      # Certificate Organizational Unit (OU)
    +[user@registry ~]$ cert_cn="${host_fqdn}"    # Certificate Common Name (CN)
    +
    +[user@registry ~]$ openssl req \
    +    -newkey rsa:4096 \
    +    -nodes \
    +    -sha256 \
    +    -keyout /opt/registry/certs/domain.key \
    +    -x509 \
    +    -days 365 \
    +    -out /opt/registry/certs/domain.crt \
    +    -addext "subjectAltName = DNS:${host_fqdn}" \
    +    -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
    +
    +
    +
    + + + + + +
    + + +When replacing <Country Name>, ensure that it only contains two letters. For example, US. +
    +
    +
  2. +
  3. +

    Update the registry node’s ca-trust with the new certificate.

    +
    +
    +
    [user@registry ~]$ sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    +[user@registry ~]$ sudo update-ca-trust extract
    +
    +
    +
  4. +
+
+
+
+

3.7.3. Creating the registry podman container (optional)

+
+

The registry container uses the /opt/registry directory for certificates, authentication files, and to store its data files.

+
+
+

The registry container uses httpd and needs an htpasswd file for authentication.

+
+
+
Procedure
+
    +
  1. +

    Create an htpasswd file in /opt/registry/auth for the container to use.

    +
    +
    +
    [user@registry ~]$ htpasswd -bBc /opt/registry/auth/htpasswd <user> <passwd>
    +
    +
    +
    +

    Replace <user> with the user name and <passwd> with the password.

    +
    +
  2. +
  3. +

    Create and start the registry container.

    +
    +
    +
    [user@registry ~]$ podman create \
    +  --name ocpdiscon-registry \
    +  -p 5000:5000 \
    +  -e "REGISTRY_AUTH=htpasswd" \
    +  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
    +  -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
    +  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
    +  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
    +  -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
    +  -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true" \
    +  -v /opt/registry/data:/var/lib/registry:z \
    +  -v /opt/registry/auth:/auth:z \
    +  -v /opt/registry/certs:/certs:z \
    +  docker.io/library/registry:2
    +
    +
    +
    +
    +
    [user@registry ~]$ podman start ocpdiscon-registry
    +
    +
    +
  4. +
+
+
+
+

3.7.4. Copy and update the pull-secret (optional)

+
+

Copy the pull secret file from the provisioner node to the registry node and modify it to include the authentication information for the new registry node.

+
+
+
Procedure
+
    +
  1. +

    Copy the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ scp kni@provisioner:/home/kni/pull-secret.txt pull-secret.txt
    +
    +
    +
  2. +
  3. +

    Update the host_fqdn environment variable with the fully qualified domain name of the registry node.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +
    +
    +
  4. +
  5. +

    Update the b64auth environment variable with the base64 encoding of the http credentials used to create the htpasswd file.

    +
    +
    +
    [user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 )
    +
    +
    +
    +

    Replace <username> with the user name and <passwd> with the password.

    +
    +
  6. +
  7. +

    Set the AUTHSTRING environment variable to use the base64 authorization string. The $USER variable is an environment variable containing the name of the current user.

    +
    +
    +
    [user@registry ~]$ AUTHSTRING="{\"$host_fqdn:5000\": {\"auth\": \"$b64auth\",\"email\": \"$USER@redhat.com\"}}"
    +
    +
    +
  8. +
  9. +

    Update the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ jq ".auths += $AUTHSTRING" < pull-secret.txt > pull-secret-update.txt
    +
    +
    +
  10. +
+
+
+
+

3.7.5. Mirroring the repository (optional)

+
+
Procedure
+
    +
  1. +

    Copy the oc binary from the provisioner node to the registry node.

    +
    +
    +
    [user@registry ~]$ sudo scp kni@provisioner:/usr/local/bin/oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Get the release image and mirror the remote install images to the local repository.

    +
    +
    +
    [user@registry ~]$ export VERSION=latest-4.5
    +[user@registry ~]$ UPSTREAM_REPO=$(curl -s https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/$VERSION/release.txt | awk  '/Pull From/ {print $3}')
    +[user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.txt
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
  4. +
+
+
+
+

3.7.6. Modify the install-config.yaml file to use the disconnected registry (optional)

+
+

On the provisioner node, the install-config.yaml file should use the newly created pull-secret from the pull-secret-update.txt file. The install-config.yaml file must also contain the disconnected registry node’s certificate and registry information.

+
+
+
Procedure
+
    +
  1. +

    Add the disconnected registry node’s certificate to the install-config.yaml file. The certificate should follow the "additionalTrustBundle: |" line and be properly indented, usually by two spaces.

    +
    +
    +
    $ echo "additionalTrustBundle: |" >> install-config.yaml
    +$ sed -e 's/^/  /' /opt/registry/certs/domain.crt >> install-config.yaml
    +
    +
    +
  2. +
  3. +

    Add the mirror information for the registry to the install-config.yaml file.

    +
    +
    +
    $ cat <<EOF >> install-config.yaml
    +<image-config>: (1)
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: registry.svc.ci.openshift.org/ocp/release
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-release
    +EOF
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <image-config> with imageContentSources for OpenShift 4.13 and below, or imageDigestSources for Openshift 4.14 and above. +
    + + + + + +
    + + +Replace registry.example.com with the registry’s fully qualified domain name. +
    +
    +
    +
  4. +
+
+
+
+
+

3.8. Deploying routers on worker nodes

+
+

During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If the initial cluster has only one worker node, or if a deployed cluster requires additional routers to handle external traffic loads destined for services within the OpenShift Container Platform cluster, you can create a yaml file to set an appropriate number of router replicas.

+
+
+ + + + + +
+ + +
+

By default, the installer deploys two routers. +If the cluster has at least two worker nodes, you can skip this section. +For more information on the Ingress Operator see: Ingress Operator in OpenShift Container Platform.

+
+
+
+
+ + + + + +
+ + +
+

If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default. If the cluster has no worker nodes, you can skip this section.

+
+
+
+
+
Procedure
+
    +
  1. +

    Create a router-replicas.yaml file.

    +
    +
    +
    apiVersion: operator.openshift.io/v1
    +kind: IngressController
    +metadata:
    +  name: default
    +  namespace: openshift-ingress-operator
    +spec:
    +  replicas: <num-of-router-pods>
    +  endpointPublishingStrategy:
    +    type: HostNetwork
    +  nodePlacement:
    +    nodeSelector:
    +      matchLabels:
    +        node-role.kubernetes.io/worker: ""
    +
    +
    +
    + + + + + +
    + + +
    +

    Replace <num-of-router-pods> with an appropriate value. If working with just one worker node, set replicas: to 1. If working with more than 3 worker nodes, you can increase replicas: from the default value 2 as appropriate.

    +
    +
    +
    +
  2. +
  3. +

    Save and copy the router-replicas.yaml file to the clusterconfigs/openshift directory.

    +
    +
    +
    cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yaml
    +
    +
    +
  4. +
+
+
+
+

3.9. Validation checklist for installation

+
+
    +
  • +

    OpenShift Container Platform installer has been retrieved.

    +
  • +
  • +

    OpenShift Container Platform installer has been extracted.

    +
  • +
  • +

    Required parameters for the install-config.yaml have been configured.

    +
  • +
  • +

    The hosts parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    The bmc parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    Conventions for the values configured in the bmc address field have been applied.

    +
  • +
  • +

    Created a disconnected registry (optional).

    +
  • +
  • +

    Validate disconnected registry settings if in use. (optional)

    +
  • +
  • +

    Deployed routers on worker nodes. (optional)

    +
  • +
+
+
+
+

3.10. Deploying the cluster via the OpenShift Container Platform installer

+
+

Run the OpenShift Container Platform installer:

+
+
+
+
[kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs --log-level debug create cluster
+
+
+
+
+

3.11. Following the installation

+
+

During the deployment process, you can check the installation’s overall status by issuing the tail command to the .openshift_install.log log file in the install directory folder.

+
+
+
+
[kni@provisioner ~]$ tail -f /path/to/install-dir/.openshift_install.log
+
+
+
+
+
+
+

4. Day 2 operations

+
+
+

The following sections are optional, but may be of interest after the initial deployment has been completed.

+
+
+

4.1. Accessing the web console

+
+

The web console runs as a pod on the master. The static assets required to run +the web console are served by the pod. Once OpenShift Container Platform is successfully +installed, find the URL for the web console and login credentials for your +installed cluster in the CLI output of the installation program. For example:

+
+
+
Example output
+
+
INFO Install complete!
+INFO Run 'export KUBECONFIG=<your working directory>/auth/kubeconfig' to manage the cluster with 'oc', the OpenShift CLI.
+INFO The cluster is ready when 'oc login -u kubeadmin -p <provided>' succeeds (wait a few minutes).
+INFO Access the OpenShift web-console here: https://console-openshift-console.apps.demo1.openshift4-beta-abcorp.com
+INFO Login to the console with user: kubeadmin, password: <provided>
+
+
+
+

Use those details to log in and access the web console.

+
+
+

Additionally, you can execute:

+
+
+
+
oc whoami --show-console
+
+
+
+

To obtain the url for the console.

+
+
+
+

4.2. Backing up the cluster configuration

+
+

At this point you have a working OpenShift 4 cluster on baremetal. +In order to take advantage of the baremetal hardware that was the provision node, +you can repurpose the provisioning node as a worker. +Prior to reprovisioning the node, it is recommended to backup some existing files.

+
+
+
Procedure
+
    +
  1. +

    Tar the clusterconfig folder and download it to your local machine.

    +
    +
    +
    tar cvfz clusterconfig.tar.gz ~/clusterconfig
    +
    +
    +
  2. +
  3. +

    Copy the Private part for the SSH Key configured on the install-config.yaml file to your local machine.

    +
    +
    +
    tar cvfz clusterconfigsh.tar.gz ~/.ssh/id_rsa*
    +
    +
    +
  4. +
  5. +

    Copy the install-config.yaml and metal3-config.yaml files.

    +
    +
    +
    tar cvfz yamlconfigs.tar.gz install-config.yaml metal3-config.yaml
    +
    +
    +
  6. +
+
+
+
+

4.3. Expanding the cluster

+
+

After deploying an installer-provisioned OpenShift Container Platform cluster, you can use the following procedures to expand the number of worker nodes. Ensure that each prospective worker node meets the prerequisites.

+
+
+ + + + + +
+ + +
+

Expanding the cluster using RedFish Virtual Media involves meeting minimum firmware requirements. See Firmware requirements for installing with virtual media in the Prerequisites section for additional details when expanding the cluster using RedFish Virtual Media.

+
+
+
+
+

4.3.1. Preparing the bare metal node

+
+

Expanding the cluster requires a DHCP server. Each node must have a DHCP reservation.

+
+
+

Preparing the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Get the oc binary, if needed. It should already exist on the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ export VERSION=latest-4.5
    +[kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux-$VERSION.tar.gz | tar zxvf - oc
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Power off the bare metal node via the baseboard management controller and ensure it is off.

    +
  4. +
  5. +

    Retrieve the user name and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the user name and password. In the following example, the user name is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  6. +
  7. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: <protocol>://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of the bare metal node in the two name fields and the credentialsName field. Replace <base64-of-uid> with the base64 string of the user name. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC.

    +
    +
    +

    Refer to the BMC addressing section for additional BMC configuration options. Replace <protocol> with the BMC protocol, such as IPMI, RedFish, or others. +Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
    + + + + + +
    + + +
    +

    If the MAC address of an existing bare metal node matches the MAC address of a bare metal host that you are attempting to provision, then the Ironic installation will fail. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the metal3-baremetal-operator will continuously retry. See Diagnosing a host duplicate MAC address for more information.

    +
    +
    +
    +
  8. +
  9. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  10. +
  11. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
+
+
+
+

4.3.2. Preparing to deploy with Virtual Media on the baremetal network

+
+

If the provisioning network is enabled, and you want to expand the cluster using Virtual Media on the baremetal network, execute the following procedure.

+
+
+
Procedure
+
    +
  1. +

    Edit the provisioning configuration resource (CR) to enable deploying with Virtual Media on the baremetal network.

    +
    +
    +
    oc edit provisioning
    +
    +
    +
    +
    +
      apiVersion: metal3.io/v1alpha1
    +  kind: Provisioning
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:50Z"
    +    finalizers:
    +    - provisioning.metal3.io
    +    generation: 8
    +    name: provisioning-configuration
    +    resourceVersion: "551591"
    +    uid: f76e956f-24c6-4361-aa5b-feaf72c5b526
    +  spec:
    +    preProvisioningOSDownloadURLs: {}
    +    provisioningDHCPRange: 172.22.0.10,172.22.0.254
    +    provisioningIP: 172.22.0.3
    +    provisioningInterface: enp1s0
    +    provisioningNetwork: Managed
    +    provisioningNetworkCIDR: 172.22.0.0/24
    +    provisioningOSDownloadURL: http://192.168.111.1/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.gz?sha256=c7dde5f96826c33c97b5a4ad34110212281916128ae11100956f400db3d5299e
    +    virtualMediaViaExternalNetwork: true (1)
    +  status:
    +    generations:
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 7
    +      name: metal3
    +      namespace: openshift-machine-api
    +      resource: deployments
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 1
    +      name: metal3-image-cache
    +      namespace: openshift-machine-api
    +      resource: daemonsets
    +    observedGeneration: 8
    +    readyReplicas: 0
    +
    +
    +
    + + + + + +
    1Add virtualMediaViaExternalNetwork: true to the provisioning CR.
    +
    +
  2. +
  3. +

    Edit the machine set to use the API VIP address.

    +
    +
    +
    oc edit machineset
    +
    +
    +
    +
    +
      apiVersion: machine.openshift.io/v1beta1
    +  kind: MachineSet
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:52Z"
    +    generation: 11
    +    labels:
    +      machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +      machine.openshift.io/cluster-api-machine-role: worker
    +      machine.openshift.io/cluster-api-machine-type: worker
    +    name: ostest-hwmdt-worker-0
    +    namespace: openshift-machine-api
    +    resourceVersion: "551513"
    +    uid: fad1c6e0-b9da-4d4a-8d73-286f78788931
    +  spec:
    +    replicas: 2
    +    selector:
    +      matchLabels:
    +        machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +        machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +    template:
    +      metadata:
    +        labels:
    +          machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +          machine.openshift.io/cluster-api-machine-role: worker
    +          machine.openshift.io/cluster-api-machine-type: worker
    +          machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +      spec:
    +        metadata: {}
    +        providerSpec:
    +          value:
    +            apiVersion: baremetal.cluster.k8s.io/v1alpha1
    +            hostSelector: {}
    +            image:
    +              checksum: http:/172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.md5sum (1)
    +              url: http://172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2 (2)
    +            kind: BareMetalMachineProviderSpec
    +            metadata:
    +              creationTimestamp: null
    +            userData:
    +              name: worker-user-data
    +  status:
    +    availableReplicas: 2
    +    fullyLabeledReplicas: 2
    +    observedGeneration: 11
    +    readyReplicas: 2
    +    replicas: 2
    +
    +
    +
    + + + + + + + + + +
    1Edit the checksum URL to use the API VIP address.
    2Edit the url URL to use the API VIP address.
    +
    +
  4. +
+
+
+
Diagnosing a duplicate MAC address when provisioning a new host in the cluster
+
+

If the MAC address of an existing bare-metal node in the cluster matches the MAC address of a bare-metal host you are attempting to add to the cluster, the Bare Metal Operator associates the host with the existing node. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the Bare Metal Operator retries the installation continuously. A registration error is displayed for the failed bare-metal host.

+
+
+

You can diagnose a duplicate MAC address by examining the bare-metal hosts that are running in the openshift-machine-api namespace.

+
+
+
Prerequisites
+
    +
  • +

    Install an OpenShift Container Platform cluster on bare metal.

    +
  • +
  • +

    Install the OpenShift Container Platform CLI oc.

    +
  • +
  • +

    Log in as a user with cluster-admin privileges.

    +
  • +
+
+
+
Procedure
+

To determine whether a bare-metal host that fails provisioning has the same MAC address as an existing node, do the following:

+
+
+
    +
  1. +

    Get the bare-metal hosts running in the openshift-machine-api namespace:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    Example output
    +
    +
    NAME                 STATUS   PROVISIONING STATUS      CONSUMER
    +openshift-master-0   OK       externally provisioned   openshift-zpwpq-master-0
    +openshift-master-1   OK       externally provisioned   openshift-zpwpq-master-1
    +openshift-master-2   OK       externally provisioned   openshift-zpwpq-master-2
    +openshift-worker-0   OK       provisioned              openshift-zpwpq-worker-0-lv84n
    +openshift-worker-1   OK       provisioned              openshift-zpwpq-worker-0-zd8lm
    +openshift-worker-2   error    registering
    +
    +
    +
  2. +
  3. +

    To see more detailed information about the status of the failing host, run the following command replacing <bare_metal_host_name> with the name of the host:

    +
    +
    +
    $ oc get -n openshift-machine-api bmh <bare_metal_host_name> -o yaml
    +
    +
    +
    +
    Example output
    +
    +
    ...
    +status:
    +  errorCount: 12
    +  errorMessage: MAC address b4:96:91:1d:7c:20 conflicts with existing node openshift-worker-1
    +  errorType: registration error
    +...
    +
    +
    +
  4. +
+
+
+
+
+

4.3.3. Provisioning the bare metal node

+
+

Provisioning the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  2. +
  3. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-3.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-1.openshift.example.com            Ready    master          30h     v1.16.2
    +
    +
    +
  4. +
  5. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +...
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +
    +
    +
  6. +
  7. +

    Increase the number of worker nodes by one.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  8. +
  9. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This can take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  10. +
  11. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                          STATUS   ROLES   AGE     VERSION
    +provisioner.openshift.example.com             Ready    master  30h     v1.16.2
    +openshift-master-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-2.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-3.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-0.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  12. +
+
+
+
+

4.3.4. Preparing the provisioner node to be deployed as a worker node

+
+
Procedure
+

Perform the following steps prior to converting the provisioner node to a worker node.

+
+
+
    +
  1. +

    ssh to a system (for example, a laptop) that can access the out of band management network of the current provisioner node.

    +
  2. +
  3. +

    Copy the backups clusterconfig.tar.gz, clusterconfigsh.tar.gz, and amlconfigs.tar.gz to the new system.

    +
  4. +
  5. +

    Copy the oc binary from the existing provisioning node to the new system.

    +
  6. +
  7. +

    Make a note of the mac addresses, the baremetal network IP used for the provisioner node, and the IP address of +the Out of band Management Network.

    +
  8. +
  9. +

    Reboot the system and ensure that PXE is enabled on the provisioning network and PXE is disabled for all other NICs.

    +
  10. +
  11. +

    If installation was performed using a Satellite server, remove the Host entry for the existing provisioning node.

    +
  12. +
  13. +

    Install the ipmitool on the new system in order to power off the provisioner node.

    +
  14. +
+
+
+
+

4.3.5. Adding a worker node to an existing cluster

+
+
Procedure
+
    +
  1. +

    Retrieve the username and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the username and password. In the following example, the username is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  2. +
  3. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of bare metal node in two name fields and credentialsName field. Replace <base64-of-uid> with the base64 string of the username. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC. Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
  4. +
+
+
+ + + + + +
+ + +
+

When using redfish or redfish-virtualmedia, add the +appropriate addressing as described in the BMC addressing section. See BMC addressing for details.

+
+
+
+
+
    +
  1. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  2. +
  3. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  4. +
  5. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  6. +
  7. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
  8. +
  9. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +openshift-worker-2.example.com      1         1         1       1           55m
    +
    +
    +
  10. +
  11. +

    Increase the number of worker nodes by 1.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  12. +
  13. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This may take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  14. +
  15. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  16. +
+
+
+
Appending DNS records
+
+
Configuring Bind (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +<OUTPUT_OMITTED>
    +openshift-worker-1      A       <ip-of-worker-1>
    +openshift-worker-2      A       <ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  6. +
  7. +

    Increase the SERIAL value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the SERIAL value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+

Append the following DNS record to the /etc/hosts file on the server hosting the dnsmasq service.

+
+
+
+
<OUTPUT_OMITTED>
+<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
+<NIC2-IP> openshift-worker-2.openshift.example.com openshift-worker-2
+
+
+
+ + + + + +
+ + +
+

Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

+
+
+
+
+
+
+
Appending DHCP reservations
+
+
Configuring dhcpd (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host openshift-worker-2 {
    +     option host-name "worker-2";
    +     hardware ethernet <NIC2-mac-address>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+
    +
  1. +

    Append the following DHCP reservation to the /etc/dnsmasq.d/example.dns file on the server hosting the dnsmasq service.

    +
    +
    +
    <OUTPUT_OMITTED>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-worker-1>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-2.openshift.example.com,<ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

    +
    +
    +
    +
  2. +
  3. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  4. +
+
+
+
+
+
Deploying the provisioner node as a worker node using Metal3
+
+

After you have completed the prerequisites, perform the deployment process.

+
+
+
Procedure
+
    +
  1. +

    Power off the node using ipmitool and confirm the provisioning node is powered off.

    +
    +
    +
    ssh <server-with-access-to-management-net>
    +# Use the user, password and Management net IP adddress to shutdown the system
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +# Confirm the server is powered down
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power status
    +Chassis Power is off
    +
    +
    +
  2. +
  3. +

    Get base64 strings for the Out of band Management credentials. In this example, the user is root and the password is calvin.

    +
    +
    +
    # Use echo -ne, otherwise you will get your secrets with \n which will cause issues
    +# Get root username in base64
    +echo -ne "root" | base64
    +# Get root password in base64
    +echo -ne "calvin" | base64
    +
    +
    +
  4. +
  5. +

    Configure the BaremetalHost bmh.yaml file.

    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-2-bmc-secret
    +type: Opaque
    +data:
    +  username: ca2vdAo=
    +  password: MWAwTWdtdC0K
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-2
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<out-of-band-ip>
    +    credentialsName: openshift-worker-2-bmc-secret
    +
    +
    +
  6. +
  7. +

    Create the BaremetalHost.

    +
    +
    +
    ./oc -n openshift-machine-api create -f bmh.yaml
    +secret/openshift-worker-2-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-2 created
    +
    +
    +
  8. +
  9. +

    Power up and inspect the node.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       inspecting                       ipmi://<out-of-band-ip>                      true
    +
    +
    +
  10. +
  11. +

    After finishing the inspection, the node is ready to be provisioned.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
  13. +

    Scale the workers machineset. Previously, there were two replicas during original installation.

    +
    +
    +
    ./oc get machineset -n openshift-machine-api
    +NAME            DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-2   0         0                             21h
    +
    +./oc -n openshift-machine-api scale machineset openshift-worker-2 --replicas=3
    +
    +
    +
  14. +
  15. +

    The baremetal host moves to provisioning status. This can take as long as 30 minutes. You can follow the status +from the node console.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioning          openshift-worker-0-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  16. +
  17. +

    When the node is provisioned it moves to provisioned status.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioned           openshift-worker-2-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  18. +
  19. +

    When the kubelet finishes initialization the node is ready for use. +You can connect to the node and run journalctl -fu kubelet to check the process.

    +
    +
    +
    oc get node
    +NAME                                            STATUS   ROLES           AGE     VERSION
    +openshift-master-0.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-1.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-2.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
  20. +
+
+
+
+
+
+
+
+

5. Appendix

+
+
+

In this section of the document, extra information is provided that is outside of the regular workflow.

+
+
+

5.1. Troubleshooting

+
+

Troubleshooting the installation is out of scope of the Deployment Guide. For more details on troubleshooting deployment, refer to our Troubleshooting guide.

+
+
+
+

5.2. Creating DNS Records

+
+

Two options are documented for configuring DNS records:

+
+ +
+

5.2.1. Configuring Bind (Option 1)

+
+

Use Option 1 if access to the appropriate DNS server for the baremetal network is accessible or a request +to your network admin to create the DNS records is an option. +If this is not an option, skip this section and go to section Create DNS records using dnsmasq (Option 2).

+
+
+

Create a subzone with the name of the cluster that is going to be used on your domain. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +$TTL 300        ; 5 minutes
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +api                     A       <api-ip>
    +ns1                     A       <dns-vip-ip>
    +$ORIGIN apps.openshift.example.com.
    +*                       A       <wildcard-ingress-lb-ip>
    +$ORIGIN openshift.example.com.
    +provisioner             A       <NIC2-ip-of-provision>
    +openshift-master-0      A       <NIC2-ip-of-openshift-master-0>
    +openshift-master-1      A       <NIC2-ip-of-openshift-master-1>
    +openshift-master-2      A       <NIC2-ip-of-openshift-master-2>
    +openshift-worker-0      A       <NIC2-ip-of-openshift-worker-0>
    +openshift-worker-1      A       <NIC2-ip-of-openshift-worker-1>
    +
    +
    +
  6. +
  7. +

    Increase the serial value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    +
    +
    $ORIGIN 1.0.10.in-addr.arpa.
    +$TTL 300
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +126 IN      PTR      provisioner.openshift.example.com.
    +127	IN        	PTR    	openshift-master-0.openshift.example.com.
    +128	IN        	PTR    	openshift-master-1.openshift.example.com.
    +129	IN 	        PTR   	openshift-master-2.openshift.example.com.
    +130	IN 	        PTR   	openshift-worker-0.openshift.example.com.
    +131	IN        	PTR    	openshift-worker-1.openshift.example.com.
    +132 IN      PTR     api.openshift.example.com.
    +133 IN      PTR     ns1.openshift.example.com.
    +
    +
    +
    + + + + + +
    + + +
    +

    In this example, the IP addresses 10.0.1.126-133 are pointed to the corresponding fully qualified domain name.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the serial value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+

5.2.2. Configuring dnsmasq (Option 2)

+
+

To create DNS records, open the /etc/hosts file and add the NIC2 (baremetal net) IP followed by the hostname. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Edit /etc/hosts and add the NIC2 (baremetal net) IP followed by the hostname.

    +
    +
    +
    cat /etc/hosts
    +127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    +::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    +<NIC2-IP> provisioner.openshift.example.com provisioner
    +<NIC2-IP> openshift-master-0.openshift.example.com openshift-master-0
    +<NIC2-IP> openshift-master-1.openshift.example.com openshift-master-1
    +<NIC2-IP> openshift-master-2.openshift.example.com openshift-master-2
    +<NIC2-IP> openshift-worker-0.openshift.example.com openshift-worker-0
    +<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
    +<API-IP>  api.openshift.example.com api
    +<DNS-VIP-IP> ns1.openshift.example.com ns1
    +
    +
    +
  2. +
  3. +

    Open the appropriate firewalld DNS service and reload the rules.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dns --permanent
    +firewall-cmd --reload
    +
    +
    +
  4. +
+
+
+
+
+

5.3. Creating DHCP reservations

+
+

Two options are documented for configuring DHCP:

+
+ +
+

5.3.1. Configuring dhcpd (Option 1)

+
+

Use Option 1 if access to the appropriate DHCP server for the baremetal network is accessible or a request +to your network admin to create the DHCP reservations is an option. +If this is not an option, skip this section and go to section Create DHCP records using dnsmasq (Option 2).

+
+
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host provisioner {
    +     option host-name "provisioner";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-master-0 {
    +     option host-name "openshift-master-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-1 {
    +     option host-name "openshift-master-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-2 {
    +     option host-name "openshift-master-2";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-0 {
    +     option host-name "openshift-worker-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-1 {
    +     option host-name "openshift-worker-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+

5.3.2. Configuring dnsmasq (Option 2)

+
+

Set up dnsmasq on a server that can access the baremetal network.

+
+
+
Procedure
+
    +
  1. +

    Install dnsmasq.

    +
    +
    +
    dnf install -y dnsmasq
    +
    +
    +
  2. +
  3. +

    Change to the /etc/dnsmasq.d directory.

    +
    +
    +
    cd /etc/dnsmasq.d
    +
    +
    +
  4. +
  5. +

    Create a file that reflects your OpenShift cluster appended by .dns.

    +
    +
    +
    touch <filename>.dns
    +
    +
    +
  6. +
  7. +

    Open the appropriate firewalld DHCP service.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dhcp --permanent
    +firewall-cmd --reload
    +
    +
    +
  8. +
  9. +

    Define DNS configuration file

    +
    IPv4
    +
    +

    Here is an example of the .dns file for IPv4.

    +
    +
    +
    +
    domain-needed
    +bind-dynamic
    +bogus-priv
    +domain=openshift.example.com
    +dhcp-range=<baremetal-net-starting-ip,baremetal-net-ending-ip>
    +#dhcp-range=10.0.1.4,10.0.14
    +dhcp-option=3,<baremetal-net-gateway-ip>
    +#dhcp-option=3,10.0.1.254
    +resolv-file=/etc/resolv.conf.upstream
    +interface=<nic-with-access-to-baremetal-net>
    +#interface=em2
    +server=<ip-of-existing-server-on-baremetal-net>
    +
    +
    +#Wildcard for apps -- make changes to cluster-name (openshift) and domain (example.com)
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +
    +#Static IPs for Masters
    +dhcp-host=<NIC2-mac-address>,provisioner.openshift.example.com,<ip-of-provisioner>
    +dhcp-host=<NIC2-mac-address>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<NIC2-mac-address>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<NIC2-mac-address>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-0.openshift.example.com,<ip-of-openshift-worker-0>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-openshift-worker-1>
    +
    +
    +
    IPv6
    +
    +

    Here is an example of the .dns file for IPv6.

    +
    +
    +
    +
    strict-order
    +bind-dynamic
    +bogus-priv
    +dhcp-authoritative
    +dhcp-range=baremetal,<baremetal-IPv6-dhcp-range-start>,<baremetal-IPv6-dhcp-range-end>,<range-prefix>
    +dhcp-option=baremetal,option6:dns-server,[<IPv6-DNS-Server>]
    +
    +resolv-file=/etc/resolv.conf.upstream
    +except-interface=lo
    +dhcp-lease-max=81
    +log-dhcp
    +
    +domain=openshift.example.com,<baremetal-IPv6-cidr>,local
    +
    +# static host-records
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +host-record=api.openshift.example.com,<api-ip>
    +host-record=ns1.openshift.example.com,<dns-ip>
    +host-record=openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +host-record=openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +host-record=openshift-master-2.openshift.example.com,<ip-of-openshift-master-1>
    +# Registry
    +host-record=registry.openshift.example.com,<ip-of-registry-server>
    +
    +#Static IPs for Masters
    +dhcp-host=<baremetal-nic-duid>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<baremetal-nic-duid>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<baremetal-nic-duid>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +
    +
    +
  10. +
  11. +

    Create the resolv.conf.upstream file to provide DNS fowarding to an existing DNS server for resolution +to the outside world.

    +
    +
    +
    search <domain.com>
    +nameserver <ip-of-my-existing-dns-nameserver>
    +
    +
    +
  12. +
  13. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  14. +
  15. +

    Verify the dnsmasq service is running.

    +
    +
    +
    systemctl status dnsmasq
    +
    +
    +
  16. +
+
+
+
+
+
+
+
+
+
+1. Stateless Address AutoConfiguration +
+
+ + + \ No newline at end of file diff --git a/4.5/Deployment.pdf b/4.5/Deployment.pdf new file mode 100644 index 0000000000..907f332edc Binary files /dev/null and b/4.5/Deployment.pdf differ diff --git a/4.5/Troubleshooting.html b/4.5/Troubleshooting.html new file mode 100644 index 0000000000..198b47bff8 --- /dev/null +++ b/4.5/Troubleshooting.html @@ -0,0 +1,1989 @@ + + + + + + + + + + +Troubleshooting Guide for IPI Installation + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+

While attempting to deploy Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal (BM), you may run into a situation where you need to troubleshoot your environment. This document provides troubleshooting guidance and tips in solving common issues that may arise.

+
+
+
+
+

1. Troubleshooting the installer workflow

+
+
+

Prior to troubleshooting the installation environment, it is critical to understand the overall flow of the IPI installation on bare metal. The diagrams below provide a troubleshooting flow with a step-by-step breakdown for the environment.

+
+
+

Flow-Diagram-1

+
+
+

Workflow 1 of 4 illustrates a troubleshooting workflow when the install-config.yaml file has errors or the Red Hat Enterprise Linux CoreOS (RHCOS) images are inaccessible. Troubleshooting suggestions can be found at

+
+ +
+

Flow-Diagram-2

+
+
+

Workflow 2 of 4 illustrates a troubleshooting workflow for bootstrap VM issues, bootstrap VMs that cannot boot up the cluster nodes, and inspecting logs.

+
+
+

Flow-Diagram-3

+
+
+

Workflow 3 of 4 illustrates a troubleshooting workflow for cluster nodes that will not PXE boot.

+
+
+

Flow-Diagram-4

+
+
+

Workflow 4 of 4 illustrates a troubleshooting workflow from + a non-accessible API to a validated installation.

+
+
+
+
+

2. Troubleshooting install-config.yaml

+
+
+

The install-config.yaml configuration file represents all of the nodes that are part of the OpenShift Container Platform cluster. The file contains the necessary options consisting of but not limited to apiVersion, baseDomain, imageContentSources (OpenShift 4.13 and below) or imageDigestSources (OpenShirt 4.14 and above), and virtual IP addresses. If errors occur early in the deployment of the OpenShift Container Platform cluster, the errors are likely in the install-config.yaml configuration file.

+
+
+
Procedure
+
    +
  1. +

    Use the guidelines in YAML-tips.

    +
  2. +
  3. +

    Verify the YAML syntax is correct using syntax-check.

    +
  4. +
  5. +

    Verify the Red Hat Enterprise Linux CoreOS (RHCOS) QEMU images are properly defined and accessible via the URL provided in the install-config.yaml. For example:

    +
    +
    +
    $ curl -s -o /dev/null -I -w "%{http_code}\n" http://webserver.example.com:8080/rhcos-44.81.202004250133-0-qemu.x86_64.qcow2.gz?sha256=7d884b46ee54fe87bbc3893bf2aa99af3b2d31f2e19ab5529c60636fbd0f1ce7
    +
    +
    +
    +

    If the output is 200, there is a valid response from the webserver storing the bootstrap VM image.

    +
    +
  6. +
+
+
+
+
+

3. Bootstrap VM issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    $ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
    + + + + + +
    + + +
    +

    The name of the bootstrap VM is always the cluster name followed by a random set of characters and ending in the word "bootstrap."

    +
    +
    +
    +
    +

    If the bootstrap VM is not running after 10-15 minutes, troubleshoot why it is not running. Possible issues include:

    +
    +
  2. +
  3. +

    Verify libvirtd is running on the system:

    +
    +
    +
    $ systemctl status libvirtd
    +
    +
    +
    +
    +
    ● libvirtd.service - Virtualization daemon
    +   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
    +   Active: active (running) since Tue 2020-03-03 21:21:07 UTC; 3 weeks 5 days ago
    +     Docs: man:libvirtd(8)
    +           https://libvirt.org
    + Main PID: 9850 (libvirtd)
    +    Tasks: 20 (limit: 32768)
    +   Memory: 74.8M
    +   CGroup: /system.slice/libvirtd.service
    +           ├─ 9850 /usr/sbin/libvirtd
    +
    +
    +
    +

    If the bootstrap VM is operational, log into it.

    +
    +
  4. +
  5. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    $ sudo virsh console example.com
    +
    +
    +
    +
    +
    Connected to domain example.com
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
    + + + + + +
    + + +
    +

    When deploying a OpenShift Container Platform cluster without the provisioning network, you must use a public IP address and not a private IP address like 172.22.0.2.

    +
    +
    +
    +
  6. +
  7. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, you can use the IPv6 IP address provided by ens3 or the IPv4 IP provided by ens4.

    +
    +
    +
    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  8. +
+
+
+

If you are not successful logging in to the bootstrap VM, you have likely encountered one of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the 172.22.0.0/24 network. Verify network connectivity on the provisioner host specifically around the provisioning network bridge. This will not be the issue if you are not using the provisioning network.

    +
  • +
  • +

    You cannot reach the bootstrap VM via the public network. When attempting +to SSH via baremetal network, verify connectivity on the +provisioner host specifically around the baremetal network bridge.

    +
  • +
  • +

    You encountered Permission denied (publickey,password,keyboard-interactive). When +attempting to access the bootstrap VM, a Permission denied error +might occur. Verify that the SSH key for the user attempting to log +into the VM is set within the install-config.yaml file.

    +
  • +
+
+
+

3.1. Bootstrap VM cannot boot up the cluster nodes

+
+

During the deployment, it is possible for the bootstrap VM to fail to boot the cluster nodes, which prevents the VM from provisioning the nodes with the RHCOS image. This scenario can arise due to:

+
+
+
    +
  • +

    A problem with the install-config.yaml file.

    +
  • +
  • +

    Issues with out-of-band network access via the baremetal network.

    +
  • +
+
+
+

To verify the issue, there are three containers related to ironic:

+
+
+
    +
  • +

    ironic-api

    +
  • +
  • +

    ironic-conductor

    +
  • +
  • +

    ironic-inspector

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    To check the container logs, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs -f <container-name>
    +
    +
    +
    +

    Replace <container-name> with one of ironic-api, ironic-conductor, or ironic-inspector. If you encounter an issue where the control plane nodes are not booting up via PXE, check the ironic-conductor pod. The ironic-conductor pod contains the most detail about the attempt to boot the cluster nodes, because it attempts to log in to the node over IPMI.

    +
    +
  4. +
+
+
+
Potential reason
+

The cluster nodes might be in the ON state when deployment started.

+
+
+
Solution
+

Power off the OpenShift Container Platform cluster nodes before you begin the +installation over IPMI:

+
+
+
+
$ ipmitool -I lanplus -U root -P <password> -H <out-of-band-ip> power off
+
+
+
+
+

3.2. Inspecting logs

+
+

When experiencing issues downloading or accessing the RHCOS images, first verify that the URL is correct in the install-config.yaml configuration file.

+
+
+
Example of internal webserver hosting RHCOS images
+
+
bootstrapOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-qemu.x86_64.qcow2.gz?sha256=9d999f55ff1d44f7ed7c106508e5deecd04dc3c06095d34d36bf1cd127837e0c
+clusterOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-openstack.x86_64.qcow2.gz?sha256=a1bda656fa0892f7b936fdc6b6a6086bddaed5dafacedcd7a1e811abb78fe3b0
+
+
+
+

The ipa-downloader and coreos-downloader containers download resources from a webserver or the external quay.io registry, whichever the install-config.yaml configuration file specifies. Verify the following two containers are up and running and inspect their logs as needed:

+
+
+
    +
  • +

    ipa-downloader

    +
  • +
  • +

    coreos-downloader

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    Check the status of the ipa-downloader and coreos-downloader containers within the bootstrap VM:

    +
    +
    +
    [core@localhost ~]$ podman logs -f ipa-downloader
    +
    +
    +
    +
    +
    [core@localhost ~]$ podman logs -f coreos-downloader
    +
    +
    +
    +

    If the bootstrap VM cannot access the URL to the images, use the curl command to verify that the VM can access the images.

    +
    +
  4. +
  5. +

    To inspect the bootkube logs that indicate if all the containers launched during the deployment phase, execute the following:

    +
    +
    +
    [core@localhost ~]$ journalctl -xe
    +
    +
    +
    +
    +
    [core@localhost ~]$ journalctl -b -f -u bootkube.service
    +
    +
    +
  6. +
  7. +

    Verify all the pods, including dnsmasq, mariadb, httpd, and ironic, are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps
    +
    +
    +
  8. +
  9. +

    If there are issues with the pods, check the logs of the containers with issues. To check the log of the ironic-api, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs <ironic-api>
    +
    +
    +
  10. +
+
+
+
+
+
+

4. Ironic Bootstrap issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes. The cluster nodes are powered on, introspected and finally provisioned using Ironic.

+
+
+

Sometimes you might need to connect to the Ironic service running on the bootstrap node virtual machine to troubleshoot issues related to Ironic.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
  2. +
  3. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh console openshift-xf6fq-bootstrap
    +
    +
    +
    +
    +
    Connected to domain openshift-xf6fq-bootstrap
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
  4. +
  5. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, the IPv6 IP provided by ens3 or the IPv4 IP provided by ens4 can be used.

    +
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ ssh core@172.22.0.2
    +
    +
    +
  6. +
  7. +

    Make sure Ironic containers are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps | grep ironic
    +90251a35d1e2  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-api
    +168e712c9996  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c6af62509b3d66effe8e16c81e42e75e124ccb5770f82efb010ecc3ebadc48b8                        2 minutes ago  Up 2 minutes ago         ironic-inspector
    +025f8247bfb0  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-conductor
    +
    +
    +
  8. +
  9. +

    Get the value for the bootstrapProvisioningIp property from your install-config.yaml.

    +
  10. +
  11. +

    Create a clouds.yaml file:

    +
    +
    +
    clouds:
    +  metal3-bootstrap:
    +    auth_type: none
    +    baremetal_endpoint_override: http://<bootstrapProvisioningIp>:6385
    +    baremetal_introspection_endpoint_override: http://<bootstrapProvisioningIp>:5050
    +
    +
    +
    + + + + + +
    + + +
    +

    Make sure in the file above you change <bootstrapProvisioningIp> with the value from your install-config.yaml file.

    +
    +
    +
    +
  12. +
  13. +

    Run the ironic-client on the bootstrap VM using podman:

    +
    +
    +
    [core@localhost ~]$ podman run -ti --rm --entrypoint /bin/bash -v /path/to/clouds.yaml:/clouds.yaml -e OS_CLOUD=metal3-bootstrap quay.io/metal3-io/ironic-client
    +
    +
    +
  14. +
  15. +

    Once you’re in the container, run the following command to see the status of the nodes on Ironic:

    +
    +
    +
    [root@1facad6bccff /]# baremetal node list
    +
    +
    +
    +

    The expected states for the nodes are clean-waitavailabledeployingwait call-backactive.

    +
    +
    +
      +
    • +

      clean-wait: The IPA (Ironic Python Agent) will clean the node main disk and write RHCOS to it. After that will report the node status back to Ironic.

      +
    • +
    • +

      available: The node has been introspected and it’s ready to be provisioned.

      +
    • +
    • +

      deploying: The node is being provisioned with RHCOS + the required Ignition configs.

      +
    • +
    • +

      wait call-back: The node is deployed and Ironic is waiting for the node to finish everything before marking the node as active.

      +
    • +
    • +

      active: The node is fully provisioned from an Ironic perspective.

      +
    • +
    +
    +
  16. +
+
+
+

If you are not getting any output, you have likely encountered of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the bootstrapProvisioningIp from the bootstrap VM.

    +
  • +
  • +

    The Ironic conductor was not able to power on and configure the nodes to boot with the IPA image.

    +
  • +
  • +

    The machine running the openshift-install binary cannot access the bootstrapProvisioningIp on port 6385.

    +
  • +
+
+
+
+
+

5. Cluster nodes will not PXE boot

+
+
+

When OpenShift Container Platform cluster nodes will not PXE boot, execute the following checks on the cluster nodes that will not PXE boot. This procedure does not apply when installing a OpenShift Container Platform cluster without the provisioning network.

+
+
+
Procedure
+
    +
  1. +

    Check the network connectivity to the provisioning network.

    +
  2. +
  3. +

    Ensure PXE is enabled on the NIC for the provisioning network and PXE is disabled for all other NICs.

    +
  4. +
  5. +

    Verify that the install-config.yaml configuration file has the proper hardware profile and boot MAC address for the NIC connected to the provisioning network. For example:

    +
    +
    Master node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: default          #master node settings
    +
    +
    +
    +
    Worker node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: unknown          #worker node settings
    +
    +
    +
  6. +
+
+
+
+
+

6. The API is not accessible

+
+
+

When the cluster is running and clients cannot access the API, domain name resolution issues might impede access to the API.

+
+
+
Procedure
+
    +
  1. +

    Hostname Resolution: Check the cluster nodes to ensure they have a fully qualified domain name, and not just localhost.localdomain. For example:

    +
    +
    +
    $ hostname
    +
    +
    +
    +

    If a hostname is not set, set the correct hostname. For example:

    +
    +
    +
    +
    $ hostnamectl set-hostname <hostname>
    +
    +
    +
  2. +
  3. +

    Incorrect Name Resolution: Ensure that each node has the correct name resolution in the DNS server using dig and nslookup. For example:

    +
    +
    +
    $ dig api.<cluster-name>.example.com
    +
    +
    +
    +
    +
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> api.<cluster-name>.example.com
    +;; global options: +cmd
    +;; Got answer:
    +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37551
    +;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    +
    +;; OPT PSEUDOSECTION:
    +; EDNS: version: 0, flags:; udp: 4096
    +; COOKIE: 866929d2f8e8563582af23f05ec44203d313e50948d43f60 (good)
    +;; QUESTION SECTION:
    +;api.<cluster-name>.example.com. IN A
    +
    +;; ANSWER SECTION:
    +api.<cluster-name>.example.com. 10800 IN	A 10.19.13.86
    +
    +;; AUTHORITY SECTION:
    +<cluster-name>.example.com. 10800 IN NS	<cluster-name>.example.com.
    +
    +;; ADDITIONAL SECTION:
    +<cluster-name>.example.com. 10800 IN A	10.19.14.247
    +
    +;; Query time: 0 msec
    +;; SERVER: 10.19.14.247#53(10.19.14.247)
    +;; WHEN: Tue May 19 20:30:59 UTC 2020
    +;; MSG SIZE  rcvd: 140
    +
    +
    +
    +

    The output in the foregoing example indicates that the appropriate IP address for the api.<cluster-name>.example.com VIP is 10.19.13.86. This IP address should reside on the baremetal network.

    +
    +
  4. +
+
+
+
+
+

7. Cleaning up previous installations

+
+
+

In the event of a previous failed deployment, remove the artifacts from the failed attempt before attempting to deploy OpenShift Container Platform again.

+
+
+
Procedure
+
    +
  1. +

    Power off all bare metal nodes prior to installing the OpenShift Container Platform cluster:

    +
    +
    +
    $ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  2. +
  3. +

    Remove all old bootstrap resources if any are left over from a previous deployment attempt:

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool default;
    +  sudo virsh vol-delete $i.ign --pool default;
    +done
    +
    +
    +
  4. +
  5. +

    Remove the following from the clusterconfigs directory to prevent Terraform from failing:

    +
    +
    +
    $ rm -rf ~/clusterconfigs/auth ~/clusterconfigs/terraform* ~/clusterconfigs/tls ~/clusterconfigs/metadata.json
    +
    +
    +
  6. +
+
+
+
+
+

8. Issues with creating the registry

+
+
+

When creating a disconnected registry, you might encounter a "User Not Authorized" error when attempting to mirror the registry. This error might occur if you fail to append the new authentication to the existing pull-secret.txt file.

+
+
+
Procedure
+
    +
  1. +

    Check to ensure authentication is successful:

    +
    +
    +
    [user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.json
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
    + + + + + +
    + + +
    +

    Example output of the variables used to mirror the install images:

    +
    +
    +
    +
    UPSTREAM_REPO=${RELEASE_IMAGE}
    +LOCAL_REG=<registry_FQDN>:<registry_port>
    +LOCAL_REPO='ocp4/openshift4'
    +
    +
    +
    +

    The values of RELEASE_IMAGE and VERSION were set during the Retrieving OpenShift Installer step of the Setting up the environment for an OpenShift installation section.

    +
    +
    +
    +
  2. +
  3. +

    After mirroring the registry, confirm that you can access it in your +disconnected environment:

    +
    +
    +
    $ curl -k -u <user>:<password> https://registry.example.com:<registry-port>/v2/_catalog
    +{"repositories":["<Repo-Name>"]}
    +
    +
    +
  4. +
+
+
+
+
+

9. Miscellaneous issues

+
+
+

9.1. Addressing the runtime network not ready error

+
+

After the deployment of a cluster you might receive the following error:

+
+
+
+
`runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: Missing CNI default network`
+
+
+
+

The Cluster Network Operator is responsible for deploying the networking components in response to a special object created by the installer. It runs very early in the installation process, after the control plane (master) nodes have come up, but before the bootstrap control plane has been torn down. It can be indicative of more subtle installer issues, such as long delays in bringing up control plane (master) nodes or issues with apiserver communication.

+
+
+
Procedure
+
    +
  1. +

    Inspect the pods in the openshift-network-operator namespace:

    +
    +
    +
    $ oc get all -n openshift-network-operator
    +
    +
    +
    +
    +
    NAME                                    READY STATUS            RESTARTS   AGE
    +pod/network-operator-69dfd7b577-bg89v   0/1   ContainerCreating 0          149m
    +
    +
    +
  2. +
  3. +

    On the provisioner node, determine that the network configuration exists:

    +
    +
    +
    $ kubectl get network.config.openshift.io cluster -oyaml
    +
    +
    +
    +
    +
    apiVersion: config.openshift.io/v1
    +kind: Network
    +metadata:
    +  name: cluster
    +spec:
    +  serviceNetwork:
    +  - 172.30.0.0/16
    +  clusterNetwork:
    +  - cidr: 10.128.0.0/14
    +    hostPrefix: 23
    +  networkType: OpenShiftSDN
    +
    +
    +
    +

    If it does not exist, the installer did not create it. To determine why the installer did not create it, execute the following:

    +
    +
    +
    +
    $ openshift-install create manifests
    +
    +
    +
  4. +
  5. +

    Check that the network-operator is running:

    +
    +
    +
    $ kubectl -n openshift-network-operator get pods
    +
    +
    +
  6. +
  7. +

    Retrieve the logs:

    +
    +
    +
    $ kubectl -n openshift-network-operator logs -l "name=network-operator"
    +
    +
    +
    +

    On high availability clusters with three or more control plane (master) nodes, the Operator will perform leader election and all other Operators will sleep. For additional details, see Troubleshooting.

    +
    +
  8. +
+
+
+
+

9.2. Cluster nodes not getting the correct IPv6 address over DHCP

+
+

If the cluster nodes are not getting the correct IPv6 address over DHCP, check the following:

+
+
+
    +
  1. +

    Ensure the reserved IPv6 addresses reside outside the DHCP range.

    +
  2. +
  3. +

    In the IP address reservation on the DHCP server, ensure the reservation specifies the correct DHCP Unique Identifier (DUID). For example:

    +
    +
    +
    # This is a dnsmasq dhcp reservation, 'id:00:03:00:01' is the client id and '18:db:f2:8c:d5:9f' is the MAC Address for the NIC
    +id:00:03:00:01:18:db:f2:8c:d5:9f,openshift-master-1,[2620:52:0:1302::6]
    +
    +
    +
  4. +
  5. +

    Ensure that route announcements are working.

    +
  6. +
  7. +

    Ensure that the DHCP server is listening on the required interfaces serving the IP address ranges.

    +
  8. +
+
+
+
+

9.3. Cluster nodes not getting the correct hostname over DHCP

+
+

During IPv6 deployment, cluster nodes must get their hostname over DHCP. Sometimes the NetworkManager does not assign the hostname immediately. A control plane (master) node might report an error such as:

+
+
+
+
Failed Units: 2
+  NetworkManager-wait-online.service
+  nodeip-configuration.service
+
+
+
+

This error indicates that the cluster node likely booted without first receiving a hostname from the DHCP server, which causes kubelet to boot +with a localhost.localdomain hostname. To address the error, force the node to renew the hostname.

+
+
+
Procedure
+
    +
  1. +

    Retrieve the hostname:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
    +

    If the hostname is localhost, proceed with the following steps.

    +
    +
    + + + + + +
    + + +
    +

    Where X is the master node number.

    +
    +
    +
    +
  2. +
  3. +

    Force the cluster node to renew the DHCP lease:

    +
    +
    +
    [core@master-X ~]$ sudo nmcli con up "<bare-metal-nic>"
    +
    +
    +
    +

    Replace <bare-metal-nic> with the wired connection corresponding to the baremetal network.

    +
    +
  4. +
  5. +

    Check hostname again:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
  6. +
  7. +

    If the hostname is still localhost.localdomain, restart NetworkManager:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart NetworkManager
    +
    +
    +
  8. +
  9. +

    If the hostname is still localhost.localdomain, wait a few minutes and check again. If the hostname remains localhost.localdomain, repeat the previous steps.

    +
  10. +
  11. +

    Restart the nodeip-configuration service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart nodeip-configuration.service
    +
    +
    +
    +

    This service will reconfigure the kubelet service with the correct hostname references.

    +
    +
  12. +
  13. +

    Reload the unit files definition since the kubelet changed in the previous step:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl daemon-reload
    +
    +
    +
  14. +
  15. +

    Restart the kubelet service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart kubelet.service
    +
    +
    +
  16. +
  17. +

    Ensure kubelet booted with the correct hostname:

    +
    +
    +
    [core@master-X ~]$ sudo journalctl -fu kubelet.service
    +
    +
    +
  18. +
+
+
+

If the cluster node is not getting the correct hostname over DHCP after the cluster is up and running, such as during a reboot, the cluster will have a pending csr. Do not approve a csr, or other issues might arise.

+
+
+
Addressing a csr
+
    +
  1. +

    Get CSRs on the cluster:

    +
    +
    +
    $ oc get csr
    +
    +
    +
  2. +
  3. +

    Verify if a pending csr contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc get csr <pending_csr> -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -text
    +
    +
    +
  4. +
  5. +

    Remove any csr that contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc delete csr <wrong_csr>
    +
    +
    +
  6. +
+
+
+
+

9.4. Routes do not reach endpoints

+
+

During the installation process, it is possible to encounter a Virtual Router Redundancy Protocol (VRRP) conflict. This conflict might occur if a previously used OpenShift Container Platform node that was once part of a cluster deployment using a specific cluster name is still running but not part of the current OpenShift Container Platform cluster deployment using that same cluster name. For example, a cluster was deployed using the cluster name openshift, deploying three control plane (master) nodes and three worker nodes. Later, a separate install uses the same cluster name openshift, but this redeployment only installed three control plane (master) nodes, leaving the three worker nodes from a previous deployment in an ON state. This might cause a Virtual Router Identifier (VRID) conflict and a VRRP conflict.

+
+
+
    +
  1. +

    Get the route:

    +
    +
    +
    $ oc get route oauth-openshift
    +
    +
    +
  2. +
  3. +

    Check the service endpoint:

    +
    +
    +
    $ oc get svc oauth-openshift
    +
    +
    +
    +
    +
    NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
    +oauth-openshift   ClusterIP   172.30.19.162   <none>        443/TCP   59m
    +
    +
    +
  4. +
  5. +

    Attempt to reach the service from a control plane (master) node:

    +
    +
    +
    [core@master0 ~]$ curl -k https://172.30.19.162
    +
    +
    +
    +
    +
    {
    +  "kind": "Status",
    +  "apiVersion": "v1",
    +  "metadata": {
    +  },
    +  "status": "Failure",
    +  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
    +  "reason": "Forbidden",
    +  "details": {
    +  },
    +  "code": 403
    +
    +
    +
  6. +
  7. +

    Identify the authentication-operator errors from the provisioner node:

    +
    +
    +
    $ oc logs deployment/authentication-operator -n openshift-authentication-operator
    +
    +
    +
    +
    +
    Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-authentication-operator", Name:"authentication-operator", UID:"225c5bd5-b368-439b-9155-5fd3c0459d98", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'OperatorStatusChanged' Status for clusteroperator/authentication changed: Degraded message changed from "IngressStateEndpointsDegraded: All 2 endpoints for oauth-server are reporting"
    +
    +
    +
  8. +
+
+
+
Solution
+
    +
  1. +

    Ensure that the cluster name for every deployment is unique, ensuring no conflict.

    +
  2. +
  3. +

    Turn off all the rogue nodes which are not part of the cluster deployment that are using the same cluster name. Otherwise, the authentication pod of the OpenShift Container Platform cluster might never start successfully.

    +
  4. +
+
+
+
+

9.5. Failed Ignition during Firstboot

+
+

During the Firstboot, the Ignition configuration may fail.

+
+
+
Procedure
+
    +
  1. +

    Connect to the node where the Ignition configuration failed:

    +
    +
    +
    Failed Units: 1
    +  machine-config-daemon-firstboot.service
    +
    +
    +
  2. +
  3. +

    Restart the machine-config-daemon-firstboot service:

    +
    +
    +
    [core@worker-X ~]$ sudo systemctl restart machine-config-daemon-firstboot.service
    +
    +
    +
  4. +
+
+
+
+

9.6. NTP out of sync

+
+

The deployment of OpenShift Container Platform clusters depends on NTP synchronized clocks among the cluster nodes. Without synchronized clocks, the deployment may fail due to clock drift if the time difference is greater than two seconds.

+
+
+
Procedure
+
    +
  1. +

    Check for differences in the AGE of the cluster nodes. For example:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                         STATUS   ROLES    AGE   VERSION
    +master-0.cloud.example.com   Ready    master   145m   v1.16.2
    +master-1.cloud.example.com   Ready    master   135m   v1.16.2
    +master-2.cloud.example.com   Ready    master   145m   v1.16.2
    +worker-2.cloud.example.com   Ready    worker   100m   v1.16.2
    +
    +
    +
  2. +
  3. +

    Check for inconsistent timing delays due to clock drift. For example:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    +
    master-1   error registering master-1  ipmi://<out-of-band-ip>
    +
    +
    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 18:20:02 UTC
    +           Universal time: Tue 2020-03-10 18:20:02 UTC
    +                 RTC time: Tue 2020-03-10 18:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: no
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
  4. +
+
+
+
Addressing clock drift in existing clusters
+
    +
  1. +

    Create a chrony.conf file and encode it as base64 string. For example:

    +
    +
    +
    $ cat << EOF | base 64
    +server <NTP-server> iburst(1)
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +EOF
    +
    +
    +
    + + + + + +
    1Replace <NTP-server> with the IP address of the NTP server. Copy the output. +
    +
    +
    [text-in-base-64]
    +
    +
    +
    +
  2. +
  3. +

    Create a MachineConfig object, replacing the base64 string with +the [text-in-base-64] string generated in the output of the previous step. The following example adds the file to the control plane (master) nodes. You can modify the file for worker nodes or make an additional machine config for the worker role.

    +
    +
    +
    $ cat << EOF > ./99_masters-chrony-configuration.yaml
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  creationTimestamp: null
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf
    +spec:
    +  config:
    +    ignition:
    +      config: {}
    +      security:
    +        tls: {}
    +      timeouts: {}
    +      version: 3.1.0
    +    networkd: {}
    +    passwd: {}
    +    storage:
    +      files:
    +      - contents:
    +          source: data:text/plain;charset=utf-8;base64,[text-in-base-64](1)
    +        group:
    +          name: root
    +        mode: 420
    +        overwrite: true
    +        path: /etc/chrony.conf
    +        user:
    +          name: root
    +  osImageURL: ""
    +
    +
    +
    + + + + + +
    1Replace [text-in-base-64] with the base64 string.
    +
    +
  4. +
  5. +

    Make a backup copy of the configuration file. For example:

    +
    +
    +
    $ cp 99_masters-chrony-configuration.yaml 99_masters-chrony-configuration.yaml.backup
    +
    +
    +
  6. +
  7. +

    Apply the configuration file:

    +
    +
    +
    $ oc apply -f ./masters-chrony-configuration.yaml
    +
    +
    +
  8. +
  9. +

    Ensure the System clock synchronized value is yes:

    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 19:10:02 UTC
    +           Universal time: Tue 2020-03-10 19:10:02 UTC
    +                 RTC time: Tue 2020-03-10 19:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: yes
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
    +

    To setup clock synchronization prior to deployment, generate the manifest files and add this file to the openshift directory. For example:

    +
    +
    +
    +
    $ cp chrony-masters.yaml ~/clusterconfigs/openshift/99_masters-chrony-configuration.yaml
    +
    +
    +
    +

    Then, continue to create the cluster.

    +
    +
  10. +
+
+
+
+
+
+

10. Reviewing the installation

+
+
+

After installation, ensure the installer deployed the nodes and pods successfully.

+
+
+
Procedure
+
    +
  1. +

    When the OpenShift Container Platform cluster nodes are installed appropriately, the following Ready state is seen within the STATUS column:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                   STATUS   ROLES           AGE  VERSION
    +master-0.example.com   Ready    master,worker   4h   v1.16.2
    +master-1.example.com   Ready    master,worker   4h   v1.16.2
    +master-2.example.com   Ready    master,worker   4h   v1.16.2
    +
    +
    +
  2. +
  3. +

    Confirm the installer deployed all pods successfully. The following command +removes any pods that are still running or have completed as part of the output.

    +
    +
    +
    $ oc get pods --all-namespaces | grep -iv running | grep -iv complete
    +
    +
    +
  4. +
+
+
+
+
+ + + \ No newline at end of file diff --git a/4.5/Troubleshooting.pdf b/4.5/Troubleshooting.pdf new file mode 100644 index 0000000000..17bcf69476 Binary files /dev/null and b/4.5/Troubleshooting.pdf differ diff --git a/4.6/Deployment.html b/4.6/Deployment.html new file mode 100644 index 0000000000..d5fbd0be3a --- /dev/null +++ b/4.6/Deployment.html @@ -0,0 +1,5084 @@ + + + + + + + + + + +Deploying Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal - 4.6 + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+
+
+

1. Overview

+
+
+

Installer-provisioned installation provides support for installing OpenShift Container Platform on bare metal nodes. This guide provides a methodology to achieving a successful installation.

+
+
+

During installer-provisioned installation on bare metal, the installer on the bare metal node labeled as provisioner creates a bootstrap virtual machine (VM). The role of the bootstrap VM is to assist in the process of deploying an OpenShift Container Platform cluster. The bootstrap VM connects to the baremetal network and to the provisioning network, if present, via the network bridges.

+
+
+
+Deployment phase one +
+
+
+

When the installation of OpenShift control plane nodes is complete and fully operational, the installer destroys the bootstrap VM automatically and moves the virtual IP addresses (VIPs) to +the appropriate nodes. The API VIP moves to the control plane nodes and the Ingress VIP moves to the worker nodes.

+
+
+
+Deployment phase two +
+
+
+
+
+

2. Prerequisites

+
+ +
+

Installer-provisioned installation of OpenShift Container Platform requires:

+
+
+
    +
  1. +

    One provisioner node with Red Hat Enterprise Linux (RHEL) 8.x installed.

    +
  2. +
  3. +

    Three control plane nodes.

    +
  4. +
  5. +

    Baseboard Management Controller (BMC) access to each node.

    +
  6. +
  7. +

    At least one network:

    +
    +
      +
    1. +

      One required routable network

      +
    2. +
    3. +

      One optional network for provisioning nodes; and,

      +
    4. +
    5. +

      One optional management network.

      +
    6. +
    +
    +
  8. +
+
+
+

Before starting an installer-provisioned installation of OpenShift Container Platform, ensure the hardware environment meets the following requirements.

+
+
+

2.1. Node requirements

+
+

Installer-provisioned installation involves a number of hardware node requirements:

+
+
+
    +
  • +

    CPU architecture: All nodes must use x86_64 CPU architecture.

    +
  • +
  • +

    Similar nodes: Red Hat recommends nodes have an identical configuration per role. That is, Red Hat recommends nodes be the same brand and model with the same CPU, memory and storage configuration.

    +
  • +
  • +

    Baseboard Management Controller: The provisioner node must be able to access the baseboard management controller (BMC) of each OpenShift Container Platform cluster node. You may use IPMI, Redfish, or a proprietary protocol.

    +
  • +
  • +

    Latest generation: Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, RHEL 8 ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support RHEL 8 for the provisioner node and RHCOS 8 for the control plane and worker nodes.

    +
  • +
  • +

    Registry node: (Optional) If setting up a disconnected mirrored registry, it is recommended the registry reside in its own node.

    +
  • +
  • +

    Provisioner node: Installer-provisioned installation requires one provisioner node.

    +
  • +
  • +

    Control plane: Installer-provisioned installation requires three control plane nodes for high availability.

    +
  • +
  • +

    Worker nodes: While not required, a typical production cluster has one or more worker nodes. Smaller clusters are more resource efficient for administrators and developers during development, production, and testing.

    +
  • +
  • +

    Network interfaces: Each node must have at least one 10GB network interface for the routable baremetal network. Each node must have one 10GB network interface for a provisioning network when using the provisioning network for deployment. Using the provisioning network is the default configuration. Network interface names must follow the same naming convention across all nodes. For example, the first NIC name on a node, such as eth0 or eno1, must be the same name on all of the other nodes. The same principle applies to the remaining NICs on each node.

    +
  • +
  • +

    Unified Extensible Firmware Interface (UEFI): Installer-provisioned installation requires UEFI boot on all OpenShift Container Platform nodes when using IPv6 addressing on the provisioning network. In addition, UEFI Device PXE Settings must be set to use the IPv6 protocol on the provisioning network NIC, but omitting the provisioning network removes this requirement.

    +
  • +
+
+
+
+

2.2. Firmware requirements for installing with virtual media

+
+

The installer for installer-provisioned OpenShift Container Platform clusters validates the hardware and firmware compatibility with Redfish virtual media. The following table lists supported firmware for installer-provisioned OpenShift Container Platform clusters deployed with Redfish virtual media.

+
+ + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1. Firmware compatibility for Redfish virtual media
HardwareModelManagementFirmware Versions

HP

10th Generation

iLO5

N/A

9th Generation

iLO4

N/A

Dell

14th Generation

iDRAC 9

v4.20.20.20 - 04.40.00.00

13th Generation

iDRAC 8

v2.75.75.75+

+
+ + + + + +
+ + +
+

Refer to the hardware documentation for the nodes or contact the hardware vendor for information on updating the firmware.

+
+
+

There are no known firmware limitations for HP servers.

+
+
+

For Dell servers, ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach . With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+
+
+ + + + + +
+ + +
+

The installer will not initiate installation on a node if the node firmware is below the foregoing versions when installing with virtual media.

+
+
+
+
+
+

2.3. Network requirements

+
+

Installer-provisioned installation of OpenShift Container Platform involves several network requirements by default. First, installer-provisioned installation involves a non-routable provisioning network for provisioning the operating system on each bare metal node and a routable baremetal network. Since installer-provisioned installation deploys ironic-dnsmasq, the networks should have no other DHCP servers running on the same broadcast domain. Network administrators must reserve IP addresses for each node in the OpenShift Container Platform cluster.

+
+
+
Network Time Protocol (NTP)
+

Each OpenShift Container Platform node in the cluster must have access to an NTP server. OpenShift Container Platform nodes use NTP to synchronize their clocks. For example, cluster nodes use SSL certificates that require validation, which might fail if the date and time between the nodes are not in sync.

+
+
+ + + + + +
+ + +
+

Define a consistent clock date and time format in each cluster node’s BIOS settings, or installation might fail.

+
+
+
+
+
Configuring NICs
+

OpenShift Container Platform deploys with two networks:

+
+
+
    +
  • +

    provisioning: The provisioning network is an optional non-routable network used for provisioning the underlying operating system on each node that is a part of the OpenShift Container Platform cluster. The network interface for the provisioning network on each cluster node must have the BIOS or UEFI configured to PXE boot. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the first NIC on each node, such as eth0 or eno1, must interface with the provisioning network. In OpenShift Container Platform 4.4 and later releases, you can specify the provisioning network NIC with the provisioningNetworkInterface configuration setting.

    +
  • +
  • +

    baremetal: The baremetal network is a routable network. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the second NIC on each node, such as eth1 or eno2, must interface with the baremetal network. In OpenShift Container Platform 4.4 and later releases, you can use any NIC order to interface with the baremetal network, provided it is the same NIC order across worker and control plane nodes and not the NIC specified in the provisioningNetworkInterface configuration setting for the provisioning network.

    +
  • +
+
+
+ + + + + +
+ + +
+

Use a compatible approach such that cluster nodes use the same NIC ordering on all cluster nodes. NICs must have heterogeneous hardware with the same NIC naming convention such as eth0 or eno1.

+
+
+
+
+ + + + + +
+ + +
+

When using a VLAN, each NIC must be on a separate VLAN corresponding to the appropriate network.

+
+
+
+
+
Configuring the DNS server
+

Clients access the OpenShift Container Platform cluster nodes over the baremetal network. A network administrator must configure a subdomain or subzone where the canonical name extension is the cluster name.

+
+
+
+
<cluster-name>.<domain-name>
+
+
+
+

For example:

+
+
+
+
test-cluster.example.com
+
+
+
+

For assistance in configuring the DNS server, check Appendix section for:

+
+ +
+
Reserving IP addresses for nodes with the DHCP server
+

For the baremetal network, a network administrator must reserve a number of IP addresses, including:

+
+
+
    +
  1. +

    Two virtual IP addresses.

    +
    +
      +
    • +

      One IP address for the API endpoint

      +
    • +
    • +

      One IP address for the wildcard ingress endpoint

      +
    • +
    +
    +
  2. +
  3. +

    One IP address for the provisioner node.

    +
  4. +
  5. +

    One IP address for each control plane (master) node.

    +
  6. +
  7. +

    One IP address for each worker node, if applicable.

    +
  8. +
+
+
+

The following table provides an exemplary embodiment of fully qualified domain names. The API and Nameserver addresses begin with canonical name extensions. The host names of the control plane and worker nodes are exemplary, so you can use any host naming convention you prefer.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
UsageHost NameIP

API

api.<cluster-name>.<domain>

<ip>

Ingress LB (apps)

*.apps.<cluster-name>.<domain>

<ip>

Provisioner node

provisioner.<cluster-name>.<domain>

<ip>

Master-0

openshift-master-0.<cluster-name>.<domain>

<ip>

Master-1

openshift-master-1.<cluster-name>-.<domain>

<ip>

Master-2

openshift-master-2.<cluster-name>.<domain>

<ip>

Worker-0

openshift-worker-0.<cluster-name>.<domain>

<ip>

Worker-1

openshift-worker-1.<cluster-name>.<domain>

<ip>

Worker-n

openshift-worker-n.<cluster-name>.<domain>

<ip>

+
+

For assistance in configuring the DHCP server, check Appendix section for:

+
+ +
+
Additional requirements with no provisioning network
+

All installer-provisioned installations require a baremetal network. The baremetal network is a routable network used for external network access to the outside world. In addition to the IP address supplied to the OpenShift Container Platform cluster node, installations without a provisioning network require the following:

+
+
+
    +
  • +

    Setting an available IP address from the baremetal network to the bootstrapProvisioningIP configuration setting within the install-config.yaml configuration file.

    +
  • +
  • +

    Setting an available IP address from the baremetal network to the provisioningHostIP configuration setting within the install-config.yaml configuration file.

    +
  • +
  • +

    Deploying the OpenShift Container Platform cluster using RedFish Virtual Media/iDRAC Virtual Media.

    +
  • +
+
+
+ + + + + +
+ + +
+

Configuring additional IP addresses for bootstrapProvisioningIP and provisioningHostIP is not required when using a provisioning network.

+
+
+
+

IPv6 considerations

+
+
SLAAC Addressing
+

If you do not plan to use SLAAC [1] addresses on your OpenShift Container Platform node, then it should be disabled for baremetal networks, that means that if your network equipment is configured to send SLAAC addresses when replying to Route Advertisements that behavior should be changed, so it only sends the route and not the SLAAC address.

+
+
+

Install ndptool on your system in order to check what your RAs look like:

+
+
+
+
# Turn down/up baremetal iface on a master Node
+$ sudo nmcli con down "Wired connection 5" && sudo nmcli con up "Wired connection 5"
+Connection 'Wired connection 5' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1983)
+Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2044)
+
+# ndptool monitor on Helper node
+$ sudo ndptool monitor -t ra
+NDP payload len 80, from addr: fe80::c0a4:6464:bcb3:d657, iface: baremetal.153
+  Type: RA
+  Hop limit: 64
+  Managed address configuration: yes
+  Other configuration: no
+  Default router preference: medium
+  Router lifetime: 0s
+  Reachable time: unspecified
+  Retransmit time: unspecified
+  Source linkaddr: 1c:40:24:1b:0c:34
+  Prefix: 2620:52:0:1303::/64, valid_time: 86400s, preferred_time: 14400s, on_link: yes, autonomous_addr_conf: no, router_addr: no
+  Route: ::/0, lifetime: 0s, preference: low
+
+
+
+

The ndptool monitor should report Managed address configuration: yes.

+
+
+
Network Ranges and Configurations
+

Different baremetal and provisioning networks are required for each environment; each environment will have a different IPv6 range for each one of those networks.

+
+
+

In our configuration we used subinterfaces attached to two different physical interfaces, VLAN tagging was done at O.S. level (this required switch ports configured with trunk mode).

+
+
+

Our different IPv6 networks were all routable but usually, the only routable networks are the baremetal ones.

+
+
+

Keep in mind that provisioning networks cannot be in the same broadcast domain, since services such as DHCP are running.

+
+
+ + + + + +
+ + +
Route Advertisement
+
+

Route Advertisement must be enabled for both networks baremetal and provisioning.

+
+
+
+
+
Route Advertisements
+

As mentioned previously, both the baremetal and the provisioning networks must have Route Advertisement enabled. For the baremetal network, the radvd daemon was used, while the provisioning network has RA enabled in the Metal³ dnsmasq, so no configuration is needed.

+
+
+
+

2.4. Configuring nodes

+
+
Configuring nodes when using the provisioning network
+

Each node in the cluster requires the following configuration for proper installation.

+
+
+ + + + + +
+ + +
+

A mismatch between nodes will cause an installation failure.

+
+
+
+
+

While the cluster nodes can contain more than two NICs, the installation process only focuses on the first two NICs:

+
+ +++++ + + + + + + + + + + + + + + + + + +

NIC

Network

VLAN

NIC1

provisioning

<provisioning-vlan>

NIC2

baremetal

<baremetal-vlan>

+
+

NIC1 is a non-routable network (provisioning) that is only used for the installation of the OpenShift Container Platform cluster.

+
+
+

The Red Hat Enterprise Linux (RHEL) 8.x installation process on the provisioner node might vary. To install Red Hat Enterprise Linux (RHEL) 8.x using a local Satellite server or a PXE server, PXE-enable NIC2.

+
+ ++++ + + + + + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled provisioning network

1

NIC2 baremetal network. PXE-enabled is optional.

2

+
+ + + + + +
+ + +
+

Ensure PXE is disabled on all other NICs.

+
+
+
+
+

Configure the control plane and worker nodes as follows:

+
+ ++++ + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled (provisioning network)

1

+
+
Configuring nodes without the provisioning network
+

The installation process requires one NIC:

+
+ +++++ + + + + + + + + + + + + +

NIC

Network

VLAN

NICx

baremetal

<baremetal-vlan>

+
+

NICx is a routable network (baremetal) that is used for the installation of the OpenShift Container Platform cluster, and routable to the internet.

+
+
+
+

2.5. Out-of-band management

+
+

Nodes will typically have an additional NIC used by the Baseboard Management Controllers (BMCs). These BMCs must be accessible from the provisioner node.

+
+
+

Each node must be accessible via out-of-band management. When using an out-of-band management network, the provisioner node requires access to the out-of-band management network for a successful OpenShift Container Platform 4 installation.

+
+
+

The out-of-band management setup is out of scope for this document. We recommend setting up a separate management network for out-of-band management. However, using the provisioning network or the baremetal network are valid options.

+
+
+
+

2.6. Required data for installation

+
+

Prior to the installation of the OpenShift Container Platform cluster, gather the following information from all cluster nodes:

+
+
+
    +
  • +

    Out-of-band management IP

    +
    +
      +
    • +

      Examples

      +
      +
        +
      • +

        Dell (iDRAC) IP

        +
      • +
      • +

        HP (iLO) IP

        +
      • +
      +
      +
    • +
    +
    +
  • +
+
+
+
When using the provisioning network
+
    +
  • +

    NIC1 (provisioning) MAC address

    +
  • +
  • +

    NIC2 (baremetal) MAC address

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    NICx (baremetal) MAC address

    +
  • +
+
+
+
+

2.7. Validation checklist for nodes

+
+
When using the provisioning network
+
    +
  • +

    NIC1 VLAN is configured for the provisioning network.

    +
  • +
  • +

    NIC2 VLAN is configured for the baremetal network.

    +
  • +
  • +

    NIC1 is PXE-enabled on the provisioner, Control Plane (master), and worker nodes.

    +
  • +
  • +

    PXE has been disabled on all other NICs.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    NICx VLAN is configured for the baremetal network.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
Summary
+

After an environment has been prepared according to the documented prerequisites, the installation process is the same as other installer-provisioned platforms.

+
+
+
+
+
+

3. Setting up the environment for an OpenShift installation

+
+ +
+

3.1. Installing RHEL on the provisioner node

+
+

With the networking configuration complete, the next step is to install RHEL 8.X on the provisioner node. The installer uses the provisioner node as the orchestrator while installing the OpenShift Container Platform cluster. For the purposes of this document, installing RHEL on the provisioner node is out of scope. However, options include but are not limited to using a RHEL Satellite server, PXE, or installation media.

+
+
+
+

3.2. Preparing the provisioner node for OpenShift Container Platform installation

+
+

Perform the following steps to prepare the environment.

+
+
+
Procedure
+
    +
  1. +

    Log in to the provisioner node via ssh.

    +
  2. +
  3. +

    Create a non-root user (kni) and provide that user with sudo privileges.

    +
    +
    +
    [root@provisioner ~]# useradd kni
    +[root@provisioner ~]# passwd kni
    +[root@provisioner ~]# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    +[root@provisioner ~]# chmod 0440 /etc/sudoers.d/kni
    +
    +
    +
  4. +
  5. +

    Create an ssh key for the new user.

    +
    +
    +
    [root@provisioner ~]# su - kni -c "ssh-keygen -t rsa -f /home/kni/.ssh/id_rsa -N ''"
    +
    +
    +
  6. +
  7. +

    Log in as the new user on the provisioner node.

    +
    +
    +
    [root@provisioner ~]# su - kni
    +[kni@provisioner ~]$
    +
    +
    +
  8. +
  9. +

    Use Red Hat Subscription Manager to register the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ sudo subscription-manager register --username=<user> --password=<pass> --auto-attach
    +[kni@provisioner ~]$ sudo subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms --enable=rhel-8-for-x86_64-baseos-rpms
    +
    +
    +
    + + + + + +
    + + +
    +

    For more information about Red Hat Subscription Manager, see Using and Configuring Red Hat Subscription Manager.

    +
    +
    +
    +
  10. +
  11. +

    Install the following packages.

    +
    +
    +
    [kni@provisioner ~]$ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitool
    +
    +
    +
  12. +
  13. +

    Modify the user to add the libvirt group to the newly created user.

    +
    +
    +
    [kni@provisioner ~]$ sudo usermod --append --groups libvirt <user>
    +
    +
    +
  14. +
  15. +

    Restart firewalld and enable the http service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start firewalld
    +[kni@provisioner ~]$ sudo firewall-cmd --zone=public --add-service=http --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --reload
    +
    +
    +
  16. +
  17. +

    Start and enable the libvirtd service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start libvirtd
    +[kni@provisioner ~]$ sudo systemctl enable libvirtd --now
    +
    +
    +
  18. +
  19. +

    Create the default storage pool and start it.

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images
    +[kni@provisioner ~]$ sudo virsh pool-start default
    +[kni@provisioner ~]$ sudo virsh pool-autostart default
    +
    +
    +
  20. +
  21. +

    Configure networking.

    +
    + + + + + +
    + + +
    +

    This step can also be run from the web console.

    +
    +
    +
    +
    +
    Provisioning Network (IPv4 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv4.addresses 172.22.0.1/24 ipv4.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv4 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    +
    Provisioning Network (IPv6 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv6.addresses fd00:1101::1/64 ipv6.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv6 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    Ensure that UEFI is enabled and UEFI PXE settings are set to the IPv6 protocol when using IPv6 addressing.

    +
    +
    +
    +
  22. +
  23. +

    ssh back into the provisioner node (if required).

    +
    +
    +
    # ssh kni@provisioner.<cluster-name>.<domain>
    +
    +
    +
  24. +
  25. +

    Verify the connection bridges have been properly created.

    +
    +
    +
    [kni@provisioner ~]$ nmcli con show
    +
    +
    +
    +
    +
    NAME               UUID                                  TYPE      DEVICE
    +baremetal          4d5133a5-8351-4bb9-bfd4-3af264801530  bridge    baremetal
    +provisioning       43942805-017f-4d7d-a2c2-7cb3324482ed  bridge    provisioning
    +virbr0             d9bca40f-eee1-410b-8879-a2d4bb0465e7  bridge    virbr0
    +bridge-slave-eno1  76a8ed50-c7e5-4999-b4f6-6d9014dd0812  ethernet  eno1
    +bridge-slave-eno2  f31c3353-54b7-48de-893a-02d2b34c4736  ethernet  eno2
    +
    +
    +
  26. +
  27. +

    Create a pull-secret.txt file.

    +
    +
    +
    [kni@provisioner ~]$ vim pull-secret.txt
    +
    +
    +
    +

    In a web browser, navigate to Install on Bare Metal with user-provisioned infrastructure, and scroll down to the Downloads section. Click Copy pull secret. Paste the contents into the pull-secret.txt file and save the contents in the kni user’s home directory.

    +
    +
  28. +
+
+
+
+

3.3. Retrieving the OpenShift Container Platform installer (GA Release)

+
+

Use the latest-4.x version of the installer to deploy the latest generally +available version of OpenShift Container Platform:

+
+
+
+
[kni@provisioner ~]$ export VERSION=latest-4.6
+export RELEASE_IMAGE=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')
+
+
+
+
+

3.4. Extracting the OpenShift Container Platform installer (GA Release)

+
+

After retrieving the installer, the next step is to extract it.

+
+
+
Procedure
+
    +
  1. +

    Set the environment variables:

    +
    +
    +
    [kni@provisioner ~]$ export cmd=openshift-baremetal-install
    +[kni@provisioner ~]$ export pullsecret_file=~/pull-secret.txt
    +[kni@provisioner ~]$ export extract_dir=$(pwd)
    +
    +
    +
  2. +
  3. +

    Get the oc binary:

    +
    +
    +
    [kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux.tar.gz | tar zxvf - oc
    +
    +
    +
  4. +
  5. +

    Extract the installer:

    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +[kni@provisioner ~]$ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${RELEASE_IMAGE}
    +[kni@provisioner ~]$ sudo cp openshift-baremetal-install /usr/local/bin
    +
    +
    +
  6. +
+
+
+
+

3.5. Creating an RHCOS images cache (optional)

+
+

To employ image caching, you must download two images: the Red Hat Enterprise Linux CoreOS (RHCOS) image used by the bootstrap VM and the RHCOS image used by the installer to provision the different nodes. Image caching is optional, but especially useful when running the installer on a network with limited bandwidth.

+
+
+

If you are running the installer on a network with limited bandwidth and the RHCOS images download takes more than 15 to 20 minutes, the installer will timeout. Caching images on a web server will help in such scenarios.

+
+
+

Use the following steps to install a container that contains the images.

+
+
+
    +
  1. +

    Install podman.

    +
    +
    +
    $ sudo dnf install -y podman
    +
    +
    +
  2. +
  3. +

    Open firewall port 8080 to be used for RHCOS image caching.

    +
    +
    +
    $ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent
    +$ sudo firewall-cmd --reload
    +
    +
    +
  4. +
  5. +

    Create a directory to store the bootstraposimage and clusterosimage.

    +
    +
    +
    $ mkdir /home/kni/rhcos_image_cache
    +
    +
    +
  6. +
  7. +

    Set the appropriate SELinux context for the newly created directory.

    +
    +
    +
    $ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"
    +$ sudo restorecon -Rv rhcos_image_cache/
    +
    +
    +
  8. +
  9. +

    Get the commit ID from the installer. The ID determines which images the installer needs to download.

    +
    +
    +
    $ export COMMIT_ID=$(/usr/local/bin/openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
    +
    +
    +
  10. +
  11. +

    Get the URI for the RHCOS image that the installer will deploy on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.openstack.path | sed 's/"//g')
    +
    +
    +
  12. +
  13. +

    Get the URI for the RHCOS image that the installer will deploy on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.qemu.path | sed 's/"//g')
    +
    +
    +
  14. +
  15. +

    Get the path where the images are published.

    +
    +
    +
    $ export RHCOS_PATH=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .baseURI | sed 's/"//g')
    +
    +
    +
  16. +
  17. +

    Get the SHA hash for the RHCOS image that will be deployed on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_SHA_UNCOMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.qemu["uncompressed-sha256"]')
    +
    +
    +
  18. +
  19. +

    Get the SHA hash for the RHCOS image that will be deployed on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_SHA_COMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.openstack.sha256')
    +
    +
    +
  20. +
  21. +

    Download the images and place them in the /home/kni/rhcos_image_cache directory.

    +
    +
    +
    $ curl -L ${RHCOS_PATH}${RHCOS_QEMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI}
    +$ curl -L ${RHCOS_PATH}${RHCOS_OPENSTACK_URI} -o /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI}
    +
    +
    +
  22. +
  23. +

    Confirm SELinux type is of httpd_sys_content_t for the newly created files.

    +
    +
    +
    $ ls -Z /home/kni/rhcos_image_cache
    +
    +
    +
  24. +
  25. +

    Create the pod.

    +
    +
    +
    $ podman run -d --name rhcos_image_cache \
    +-v /home/kni/rhcos_image_cache:/var/www/html \
    +-p 8080:8080/tcp \
    +quay.io/centos7/httpd-24-centos7:latest
    +
    +
    +
  26. +
  27. +

    Generate the bootstrapOSImage and clusterOSImage configuration.

    +
    +
    +
    $ export BAREMETAL_IP=$(ip addr show dev baremetal | awk '/inet /{print $2}' | cut -d"/" -f1)
    +$ export RHCOS_OPENSTACK_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI} | sha256sum | awk '{print $1}')
    +$ export RHCOS_QEMU_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI} | sha256sum | awk '{print $1}')
    +$ export CLUSTER_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_OPENSTACK_URI}?sha256=${RHCOS_OPENSTACK_SHA256}"
    +$ export BOOTSTRAP_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_QEMU_URI}?sha256=${RHCOS_QEMU_SHA256}"
    +$ echo "${RHCOS_OPENSTACK_SHA256}  ${RHCOS_OPENSTACK_URI}" > /home/kni/rhcos_image_cache/rhcos-ootpa-latest.qcow2.md5sum
    +$ echo "    bootstrapOSImage=${BOOTSTRAP_OS_IMAGE}"
    +$ echo "    clusterOSImage=${CLUSTER_OS_IMAGE}"
    +
    +
    +
  28. +
  29. +

    Add the required configuration to the install-config.yaml file under platform.baremetal.

    +
    +
    +
    platform:
    +  baremetal:
    +    bootstrapOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_QEMU_URI>?sha256=<RHCOS_QEMU_SHA256>
    +    clusterOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_OPENSTACK_URI>?sha256=<RHCOS_OPENSTACK_SHA256>
    +
    +
    +
    +

    See the Configuring the install-config.yaml file section for additional details.

    +
    +
  30. +
+
+
+
+

3.6. Configuration files

+
+

3.6.1. Configuring the install-config.yaml file

+
+

The install-config.yaml file requires some additional details. +Most of the information is teaching the installer and the resulting cluster enough about the available hardware so that it is able to fully manage it.

+
+
+
    +
  1. +

    Configure install-config.yaml. Change the appropriate variables to match the environment, including pullSecret and sshKey.

    +
    +
    +
    apiVersion: v1
    +basedomain: <domain>
    +metadata:
    +  name: <cluster-name>
    +networking:
    +  machineCIDR: <public-cidr>
    +  networkType: OVNKubernetes
    +compute:
    +- name: worker
    +  replicas: 2 (1)
    +controlPlane:
    +  name: master
    +  replicas: 3
    +  platform:
    +    baremetal: {}
    +platform:
    +  baremetal:
    +    apiVIP: <api-ip>
    +    ingressVIP: <wildcard-ip>
    +    provisioningNetworkInterface: <NIC1>
    +    provisioningNetworkCIDR: <CIDR>
    +    hosts:
    +      - name: openshift-master-0
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip> (2)
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-1
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-2
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-worker-0
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +      - name: openshift-worker-1
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +pullSecret: '<pull_secret>'
    +sshKey: '<ssh_pub_key>'
    +
    +
    +
    + + + + + + + + + +
    1Scale the worker machines based on the number of worker nodes that are part of the OpenShift Container Platform cluster.
    2Refer to the BMC addressing for more options
    +
    +
  2. +
  3. +

    Create a directory to store cluster configs.

    +
    +
    +
    [kni@provisioner ~]$ mkdir ~/clusterconfigs
    +[kni@provisioner ~]$ cp install-config.yaml ~/clusterconfigs
    +
    +
    +
  4. +
  5. +

    Ensure all bare metal nodes are powered off prior to installing the OpenShift Container Platform cluster.

    +
    +
    +
    [kni@provisioner ~]$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  6. +
  7. +

    Remove old bootstrap resources if any are left over from a previous deployment attempt.

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool $i;
    +  sudo virsh vol-delete $i.ign --pool $i;
    +  sudo virsh pool-destroy $i;
    +  sudo virsh pool-undefine $i;
    +done
    +
    +
    +
  8. +
+
+
+
+

3.6.2. Setting proxy settings within the install-config.yaml file (optional)

+
+

To deploy an OpenShift Container Platform cluster using a proxy, make the following changes to the install-config.yaml file.

+
+
+
+
apiVersion: v1
+baseDomain: <domain>
+proxy:
+  httpProxy: http://USERNAME:PASSWORD@proxy.example.com:PORT
+  httpsProxy: https://USERNAME:PASSWORD@proxy.example.com:PORT
+  noProxy: <WILDCARD_OF_DOMAIN>,<PROVISIONING_NETWORK/CIDR>,<BMC_ADDRESS_RANGE/CIDR>
+
+
+
+

See below for an example of noProxy with values.

+
+
+
+
noProxy: .example.com,172.22.0.0/24,10.10.0.0/24
+
+
+
+

With a proxy enabled, set the appropriate values of the proxy in the corresponding key/value pair.

+
+
+

Key considerations:

+
+
+
    +
  • +

    If the proxy does not have an HTTPS proxy, change the value of httpsProxy from https:// to http://.

    +
  • +
  • +

    If using a provisioning network, include it in the noProxy setting, otherwise the installer will fail.

    +
  • +
  • +

    Set all of the proxy settings as environment variables within the provisioner node. For example, HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

    +
  • +
+
+
+
+

3.6.3. Modifying the install-config.yaml file for no provisioning network (optional)

+
+

To deploy an OpenShift Container Platform cluster without a provisioning network, make the following changes to the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    apiVIP: <apiVIP>
+    ingressVIP: <ingress/wildcard VIP>
+    provisioningNetwork: "Disabled"
+    provisioningHostIP: <baremetal_network_IP1>
+    bootstrapProvisioningIP: <baremetal_network_IP2>
+
+
+
+ + + + + +
+ + +
+

Requires providing two IP addresses from the baremetal network for the provisioningHostIP and bootstrapProvisioningIP configuration settings, and removing the provisioningBridge and provisioningNetworkCIDR configuration settings.

+
+
+
+
+
+

3.6.4. Additional install-config parameters

+
+

See the following tables for the required parameters, the hosts parameter, +and the bmc parameter for the install-config.yaml file.

+
+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2. Required parameters
ParametersDefaultDescription

baseDomain

The domain name for the cluster. For example, example.com.

bootMode

legacy

The boot mode for a node. Options are legacy, UEFI and UEFISecureBoot.

sshKey

The sshKey configuration setting contains the key in the ~/.ssh/id_rsa.pub file required to access the control plane nodes and worker nodes. Typically, this key is from the provisioner node.

pullSecret

The pullSecret configuration setting contains a copy of the pull secret downloaded from the Install OpenShift on Bare Metal page when preparing the provisioner node.

+
+
metadata:
+    name:
+
+

The name to be given to the OpenShift Container Platform cluster. For example, openshift.

+
+
networking:
+    machineCIDR:
+
+

The public CIDR (Classless Inter-Domain Routing) of the external network. For example, 10.0.0.0/24 +or 2620:52:0:1302::/64 +.

+
+
compute:
+  - name: worker
+
+

The OpenShift Container Platform cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes.

+
+
compute:
+    replicas: 2
+
+

Replicas sets the number of worker (or compute) nodes in the OpenShift Container Platform cluster.

+
+
controlPlane:
+    name: master
+
+

The OpenShift Container Platform cluster requires a name for control plane (master) nodes.

+
+
controlPlane:
+    replicas: 3
+
+

Replicas sets the number of control plane (master) nodes included as part of the OpenShift Container Platform cluster.

+

provisioningNetworkInterface

+

The name of the network interface on control plane nodes connected to the +provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

apiVIP

api.<clustername.clusterdomain>

The VIP to use for internal API communication.

+

This setting must either be provided or pre-configured in the DNS so that the +default name resolves correctly.

disableCertificateVerification

False

redfish and redfish-virtualmedia need this parameter to manage BMC addresses. The value should be True when using a self-signed certificate for BMC addresses.

ingressVIP

test.apps.<clustername.clusterdomain>

The VIP to use for ingress traffic.

+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 3. Optional Parameters
ParametersDefaultDescription

provisioningDHCPRange

172.22.0.10,172.22.0.100

Defines the IP range for nodes on the provisioning network.

+

provisioningNetworkCIDR

+

172.22.0.0/24

The CIDR for the network to use for provisioning. This option is required when not using the default address range on the provisioning network.

clusterProvisioningIP

The third IP address of the provisioningNetworkCIDR.

The IP address within the cluster where the provisioning services run. Defaults to the third IP address of the provisioning subnet. For example, 172.22.0.3.

bootstrapProvisioningIP

The second IP address of the provisioningNetworkCIDR.

The IP address on the bootstrap VM where the provisioning services run while the installer is deploying the control plane (master) nodes. Defaults to the second IP address of the provisioning subnet. For example, 172.22.0.2 +or 2620:52:0:1307::2 +.

+

Set this parameter to an available IP address on the baremetal network when the provisioningNetwork configuration setting is set to Disabled.

externalBridge

baremetal

The name of the baremetal bridge of the hypervisor attached to the baremetal network.

provisioningBridge

provisioning

The name of the provisioning bridge on the provisioner host attached to the provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

bootstrapOSImage

A URL to override the default operating system image for the bootstrap node. The URL must contain a SHA-256 hash of the image. For example: +https://mirror.openshift.com/rhcos-<version>-qemu.qcow2.gz?sha256=<uncompressed_sha256>; + or http://[2620:52:0:1307::1]/rhcos-<version>-qemu.x86_64.qcow2.gz?sha256=<uncompressed_sha256> +.

clusterOSImage

A URL to override the default operating system for cluster nodes. The URL must include a SHA-256 hash of the image. For example, https://mirror.openshift.com/images/rhcos-<version>-openstack.qcow2.gz?sha256=<compressed_sha256>;.

provisioningNetwork

Set this parameter to Disabled to disable the requirement for a provisioning network. User may only do virtual media based provisioning, or bring up the cluster using assisted installation. If using power management, BMC’s must be accessible from the machine networks. User must provide two IP addresses on the external network that are used for the provisioning services. +Set this parameter to Managed, which is the default, to fully manage the provisioning network, including DHCP, TFTP, and so on.

+

Set this parameter to Unmanaged to still enable the provisioning network but take care of manual configuration of DHCP. Virtual media provisioning is recommended but PXE is still available if required.

provisioningHostIP

Set this parameter to an available IP address on the baremetal network when the provisioningNetwork configuration setting is set to Disabled.

httpProxy

Set this parameter to the appropriate HTTP proxy used within your environment.

httpsProxy

Set this parameter to the appropriate HTTPS proxy used within your environment.

noProxy

Set this parameter to the appropriate list of exclusions for proxy usage within your environment.

+
+
Hosts
+

The hosts parameter is a list of separate bare metal assets used to build the cluster.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Name

Default

Description

name

The name of the BareMetalHost resource to associate with the details. For example, openshift-master-0.

role

The role of the bare metal node. Either master or worker.

bmc

Connection details for the baseboard management controller. See the BMC addressing section for additional details.

bootMACAddress

The MAC address of the NIC the host will use to boot on the provisioning network.

+
+
+

3.6.5. BMC addressing

+
+

Most vendors support BMC addressing with the Intelligent Platform Management Interface or IPMI. IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center or SDDC. Redfish is human readable and machine capable, and leverages common Internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.

+
+
+
IPMI
+

Hosts using IPMI use the ipmi://<out-of-band-ip>:<port> address format, which defaults to port 623 if not specified. The following example demonstrates an IPMI configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: ipmi://<out-of-band-ip>
+          username: <user>
+          password: <password>
+
+
+
+
Redfish network boot
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
BMC addressing for Dell iDRAC
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For Dell hardware, Red Hat supports integrated Dell Remote Access Controller (iDRAC) virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 4. BMC address formats for Dell iDRAC
ProtocolAddress Format

iDRAC virtual media

idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

IPMI

ipmi://<out-of-band-ip>

+
+ + + + + +
+ + +
+

Use idrac-virtualmedia as the protocol for Redfish virtual media. redfish-virtualmedia will not work on Dell hardware. Dell’s idrac-virtualmedia uses the Redfish standard with Dell’s OEM extensions.

+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for Dell iDRAC
+

For Redfish virtual media on Dell servers, use idrac-virtualmedia:// in the address setting. Using redfish-virtualmedia:// will not work.

+
+
+ + + + + +
+ + +
+

Redfish virtual media on Dell servers has a known issue in OpenShift Container Platform 4.6, which will be resolved in a future release.

+
+
+
+
+

The following example demonstrates using iDRAC virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

Use idrac-virtualmedia:// as the protocol for Redfish virtual media. Using redfish-virtualmedia:// will not work on Dell hardware, because the idrac-virtualmedia:// protocol corresponds to the idrac hardware type and the Redfish protocol in Ironic. Dell’s idrac-virtualmedia:// protocol uses the Redfish standard with Dell’s OEM extensions. Ironic also supports the idrac type with the WSMAN protocol. Therefore, you must specify idrac-virtualmedia:// to avoid unexpected behavior when electing to use Redfish with virtual media on Dell hardware.

+
+
+
+
+
Redfish network boot for iDRAC
+

To enable Redfish, use redfish:// or redfish+http:// to disable transport layer security (TLS). The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell hardware with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

The redfish:// URL protocol corresponds to the redfish hardware type in Ironic.

+
+
+
+
+
+
BMC addressing for HPE iLO
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For HPE integrated Lights Out (iLO), Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 5. BMC address formats for HPE iLO
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/1

IPMI

ipmi://<out-of-band-ip>

+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for HPE iLO
+

To enable Redfish virtual media for HPE servers, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Redfish virtual media is not supported on 9th generation systems running iLO4, because Ironic does not support iLO4 with virtual media.

+
+
+
+
+
Redfish network boot for HPE iLO
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
BMC addressing for KVM with sushy-tools Redfish emulator
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For KVM working with sushy-tools Redfish emulator, Red Hat supports Redfish virtual media and Redfish network boot.

+
+ + ++++ + + + + + + + + + + + + + + + + +
Table 6. BMC address formats for KVM with sushy-tools Redfish emulator
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

Redfish network boot

redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

+
+ + + + + +
+ + +
+

The sushy-tools Redfish emulator runs from the KVM hypervisor and a single instance acts as the virtual BMC for all the guest machines. This means both the out of band IP address and port, will be same and each individual machine must be identified by its System ID.

+
+
+

You may retrieve the System ID of your guest machines with the following command:

+
+
+
+
---
+$ virsh list --all --name --uuid
+d8ac6bf8-3062-4954-84c3-e097faa17025 compute-0
+84971a71-3935-4a92-8d90-a9f8440dac09 compute-1
+92430f42-8805-4412-959a-2a7252c7c540 compute-2
+0fea5296-db95-41d7-9295-f57cfa50255f control-plane-0
+4986e405-fd3a-483d-9210-8cb120b98f80 control-plane-1
+26bf228c-44fd-4c49-9e6f-44f4b5968b34 control-plane-2
+---
+
+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for KVM with sushy-tools Redfish emulator
+

To enable Redfish virtual media for KVM environments running the sushy-tools Redfish emulator, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
Redfish network boot for KVM with sushy-tools Redfish emulator
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires the host name or the IP address, the Redfish emulator listening port and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
+

3.6.6. Root device hints

+
+

The rootDeviceHints parameter enables the installer to provision the Red Hat Enterprise Linux CoreOS (RHCOS) image to a particular device. The installer examines the devices in the order it discovers them, and compares the discovered values with the hint values. The installer uses the first discovered device that matches the hint value. The configuration can combine multiple hints, but a device must match all hints for the installer to select it.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 7. Subfields
SubfieldDescription

deviceName

A string containing a Linux device name like /dev/vda. The hint must match the actual value exactly.

hctl

A string containing a SCSI bus address like 0:0:0:0. The hint must match the actual value exactly.

model

A string containing a vendor-specific device identifier. The hint can be a substring of the actual value.

vendor

A string containing the name of the vendor or manufacturer of the device. The hint can be a sub-string of the actual value.

serialNumber

A string containing the device serial number. The hint must match the actual value exactly.

minSizeGigabytes

An integer representing the minimum size of the device in gigabytes.

wwn

A string containing the unique storage identifier. The hint must match the actual value exactly.

wwnWithExtension

A string containing the unique storage identifier with the vendor extension appended. The hint must match the actual value exactly.

wwnVendorExtension

A string containing the unique vendor storage identifier. The hint must match the actual value exactly.

rotational

A Boolean indicating whether the device should be a rotating disk (true) or not (false).

+
+
Example usage
+
+
     - name: master-0
+       role: master
+       bmc:
+         address: ipmi://10.10.0.3:6203
+         username: admin
+         password: redhat
+       bootMACAddress: de:ad:be:ef:00:40
+       rootDeviceHints:
+         deviceName: "/dev/sda"
+
+
+
+
+

3.6.7. Creating the OpenShift Container Platform manifests

+
+
    +
  1. +

    Create the OpenShift Container Platform manifests.

    +
    +
    +
    [kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs create manifests
    +
    +
    +
    +
    +
    INFO Consuming Install Config from target directory
    +WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
    +WARNING Discarding the Openshift Manifest that was provided in the target directory because its dependencies are dirty and it needs to be regenerated
    +
    +
    +
  2. +
+
+
+
+
+

3.7. Creating a disconnected registry (optional)

+
+

In some cases, you might want to install an OpenShift Container Platform cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.

+
+
+

A local, or mirrored, copy of the registry requires the following:

+
+
+
    +
  • +

    A certificate for the registry node. This can be a self-signed certificate.

    +
  • +
  • +

    A web server that a container on a system will serve.

    +
  • +
  • +

    An updated pull secret that contains the certificate and local repository information.

    +
  • +
+
+
+ + + + + +
+ + +
+

Creating a disconnected registry on a registry node is optional. The subsequent sections indicate that they are optional since they are steps you need to execute only when creating a disconnected registry on a registry node. You should execute all of the subsequent sub-sections labeled "(optional)" when creating a disconnected registry on a registry node.

+
+
+
+
+

3.7.1. Preparing the registry node to host the mirrored registry (optional)

+
+

Make the following changes to the registry node.

+
+
+
Procedure
+
    +
  1. +

    Open the firewall port on the registry node.

    +
    +
    +
    [user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[user@registry ~]$ sudo firewall-cmd --reload
    +
    +
    +
  2. +
  3. +

    Install the required packages for the registry node.

    +
    +
    +
    [user@registry ~]$ sudo yum -y install python3 podman httpd httpd-tools jq
    +
    +
    +
  4. +
  5. +

    Create the directory structure where the repository information will be held.

    +
    +
    +
    [user@registry ~]$ sudo mkdir -p /opt/registry/{auth,certs,data}
    +
    +
    +
  6. +
+
+
+
+

3.7.2. Generating the self-signed certificate (optional)

+
+

Generate a self-signed certificate for the registry node and put it in the /opt/registry/certs directory.

+
+
+
Procedure
+
    +
  1. +

    Adjust the certificate information as appropriate.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +[user@registry ~]$ cert_c="<Country Name>"   # Country Name (C, 2 letter code)
    +[user@registry ~]$ cert_s="<State>"          # Certificate State (S)
    +[user@registry ~]$ cert_l="<Locality>"       # Certificate Locality (L)
    +[user@registry ~]$ cert_o="<Organization>"   # Certificate Organization (O)
    +[user@registry ~]$ cert_ou="<Org Unit>"      # Certificate Organizational Unit (OU)
    +[user@registry ~]$ cert_cn="${host_fqdn}"    # Certificate Common Name (CN)
    +
    +[user@registry ~]$ openssl req \
    +    -newkey rsa:4096 \
    +    -nodes \
    +    -sha256 \
    +    -keyout /opt/registry/certs/domain.key \
    +    -x509 \
    +    -days 365 \
    +    -out /opt/registry/certs/domain.crt \
    +    -addext "subjectAltName = DNS:${host_fqdn}" \
    +    -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
    +
    +
    +
    + + + + + +
    + + +When replacing <Country Name>, ensure that it only contains two letters. For example, US. +
    +
    +
  2. +
  3. +

    Update the registry node’s ca-trust with the new certificate.

    +
    +
    +
    [user@registry ~]$ sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    +[user@registry ~]$ sudo update-ca-trust extract
    +
    +
    +
  4. +
+
+
+
+

3.7.3. Creating the registry podman container (optional)

+
+

The registry container uses the /opt/registry directory for certificates, authentication files, and to store its data files.

+
+
+

The registry container uses httpd and needs an htpasswd file for authentication.

+
+
+
Procedure
+
    +
  1. +

    Create an htpasswd file in /opt/registry/auth for the container to use.

    +
    +
    +
    [user@registry ~]$ htpasswd -bBc /opt/registry/auth/htpasswd <user> <passwd>
    +
    +
    +
    +

    Replace <user> with the user name and <passwd> with the password.

    +
    +
  2. +
  3. +

    Create and start the registry container.

    +
    +
    +
    [user@registry ~]$ podman create \
    +  --name ocpdiscon-registry \
    +  -p 5000:5000 \
    +  -e "REGISTRY_AUTH=htpasswd" \
    +  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
    +  -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
    +  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
    +  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
    +  -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
    +  -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true" \
    +  -v /opt/registry/data:/var/lib/registry:z \
    +  -v /opt/registry/auth:/auth:z \
    +  -v /opt/registry/certs:/certs:z \
    +  docker.io/library/registry:2
    +
    +
    +
    +
    +
    [user@registry ~]$ podman start ocpdiscon-registry
    +
    +
    +
  4. +
+
+
+
+

3.7.4. Copy and update the pull-secret (optional)

+
+

Copy the pull secret file from the provisioner node to the registry node and modify it to include the authentication information for the new registry node.

+
+
+
Procedure
+
    +
  1. +

    Copy the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ scp kni@provisioner:/home/kni/pull-secret.txt pull-secret.txt
    +
    +
    +
  2. +
  3. +

    Update the host_fqdn environment variable with the fully qualified domain name of the registry node.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +
    +
    +
  4. +
  5. +

    Update the b64auth environment variable with the base64 encoding of the http credentials used to create the htpasswd file.

    +
    +
    +
    [user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 )
    +
    +
    +
    +

    Replace <username> with the user name and <passwd> with the password.

    +
    +
  6. +
  7. +

    Set the AUTHSTRING environment variable to use the base64 authorization string. The $USER variable is an environment variable containing the name of the current user.

    +
    +
    +
    [user@registry ~]$ AUTHSTRING="{\"$host_fqdn:5000\": {\"auth\": \"$b64auth\",\"email\": \"$USER@redhat.com\"}}"
    +
    +
    +
  8. +
  9. +

    Update the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ jq ".auths += $AUTHSTRING" < pull-secret.txt > pull-secret-update.txt
    +
    +
    +
  10. +
+
+
+
+

3.7.5. Mirroring the repository (optional)

+
+
Procedure
+
    +
  1. +

    Copy the oc binary from the provisioner node to the registry node.

    +
    +
    +
    [user@registry ~]$ sudo scp kni@provisioner:/usr/local/bin/oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Get the release image and mirror the remote install images to the local repository.

    +
    +
    +
    [user@registry ~]$ export VERSION=latest-4.6
    +[user@registry ~]$ UPSTREAM_REPO=$(curl -s https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/$VERSION/release.txt | awk  '/Pull From/ {print $3}')
    +[user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.txt
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
  4. +
+
+
+
+

3.7.6. Modify the install-config.yaml file to use the disconnected registry (optional)

+
+

On the provisioner node, the install-config.yaml file should use the newly created pull-secret from the pull-secret-update.txt file. The install-config.yaml file must also contain the disconnected registry node’s certificate and registry information.

+
+
+
Procedure
+
    +
  1. +

    Add the disconnected registry node’s certificate to the install-config.yaml file. The certificate should follow the "additionalTrustBundle: |" line and be properly indented, usually by two spaces.

    +
    +
    +
    $ echo "additionalTrustBundle: |" >> install-config.yaml
    +$ sed -e 's/^/  /' /opt/registry/certs/domain.crt >> install-config.yaml
    +
    +
    +
  2. +
  3. +

    Add the mirror information for the registry to the install-config.yaml file.

    +
    +
    +
    $ cat <<EOF >> install-config.yaml
    +<image-config>: (1)
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: registry.svc.ci.openshift.org/ocp/release
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-release
    +EOF
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <image-config> with imageContentSources for OpenShift 4.13 and below, or imageDigestSources for Openshift 4.14 and above. +
    + + + + + +
    + + +Replace registry.example.com with the registry’s fully qualified domain name. +
    +
    +
    +
  4. +
+
+
+
+
+

3.8. Deploying routers on worker nodes

+
+

During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If the initial cluster has only one worker node, or if a deployed cluster requires additional routers to handle external traffic loads destined for services within the OpenShift Container Platform cluster, you can create a yaml file to set an appropriate number of router replicas.

+
+
+ + + + + +
+ + +
+

By default, the installer deploys two routers. +If the cluster has at least two worker nodes, you can skip this section. +For more information on the Ingress Operator see: Ingress Operator in OpenShift Container Platform.

+
+
+
+
+ + + + + +
+ + +
+

If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default. If the cluster has no worker nodes, you can skip this section.

+
+
+
+
+
Procedure
+
    +
  1. +

    Create a router-replicas.yaml file.

    +
    +
    +
    apiVersion: operator.openshift.io/v1
    +kind: IngressController
    +metadata:
    +  name: default
    +  namespace: openshift-ingress-operator
    +spec:
    +  replicas: <num-of-router-pods>
    +  endpointPublishingStrategy:
    +    type: HostNetwork
    +  nodePlacement:
    +    nodeSelector:
    +      matchLabels:
    +        node-role.kubernetes.io/worker: ""
    +
    +
    +
    + + + + + +
    + + +
    +

    Replace <num-of-router-pods> with an appropriate value. If working with just one worker node, set replicas: to 1. If working with more than 3 worker nodes, you can increase replicas: from the default value 2 as appropriate.

    +
    +
    +
    +
  2. +
  3. +

    Save and copy the router-replicas.yaml file to the clusterconfigs/openshift directory.

    +
    +
    +
    cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yaml
    +
    +
    +
  4. +
+
+
+
+

3.9. Validation checklist for installation

+
+
    +
  • +

    OpenShift Container Platform installer has been retrieved.

    +
  • +
  • +

    OpenShift Container Platform installer has been extracted.

    +
  • +
  • +

    Required parameters for the install-config.yaml have been configured.

    +
  • +
  • +

    The hosts parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    The bmc parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    Conventions for the values configured in the bmc address field have been applied.

    +
  • +
  • +

    Created a disconnected registry (optional).

    +
  • +
  • +

    Validate disconnected registry settings if in use. (optional)

    +
  • +
  • +

    Deployed routers on worker nodes. (optional)

    +
  • +
+
+
+
+

3.10. Deploying the cluster via the OpenShift Container Platform installer

+
+

Run the OpenShift Container Platform installer:

+
+
+
+
[kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs --log-level debug create cluster
+
+
+
+
+

3.11. Following the installation

+
+

During the deployment process, you can check the installation’s overall status by issuing the tail command to the .openshift_install.log log file in the install directory folder.

+
+
+
+
[kni@provisioner ~]$ tail -f /path/to/install-dir/.openshift_install.log
+
+
+
+
+
+
+

4. Day 2 operations

+
+
+

The following sections are optional, but may be of interest after the initial deployment has been completed.

+
+
+

4.1. Accessing the web console

+
+

The web console runs as a pod on the master. The static assets required to run +the web console are served by the pod. Once OpenShift Container Platform is successfully +installed, find the URL for the web console and login credentials for your +installed cluster in the CLI output of the installation program. For example:

+
+
+
Example output
+
+
INFO Install complete!
+INFO Run 'export KUBECONFIG=<your working directory>/auth/kubeconfig' to manage the cluster with 'oc', the OpenShift CLI.
+INFO The cluster is ready when 'oc login -u kubeadmin -p <provided>' succeeds (wait a few minutes).
+INFO Access the OpenShift web-console here: https://console-openshift-console.apps.demo1.openshift4-beta-abcorp.com
+INFO Login to the console with user: kubeadmin, password: <provided>
+
+
+
+

Use those details to log in and access the web console.

+
+
+

Additionally, you can execute:

+
+
+
+
oc whoami --show-console
+
+
+
+

To obtain the url for the console.

+
+
+
+

4.2. Backing up the cluster configuration

+
+

At this point you have a working OpenShift 4 cluster on baremetal. +In order to take advantage of the baremetal hardware that was the provision node, +you can repurpose the provisioning node as a worker. +Prior to reprovisioning the node, it is recommended to backup some existing files.

+
+
+
Procedure
+
    +
  1. +

    Tar the clusterconfig folder and download it to your local machine.

    +
    +
    +
    tar cvfz clusterconfig.tar.gz ~/clusterconfig
    +
    +
    +
  2. +
  3. +

    Copy the Private part for the SSH Key configured on the install-config.yaml file to your local machine.

    +
    +
    +
    tar cvfz clusterconfigsh.tar.gz ~/.ssh/id_rsa*
    +
    +
    +
  4. +
  5. +

    Copy the install-config.yaml and metal3-config.yaml files.

    +
    +
    +
    tar cvfz yamlconfigs.tar.gz install-config.yaml metal3-config.yaml
    +
    +
    +
  6. +
+
+
+
+

4.3. Expanding the cluster

+
+

After deploying an installer-provisioned OpenShift Container Platform cluster, you can use the following procedures to expand the number of worker nodes. Ensure that each prospective worker node meets the prerequisites.

+
+
+ + + + + +
+ + +
+

Expanding the cluster using RedFish Virtual Media involves meeting minimum firmware requirements. See Firmware requirements for installing with virtual media in the Prerequisites section for additional details when expanding the cluster using RedFish Virtual Media.

+
+
+
+
+

4.3.1. Preparing the bare metal node

+
+

Expanding the cluster requires a DHCP server. Each node must have a DHCP reservation.

+
+
+

Preparing the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Get the oc binary, if needed. It should already exist on the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ export VERSION=latest-4.6
    +[kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux-$VERSION.tar.gz | tar zxvf - oc
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Power off the bare metal node via the baseboard management controller and ensure it is off.

    +
  4. +
  5. +

    Retrieve the user name and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the user name and password. In the following example, the user name is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  6. +
  7. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: <protocol>://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of the bare metal node in the two name fields and the credentialsName field. Replace <base64-of-uid> with the base64 string of the user name. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC.

    +
    +
    +

    Refer to the BMC addressing section for additional BMC configuration options. Replace <protocol> with the BMC protocol, such as IPMI, RedFish, or others. +Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
    + + + + + +
    + + +
    +

    If the MAC address of an existing bare metal node matches the MAC address of a bare metal host that you are attempting to provision, then the Ironic installation will fail. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the metal3-baremetal-operator will continuously retry. See Diagnosing a host duplicate MAC address for more information.

    +
    +
    +
    +
  8. +
  9. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  10. +
  11. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
+
+
+
+

4.3.2. Preparing to deploy with Virtual Media on the baremetal network

+
+

If the provisioning network is enabled, and you want to expand the cluster using Virtual Media on the baremetal network, execute the following procedure.

+
+
+
Procedure
+
    +
  1. +

    Edit the provisioning configuration resource (CR) to enable deploying with Virtual Media on the baremetal network.

    +
    +
    +
    oc edit provisioning
    +
    +
    +
    +
    +
      apiVersion: metal3.io/v1alpha1
    +  kind: Provisioning
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:50Z"
    +    finalizers:
    +    - provisioning.metal3.io
    +    generation: 8
    +    name: provisioning-configuration
    +    resourceVersion: "551591"
    +    uid: f76e956f-24c6-4361-aa5b-feaf72c5b526
    +  spec:
    +    preProvisioningOSDownloadURLs: {}
    +    provisioningDHCPRange: 172.22.0.10,172.22.0.254
    +    provisioningIP: 172.22.0.3
    +    provisioningInterface: enp1s0
    +    provisioningNetwork: Managed
    +    provisioningNetworkCIDR: 172.22.0.0/24
    +    provisioningOSDownloadURL: http://192.168.111.1/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.gz?sha256=c7dde5f96826c33c97b5a4ad34110212281916128ae11100956f400db3d5299e
    +    virtualMediaViaExternalNetwork: true (1)
    +  status:
    +    generations:
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 7
    +      name: metal3
    +      namespace: openshift-machine-api
    +      resource: deployments
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 1
    +      name: metal3-image-cache
    +      namespace: openshift-machine-api
    +      resource: daemonsets
    +    observedGeneration: 8
    +    readyReplicas: 0
    +
    +
    +
    + + + + + +
    1Add virtualMediaViaExternalNetwork: true to the provisioning CR.
    +
    +
  2. +
  3. +

    Edit the machine set to use the API VIP address.

    +
    +
    +
    oc edit machineset
    +
    +
    +
    +
    +
      apiVersion: machine.openshift.io/v1beta1
    +  kind: MachineSet
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:52Z"
    +    generation: 11
    +    labels:
    +      machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +      machine.openshift.io/cluster-api-machine-role: worker
    +      machine.openshift.io/cluster-api-machine-type: worker
    +    name: ostest-hwmdt-worker-0
    +    namespace: openshift-machine-api
    +    resourceVersion: "551513"
    +    uid: fad1c6e0-b9da-4d4a-8d73-286f78788931
    +  spec:
    +    replicas: 2
    +    selector:
    +      matchLabels:
    +        machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +        machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +    template:
    +      metadata:
    +        labels:
    +          machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +          machine.openshift.io/cluster-api-machine-role: worker
    +          machine.openshift.io/cluster-api-machine-type: worker
    +          machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +      spec:
    +        metadata: {}
    +        providerSpec:
    +          value:
    +            apiVersion: baremetal.cluster.k8s.io/v1alpha1
    +            hostSelector: {}
    +            image:
    +              checksum: http:/172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.md5sum (1)
    +              url: http://172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2 (2)
    +            kind: BareMetalMachineProviderSpec
    +            metadata:
    +              creationTimestamp: null
    +            userData:
    +              name: worker-user-data
    +  status:
    +    availableReplicas: 2
    +    fullyLabeledReplicas: 2
    +    observedGeneration: 11
    +    readyReplicas: 2
    +    replicas: 2
    +
    +
    +
    + + + + + + + + + +
    1Edit the checksum URL to use the API VIP address.
    2Edit the url URL to use the API VIP address.
    +
    +
  4. +
+
+
+
Diagnosing a duplicate MAC address when provisioning a new host in the cluster
+
+

If the MAC address of an existing bare-metal node in the cluster matches the MAC address of a bare-metal host you are attempting to add to the cluster, the Bare Metal Operator associates the host with the existing node. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the Bare Metal Operator retries the installation continuously. A registration error is displayed for the failed bare-metal host.

+
+
+

You can diagnose a duplicate MAC address by examining the bare-metal hosts that are running in the openshift-machine-api namespace.

+
+
+
Prerequisites
+
    +
  • +

    Install an OpenShift Container Platform cluster on bare metal.

    +
  • +
  • +

    Install the OpenShift Container Platform CLI oc.

    +
  • +
  • +

    Log in as a user with cluster-admin privileges.

    +
  • +
+
+
+
Procedure
+

To determine whether a bare-metal host that fails provisioning has the same MAC address as an existing node, do the following:

+
+
+
    +
  1. +

    Get the bare-metal hosts running in the openshift-machine-api namespace:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    Example output
    +
    +
    NAME                 STATUS   PROVISIONING STATUS      CONSUMER
    +openshift-master-0   OK       externally provisioned   openshift-zpwpq-master-0
    +openshift-master-1   OK       externally provisioned   openshift-zpwpq-master-1
    +openshift-master-2   OK       externally provisioned   openshift-zpwpq-master-2
    +openshift-worker-0   OK       provisioned              openshift-zpwpq-worker-0-lv84n
    +openshift-worker-1   OK       provisioned              openshift-zpwpq-worker-0-zd8lm
    +openshift-worker-2   error    registering
    +
    +
    +
  2. +
  3. +

    To see more detailed information about the status of the failing host, run the following command replacing <bare_metal_host_name> with the name of the host:

    +
    +
    +
    $ oc get -n openshift-machine-api bmh <bare_metal_host_name> -o yaml
    +
    +
    +
    +
    Example output
    +
    +
    ...
    +status:
    +  errorCount: 12
    +  errorMessage: MAC address b4:96:91:1d:7c:20 conflicts with existing node openshift-worker-1
    +  errorType: registration error
    +...
    +
    +
    +
  4. +
+
+
+
+
+

4.3.3. Provisioning the bare metal node

+
+

Provisioning the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  2. +
  3. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-3.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-1.openshift.example.com            Ready    master          30h     v1.16.2
    +
    +
    +
  4. +
  5. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +...
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +
    +
    +
  6. +
  7. +

    Increase the number of worker nodes by one.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  8. +
  9. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This can take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  10. +
  11. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                          STATUS   ROLES   AGE     VERSION
    +provisioner.openshift.example.com             Ready    master  30h     v1.16.2
    +openshift-master-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-2.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-3.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-0.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  12. +
+
+
+
+

4.3.4. Preparing the provisioner node to be deployed as a worker node

+
+
Procedure
+

Perform the following steps prior to converting the provisioner node to a worker node.

+
+
+
    +
  1. +

    ssh to a system (for example, a laptop) that can access the out of band management network of the current provisioner node.

    +
  2. +
  3. +

    Copy the backups clusterconfig.tar.gz, clusterconfigsh.tar.gz, and amlconfigs.tar.gz to the new system.

    +
  4. +
  5. +

    Copy the oc binary from the existing provisioning node to the new system.

    +
  6. +
  7. +

    Make a note of the mac addresses, the baremetal network IP used for the provisioner node, and the IP address of +the Out of band Management Network.

    +
  8. +
  9. +

    Reboot the system and ensure that PXE is enabled on the provisioning network and PXE is disabled for all other NICs.

    +
  10. +
  11. +

    If installation was performed using a Satellite server, remove the Host entry for the existing provisioning node.

    +
  12. +
  13. +

    Install the ipmitool on the new system in order to power off the provisioner node.

    +
  14. +
+
+
+
+

4.3.5. Adding a worker node to an existing cluster

+
+
Procedure
+
    +
  1. +

    Retrieve the username and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the username and password. In the following example, the username is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  2. +
  3. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of bare metal node in two name fields and credentialsName field. Replace <base64-of-uid> with the base64 string of the username. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC. Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
  4. +
+
+
+ + + + + +
+ + +
+

When using redfish or redfish-virtualmedia, add the +appropriate addressing as described in the BMC addressing section. See BMC addressing for details.

+
+
+
+
+
    +
  1. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  2. +
  3. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  4. +
  5. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  6. +
  7. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
  8. +
  9. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +openshift-worker-2.example.com      1         1         1       1           55m
    +
    +
    +
  10. +
  11. +

    Increase the number of worker nodes by 1.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  12. +
  13. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This may take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  14. +
  15. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  16. +
+
+
+
Appending DNS records
+
+
Configuring Bind (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +<OUTPUT_OMITTED>
    +openshift-worker-1      A       <ip-of-worker-1>
    +openshift-worker-2      A       <ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  6. +
  7. +

    Increase the SERIAL value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the SERIAL value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+

Append the following DNS record to the /etc/hosts file on the server hosting the dnsmasq service.

+
+
+
+
<OUTPUT_OMITTED>
+<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
+<NIC2-IP> openshift-worker-2.openshift.example.com openshift-worker-2
+
+
+
+ + + + + +
+ + +
+

Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

+
+
+
+
+
+
+
Appending DHCP reservations
+
+
Configuring dhcpd (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host openshift-worker-2 {
    +     option host-name "worker-2";
    +     hardware ethernet <NIC2-mac-address>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+
    +
  1. +

    Append the following DHCP reservation to the /etc/dnsmasq.d/example.dns file on the server hosting the dnsmasq service.

    +
    +
    +
    <OUTPUT_OMITTED>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-worker-1>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-2.openshift.example.com,<ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

    +
    +
    +
    +
  2. +
  3. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  4. +
+
+
+
+
+
Deploying the provisioner node as a worker node using Metal3
+
+

After you have completed the prerequisites, perform the deployment process.

+
+
+
Procedure
+
    +
  1. +

    Power off the node using ipmitool and confirm the provisioning node is powered off.

    +
    +
    +
    ssh <server-with-access-to-management-net>
    +# Use the user, password and Management net IP adddress to shutdown the system
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +# Confirm the server is powered down
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power status
    +Chassis Power is off
    +
    +
    +
  2. +
  3. +

    Get base64 strings for the Out of band Management credentials. In this example, the user is root and the password is calvin.

    +
    +
    +
    # Use echo -ne, otherwise you will get your secrets with \n which will cause issues
    +# Get root username in base64
    +echo -ne "root" | base64
    +# Get root password in base64
    +echo -ne "calvin" | base64
    +
    +
    +
  4. +
  5. +

    Configure the BaremetalHost bmh.yaml file.

    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-2-bmc-secret
    +type: Opaque
    +data:
    +  username: ca2vdAo=
    +  password: MWAwTWdtdC0K
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-2
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<out-of-band-ip>
    +    credentialsName: openshift-worker-2-bmc-secret
    +
    +
    +
  6. +
  7. +

    Create the BaremetalHost.

    +
    +
    +
    ./oc -n openshift-machine-api create -f bmh.yaml
    +secret/openshift-worker-2-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-2 created
    +
    +
    +
  8. +
  9. +

    Power up and inspect the node.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       inspecting                       ipmi://<out-of-band-ip>                      true
    +
    +
    +
  10. +
  11. +

    After finishing the inspection, the node is ready to be provisioned.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
  13. +

    Scale the workers machineset. Previously, there were two replicas during original installation.

    +
    +
    +
    ./oc get machineset -n openshift-machine-api
    +NAME            DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-2   0         0                             21h
    +
    +./oc -n openshift-machine-api scale machineset openshift-worker-2 --replicas=3
    +
    +
    +
  14. +
  15. +

    The baremetal host moves to provisioning status. This can take as long as 30 minutes. You can follow the status +from the node console.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioning          openshift-worker-0-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  16. +
  17. +

    When the node is provisioned it moves to provisioned status.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioned           openshift-worker-2-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  18. +
  19. +

    When the kubelet finishes initialization the node is ready for use. +You can connect to the node and run journalctl -fu kubelet to check the process.

    +
    +
    +
    oc get node
    +NAME                                            STATUS   ROLES           AGE     VERSION
    +openshift-master-0.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-1.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-2.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
  20. +
+
+
+
+
+
+
+
+

5. Appendix

+
+
+

In this section of the document, extra information is provided that is outside of the regular workflow.

+
+
+

5.1. Troubleshooting

+
+

Troubleshooting the installation is out of scope of the Deployment Guide. For more details on troubleshooting deployment, refer to our Troubleshooting guide.

+
+
+
+

5.2. Creating DNS Records

+
+

Two options are documented for configuring DNS records:

+
+ +
+

5.2.1. Configuring Bind (Option 1)

+
+

Use Option 1 if access to the appropriate DNS server for the baremetal network is accessible or a request +to your network admin to create the DNS records is an option. +If this is not an option, skip this section and go to section Create DNS records using dnsmasq (Option 2).

+
+
+

Create a subzone with the name of the cluster that is going to be used on your domain. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +$TTL 300        ; 5 minutes
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +api                     A       <api-ip>
    +ns1                     A       <dns-vip-ip>
    +$ORIGIN apps.openshift.example.com.
    +*                       A       <wildcard-ingress-lb-ip>
    +$ORIGIN openshift.example.com.
    +provisioner             A       <NIC2-ip-of-provision>
    +openshift-master-0      A       <NIC2-ip-of-openshift-master-0>
    +openshift-master-1      A       <NIC2-ip-of-openshift-master-1>
    +openshift-master-2      A       <NIC2-ip-of-openshift-master-2>
    +openshift-worker-0      A       <NIC2-ip-of-openshift-worker-0>
    +openshift-worker-1      A       <NIC2-ip-of-openshift-worker-1>
    +
    +
    +
  6. +
  7. +

    Increase the serial value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    +
    +
    $ORIGIN 1.0.10.in-addr.arpa.
    +$TTL 300
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +126 IN      PTR      provisioner.openshift.example.com.
    +127	IN        	PTR    	openshift-master-0.openshift.example.com.
    +128	IN        	PTR    	openshift-master-1.openshift.example.com.
    +129	IN 	        PTR   	openshift-master-2.openshift.example.com.
    +130	IN 	        PTR   	openshift-worker-0.openshift.example.com.
    +131	IN        	PTR    	openshift-worker-1.openshift.example.com.
    +132 IN      PTR     api.openshift.example.com.
    +133 IN      PTR     ns1.openshift.example.com.
    +
    +
    +
    + + + + + +
    + + +
    +

    In this example, the IP addresses 10.0.1.126-133 are pointed to the corresponding fully qualified domain name.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the serial value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+

5.2.2. Configuring dnsmasq (Option 2)

+
+

To create DNS records, open the /etc/hosts file and add the NIC2 (baremetal net) IP followed by the hostname. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Edit /etc/hosts and add the NIC2 (baremetal net) IP followed by the hostname.

    +
    +
    +
    cat /etc/hosts
    +127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    +::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    +<NIC2-IP> provisioner.openshift.example.com provisioner
    +<NIC2-IP> openshift-master-0.openshift.example.com openshift-master-0
    +<NIC2-IP> openshift-master-1.openshift.example.com openshift-master-1
    +<NIC2-IP> openshift-master-2.openshift.example.com openshift-master-2
    +<NIC2-IP> openshift-worker-0.openshift.example.com openshift-worker-0
    +<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
    +<API-IP>  api.openshift.example.com api
    +<DNS-VIP-IP> ns1.openshift.example.com ns1
    +
    +
    +
  2. +
  3. +

    Open the appropriate firewalld DNS service and reload the rules.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dns --permanent
    +firewall-cmd --reload
    +
    +
    +
  4. +
+
+
+
+
+

5.3. Creating DHCP reservations

+
+

Two options are documented for configuring DHCP:

+
+ +
+

5.3.1. Configuring dhcpd (Option 1)

+
+

Use Option 1 if access to the appropriate DHCP server for the baremetal network is accessible or a request +to your network admin to create the DHCP reservations is an option. +If this is not an option, skip this section and go to section Create DHCP records using dnsmasq (Option 2).

+
+
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host provisioner {
    +     option host-name "provisioner";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-master-0 {
    +     option host-name "openshift-master-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-1 {
    +     option host-name "openshift-master-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-2 {
    +     option host-name "openshift-master-2";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-0 {
    +     option host-name "openshift-worker-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-1 {
    +     option host-name "openshift-worker-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+

5.3.2. Configuring dnsmasq (Option 2)

+
+

Set up dnsmasq on a server that can access the baremetal network.

+
+
+
Procedure
+
    +
  1. +

    Install dnsmasq.

    +
    +
    +
    dnf install -y dnsmasq
    +
    +
    +
  2. +
  3. +

    Change to the /etc/dnsmasq.d directory.

    +
    +
    +
    cd /etc/dnsmasq.d
    +
    +
    +
  4. +
  5. +

    Create a file that reflects your OpenShift cluster appended by .dns.

    +
    +
    +
    touch <filename>.dns
    +
    +
    +
  6. +
  7. +

    Open the appropriate firewalld DHCP service.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dhcp --permanent
    +firewall-cmd --reload
    +
    +
    +
  8. +
  9. +

    Define DNS configuration file

    +
    IPv4
    +
    +

    Here is an example of the .dns file for IPv4.

    +
    +
    +
    +
    domain-needed
    +bind-dynamic
    +bogus-priv
    +domain=openshift.example.com
    +dhcp-range=<baremetal-net-starting-ip,baremetal-net-ending-ip>
    +#dhcp-range=10.0.1.4,10.0.14
    +dhcp-option=3,<baremetal-net-gateway-ip>
    +#dhcp-option=3,10.0.1.254
    +resolv-file=/etc/resolv.conf.upstream
    +interface=<nic-with-access-to-baremetal-net>
    +#interface=em2
    +server=<ip-of-existing-server-on-baremetal-net>
    +
    +
    +#Wildcard for apps -- make changes to cluster-name (openshift) and domain (example.com)
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +
    +#Static IPs for Masters
    +dhcp-host=<NIC2-mac-address>,provisioner.openshift.example.com,<ip-of-provisioner>
    +dhcp-host=<NIC2-mac-address>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<NIC2-mac-address>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<NIC2-mac-address>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-0.openshift.example.com,<ip-of-openshift-worker-0>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-openshift-worker-1>
    +
    +
    +
    IPv6
    +
    +

    Here is an example of the .dns file for IPv6.

    +
    +
    +
    +
    strict-order
    +bind-dynamic
    +bogus-priv
    +dhcp-authoritative
    +dhcp-range=baremetal,<baremetal-IPv6-dhcp-range-start>,<baremetal-IPv6-dhcp-range-end>,<range-prefix>
    +dhcp-option=baremetal,option6:dns-server,[<IPv6-DNS-Server>]
    +
    +resolv-file=/etc/resolv.conf.upstream
    +except-interface=lo
    +dhcp-lease-max=81
    +log-dhcp
    +
    +domain=openshift.example.com,<baremetal-IPv6-cidr>,local
    +
    +# static host-records
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +host-record=api.openshift.example.com,<api-ip>
    +host-record=ns1.openshift.example.com,<dns-ip>
    +host-record=openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +host-record=openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +host-record=openshift-master-2.openshift.example.com,<ip-of-openshift-master-1>
    +# Registry
    +host-record=registry.openshift.example.com,<ip-of-registry-server>
    +
    +#Static IPs for Masters
    +dhcp-host=<baremetal-nic-duid>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<baremetal-nic-duid>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<baremetal-nic-duid>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +
    +
    +
  10. +
  11. +

    Create the resolv.conf.upstream file to provide DNS fowarding to an existing DNS server for resolution +to the outside world.

    +
    +
    +
    search <domain.com>
    +nameserver <ip-of-my-existing-dns-nameserver>
    +
    +
    +
  12. +
  13. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  14. +
  15. +

    Verify the dnsmasq service is running.

    +
    +
    +
    systemctl status dnsmasq
    +
    +
    +
  16. +
+
+
+
+
+
+
+
+
+
+1. Stateless Address AutoConfiguration +
+
+ + + \ No newline at end of file diff --git a/4.6/Deployment.pdf b/4.6/Deployment.pdf new file mode 100644 index 0000000000..99eb7ccd61 Binary files /dev/null and b/4.6/Deployment.pdf differ diff --git a/4.6/Troubleshooting.html b/4.6/Troubleshooting.html new file mode 100644 index 0000000000..cbf7ddef42 --- /dev/null +++ b/4.6/Troubleshooting.html @@ -0,0 +1,1991 @@ + + + + + + + + + + +Troubleshooting Guide for IPI Installation + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+

While attempting to deploy Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal (BM), you may run into a situation where you need to troubleshoot your environment. This document provides troubleshooting guidance and tips in solving common issues that may arise.

+
+
+
+
+

1. Troubleshooting the installer workflow

+
+
+

Prior to troubleshooting the installation environment, it is critical to understand the overall flow of the IPI installation on bare metal. The diagrams below provide a troubleshooting flow with a step-by-step breakdown for the environment.

+
+
+

Flow-Diagram-1

+
+
+

Workflow 1 of 4 illustrates a troubleshooting workflow when the install-config.yaml file has errors or the Red Hat Enterprise Linux CoreOS (RHCOS) images are inaccessible. Troubleshooting suggestions can be found at

+
+ +
+

Flow-Diagram-2

+
+
+

Workflow 2 of 4 illustrates a troubleshooting workflow for bootstrap VM issues, bootstrap VMs that cannot boot up the cluster nodes, and inspecting logs.

+
+
+

Flow-Diagram-3

+
+
+

Workflow 3 of 4 illustrates a troubleshooting workflow for cluster nodes that will not PXE boot.

+
+
+

Flow-Diagram-4

+
+
+

Workflow 4 of 4 illustrates a troubleshooting workflow from + a non-accessible API to a validated installation.

+
+
+
+
+

2. Troubleshooting install-config.yaml

+
+
+

The install-config.yaml configuration file represents all of the nodes that are part of the OpenShift Container Platform cluster. The file contains the necessary options consisting of but not limited to apiVersion, baseDomain, imageContentSources (OpenShift 4.13 and below) or imageDigestSources (OpenShirt 4.14 and above), and virtual IP addresses. If errors occur early in the deployment of the OpenShift Container Platform cluster, the errors are likely in the install-config.yaml configuration file.

+
+
+
Procedure
+
    +
  1. +

    Use the guidelines in YAML-tips.

    +
  2. +
  3. +

    Verify the YAML syntax is correct using syntax-check.

    +
  4. +
  5. +

    Verify the Red Hat Enterprise Linux CoreOS (RHCOS) QEMU images are properly defined and accessible via the URL provided in the install-config.yaml. For example:

    +
    +
    +
    $ curl -s -o /dev/null -I -w "%{http_code}\n" http://webserver.example.com:8080/rhcos-44.81.202004250133-0-qemu.x86_64.qcow2.gz?sha256=7d884b46ee54fe87bbc3893bf2aa99af3b2d31f2e19ab5529c60636fbd0f1ce7
    +
    +
    +
    +

    If the output is 200, there is a valid response from the webserver storing the bootstrap VM image.

    +
    +
  6. +
+
+
+
+
+

3. Bootstrap VM issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    $ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
    + + + + + +
    + + +
    +

    The name of the bootstrap VM is always the cluster name followed by a random set of characters and ending in the word "bootstrap."

    +
    +
    +
    +
    +

    If the bootstrap VM is not running after 10-15 minutes, troubleshoot why it is not running. Possible issues include:

    +
    +
  2. +
  3. +

    Verify libvirtd is running on the system:

    +
    +
    +
    $ systemctl status libvirtd
    +
    +
    +
    +
    +
    ● libvirtd.service - Virtualization daemon
    +   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
    +   Active: active (running) since Tue 2020-03-03 21:21:07 UTC; 3 weeks 5 days ago
    +     Docs: man:libvirtd(8)
    +           https://libvirt.org
    + Main PID: 9850 (libvirtd)
    +    Tasks: 20 (limit: 32768)
    +   Memory: 74.8M
    +   CGroup: /system.slice/libvirtd.service
    +           ├─ 9850 /usr/sbin/libvirtd
    +
    +
    +
    +

    If the bootstrap VM is operational, log into it.

    +
    +
  4. +
  5. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    $ sudo virsh console example.com
    +
    +
    +
    +
    +
    Connected to domain example.com
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
    + + + + + +
    + + +
    +

    When deploying a OpenShift Container Platform cluster without the provisioning network, you must use a public IP address and not a private IP address like 172.22.0.2.

    +
    +
    +
    +
  6. +
  7. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, you can use the IPv6 IP address provided by ens3 or the IPv4 IP provided by ens4.

    +
    +
    +
    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  8. +
+
+
+

If you are not successful logging in to the bootstrap VM, you have likely encountered one of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the 172.22.0.0/24 network. Verify network connectivity on the provisioner host specifically around the provisioning network bridge. This will not be the issue if you are not using the provisioning network.

    +
  • +
  • +

    You cannot reach the bootstrap VM via the public network. When attempting +to SSH via baremetal network, verify connectivity on the +provisioner host specifically around the baremetal network bridge.

    +
  • +
  • +

    You encountered Permission denied (publickey,password,keyboard-interactive). When +attempting to access the bootstrap VM, a Permission denied error +might occur. Verify that the SSH key for the user attempting to log +into the VM is set within the install-config.yaml file.

    +
  • +
+
+
+

3.1. Bootstrap VM cannot boot up the cluster nodes

+
+

During the deployment, it is possible for the bootstrap VM to fail to boot the cluster nodes, which prevents the VM from provisioning the nodes with the RHCOS image. This scenario can arise due to:

+
+
+
    +
  • +

    A problem with the install-config.yaml file.

    +
  • +
  • +

    Issues with out-of-band network access via the baremetal network.

    +
  • +
+
+
+

To verify the issue, there are three containers related to ironic:

+
+
+
    +
  • +

    ironic-api

    +
  • +
  • +

    ironic-conductor

    +
  • +
  • +

    ironic-inspector

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    To check the container logs, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs -f <container-name>
    +
    +
    +
    +

    Replace <container-name> with one of ironic-api, ironic-conductor, or ironic-inspector. If you encounter an issue where the control plane nodes are not booting up via PXE, check the ironic-conductor pod. The ironic-conductor pod contains the most detail about the attempt to boot the cluster nodes, because it attempts to log in to the node over IPMI.

    +
    +
  4. +
+
+
+
Potential reason
+

The cluster nodes might be in the ON state when deployment started.

+
+
+
Solution
+

Power off the OpenShift Container Platform cluster nodes before you begin the +installation over IPMI:

+
+
+
+
$ ipmitool -I lanplus -U root -P <password> -H <out-of-band-ip> power off
+
+
+
+
+

3.2. Inspecting logs

+
+

When experiencing issues downloading or accessing the RHCOS images, first verify that the URL is correct in the install-config.yaml configuration file.

+
+
+
Example of internal webserver hosting RHCOS images
+
+
bootstrapOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-qemu.x86_64.qcow2.gz?sha256=9d999f55ff1d44f7ed7c106508e5deecd04dc3c06095d34d36bf1cd127837e0c
+clusterOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-openstack.x86_64.qcow2.gz?sha256=a1bda656fa0892f7b936fdc6b6a6086bddaed5dafacedcd7a1e811abb78fe3b0
+
+
+
+

The ipa-downloader and coreos-downloader containers download resources from a webserver or the external quay.io registry, whichever the install-config.yaml configuration file specifies. Verify the following two containers are up and running and inspect their logs as needed:

+
+
+
    +
  • +

    ipa-downloader

    +
  • +
  • +

    coreos-downloader

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    Check the status of the ipa-downloader and coreos-downloader containers within the bootstrap VM:

    +
    +
    +
    [core@localhost ~]$ podman logs -f ipa-downloader
    +
    +
    +
    +
    +
    [core@localhost ~]$ podman logs -f coreos-downloader
    +
    +
    +
    +

    If the bootstrap VM cannot access the URL to the images, use the curl command to verify that the VM can access the images.

    +
    +
  4. +
  5. +

    To inspect the bootkube logs that indicate if all the containers launched during the deployment phase, execute the following:

    +
    +
    +
    [core@localhost ~]$ journalctl -xe
    +
    +
    +
    +
    +
    [core@localhost ~]$ journalctl -b -f -u bootkube.service
    +
    +
    +
  6. +
  7. +

    Verify all the pods, including dnsmasq, mariadb, httpd, and ironic, are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps
    +
    +
    +
  8. +
  9. +

    If there are issues with the pods, check the logs of the containers with issues. To check the log of the ironic-api, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs <ironic-api>
    +
    +
    +
  10. +
+
+
+
+
+
+

4. Ironic Bootstrap issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes. The cluster nodes are powered on, introspected and finally provisioned using Ironic.

+
+
+

Sometimes you might need to connect to the Ironic service running on the bootstrap node virtual machine to troubleshoot issues related to Ironic.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
  2. +
  3. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh console openshift-xf6fq-bootstrap
    +
    +
    +
    +
    +
    Connected to domain openshift-xf6fq-bootstrap
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
  4. +
  5. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, the IPv6 IP provided by ens3 or the IPv4 IP provided by ens4 can be used.

    +
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ ssh core@172.22.0.2
    +
    +
    +
  6. +
  7. +

    Make sure Ironic containers are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps | grep ironic
    +90251a35d1e2  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-api
    +168e712c9996  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c6af62509b3d66effe8e16c81e42e75e124ccb5770f82efb010ecc3ebadc48b8                        2 minutes ago  Up 2 minutes ago         ironic-inspector
    +025f8247bfb0  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-conductor
    +
    +
    +
  8. +
  9. +

    Get the value for the bootstrapProvisioningIp property from your install-config.yaml.

    +
  10. +
  11. +

    Create a clouds.yaml file:

    +
    +
    +
    clouds:
    +  metal3-bootstrap:
    +    auth_type: none
    +    baremetal_endpoint_override: http://<bootstrapProvisioningIp>:6385
    +    baremetal_introspection_endpoint_override: http://<bootstrapProvisioningIp>:5050
    +
    +
    +
    + + + + + +
    + + +
    +

    Make sure in the file above you change <bootstrapProvisioningIp> with the value from your install-config.yaml file.

    +
    +
    +
    +
  12. +
  13. +

    Run the ironic-client on the bootstrap VM using podman:

    +
    +
    +
    [core@localhost ~]$ podman run -ti --rm --entrypoint /bin/bash -v /path/to/clouds.yaml:/clouds.yaml -e OS_CLOUD=metal3-bootstrap quay.io/metal3-io/ironic-client
    +
    +
    +
  14. +
  15. +

    Once you’re in the container, run the following command to see the status of the nodes on Ironic:

    +
    +
    +
    [root@1facad6bccff /]# baremetal node list
    +
    +
    +
    +

    The expected states for the nodes are clean-waitavailabledeployingwait call-backactive.

    +
    +
    +
      +
    • +

      clean-wait: The IPA (Ironic Python Agent) will clean the node main disk and write RHCOS to it. After that will report the node status back to Ironic.

      +
    • +
    • +

      available: The node has been introspected and it’s ready to be provisioned.

      +
    • +
    • +

      deploying: The node is being provisioned with RHCOS + the required Ignition configs.

      +
    • +
    • +

      wait call-back: The node is deployed and Ironic is waiting for the node to finish everything before marking the node as active.

      +
    • +
    • +

      active: The node is fully provisioned from an Ironic perspective.

      +
    • +
    +
    +
  16. +
+
+
+

If you are not getting any output, you have likely encountered of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the bootstrapProvisioningIp from the bootstrap VM.

    +
  • +
  • +

    The Ironic conductor was not able to power on and configure the nodes to boot with the IPA image.

    +
  • +
  • +

    The machine running the openshift-install binary cannot access the bootstrapProvisioningIp on port 6385.

    +
  • +
+
+
+
+
+

5. Cluster nodes will not PXE boot

+
+
+

When OpenShift Container Platform cluster nodes will not PXE boot, execute the following checks on the cluster nodes that will not PXE boot. This procedure does not apply when installing a OpenShift Container Platform cluster without the provisioning network.

+
+
+
Procedure
+
    +
  1. +

    Check the network connectivity to the provisioning network.

    +
  2. +
  3. +

    Ensure PXE is enabled on the NIC for the provisioning network and PXE is disabled for all other NICs.

    +
  4. +
  5. +

    Verify that the install-config.yaml configuration file has the proper hardware profile and boot MAC address for the NIC connected to the provisioning network. For example:

    +
    +
    Master node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: default          #master node settings
    +
    +
    +
    +
    Worker node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: unknown          #worker node settings
    +
    +
    +
  6. +
+
+
+
+
+

6. The API is not accessible

+
+
+

When the cluster is running and clients cannot access the API, domain name resolution issues might impede access to the API.

+
+
+
Procedure
+
    +
  1. +

    Hostname Resolution: Check the cluster nodes to ensure they have a fully qualified domain name, and not just localhost.localdomain. For example:

    +
    +
    +
    $ hostname
    +
    +
    +
    +

    If a hostname is not set, set the correct hostname. For example:

    +
    +
    +
    +
    $ hostnamectl set-hostname <hostname>
    +
    +
    +
  2. +
  3. +

    Incorrect Name Resolution: Ensure that each node has the correct name resolution in the DNS server using dig and nslookup. For example:

    +
    +
    +
    $ dig api.<cluster-name>.example.com
    +
    +
    +
    +
    +
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> api.<cluster-name>.example.com
    +;; global options: +cmd
    +;; Got answer:
    +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37551
    +;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    +
    +;; OPT PSEUDOSECTION:
    +; EDNS: version: 0, flags:; udp: 4096
    +; COOKIE: 866929d2f8e8563582af23f05ec44203d313e50948d43f60 (good)
    +;; QUESTION SECTION:
    +;api.<cluster-name>.example.com. IN A
    +
    +;; ANSWER SECTION:
    +api.<cluster-name>.example.com. 10800 IN	A 10.19.13.86
    +
    +;; AUTHORITY SECTION:
    +<cluster-name>.example.com. 10800 IN NS	<cluster-name>.example.com.
    +
    +;; ADDITIONAL SECTION:
    +<cluster-name>.example.com. 10800 IN A	10.19.14.247
    +
    +;; Query time: 0 msec
    +;; SERVER: 10.19.14.247#53(10.19.14.247)
    +;; WHEN: Tue May 19 20:30:59 UTC 2020
    +;; MSG SIZE  rcvd: 140
    +
    +
    +
    +

    The output in the foregoing example indicates that the appropriate IP address for the api.<cluster-name>.example.com VIP is 10.19.13.86. This IP address should reside on the baremetal network.

    +
    +
  4. +
+
+
+
+
+

7. Cleaning up previous installations

+
+
+

In the event of a previous failed deployment, remove the artifacts from the failed attempt before attempting to deploy OpenShift Container Platform again.

+
+
+
Procedure
+
    +
  1. +

    Power off all bare metal nodes prior to installing the OpenShift Container Platform cluster:

    +
    +
    +
    $ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  2. +
  3. +

    Remove all old bootstrap resources if any are left over from a previous deployment attempt:

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool $i;
    +  sudo virsh vol-delete $i.ign --pool $i;
    +  sudo virsh pool-destroy $i;
    +  sudo virsh pool-undefine $i;
    +done
    +
    +
    +
  4. +
  5. +

    Remove the following from the clusterconfigs directory to prevent Terraform from failing:

    +
    +
    +
    $ rm -rf ~/clusterconfigs/auth ~/clusterconfigs/terraform* ~/clusterconfigs/tls ~/clusterconfigs/metadata.json
    +
    +
    +
  6. +
+
+
+
+
+

8. Issues with creating the registry

+
+
+

When creating a disconnected registry, you might encounter a "User Not Authorized" error when attempting to mirror the registry. This error might occur if you fail to append the new authentication to the existing pull-secret.txt file.

+
+
+
Procedure
+
    +
  1. +

    Check to ensure authentication is successful:

    +
    +
    +
    [user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.json
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
    + + + + + +
    + + +
    +

    Example output of the variables used to mirror the install images:

    +
    +
    +
    +
    UPSTREAM_REPO=${RELEASE_IMAGE}
    +LOCAL_REG=<registry_FQDN>:<registry_port>
    +LOCAL_REPO='ocp4/openshift4'
    +
    +
    +
    +

    The values of RELEASE_IMAGE and VERSION were set during the Retrieving OpenShift Installer step of the Setting up the environment for an OpenShift installation section.

    +
    +
    +
    +
  2. +
  3. +

    After mirroring the registry, confirm that you can access it in your +disconnected environment:

    +
    +
    +
    $ curl -k -u <user>:<password> https://registry.example.com:<registry-port>/v2/_catalog
    +{"repositories":["<Repo-Name>"]}
    +
    +
    +
  4. +
+
+
+
+
+

9. Miscellaneous issues

+
+
+

9.1. Addressing the runtime network not ready error

+
+

After the deployment of a cluster you might receive the following error:

+
+
+
+
`runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: Missing CNI default network`
+
+
+
+

The Cluster Network Operator is responsible for deploying the networking components in response to a special object created by the installer. It runs very early in the installation process, after the control plane (master) nodes have come up, but before the bootstrap control plane has been torn down. It can be indicative of more subtle installer issues, such as long delays in bringing up control plane (master) nodes or issues with apiserver communication.

+
+
+
Procedure
+
    +
  1. +

    Inspect the pods in the openshift-network-operator namespace:

    +
    +
    +
    $ oc get all -n openshift-network-operator
    +
    +
    +
    +
    +
    NAME                                    READY STATUS            RESTARTS   AGE
    +pod/network-operator-69dfd7b577-bg89v   0/1   ContainerCreating 0          149m
    +
    +
    +
  2. +
  3. +

    On the provisioner node, determine that the network configuration exists:

    +
    +
    +
    $ kubectl get network.config.openshift.io cluster -oyaml
    +
    +
    +
    +
    +
    apiVersion: config.openshift.io/v1
    +kind: Network
    +metadata:
    +  name: cluster
    +spec:
    +  serviceNetwork:
    +  - 172.30.0.0/16
    +  clusterNetwork:
    +  - cidr: 10.128.0.0/14
    +    hostPrefix: 23
    +  networkType: OpenShiftSDN
    +
    +
    +
    +

    If it does not exist, the installer did not create it. To determine why the installer did not create it, execute the following:

    +
    +
    +
    +
    $ openshift-install create manifests
    +
    +
    +
  4. +
  5. +

    Check that the network-operator is running:

    +
    +
    +
    $ kubectl -n openshift-network-operator get pods
    +
    +
    +
  6. +
  7. +

    Retrieve the logs:

    +
    +
    +
    $ kubectl -n openshift-network-operator logs -l "name=network-operator"
    +
    +
    +
    +

    On high availability clusters with three or more control plane (master) nodes, the Operator will perform leader election and all other Operators will sleep. For additional details, see Troubleshooting.

    +
    +
  8. +
+
+
+
+

9.2. Cluster nodes not getting the correct IPv6 address over DHCP

+
+

If the cluster nodes are not getting the correct IPv6 address over DHCP, check the following:

+
+
+
    +
  1. +

    Ensure the reserved IPv6 addresses reside outside the DHCP range.

    +
  2. +
  3. +

    In the IP address reservation on the DHCP server, ensure the reservation specifies the correct DHCP Unique Identifier (DUID). For example:

    +
    +
    +
    # This is a dnsmasq dhcp reservation, 'id:00:03:00:01' is the client id and '18:db:f2:8c:d5:9f' is the MAC Address for the NIC
    +id:00:03:00:01:18:db:f2:8c:d5:9f,openshift-master-1,[2620:52:0:1302::6]
    +
    +
    +
  4. +
  5. +

    Ensure that route announcements are working.

    +
  6. +
  7. +

    Ensure that the DHCP server is listening on the required interfaces serving the IP address ranges.

    +
  8. +
+
+
+
+

9.3. Cluster nodes not getting the correct hostname over DHCP

+
+

During IPv6 deployment, cluster nodes must get their hostname over DHCP. Sometimes the NetworkManager does not assign the hostname immediately. A control plane (master) node might report an error such as:

+
+
+
+
Failed Units: 2
+  NetworkManager-wait-online.service
+  nodeip-configuration.service
+
+
+
+

This error indicates that the cluster node likely booted without first receiving a hostname from the DHCP server, which causes kubelet to boot +with a localhost.localdomain hostname. To address the error, force the node to renew the hostname.

+
+
+
Procedure
+
    +
  1. +

    Retrieve the hostname:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
    +

    If the hostname is localhost, proceed with the following steps.

    +
    +
    + + + + + +
    + + +
    +

    Where X is the master node number.

    +
    +
    +
    +
  2. +
  3. +

    Force the cluster node to renew the DHCP lease:

    +
    +
    +
    [core@master-X ~]$ sudo nmcli con up "<bare-metal-nic>"
    +
    +
    +
    +

    Replace <bare-metal-nic> with the wired connection corresponding to the baremetal network.

    +
    +
  4. +
  5. +

    Check hostname again:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
  6. +
  7. +

    If the hostname is still localhost.localdomain, restart NetworkManager:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart NetworkManager
    +
    +
    +
  8. +
  9. +

    If the hostname is still localhost.localdomain, wait a few minutes and check again. If the hostname remains localhost.localdomain, repeat the previous steps.

    +
  10. +
  11. +

    Restart the nodeip-configuration service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart nodeip-configuration.service
    +
    +
    +
    +

    This service will reconfigure the kubelet service with the correct hostname references.

    +
    +
  12. +
  13. +

    Reload the unit files definition since the kubelet changed in the previous step:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl daemon-reload
    +
    +
    +
  14. +
  15. +

    Restart the kubelet service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart kubelet.service
    +
    +
    +
  16. +
  17. +

    Ensure kubelet booted with the correct hostname:

    +
    +
    +
    [core@master-X ~]$ sudo journalctl -fu kubelet.service
    +
    +
    +
  18. +
+
+
+

If the cluster node is not getting the correct hostname over DHCP after the cluster is up and running, such as during a reboot, the cluster will have a pending csr. Do not approve a csr, or other issues might arise.

+
+
+
Addressing a csr
+
    +
  1. +

    Get CSRs on the cluster:

    +
    +
    +
    $ oc get csr
    +
    +
    +
  2. +
  3. +

    Verify if a pending csr contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc get csr <pending_csr> -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -text
    +
    +
    +
  4. +
  5. +

    Remove any csr that contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc delete csr <wrong_csr>
    +
    +
    +
  6. +
+
+
+
+

9.4. Routes do not reach endpoints

+
+

During the installation process, it is possible to encounter a Virtual Router Redundancy Protocol (VRRP) conflict. This conflict might occur if a previously used OpenShift Container Platform node that was once part of a cluster deployment using a specific cluster name is still running but not part of the current OpenShift Container Platform cluster deployment using that same cluster name. For example, a cluster was deployed using the cluster name openshift, deploying three control plane (master) nodes and three worker nodes. Later, a separate install uses the same cluster name openshift, but this redeployment only installed three control plane (master) nodes, leaving the three worker nodes from a previous deployment in an ON state. This might cause a Virtual Router Identifier (VRID) conflict and a VRRP conflict.

+
+
+
    +
  1. +

    Get the route:

    +
    +
    +
    $ oc get route oauth-openshift
    +
    +
    +
  2. +
  3. +

    Check the service endpoint:

    +
    +
    +
    $ oc get svc oauth-openshift
    +
    +
    +
    +
    +
    NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
    +oauth-openshift   ClusterIP   172.30.19.162   <none>        443/TCP   59m
    +
    +
    +
  4. +
  5. +

    Attempt to reach the service from a control plane (master) node:

    +
    +
    +
    [core@master0 ~]$ curl -k https://172.30.19.162
    +
    +
    +
    +
    +
    {
    +  "kind": "Status",
    +  "apiVersion": "v1",
    +  "metadata": {
    +  },
    +  "status": "Failure",
    +  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
    +  "reason": "Forbidden",
    +  "details": {
    +  },
    +  "code": 403
    +
    +
    +
  6. +
  7. +

    Identify the authentication-operator errors from the provisioner node:

    +
    +
    +
    $ oc logs deployment/authentication-operator -n openshift-authentication-operator
    +
    +
    +
    +
    +
    Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-authentication-operator", Name:"authentication-operator", UID:"225c5bd5-b368-439b-9155-5fd3c0459d98", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'OperatorStatusChanged' Status for clusteroperator/authentication changed: Degraded message changed from "IngressStateEndpointsDegraded: All 2 endpoints for oauth-server are reporting"
    +
    +
    +
  8. +
+
+
+
Solution
+
    +
  1. +

    Ensure that the cluster name for every deployment is unique, ensuring no conflict.

    +
  2. +
  3. +

    Turn off all the rogue nodes which are not part of the cluster deployment that are using the same cluster name. Otherwise, the authentication pod of the OpenShift Container Platform cluster might never start successfully.

    +
  4. +
+
+
+
+

9.5. Failed Ignition during Firstboot

+
+

During the Firstboot, the Ignition configuration may fail.

+
+
+
Procedure
+
    +
  1. +

    Connect to the node where the Ignition configuration failed:

    +
    +
    +
    Failed Units: 1
    +  machine-config-daemon-firstboot.service
    +
    +
    +
  2. +
  3. +

    Restart the machine-config-daemon-firstboot service:

    +
    +
    +
    [core@worker-X ~]$ sudo systemctl restart machine-config-daemon-firstboot.service
    +
    +
    +
  4. +
+
+
+
+

9.6. NTP out of sync

+
+

The deployment of OpenShift Container Platform clusters depends on NTP synchronized clocks among the cluster nodes. Without synchronized clocks, the deployment may fail due to clock drift if the time difference is greater than two seconds.

+
+
+
Procedure
+
    +
  1. +

    Check for differences in the AGE of the cluster nodes. For example:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                         STATUS   ROLES    AGE   VERSION
    +master-0.cloud.example.com   Ready    master   145m   v1.16.2
    +master-1.cloud.example.com   Ready    master   135m   v1.16.2
    +master-2.cloud.example.com   Ready    master   145m   v1.16.2
    +worker-2.cloud.example.com   Ready    worker   100m   v1.16.2
    +
    +
    +
  2. +
  3. +

    Check for inconsistent timing delays due to clock drift. For example:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    +
    master-1   error registering master-1  ipmi://<out-of-band-ip>
    +
    +
    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 18:20:02 UTC
    +           Universal time: Tue 2020-03-10 18:20:02 UTC
    +                 RTC time: Tue 2020-03-10 18:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: no
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
  4. +
+
+
+
Addressing clock drift in existing clusters
+
    +
  1. +

    Create a chrony.conf file and encode it as base64 string. For example:

    +
    +
    +
    $ cat << EOF | base 64
    +server <NTP-server> iburst(1)
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +EOF
    +
    +
    +
    + + + + + +
    1Replace <NTP-server> with the IP address of the NTP server. Copy the output. +
    +
    +
    [text-in-base-64]
    +
    +
    +
    +
  2. +
  3. +

    Create a MachineConfig object, replacing the base64 string with +the [text-in-base-64] string generated in the output of the previous step. The following example adds the file to the control plane (master) nodes. You can modify the file for worker nodes or make an additional machine config for the worker role.

    +
    +
    +
    $ cat << EOF > ./99_masters-chrony-configuration.yaml
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  creationTimestamp: null
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf
    +spec:
    +  config:
    +    ignition:
    +      config: {}
    +      security:
    +        tls: {}
    +      timeouts: {}
    +      version: 3.1.0
    +    networkd: {}
    +    passwd: {}
    +    storage:
    +      files:
    +      - contents:
    +          source: data:text/plain;charset=utf-8;base64,[text-in-base-64](1)
    +        group:
    +          name: root
    +        mode: 420
    +        overwrite: true
    +        path: /etc/chrony.conf
    +        user:
    +          name: root
    +  osImageURL: ""
    +
    +
    +
    + + + + + +
    1Replace [text-in-base-64] with the base64 string.
    +
    +
  4. +
  5. +

    Make a backup copy of the configuration file. For example:

    +
    +
    +
    $ cp 99_masters-chrony-configuration.yaml 99_masters-chrony-configuration.yaml.backup
    +
    +
    +
  6. +
  7. +

    Apply the configuration file:

    +
    +
    +
    $ oc apply -f ./masters-chrony-configuration.yaml
    +
    +
    +
  8. +
  9. +

    Ensure the System clock synchronized value is yes:

    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 19:10:02 UTC
    +           Universal time: Tue 2020-03-10 19:10:02 UTC
    +                 RTC time: Tue 2020-03-10 19:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: yes
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
    +

    To setup clock synchronization prior to deployment, generate the manifest files and add this file to the openshift directory. For example:

    +
    +
    +
    +
    $ cp chrony-masters.yaml ~/clusterconfigs/openshift/99_masters-chrony-configuration.yaml
    +
    +
    +
    +

    Then, continue to create the cluster.

    +
    +
  10. +
+
+
+
+
+
+

10. Reviewing the installation

+
+
+

After installation, ensure the installer deployed the nodes and pods successfully.

+
+
+
Procedure
+
    +
  1. +

    When the OpenShift Container Platform cluster nodes are installed appropriately, the following Ready state is seen within the STATUS column:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                   STATUS   ROLES           AGE  VERSION
    +master-0.example.com   Ready    master,worker   4h   v1.16.2
    +master-1.example.com   Ready    master,worker   4h   v1.16.2
    +master-2.example.com   Ready    master,worker   4h   v1.16.2
    +
    +
    +
  2. +
  3. +

    Confirm the installer deployed all pods successfully. The following command +removes any pods that are still running or have completed as part of the output.

    +
    +
    +
    $ oc get pods --all-namespaces | grep -iv running | grep -iv complete
    +
    +
    +
  4. +
+
+
+
+
+ + + \ No newline at end of file diff --git a/4.6/Troubleshooting.pdf b/4.6/Troubleshooting.pdf new file mode 100644 index 0000000000..49882b93cc Binary files /dev/null and b/4.6/Troubleshooting.pdf differ diff --git a/4.7/Deployment.html b/4.7/Deployment.html new file mode 100644 index 0000000000..f7dc475aa3 --- /dev/null +++ b/4.7/Deployment.html @@ -0,0 +1,5220 @@ + + + + + + + + + + +Deploying Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal - 4.7 + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+
+
+

1. Overview

+
+
+

Installer-provisioned installation provides support for installing OpenShift Container Platform on bare metal nodes. This guide provides a methodology to achieving a successful installation.

+
+
+

During installer-provisioned installation on bare metal, the installer on the bare metal node labeled as provisioner creates a bootstrap virtual machine (VM). The role of the bootstrap VM is to assist in the process of deploying an OpenShift Container Platform cluster. The bootstrap VM connects to the baremetal network and to the provisioning network, if present, via the network bridges.

+
+
+
+Deployment phase one +
+
+
+

When the installation of OpenShift control plane nodes is complete and fully operational, the installer destroys the bootstrap VM automatically and moves the virtual IP addresses (VIPs) to +the appropriate nodes. The API VIP moves to the control plane nodes and the Ingress VIP moves to the worker nodes.

+
+
+
+Deployment phase two +
+
+
+
+
+

2. Prerequisites

+
+ +
+

Installer-provisioned installation of OpenShift Container Platform requires:

+
+
+
    +
  1. +

    One provisioner node with Red Hat Enterprise Linux (RHEL) 8.x installed.

    +
  2. +
  3. +

    Three control plane nodes.

    +
  4. +
  5. +

    Baseboard Management Controller (BMC) access to each node.

    +
  6. +
  7. +

    At least one network:

    +
    +
      +
    1. +

      One required routable network

      +
    2. +
    3. +

      One optional network for provisioning nodes; and,

      +
    4. +
    5. +

      One optional management network.

      +
    6. +
    +
    +
  8. +
+
+
+

Before starting an installer-provisioned installation of OpenShift Container Platform, ensure the hardware environment meets the following requirements.

+
+
+

2.1. Node requirements

+
+

Installer-provisioned installation involves a number of hardware node requirements:

+
+
+
    +
  • +

    CPU architecture: All nodes must use x86_64 CPU architecture.

    +
  • +
  • +

    Similar nodes: Red Hat recommends nodes have an identical configuration per role. That is, Red Hat recommends nodes be the same brand and model with the same CPU, memory and storage configuration.

    +
  • +
  • +

    Baseboard Management Controller: The provisioner node must be able to access the baseboard management controller (BMC) of each OpenShift Container Platform cluster node. You may use IPMI, Redfish, or a proprietary protocol.

    +
  • +
  • +

    Latest generation: Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, RHEL 8 ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support RHEL 8 for the provisioner node and RHCOS 8 for the control plane and worker nodes.

    +
  • +
  • +

    Registry node: (Optional) If setting up a disconnected mirrored registry, it is recommended the registry reside in its own node.

    +
  • +
  • +

    Provisioner node: Installer-provisioned installation requires one provisioner node.

    +
  • +
  • +

    Control plane: Installer-provisioned installation requires three control plane nodes for high availability.

    +
  • +
  • +

    Worker nodes: While not required, a typical production cluster has one or more worker nodes. Smaller clusters are more resource efficient for administrators and developers during development, production, and testing.

    +
  • +
  • +

    Network interfaces: Each node must have at least one 10GB network interface for the routable baremetal network. Each node must have one 10GB network interface for a provisioning network when using the provisioning network for deployment. Using the provisioning network is the default configuration. Network interface names must follow the same naming convention across all nodes. For example, the first NIC name on a node, such as eth0 or eno1, must be the same name on all of the other nodes. The same principle applies to the remaining NICs on each node.

    +
  • +
  • +

    Unified Extensible Firmware Interface (UEFI): Installer-provisioned installation requires UEFI boot on all OpenShift Container Platform nodes when using IPv6 addressing on the provisioning network. In addition, UEFI Device PXE Settings must be set to use the IPv6 protocol on the provisioning network NIC, but omitting the provisioning network removes this requirement.

    +
  • +
  • +

    Secure Boot: Many production scenarios require nodes with Secure Boot enabled to verify the node only boots with trusted software, such as UEFI firmware drivers, EFI applications and the operating system. To deploy a OpenShift Container Platform cluster with Secure Boot, you must enable UEFI boot mode and Secure Boot on each control plane node and each worker node. Red Hat supports Secure Boot only when installer-provisioned installation uses Red Fish Virtual Media. Red Hat does not support Secure Boot with self-generated keys.

    +
  • +
+
+
+
+

2.2. Firmware requirements for installing with virtual media

+
+

The installer for installer-provisioned OpenShift Container Platform clusters validates the hardware and firmware compatibility with Redfish virtual media. The following table lists supported firmware for installer-provisioned OpenShift Container Platform clusters deployed with Redfish virtual media.

+
+ + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1. Firmware compatibility for Redfish virtual media
HardwareModelManagementFirmware Versions

HP

10th Generation

iLO5

N/A

9th Generation

iLO4

N/A

Dell

14th Generation

iDRAC 9

v4.20.20.20 - 04.40.00.00

13th Generation

iDRAC 8

v2.75.75.75+

+
+ + + + + +
+ + +
+

Refer to the hardware documentation for the nodes or contact the hardware vendor for information on updating the firmware.

+
+
+

There are no known firmware limitations for HP servers.

+
+
+

For Dell servers, ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach . With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+
+
+ + + + + +
+ + +
+

The installer will not initiate installation on a node if the node firmware is below the foregoing versions when installing with virtual media.

+
+
+
+
+
+

2.3. Network requirements

+
+

Installer-provisioned installation of OpenShift Container Platform involves several network requirements by default. First, installer-provisioned installation involves a non-routable provisioning network for provisioning the operating system on each bare metal node and a routable baremetal network. Since installer-provisioned installation deploys ironic-dnsmasq, the networks should have no other DHCP servers running on the same broadcast domain. Network administrators must reserve IP addresses for each node in the OpenShift Container Platform cluster.

+
+
+
Network Time Protocol (NTP)
+

Each OpenShift Container Platform node in the cluster must have access to an NTP server. OpenShift Container Platform nodes use NTP to synchronize their clocks. For example, cluster nodes use SSL certificates that require validation, which might fail if the date and time between the nodes are not in sync.

+
+
+ + + + + +
+ + +
+

Define a consistent clock date and time format in each cluster node’s BIOS settings, or installation might fail.

+
+
+
+
+
Configuring NICs
+

OpenShift Container Platform deploys with two networks:

+
+
+
    +
  • +

    provisioning: The provisioning network is an optional non-routable network used for provisioning the underlying operating system on each node that is a part of the OpenShift Container Platform cluster. The network interface for the provisioning network on each cluster node must have the BIOS or UEFI configured to PXE boot. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the first NIC on each node, such as eth0 or eno1, must interface with the provisioning network. In OpenShift Container Platform 4.4 and later releases, you can specify the provisioning network NIC with the provisioningNetworkInterface configuration setting.

    +
  • +
  • +

    baremetal: The baremetal network is a routable network. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the second NIC on each node, such as eth1 or eno2, must interface with the baremetal network. In OpenShift Container Platform 4.4 and later releases, you can use any NIC order to interface with the baremetal network, provided it is the same NIC order across worker and control plane nodes and not the NIC specified in the provisioningNetworkInterface configuration setting for the provisioning network.

    +
  • +
+
+
+ + + + + +
+ + +
+

Use a compatible approach such that cluster nodes use the same NIC ordering on all cluster nodes. NICs must have heterogeneous hardware with the same NIC naming convention such as eth0 or eno1.

+
+
+
+
+ + + + + +
+ + +
+

When using a VLAN, each NIC must be on a separate VLAN corresponding to the appropriate network.

+
+
+
+
+
Configuring the DNS server
+

Clients access the OpenShift Container Platform cluster nodes over the baremetal network. A network administrator must configure a subdomain or subzone where the canonical name extension is the cluster name.

+
+
+
+
<cluster-name>.<domain-name>
+
+
+
+

For example:

+
+
+
+
test-cluster.example.com
+
+
+
+

For assistance in configuring the DNS server, check Appendix section for:

+
+ +
+
Reserving IP addresses for nodes with the DHCP server
+

For the baremetal network, a network administrator must reserve a number of IP addresses, including:

+
+
+
    +
  1. +

    Two virtual IP addresses.

    +
    +
      +
    • +

      One IP address for the API endpoint

      +
    • +
    • +

      One IP address for the wildcard ingress endpoint

      +
    • +
    +
    +
  2. +
  3. +

    One IP address for the provisioner node.

    +
  4. +
  5. +

    One IP address for each control plane (master) node.

    +
  6. +
  7. +

    One IP address for each worker node, if applicable.

    +
  8. +
+
+
+ + + + + +
+ + +
Reserving IP addresses so they become static IP addresses
+
+

Some administrators prefer to use static IP addresses so that each node’s IP address remains constant in the absence of a DHCP server. To use static IP addresses in the OpenShift Container Platform cluster, reserve the IP addresses with an infinite lease. During deployment, the installer will reconfigure the NICs from DHCP assigned addresses to static IP addresses. NICs with DHCP leases that are not infinite will remain configured to use DHCP.

+
+
+
+
+

The following table provides an exemplary embodiment of fully qualified domain names. The API and Nameserver addresses begin with canonical name extensions. The host names of the control plane and worker nodes are exemplary, so you can use any host naming convention you prefer.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
UsageHost NameIP

API

api.<cluster-name>.<domain>

<ip>

Ingress LB (apps)

*.apps.<cluster-name>.<domain>

<ip>

Provisioner node

provisioner.<cluster-name>.<domain>

<ip>

Master-0

openshift-master-0.<cluster-name>.<domain>

<ip>

Master-1

openshift-master-1.<cluster-name>-.<domain>

<ip>

Master-2

openshift-master-2.<cluster-name>.<domain>

<ip>

Worker-0

openshift-worker-0.<cluster-name>.<domain>

<ip>

Worker-1

openshift-worker-1.<cluster-name>.<domain>

<ip>

Worker-n

openshift-worker-n.<cluster-name>.<domain>

<ip>

+
+

For assistance in configuring the DHCP server, check Appendix section for:

+
+ +
+
State-driven network configuration requirements (Technology Preview)
+

OpenShift Container Platform supports additional post-installation state-driven network configuration on the secondary network interfaces of cluster nodes using kubernetes-nmstate. For example, system administrators might configure a secondary network interface on cluster nodes after installation for a storage network.

+
+
+ + + + + +
+ + +
+

Configuration must occur before scheduling pods.

+
+
+
+
+

State-driven network configuration requires installing kubernetes-nmstate, and also requires Network Manager running on the cluster nodes. See OpenShift Virtualization > Kubernetes NMState (Tech Preview) for additional details.

+
+

IPv6 considerations

+
+
SLAAC Addressing
+

If you do not plan to use SLAAC [1] addresses on your OpenShift Container Platform node, then it should be disabled for baremetal networks, that means that if your network equipment is configured to send SLAAC addresses when replying to Route Advertisements that behavior should be changed, so it only sends the route and not the SLAAC address.

+
+
+

Install ndptool on your system in order to check what your RAs look like:

+
+
+
+
# Turn down/up baremetal iface on a master Node
+$ sudo nmcli con down "Wired connection 5" && sudo nmcli con up "Wired connection 5"
+Connection 'Wired connection 5' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1983)
+Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2044)
+
+# ndptool monitor on Helper node
+$ sudo ndptool monitor -t ra
+NDP payload len 80, from addr: fe80::c0a4:6464:bcb3:d657, iface: baremetal.153
+  Type: RA
+  Hop limit: 64
+  Managed address configuration: yes
+  Other configuration: no
+  Default router preference: medium
+  Router lifetime: 0s
+  Reachable time: unspecified
+  Retransmit time: unspecified
+  Source linkaddr: 1c:40:24:1b:0c:34
+  Prefix: 2620:52:0:1303::/64, valid_time: 86400s, preferred_time: 14400s, on_link: yes, autonomous_addr_conf: no, router_addr: no
+  Route: ::/0, lifetime: 0s, preference: low
+
+
+
+

The ndptool monitor should report Managed address configuration: yes.

+
+
+
Network Ranges and Configurations
+

Different baremetal and provisioning networks are required for each environment; each environment will have a different IPv6 range for each one of those networks.

+
+
+

In our configuration we used subinterfaces attached to two different physical interfaces, VLAN tagging was done at O.S. level (this required switch ports configured with trunk mode).

+
+
+

Our different IPv6 networks were all routable but usually, the only routable networks are the baremetal ones.

+
+
+

Keep in mind that provisioning networks cannot be in the same broadcast domain, since services such as DHCP are running.

+
+
+ + + + + +
+ + +
Route Advertisement
+
+

Route Advertisement must be enabled for both networks baremetal and provisioning.

+
+
+
+
+
Route Advertisements
+

As mentioned previously, both the baremetal and the provisioning networks must have Route Advertisement enabled. For the baremetal network, the radvd daemon was used, while the provisioning network has RA enabled in the Metal³ dnsmasq, so no configuration is needed.

+
+
+
+

2.4. Configuring nodes

+
+
Configuring nodes when using the provisioning network
+

Each node in the cluster requires the following configuration for proper installation.

+
+
+ + + + + +
+ + +
+

A mismatch between nodes will cause an installation failure.

+
+
+
+
+

While the cluster nodes can contain more than two NICs, the installation process only focuses on the first two NICs:

+
+ +++++ + + + + + + + + + + + + + + + + + +

NIC

Network

VLAN

NIC1

provisioning

<provisioning-vlan>

NIC2

baremetal

<baremetal-vlan>

+
+

NIC1 is a non-routable network (provisioning) that is only used for the installation of the OpenShift Container Platform cluster.

+
+
+

The Red Hat Enterprise Linux (RHEL) 8.x installation process on the provisioner node might vary. To install Red Hat Enterprise Linux (RHEL) 8.x using a local Satellite server or a PXE server, PXE-enable NIC2.

+
+ ++++ + + + + + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled provisioning network

1

NIC2 baremetal network. PXE-enabled is optional.

2

+
+ + + + + +
+ + +
+

Ensure PXE is disabled on all other NICs.

+
+
+
+
+

Configure the control plane and worker nodes as follows:

+
+ ++++ + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled (provisioning network)

1

+
+
Configuring nodes without the provisioning network
+

The installation process requires one NIC:

+
+ +++++ + + + + + + + + + + + + +

NIC

Network

VLAN

NICx

baremetal

<baremetal-vlan>

+
+

NICx is a routable network (baremetal) that is used for the installation of the OpenShift Container Platform cluster, and routable to the internet.

+
+
+
Configuring nodes for Secure Boot manually
+

Secure Boot prevents a node from booting unless it verifies the node is using only trusted software, such as UEFI firmware drivers, EFI applications and the operating system.

+
+
+ + + + + +
+ + +
+

Red Hat only supports manually configured Secure Boot when deploying with Redfish virtual media.

+
+
+
+
+

To enable Secure Boot manually, refer to the hardware guide for the node and execute the following:

+
+
+
    +
  1. +

    Boot the node and enter the BIOS menu.

    +
  2. +
  3. +

    Set the node’s boot mode to UEFI Enabled.

    +
  4. +
  5. +

    Enable Secure Boot.

    +
  6. +
+
+
+ + + + + +
+ + +
+

Red Hat does not support Secure Boot with self-generated keys.

+
+
+
+
+
+

2.5. Out-of-band management

+
+

Nodes will typically have an additional NIC used by the Baseboard Management Controllers (BMCs). These BMCs must be accessible from the provisioner node.

+
+
+

Each node must be accessible via out-of-band management. When using an out-of-band management network, the provisioner node requires access to the out-of-band management network for a successful OpenShift Container Platform 4 installation.

+
+
+

The out-of-band management setup is out of scope for this document. We recommend setting up a separate management network for out-of-band management. However, using the provisioning network or the baremetal network are valid options.

+
+
+
+

2.6. Required data for installation

+
+

Prior to the installation of the OpenShift Container Platform cluster, gather the following information from all cluster nodes:

+
+
+
    +
  • +

    Out-of-band management IP

    +
    +
      +
    • +

      Examples

      +
      +
        +
      • +

        Dell (iDRAC) IP

        +
      • +
      • +

        HP (iLO) IP

        +
      • +
      +
      +
    • +
    +
    +
  • +
+
+
+
When using the provisioning network
+
    +
  • +

    NIC1 (provisioning) MAC address

    +
  • +
  • +

    NIC2 (baremetal) MAC address

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    NICx (baremetal) MAC address

    +
  • +
+
+
+
+

2.7. Validation checklist for nodes

+
+
When using the provisioning network
+
    +
  • +

    DHCP reservations use infinite leases to deploy the cluster with static IP addresses. (optional)

    +
  • +
  • +

    NIC1 VLAN is configured for the provisioning network.

    +
  • +
  • +

    NIC2 VLAN is configured for the baremetal network.

    +
  • +
  • +

    NIC1 is PXE-enabled on the provisioner, Control Plane (master), and worker nodes.

    +
  • +
  • +

    PXE has been disabled on all other NICs.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    DHCP reservations use infinite leases to deploy the cluster with static IP addresses. (optional)

    +
  • +
  • +

    NICx VLAN is configured for the baremetal network.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
Summary
+

After an environment has been prepared according to the documented prerequisites, the installation process is the same as other installer-provisioned platforms.

+
+
+
+
+
+

3. Setting up the environment for an OpenShift installation

+
+ +
+

3.1. Installing RHEL on the provisioner node

+
+

With the networking configuration complete, the next step is to install RHEL 8.X on the provisioner node. The installer uses the provisioner node as the orchestrator while installing the OpenShift Container Platform cluster. For the purposes of this document, installing RHEL on the provisioner node is out of scope. However, options include but are not limited to using a RHEL Satellite server, PXE, or installation media.

+
+
+
+

3.2. Preparing the provisioner node for OpenShift Container Platform installation

+
+

Perform the following steps to prepare the environment.

+
+
+
Procedure
+
    +
  1. +

    Log in to the provisioner node via ssh.

    +
  2. +
  3. +

    Create a non-root user (kni) and provide that user with sudo privileges.

    +
    +
    +
    [root@provisioner ~]# useradd kni
    +[root@provisioner ~]# passwd kni
    +[root@provisioner ~]# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    +[root@provisioner ~]# chmod 0440 /etc/sudoers.d/kni
    +
    +
    +
  4. +
  5. +

    Create an ssh key for the new user.

    +
    +
    +
    [root@provisioner ~]# su - kni -c "ssh-keygen -t rsa -f /home/kni/.ssh/id_rsa -N ''"
    +
    +
    +
  6. +
  7. +

    Log in as the new user on the provisioner node.

    +
    +
    +
    [root@provisioner ~]# su - kni
    +[kni@provisioner ~]$
    +
    +
    +
  8. +
  9. +

    Use Red Hat Subscription Manager to register the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ sudo subscription-manager register --username=<user> --password=<pass> --auto-attach
    +[kni@provisioner ~]$ sudo subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms --enable=rhel-8-for-x86_64-baseos-rpms
    +
    +
    +
    + + + + + +
    + + +
    +

    For more information about Red Hat Subscription Manager, see Using and Configuring Red Hat Subscription Manager.

    +
    +
    +
    +
  10. +
  11. +

    Install the following packages.

    +
    +
    +
    [kni@provisioner ~]$ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitool
    +
    +
    +
  12. +
  13. +

    Modify the user to add the libvirt group to the newly created user.

    +
    +
    +
    [kni@provisioner ~]$ sudo usermod --append --groups libvirt <user>
    +
    +
    +
  14. +
  15. +

    Restart firewalld and enable the http service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start firewalld
    +[kni@provisioner ~]$ sudo firewall-cmd --zone=public --add-service=http --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --reload
    +
    +
    +
  16. +
  17. +

    Start and enable the libvirtd service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start libvirtd
    +[kni@provisioner ~]$ sudo systemctl enable libvirtd --now
    +
    +
    +
  18. +
  19. +

    Create the default storage pool and start it.

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images
    +[kni@provisioner ~]$ sudo virsh pool-start default
    +[kni@provisioner ~]$ sudo virsh pool-autostart default
    +
    +
    +
  20. +
  21. +

    Configure networking.

    +
    + + + + + +
    + + +
    +

    This step can also be run from the web console.

    +
    +
    +
    +
    +
    Provisioning Network (IPv4 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv4.addresses 172.22.0.1/24 ipv4.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv4 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    +
    Provisioning Network (IPv6 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv6.addresses fd00:1101::1/64 ipv6.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv6 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    Ensure that UEFI is enabled and UEFI PXE settings are set to the IPv6 protocol when using IPv6 addressing.

    +
    +
    +
    +
  22. +
  23. +

    ssh back into the provisioner node (if required).

    +
    +
    +
    # ssh kni@provisioner.<cluster-name>.<domain>
    +
    +
    +
  24. +
  25. +

    Verify the connection bridges have been properly created.

    +
    +
    +
    [kni@provisioner ~]$ nmcli con show
    +
    +
    +
    +
    +
    NAME               UUID                                  TYPE      DEVICE
    +baremetal          4d5133a5-8351-4bb9-bfd4-3af264801530  bridge    baremetal
    +provisioning       43942805-017f-4d7d-a2c2-7cb3324482ed  bridge    provisioning
    +virbr0             d9bca40f-eee1-410b-8879-a2d4bb0465e7  bridge    virbr0
    +bridge-slave-eno1  76a8ed50-c7e5-4999-b4f6-6d9014dd0812  ethernet  eno1
    +bridge-slave-eno2  f31c3353-54b7-48de-893a-02d2b34c4736  ethernet  eno2
    +
    +
    +
  26. +
  27. +

    Create a pull-secret.txt file.

    +
    +
    +
    [kni@provisioner ~]$ vim pull-secret.txt
    +
    +
    +
    +

    In a web browser, navigate to Install on Bare Metal with user-provisioned infrastructure, and scroll down to the Downloads section. Click Copy pull secret. Paste the contents into the pull-secret.txt file and save the contents in the kni user’s home directory.

    +
    +
  28. +
+
+
+
+

3.3. Retrieving the OpenShift Container Platform installer (GA Release)

+
+

Use the latest-4.x version of the installer to deploy the latest generally +available version of OpenShift Container Platform:

+
+
+
+
[kni@provisioner ~]$ export VERSION=latest-4.7
+export RELEASE_IMAGE=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')
+
+
+
+
+

3.4. Extracting the OpenShift Container Platform installer (GA Release)

+
+

After retrieving the installer, the next step is to extract it.

+
+
+
Procedure
+
    +
  1. +

    Set the environment variables:

    +
    +
    +
    [kni@provisioner ~]$ export cmd=openshift-baremetal-install
    +[kni@provisioner ~]$ export pullsecret_file=~/pull-secret.txt
    +[kni@provisioner ~]$ export extract_dir=$(pwd)
    +
    +
    +
  2. +
  3. +

    Get the oc binary:

    +
    +
    +
    [kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux.tar.gz | tar zxvf - oc
    +
    +
    +
  4. +
  5. +

    Extract the installer:

    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +[kni@provisioner ~]$ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${RELEASE_IMAGE}
    +[kni@provisioner ~]$ sudo cp openshift-baremetal-install /usr/local/bin
    +
    +
    +
  6. +
+
+
+
+

3.5. Creating an RHCOS images cache (optional)

+
+

To employ image caching, you must download two images: the Red Hat Enterprise Linux CoreOS (RHCOS) image used by the bootstrap VM and the RHCOS image used by the installer to provision the different nodes. Image caching is optional, but especially useful when running the installer on a network with limited bandwidth.

+
+
+

If you are running the installer on a network with limited bandwidth and the RHCOS images download takes more than 15 to 20 minutes, the installer will timeout. Caching images on a web server will help in such scenarios.

+
+
+

Use the following steps to install a container that contains the images.

+
+
+
    +
  1. +

    Install podman.

    +
    +
    +
    $ sudo dnf install -y podman
    +
    +
    +
  2. +
  3. +

    Open firewall port 8080 to be used for RHCOS image caching.

    +
    +
    +
    $ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent
    +$ sudo firewall-cmd --reload
    +
    +
    +
  4. +
  5. +

    Create a directory to store the bootstraposimage and clusterosimage.

    +
    +
    +
    $ mkdir /home/kni/rhcos_image_cache
    +
    +
    +
  6. +
  7. +

    Set the appropriate SELinux context for the newly created directory.

    +
    +
    +
    $ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"
    +$ sudo restorecon -Rv rhcos_image_cache/
    +
    +
    +
  8. +
  9. +

    Get the commit ID from the installer. The ID determines which images the installer needs to download.

    +
    +
    +
    $ export COMMIT_ID=$(/usr/local/bin/openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
    +
    +
    +
  10. +
  11. +

    Get the URI for the RHCOS image that the installer will deploy on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.openstack.path | sed 's/"//g')
    +
    +
    +
  12. +
  13. +

    Get the URI for the RHCOS image that the installer will deploy on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.qemu.path | sed 's/"//g')
    +
    +
    +
  14. +
  15. +

    Get the path where the images are published.

    +
    +
    +
    $ export RHCOS_PATH=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .baseURI | sed 's/"//g')
    +
    +
    +
  16. +
  17. +

    Get the SHA hash for the RHCOS image that will be deployed on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_SHA_UNCOMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.qemu["uncompressed-sha256"]')
    +
    +
    +
  18. +
  19. +

    Get the SHA hash for the RHCOS image that will be deployed on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_SHA_COMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.openstack.sha256')
    +
    +
    +
  20. +
  21. +

    Download the images and place them in the /home/kni/rhcos_image_cache directory.

    +
    +
    +
    $ curl -L ${RHCOS_PATH}${RHCOS_QEMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI}
    +$ curl -L ${RHCOS_PATH}${RHCOS_OPENSTACK_URI} -o /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI}
    +
    +
    +
  22. +
  23. +

    Confirm SELinux type is of httpd_sys_content_t for the newly created files.

    +
    +
    +
    $ ls -Z /home/kni/rhcos_image_cache
    +
    +
    +
  24. +
  25. +

    Create the pod.

    +
    +
    +
    $ podman run -d --name rhcos_image_cache \
    +-v /home/kni/rhcos_image_cache:/var/www/html \
    +-p 8080:8080/tcp \
    +quay.io/centos7/httpd-24-centos7:latest
    +
    +
    +
  26. +
  27. +

    Generate the bootstrapOSImage and clusterOSImage configuration.

    +
    +
    +
    $ export BAREMETAL_IP=$(ip addr show dev baremetal | awk '/inet /{print $2}' | cut -d"/" -f1)
    +$ export RHCOS_OPENSTACK_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI} | sha256sum | awk '{print $1}')
    +$ export RHCOS_QEMU_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI} | sha256sum | awk '{print $1}')
    +$ export CLUSTER_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_OPENSTACK_URI}?sha256=${RHCOS_OPENSTACK_SHA256}"
    +$ export BOOTSTRAP_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_QEMU_URI}?sha256=${RHCOS_QEMU_SHA256}"
    +$ echo "${RHCOS_OPENSTACK_SHA256}  ${RHCOS_OPENSTACK_URI}" > /home/kni/rhcos_image_cache/rhcos-ootpa-latest.qcow2.md5sum
    +$ echo "    bootstrapOSImage=${BOOTSTRAP_OS_IMAGE}"
    +$ echo "    clusterOSImage=${CLUSTER_OS_IMAGE}"
    +
    +
    +
  28. +
  29. +

    Add the required configuration to the install-config.yaml file under platform.baremetal.

    +
    +
    +
    platform:
    +  baremetal:
    +    bootstrapOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_QEMU_URI>?sha256=<RHCOS_QEMU_SHA256>
    +    clusterOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_OPENSTACK_URI>?sha256=<RHCOS_OPENSTACK_SHA256>
    +
    +
    +
    +

    See the Configuring the install-config.yaml file section for additional details.

    +
    +
  30. +
+
+
+
+

3.6. Configuration files

+
+

3.6.1. Configuring the install-config.yaml file

+
+

The install-config.yaml file requires some additional details. +Most of the information is teaching the installer and the resulting cluster enough about the available hardware so that it is able to fully manage it.

+
+
+
    +
  1. +

    Configure install-config.yaml. Change the appropriate variables to match the environment, including pullSecret and sshKey.

    +
    +
    +
    apiVersion: v1
    +basedomain: <domain>
    +metadata:
    +  name: <cluster-name>
    +networking:
    +  machineCIDR: <public-cidr>
    +  networkType: OVNKubernetes
    +compute:
    +- name: worker
    +  replicas: 2 (1)
    +controlPlane:
    +  name: master
    +  replicas: 3
    +  platform:
    +    baremetal: {}
    +platform:
    +  baremetal:
    +    apiVIP: <api-ip>
    +    ingressVIP: <wildcard-ip>
    +    provisioningNetworkInterface: <NIC1>
    +    provisioningNetworkCIDR: <CIDR>
    +    hosts:
    +      - name: openshift-master-0
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip> (2)
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-1
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-2
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-worker-0
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +      - name: openshift-worker-1
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +pullSecret: '<pull_secret>'
    +sshKey: '<ssh_pub_key>'
    +
    +
    +
    + + + + + + + + + +
    1Scale the worker machines based on the number of worker nodes that are part of the OpenShift Container Platform cluster.
    2Refer to the BMC addressing for more options
    +
    +
  2. +
  3. +

    Create a directory to store cluster configs.

    +
    +
    +
    [kni@provisioner ~]$ mkdir ~/clusterconfigs
    +[kni@provisioner ~]$ cp install-config.yaml ~/clusterconfigs
    +
    +
    +
  4. +
  5. +

    Ensure all bare metal nodes are powered off prior to installing the OpenShift Container Platform cluster.

    +
    +
    +
    [kni@provisioner ~]$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  6. +
  7. +

    Remove old bootstrap resources if any are left over from a previous deployment attempt.

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool $i;
    +  sudo virsh vol-delete $i.ign --pool $i;
    +  sudo virsh pool-destroy $i;
    +  sudo virsh pool-undefine $i;
    +done
    +
    +
    +
  8. +
+
+
+
+

3.6.2. Setting proxy settings within the install-config.yaml file (optional)

+
+

To deploy an OpenShift Container Platform cluster using a proxy, make the following changes to the install-config.yaml file.

+
+
+
+
apiVersion: v1
+baseDomain: <domain>
+proxy:
+  httpProxy: http://USERNAME:PASSWORD@proxy.example.com:PORT
+  httpsProxy: https://USERNAME:PASSWORD@proxy.example.com:PORT
+  noProxy: <WILDCARD_OF_DOMAIN>,<PROVISIONING_NETWORK/CIDR>,<BMC_ADDRESS_RANGE/CIDR>
+
+
+
+

See below for an example of noProxy with values.

+
+
+
+
noProxy: .example.com,172.22.0.0/24,10.10.0.0/24
+
+
+
+

With a proxy enabled, set the appropriate values of the proxy in the corresponding key/value pair.

+
+
+

Key considerations:

+
+
+
    +
  • +

    If the proxy does not have an HTTPS proxy, change the value of httpsProxy from https:// to http://.

    +
  • +
  • +

    If using a provisioning network, include it in the noProxy setting, otherwise the installer will fail.

    +
  • +
  • +

    Set all of the proxy settings as environment variables within the provisioner node. For example, HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

    +
  • +
+
+
+
+

3.6.3. Modifying the install-config.yaml file for no provisioning network (optional)

+
+

To deploy an OpenShift Container Platform cluster without a provisioning network, make the following changes to the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    apiVIP: <apiVIP>
+    ingressVIP: <ingress/wildcard VIP>
+    provisioningNetwork: "Disabled"
+
+
+
+
+

3.6.4. Modifying the install-config.yaml file for dual-stack network (optional)

+
+

To deploy an OpenShift Container Platform cluster with dual-stack networking, make the following changes to the install-config.yaml file.

+
+
+
+
machineNetwork:
+- cidr: {{ extcidrnet }}
+- cidr: {{ extcidrnet6 }}
+clusterNetwork:
+- cidr: 10.128.0.0/14
+  hostPrefix: 23
+- cidr: fd02::/48
+  hostPrefix: 64
+serviceNetwork:
+- 172.30.0.0/16
+- fd03::/112
+
+
+
+ + + + + +
+ + +In the above snippet, the network settings must match the settings for the cluster’s network environment. The machineNetwork, clusterNetwork, and serviceNetwork configuration settings must have two CIDR entries each. The first CIDR entry is the IPv4 setting and the second CIDR entry is the IPv6 setting. +
+
+
+ + + + + +
+ + +
+

The IPv4 entries must go before the IPv6 entries.

+
+
+
+
+

To deploy an OpenShift Container Platform cluster with dual-stack, deploy an additional manifest to enable the FeatureGate with the following contents:

+
+
+
+
apiVersion: config.openshift.io/v1
+kind: FeatureGate
+metadata:
+  name: cluster
+spec:
+  featureSet: IPv6DualStackNoUpgrade
+
+
+
+
+

3.6.5. Additional install-config parameters

+
+

See the following tables for the required parameters, the hosts parameter, +and the bmc parameter for the install-config.yaml file.

+
+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2. Required parameters
ParametersDefaultDescription

baseDomain

The domain name for the cluster. For example, example.com.

bootMode

legacy

The boot mode for a node. Options are legacy, UEFI and UEFISecureBoot.

sshKey

The sshKey configuration setting contains the key in the ~/.ssh/id_rsa.pub file required to access the control plane nodes and worker nodes. Typically, this key is from the provisioner node.

pullSecret

The pullSecret configuration setting contains a copy of the pull secret downloaded from the Install OpenShift on Bare Metal page when preparing the provisioner node.

+
+
metadata:
+    name:
+
+

The name to be given to the OpenShift Container Platform cluster. For example, openshift.

+
+
networking:
+    machineCIDR:
+
+

The public CIDR (Classless Inter-Domain Routing) of the external network. For example, 10.0.0.0/24 +or 2620:52:0:1302::/64 +.

+
+
compute:
+  - name: worker
+
+

The OpenShift Container Platform cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes.

+
+
compute:
+    replicas: 2
+
+

Replicas sets the number of worker (or compute) nodes in the OpenShift Container Platform cluster.

+
+
controlPlane:
+    name: master
+
+

The OpenShift Container Platform cluster requires a name for control plane (master) nodes.

+
+
controlPlane:
+    replicas: 3
+
+

Replicas sets the number of control plane (master) nodes included as part of the OpenShift Container Platform cluster.

+

provisioningNetworkInterface

+

The name of the network interface on control plane nodes connected to the +provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

apiVIP

api.<clustername.clusterdomain>

The VIP to use for internal API communication.

+

This setting must either be provided or pre-configured in the DNS so that the +default name resolves correctly.

disableCertificateVerification

False

redfish and redfish-virtualmedia need this parameter to manage BMC addresses. The value should be True when using a self-signed certificate for BMC addresses.

ingressVIP

test.apps.<clustername.clusterdomain>

The VIP to use for ingress traffic.

+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 3. Optional Parameters
ParametersDefaultDescription

provisioningDHCPRange

172.22.0.10,172.22.0.100

Defines the IP range for nodes on the provisioning network.

+

provisioningNetworkCIDR

+

172.22.0.0/24

The CIDR for the network to use for provisioning. This option is required when not using the default address range on the provisioning network.

clusterProvisioningIP

The third IP address of the provisioningNetworkCIDR.

The IP address within the cluster where the provisioning services run. Defaults to the third IP address of the provisioning subnet. For example, 172.22.0.3.

bootstrapProvisioningIP

The second IP address of the provisioningNetworkCIDR.

The IP address on the bootstrap VM where the provisioning services run while the installer is deploying the control plane (master) nodes. Defaults to the second IP address of the provisioning subnet. For example, 172.22.0.2 +or 2620:52:0:1307::2 +.

externalBridge

baremetal

The name of the baremetal bridge of the hypervisor attached to the baremetal network.

provisioningBridge

provisioning

The name of the provisioning bridge on the provisioner host attached to the provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

bootstrapOSImage

A URL to override the default operating system image for the bootstrap node. The URL must contain a SHA-256 hash of the image. For example: +https://mirror.openshift.com/rhcos-<version>-qemu.qcow2.gz?sha256=<uncompressed_sha256>; + or http://[2620:52:0:1307::1]/rhcos-<version>-qemu.x86_64.qcow2.gz?sha256=<uncompressed_sha256> +.

clusterOSImage

A URL to override the default operating system for cluster nodes. The URL must include a SHA-256 hash of the image. For example, https://mirror.openshift.com/images/rhcos-<version>-openstack.qcow2.gz?sha256=<compressed_sha256>;.

provisioningNetwork

Set this parameter to Disabled to disable the requirement for a provisioning network. User may only do virtual media based provisioning, or bring up the cluster using assisted installation. If using power management, BMC’s must be accessible from the machine networks. User must provide two IP addresses on the external network that are used for the provisioning services. +Set this parameter to Managed, which is the default, to fully manage the provisioning network, including DHCP, TFTP, and so on.

+

Set this parameter to Unmanaged to still enable the provisioning network but take care of manual configuration of DHCP. Virtual media provisioning is recommended but PXE is still available if required.

httpProxy

Set this parameter to the appropriate HTTP proxy used within your environment.

httpsProxy

Set this parameter to the appropriate HTTPS proxy used within your environment.

noProxy

Set this parameter to the appropriate list of exclusions for proxy usage within your environment.

+
+
Hosts
+

The hosts parameter is a list of separate bare metal assets used to build the cluster.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Name

Default

Description

name

The name of the BareMetalHost resource to associate with the details. For example, openshift-master-0.

role

The role of the bare metal node. Either master or worker.

bmc

Connection details for the baseboard management controller. See the BMC addressing section for additional details.

bootMACAddress

The MAC address of the NIC the host will use to boot on the provisioning network.

+
+
+

3.6.6. BMC addressing

+
+

Most vendors support BMC addressing with the Intelligent Platform Management Interface or IPMI. IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center or SDDC. Redfish is human readable and machine capable, and leverages common Internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.

+
+
+
IPMI
+

Hosts using IPMI use the ipmi://<out-of-band-ip>:<port> address format, which defaults to port 623 if not specified. The following example demonstrates an IPMI configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: ipmi://<out-of-band-ip>
+          username: <user>
+          password: <password>
+
+
+
+
Redfish network boot
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
BMC addressing for Dell iDRAC
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For Dell hardware, Red Hat supports integrated Dell Remote Access Controller (iDRAC) virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 4. BMC address formats for Dell iDRAC
ProtocolAddress Format

iDRAC virtual media

idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

IPMI

ipmi://<out-of-band-ip>

+
+ + + + + +
+ + +
+

Use idrac-virtualmedia as the protocol for Redfish virtual media. redfish-virtualmedia will not work on Dell hardware. Dell’s idrac-virtualmedia uses the Redfish standard with Dell’s OEM extensions.

+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for Dell iDRAC
+

For Redfish virtual media on Dell servers, use idrac-virtualmedia:// in the address setting. Using redfish-virtualmedia:// will not work.

+
+
+

The following example demonstrates using iDRAC virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

Use idrac-virtualmedia:// as the protocol for Redfish virtual media. Using redfish-virtualmedia:// will not work on Dell hardware, because the idrac-virtualmedia:// protocol corresponds to the idrac hardware type and the Redfish protocol in Ironic. Dell’s idrac-virtualmedia:// protocol uses the Redfish standard with Dell’s OEM extensions. Ironic also supports the idrac type with the WSMAN protocol. Therefore, you must specify idrac-virtualmedia:// to avoid unexpected behavior when electing to use Redfish with virtual media on Dell hardware.

+
+
+
+
+
Redfish network boot for iDRAC
+

To enable Redfish, use redfish:// or redfish+http:// to disable transport layer security (TLS). The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell hardware with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

The redfish:// URL protocol corresponds to the redfish hardware type in Ironic.

+
+
+
+
+
+
BMC addressing for HPE iLO
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For HPE integrated Lights Out (iLO), Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 5. BMC address formats for HPE iLO
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/1

IPMI

ipmi://<out-of-band-ip>

+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for HPE iLO
+

To enable Redfish virtual media for HPE servers, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Redfish virtual media is not supported on 9th generation systems running iLO4, because Ironic does not support iLO4 with virtual media.

+
+
+
+
+
Redfish network boot for HPE iLO
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
BMC addressing for KVM with sushy-tools Redfish emulator
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For KVM working with sushy-tools Redfish emulator, Red Hat supports Redfish virtual media and Redfish network boot.

+
+ + ++++ + + + + + + + + + + + + + + + + +
Table 6. BMC address formats for KVM with sushy-tools Redfish emulator
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

Redfish network boot

redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

+
+ + + + + +
+ + +
+

The sushy-tools Redfish emulator runs from the KVM hypervisor and a single instance acts as the virtual BMC for all the guest machines. This means both the out of band IP address and port, will be same and each individual machine must be identified by its System ID.

+
+
+

You may retrieve the System ID of your guest machines with the following command:

+
+
+
+
---
+$ virsh list --all --name --uuid
+d8ac6bf8-3062-4954-84c3-e097faa17025 compute-0
+84971a71-3935-4a92-8d90-a9f8440dac09 compute-1
+92430f42-8805-4412-959a-2a7252c7c540 compute-2
+0fea5296-db95-41d7-9295-f57cfa50255f control-plane-0
+4986e405-fd3a-483d-9210-8cb120b98f80 control-plane-1
+26bf228c-44fd-4c49-9e6f-44f4b5968b34 control-plane-2
+---
+
+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for KVM with sushy-tools Redfish emulator
+

To enable Redfish virtual media for KVM environments running the sushy-tools Redfish emulator, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
Redfish network boot for KVM with sushy-tools Redfish emulator
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires the host name or the IP address, the Redfish emulator listening port and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
+

3.6.7. Root device hints

+
+

The rootDeviceHints parameter enables the installer to provision the Red Hat Enterprise Linux CoreOS (RHCOS) image to a particular device. The installer examines the devices in the order it discovers them, and compares the discovered values with the hint values. The installer uses the first discovered device that matches the hint value. The configuration can combine multiple hints, but a device must match all hints for the installer to select it.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 7. Subfields
SubfieldDescription

deviceName

A string containing a Linux device name like /dev/vda. The hint must match the actual value exactly.

hctl

A string containing a SCSI bus address like 0:0:0:0. The hint must match the actual value exactly.

model

A string containing a vendor-specific device identifier. The hint can be a substring of the actual value.

vendor

A string containing the name of the vendor or manufacturer of the device. The hint can be a sub-string of the actual value.

serialNumber

A string containing the device serial number. The hint must match the actual value exactly.

minSizeGigabytes

An integer representing the minimum size of the device in gigabytes.

wwn

A string containing the unique storage identifier. The hint must match the actual value exactly.

wwnWithExtension

A string containing the unique storage identifier with the vendor extension appended. The hint must match the actual value exactly.

wwnVendorExtension

A string containing the unique vendor storage identifier. The hint must match the actual value exactly.

rotational

A Boolean indicating whether the device should be a rotating disk (true) or not (false).

+
+
Example usage
+
+
     - name: master-0
+       role: master
+       bmc:
+         address: ipmi://10.10.0.3:6203
+         username: admin
+         password: redhat
+       bootMACAddress: de:ad:be:ef:00:40
+       rootDeviceHints:
+         deviceName: "/dev/sda"
+
+
+
+
+

3.6.8. Creating the OpenShift Container Platform manifests

+
+
    +
  1. +

    Create the OpenShift Container Platform manifests.

    +
    +
    +
    [kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs create manifests
    +
    +
    +
    +
    +
    INFO Consuming Install Config from target directory
    +WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
    +WARNING Discarding the Openshift Manifest that was provided in the target directory because its dependencies are dirty and it needs to be regenerated
    +
    +
    +
  2. +
+
+
+
+
+

3.7. Creating a disconnected registry (optional)

+
+

In some cases, you might want to install an OpenShift Container Platform cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.

+
+
+

A local, or mirrored, copy of the registry requires the following:

+
+
+
    +
  • +

    A certificate for the registry node. This can be a self-signed certificate.

    +
  • +
  • +

    A web server that a container on a system will serve.

    +
  • +
  • +

    An updated pull secret that contains the certificate and local repository information.

    +
  • +
+
+
+ + + + + +
+ + +
+

Creating a disconnected registry on a registry node is optional. The subsequent sections indicate that they are optional since they are steps you need to execute only when creating a disconnected registry on a registry node. You should execute all of the subsequent sub-sections labeled "(optional)" when creating a disconnected registry on a registry node.

+
+
+
+
+

3.7.1. Preparing the registry node to host the mirrored registry (optional)

+
+

Make the following changes to the registry node.

+
+
+
Procedure
+
    +
  1. +

    Open the firewall port on the registry node.

    +
    +
    +
    [user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[user@registry ~]$ sudo firewall-cmd --reload
    +
    +
    +
  2. +
  3. +

    Install the required packages for the registry node.

    +
    +
    +
    [user@registry ~]$ sudo yum -y install python3 podman httpd httpd-tools jq
    +
    +
    +
  4. +
  5. +

    Create the directory structure where the repository information will be held.

    +
    +
    +
    [user@registry ~]$ sudo mkdir -p /opt/registry/{auth,certs,data}
    +
    +
    +
  6. +
+
+
+
+

3.7.2. Generating the self-signed certificate (optional)

+
+

Generate a self-signed certificate for the registry node and put it in the /opt/registry/certs directory.

+
+
+
Procedure
+
    +
  1. +

    Adjust the certificate information as appropriate.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +[user@registry ~]$ cert_c="<Country Name>"   # Country Name (C, 2 letter code)
    +[user@registry ~]$ cert_s="<State>"          # Certificate State (S)
    +[user@registry ~]$ cert_l="<Locality>"       # Certificate Locality (L)
    +[user@registry ~]$ cert_o="<Organization>"   # Certificate Organization (O)
    +[user@registry ~]$ cert_ou="<Org Unit>"      # Certificate Organizational Unit (OU)
    +[user@registry ~]$ cert_cn="${host_fqdn}"    # Certificate Common Name (CN)
    +
    +[user@registry ~]$ openssl req \
    +    -newkey rsa:4096 \
    +    -nodes \
    +    -sha256 \
    +    -keyout /opt/registry/certs/domain.key \
    +    -x509 \
    +    -days 365 \
    +    -out /opt/registry/certs/domain.crt \
    +    -addext "subjectAltName = DNS:${host_fqdn}" \
    +    -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
    +
    +
    +
    + + + + + +
    + + +When replacing <Country Name>, ensure that it only contains two letters. For example, US. +
    +
    +
  2. +
  3. +

    Update the registry node’s ca-trust with the new certificate.

    +
    +
    +
    [user@registry ~]$ sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    +[user@registry ~]$ sudo update-ca-trust extract
    +
    +
    +
  4. +
+
+
+
+

3.7.3. Creating the registry podman container (optional)

+
+

The registry container uses the /opt/registry directory for certificates, authentication files, and to store its data files.

+
+
+

The registry container uses httpd and needs an htpasswd file for authentication.

+
+
+
Procedure
+
    +
  1. +

    Create an htpasswd file in /opt/registry/auth for the container to use.

    +
    +
    +
    [user@registry ~]$ htpasswd -bBc /opt/registry/auth/htpasswd <user> <passwd>
    +
    +
    +
    +

    Replace <user> with the user name and <passwd> with the password.

    +
    +
  2. +
  3. +

    Create and start the registry container.

    +
    +
    +
    [user@registry ~]$ podman create \
    +  --name ocpdiscon-registry \
    +  -p 5000:5000 \
    +  -e "REGISTRY_AUTH=htpasswd" \
    +  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
    +  -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
    +  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
    +  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
    +  -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
    +  -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true" \
    +  -v /opt/registry/data:/var/lib/registry:z \
    +  -v /opt/registry/auth:/auth:z \
    +  -v /opt/registry/certs:/certs:z \
    +  docker.io/library/registry:2
    +
    +
    +
    +
    +
    [user@registry ~]$ podman start ocpdiscon-registry
    +
    +
    +
  4. +
+
+
+
+

3.7.4. Copy and update the pull-secret (optional)

+
+

Copy the pull secret file from the provisioner node to the registry node and modify it to include the authentication information for the new registry node.

+
+
+
Procedure
+
    +
  1. +

    Copy the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ scp kni@provisioner:/home/kni/pull-secret.txt pull-secret.txt
    +
    +
    +
  2. +
  3. +

    Update the host_fqdn environment variable with the fully qualified domain name of the registry node.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +
    +
    +
  4. +
  5. +

    Update the b64auth environment variable with the base64 encoding of the http credentials used to create the htpasswd file.

    +
    +
    +
    [user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 )
    +
    +
    +
    +

    Replace <username> with the user name and <passwd> with the password.

    +
    +
  6. +
  7. +

    Set the AUTHSTRING environment variable to use the base64 authorization string. The $USER variable is an environment variable containing the name of the current user.

    +
    +
    +
    [user@registry ~]$ AUTHSTRING="{\"$host_fqdn:5000\": {\"auth\": \"$b64auth\",\"email\": \"$USER@redhat.com\"}}"
    +
    +
    +
  8. +
  9. +

    Update the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ jq ".auths += $AUTHSTRING" < pull-secret.txt > pull-secret-update.txt
    +
    +
    +
  10. +
+
+
+
+

3.7.5. Mirroring the repository (optional)

+
+
Procedure
+
    +
  1. +

    Copy the oc binary from the provisioner node to the registry node.

    +
    +
    +
    [user@registry ~]$ sudo scp kni@provisioner:/usr/local/bin/oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Get the release image and mirror the remote install images to the local repository.

    +
    +
    +
    [user@registry ~]$ export VERSION=latest-4.7
    +[user@registry ~]$ UPSTREAM_REPO=$(curl -s https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/$VERSION/release.txt | awk  '/Pull From/ {print $3}')
    +[user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.txt
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
  4. +
+
+
+
+

3.7.6. Modify the install-config.yaml file to use the disconnected registry (optional)

+
+

On the provisioner node, the install-config.yaml file should use the newly created pull-secret from the pull-secret-update.txt file. The install-config.yaml file must also contain the disconnected registry node’s certificate and registry information.

+
+
+
Procedure
+
    +
  1. +

    Add the disconnected registry node’s certificate to the install-config.yaml file. The certificate should follow the "additionalTrustBundle: |" line and be properly indented, usually by two spaces.

    +
    +
    +
    $ echo "additionalTrustBundle: |" >> install-config.yaml
    +$ sed -e 's/^/  /' /opt/registry/certs/domain.crt >> install-config.yaml
    +
    +
    +
  2. +
  3. +

    Add the mirror information for the registry to the install-config.yaml file.

    +
    +
    +
    $ cat <<EOF >> install-config.yaml
    +<image-config>: (1)
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: registry.svc.ci.openshift.org/ocp/release
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-release
    +EOF
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <image-config> with imageContentSources for OpenShift 4.13 and below, or imageDigestSources for Openshift 4.14 and above. +
    + + + + + +
    + + +Replace registry.example.com with the registry’s fully qualified domain name. +
    +
    +
    +
  4. +
+
+
+
+
+

3.8. Deploying routers on worker nodes

+
+

During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If the initial cluster has only one worker node, or if a deployed cluster requires additional routers to handle external traffic loads destined for services within the OpenShift Container Platform cluster, you can create a yaml file to set an appropriate number of router replicas.

+
+
+ + + + + +
+ + +
+

By default, the installer deploys two routers. +If the cluster has at least two worker nodes, you can skip this section. +For more information on the Ingress Operator see: Ingress Operator in OpenShift Container Platform.

+
+
+
+
+ + + + + +
+ + +
+

If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default. If the cluster has no worker nodes, you can skip this section.

+
+
+
+
+
Procedure
+
    +
  1. +

    Create a router-replicas.yaml file.

    +
    +
    +
    apiVersion: operator.openshift.io/v1
    +kind: IngressController
    +metadata:
    +  name: default
    +  namespace: openshift-ingress-operator
    +spec:
    +  replicas: <num-of-router-pods>
    +  endpointPublishingStrategy:
    +    type: HostNetwork
    +  nodePlacement:
    +    nodeSelector:
    +      matchLabels:
    +        node-role.kubernetes.io/worker: ""
    +
    +
    +
    + + + + + +
    + + +
    +

    Replace <num-of-router-pods> with an appropriate value. If working with just one worker node, set replicas: to 1. If working with more than 3 worker nodes, you can increase replicas: from the default value 2 as appropriate.

    +
    +
    +
    +
  2. +
  3. +

    Save and copy the router-replicas.yaml file to the clusterconfigs/openshift directory.

    +
    +
    +
    cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yaml
    +
    +
    +
  4. +
+
+
+
+

3.9. Validation checklist for installation

+
+
    +
  • +

    OpenShift Container Platform installer has been retrieved.

    +
  • +
  • +

    OpenShift Container Platform installer has been extracted.

    +
  • +
  • +

    Required parameters for the install-config.yaml have been configured.

    +
  • +
  • +

    The hosts parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    The bmc parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    Conventions for the values configured in the bmc address field have been applied.

    +
  • +
  • +

    Created a disconnected registry (optional).

    +
  • +
  • +

    Validate disconnected registry settings if in use. (optional)

    +
  • +
  • +

    Deployed routers on worker nodes. (optional)

    +
  • +
+
+
+
+

3.10. Deploying the cluster via the OpenShift Container Platform installer

+
+

Run the OpenShift Container Platform installer:

+
+
+
+
[kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs --log-level debug create cluster
+
+
+
+
+

3.11. Following the installation

+
+

During the deployment process, you can check the installation’s overall status by issuing the tail command to the .openshift_install.log log file in the install directory folder.

+
+
+
+
[kni@provisioner ~]$ tail -f /path/to/install-dir/.openshift_install.log
+
+
+
+
+

3.12. Verifying static IP address configuration

+
+

If the DHCP reservation for a cluster node specifies an infinite leases, after the installer successfully provisions the node, the dispatcher script will check the node’s network configuration. If the script determines that the network configuration contains an infinite DHCP lease, it creates a new connection using the IP address of the DHCP lease as a static IP address.

+
+
+ + + + + +
+ + +
+

The dispatcher script may run on successfully provisioned nodes while the provisioning of other nodes in the cluster is ongoing.

+
+
+
+
+

To verify the network configuration is working properly, you can:

+
+
+
    +
  • +

    Check the network interface configuration on the node.

    +
  • +
  • +

    Turn off the DHCP server and reboot the OpenShift Container Platform node and and ensure that the network configuration works properly.

    +
  • +
+
+
+
+
+
+

4. Day 2 operations

+
+
+

The following sections are optional, but may be of interest after the initial deployment has been completed.

+
+
+

4.1. Accessing the web console

+
+

The web console runs as a pod on the master. The static assets required to run +the web console are served by the pod. Once OpenShift Container Platform is successfully +installed, find the URL for the web console and login credentials for your +installed cluster in the CLI output of the installation program. For example:

+
+
+
Example output
+
+
INFO Install complete!
+INFO Run 'export KUBECONFIG=<your working directory>/auth/kubeconfig' to manage the cluster with 'oc', the OpenShift CLI.
+INFO The cluster is ready when 'oc login -u kubeadmin -p <provided>' succeeds (wait a few minutes).
+INFO Access the OpenShift web-console here: https://console-openshift-console.apps.demo1.openshift4-beta-abcorp.com
+INFO Login to the console with user: kubeadmin, password: <provided>
+
+
+
+

Use those details to log in and access the web console.

+
+
+

Additionally, you can execute:

+
+
+
+
oc whoami --show-console
+
+
+
+

To obtain the url for the console.

+
+
+
+

4.2. Backing up the cluster configuration

+
+

At this point you have a working OpenShift 4 cluster on baremetal. +In order to take advantage of the baremetal hardware that was the provision node, +you can repurpose the provisioning node as a worker. +Prior to reprovisioning the node, it is recommended to backup some existing files.

+
+
+
Procedure
+
    +
  1. +

    Tar the clusterconfig folder and download it to your local machine.

    +
    +
    +
    tar cvfz clusterconfig.tar.gz ~/clusterconfig
    +
    +
    +
  2. +
  3. +

    Copy the Private part for the SSH Key configured on the install-config.yaml file to your local machine.

    +
    +
    +
    tar cvfz clusterconfigsh.tar.gz ~/.ssh/id_rsa*
    +
    +
    +
  4. +
  5. +

    Copy the install-config.yaml and metal3-config.yaml files.

    +
    +
    +
    tar cvfz yamlconfigs.tar.gz install-config.yaml metal3-config.yaml
    +
    +
    +
  6. +
+
+
+
+

4.3. Expanding the cluster

+
+

After deploying an installer-provisioned OpenShift Container Platform cluster, you can use the following procedures to expand the number of worker nodes. Ensure that each prospective worker node meets the prerequisites.

+
+
+ + + + + +
+ + +
+

Expanding the cluster using RedFish Virtual Media involves meeting minimum firmware requirements. See Firmware requirements for installing with virtual media in the Prerequisites section for additional details when expanding the cluster using RedFish Virtual Media.

+
+
+
+
+

4.3.1. Preparing the bare metal node

+
+

Expanding the cluster requires a DHCP server. Each node must have a DHCP reservation.

+
+
+ + + + + +
+ + +
Reserving IP addresses so they become static IP addresses
+
+

Some administrators prefer to use static IP addresses so that each node’s IP address remains constant in the absence of a DHCP server. To use static IP addresses in the OpenShift Container Platform cluster, reserve the IP addresses in the DHCP server with an infinite lease. After the installer provisions the node successfully, the dispatcher script will check the node’s network configuration. If the dispatcher script finds that the network configuration contains a DHCP infinite lease, it will recreate the connection as a static IP connection using the IP address from the DHCP infinite lease. NICs without DHCP infinite leases will remain unmodified.

+
+
+
+
+

Preparing the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Get the oc binary, if needed. It should already exist on the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ export VERSION=latest-4.7
    +[kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux-$VERSION.tar.gz | tar zxvf - oc
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Power off the bare metal node via the baseboard management controller and ensure it is off.

    +
  4. +
  5. +

    Retrieve the user name and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the user name and password. In the following example, the user name is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  6. +
  7. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: <protocol>://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of the bare metal node in the two name fields and the credentialsName field. Replace <base64-of-uid> with the base64 string of the user name. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC.

    +
    +
    +

    Refer to the BMC addressing section for additional BMC configuration options. Replace <protocol> with the BMC protocol, such as IPMI, RedFish, or others. +Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
    + + + + + +
    + + +
    +

    If the MAC address of an existing bare metal node matches the MAC address of a bare metal host that you are attempting to provision, then the Ironic installation will fail. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the metal3-baremetal-operator will continuously retry. See Diagnosing a host duplicate MAC address for more information.

    +
    +
    +
    +
  8. +
  9. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  10. +
  11. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
+
+
+
+

4.3.2. Preparing to deploy with Virtual Media on the baremetal network

+
+

If the provisioning network is enabled, and you want to expand the cluster using Virtual Media on the baremetal network, execute the following procedure.

+
+
+
Procedure
+
    +
  1. +

    Edit the provisioning configuration resource (CR) to enable deploying with Virtual Media on the baremetal network.

    +
    +
    +
    oc edit provisioning
    +
    +
    +
    +
    +
      apiVersion: metal3.io/v1alpha1
    +  kind: Provisioning
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:50Z"
    +    finalizers:
    +    - provisioning.metal3.io
    +    generation: 8
    +    name: provisioning-configuration
    +    resourceVersion: "551591"
    +    uid: f76e956f-24c6-4361-aa5b-feaf72c5b526
    +  spec:
    +    preProvisioningOSDownloadURLs: {}
    +    provisioningDHCPRange: 172.22.0.10,172.22.0.254
    +    provisioningIP: 172.22.0.3
    +    provisioningInterface: enp1s0
    +    provisioningNetwork: Managed
    +    provisioningNetworkCIDR: 172.22.0.0/24
    +    provisioningOSDownloadURL: http://192.168.111.1/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.gz?sha256=c7dde5f96826c33c97b5a4ad34110212281916128ae11100956f400db3d5299e
    +    virtualMediaViaExternalNetwork: true (1)
    +  status:
    +    generations:
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 7
    +      name: metal3
    +      namespace: openshift-machine-api
    +      resource: deployments
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 1
    +      name: metal3-image-cache
    +      namespace: openshift-machine-api
    +      resource: daemonsets
    +    observedGeneration: 8
    +    readyReplicas: 0
    +
    +
    +
    + + + + + +
    1Add virtualMediaViaExternalNetwork: true to the provisioning CR.
    +
    +
  2. +
  3. +

    Edit the machine set to use the API VIP address.

    +
    +
    +
    oc edit machineset
    +
    +
    +
    +
    +
      apiVersion: machine.openshift.io/v1beta1
    +  kind: MachineSet
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:52Z"
    +    generation: 11
    +    labels:
    +      machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +      machine.openshift.io/cluster-api-machine-role: worker
    +      machine.openshift.io/cluster-api-machine-type: worker
    +    name: ostest-hwmdt-worker-0
    +    namespace: openshift-machine-api
    +    resourceVersion: "551513"
    +    uid: fad1c6e0-b9da-4d4a-8d73-286f78788931
    +  spec:
    +    replicas: 2
    +    selector:
    +      matchLabels:
    +        machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +        machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +    template:
    +      metadata:
    +        labels:
    +          machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +          machine.openshift.io/cluster-api-machine-role: worker
    +          machine.openshift.io/cluster-api-machine-type: worker
    +          machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +      spec:
    +        metadata: {}
    +        providerSpec:
    +          value:
    +            apiVersion: baremetal.cluster.k8s.io/v1alpha1
    +            hostSelector: {}
    +            image:
    +              checksum: http:/172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.md5sum (1)
    +              url: http://172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2 (2)
    +            kind: BareMetalMachineProviderSpec
    +            metadata:
    +              creationTimestamp: null
    +            userData:
    +              name: worker-user-data
    +  status:
    +    availableReplicas: 2
    +    fullyLabeledReplicas: 2
    +    observedGeneration: 11
    +    readyReplicas: 2
    +    replicas: 2
    +
    +
    +
    + + + + + + + + + +
    1Edit the checksum URL to use the API VIP address.
    2Edit the url URL to use the API VIP address.
    +
    +
  4. +
+
+
+
Diagnosing a duplicate MAC address when provisioning a new host in the cluster
+
+

If the MAC address of an existing bare-metal node in the cluster matches the MAC address of a bare-metal host you are attempting to add to the cluster, the Bare Metal Operator associates the host with the existing node. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the Bare Metal Operator retries the installation continuously. A registration error is displayed for the failed bare-metal host.

+
+
+

You can diagnose a duplicate MAC address by examining the bare-metal hosts that are running in the openshift-machine-api namespace.

+
+
+
Prerequisites
+
    +
  • +

    Install an OpenShift Container Platform cluster on bare metal.

    +
  • +
  • +

    Install the OpenShift Container Platform CLI oc.

    +
  • +
  • +

    Log in as a user with cluster-admin privileges.

    +
  • +
+
+
+
Procedure
+

To determine whether a bare-metal host that fails provisioning has the same MAC address as an existing node, do the following:

+
+
+
    +
  1. +

    Get the bare-metal hosts running in the openshift-machine-api namespace:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    Example output
    +
    +
    NAME                 STATUS   PROVISIONING STATUS      CONSUMER
    +openshift-master-0   OK       externally provisioned   openshift-zpwpq-master-0
    +openshift-master-1   OK       externally provisioned   openshift-zpwpq-master-1
    +openshift-master-2   OK       externally provisioned   openshift-zpwpq-master-2
    +openshift-worker-0   OK       provisioned              openshift-zpwpq-worker-0-lv84n
    +openshift-worker-1   OK       provisioned              openshift-zpwpq-worker-0-zd8lm
    +openshift-worker-2   error    registering
    +
    +
    +
  2. +
  3. +

    To see more detailed information about the status of the failing host, run the following command replacing <bare_metal_host_name> with the name of the host:

    +
    +
    +
    $ oc get -n openshift-machine-api bmh <bare_metal_host_name> -o yaml
    +
    +
    +
    +
    Example output
    +
    +
    ...
    +status:
    +  errorCount: 12
    +  errorMessage: MAC address b4:96:91:1d:7c:20 conflicts with existing node openshift-worker-1
    +  errorType: registration error
    +...
    +
    +
    +
  4. +
+
+
+
+
+

4.3.3. Provisioning the bare metal node

+
+

Provisioning the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  2. +
  3. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-3.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-1.openshift.example.com            Ready    master          30h     v1.16.2
    +
    +
    +
  4. +
  5. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +...
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +
    +
    +
  6. +
  7. +

    Increase the number of worker nodes by one.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  8. +
  9. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This can take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  10. +
  11. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                          STATUS   ROLES   AGE     VERSION
    +provisioner.openshift.example.com             Ready    master  30h     v1.16.2
    +openshift-master-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-2.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-3.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-0.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  12. +
+
+
+
+

4.3.4. Preparing the provisioner node to be deployed as a worker node

+
+
Procedure
+

Perform the following steps prior to converting the provisioner node to a worker node.

+
+
+
    +
  1. +

    ssh to a system (for example, a laptop) that can access the out of band management network of the current provisioner node.

    +
  2. +
  3. +

    Copy the backups clusterconfig.tar.gz, clusterconfigsh.tar.gz, and amlconfigs.tar.gz to the new system.

    +
  4. +
  5. +

    Copy the oc binary from the existing provisioning node to the new system.

    +
  6. +
  7. +

    Make a note of the mac addresses, the baremetal network IP used for the provisioner node, and the IP address of +the Out of band Management Network.

    +
  8. +
  9. +

    Reboot the system and ensure that PXE is enabled on the provisioning network and PXE is disabled for all other NICs.

    +
  10. +
  11. +

    If installation was performed using a Satellite server, remove the Host entry for the existing provisioning node.

    +
  12. +
  13. +

    Install the ipmitool on the new system in order to power off the provisioner node.

    +
  14. +
+
+
+
+

4.3.5. Adding a worker node to an existing cluster

+
+
Procedure
+
    +
  1. +

    Retrieve the username and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the username and password. In the following example, the username is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  2. +
  3. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of bare metal node in two name fields and credentialsName field. Replace <base64-of-uid> with the base64 string of the username. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC. Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
  4. +
+
+
+ + + + + +
+ + +
+

When using redfish or redfish-virtualmedia, add the +appropriate addressing as described in the BMC addressing section. See BMC addressing for details.

+
+
+
+
+
    +
  1. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  2. +
  3. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  4. +
  5. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  6. +
  7. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
  8. +
  9. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +openshift-worker-2.example.com      1         1         1       1           55m
    +
    +
    +
  10. +
  11. +

    Increase the number of worker nodes by 1.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  12. +
  13. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This may take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  14. +
  15. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  16. +
+
+
+
Appending DNS records
+
+
Configuring Bind (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +<OUTPUT_OMITTED>
    +openshift-worker-1      A       <ip-of-worker-1>
    +openshift-worker-2      A       <ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  6. +
  7. +

    Increase the SERIAL value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the SERIAL value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+

Append the following DNS record to the /etc/hosts file on the server hosting the dnsmasq service.

+
+
+
+
<OUTPUT_OMITTED>
+<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
+<NIC2-IP> openshift-worker-2.openshift.example.com openshift-worker-2
+
+
+
+ + + + + +
+ + +
+

Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

+
+
+
+
+
+
+
Appending DHCP reservations
+
+
Configuring dhcpd (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host openshift-worker-2 {
    +     option host-name "worker-2";
    +     hardware ethernet <NIC2-mac-address>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+
    +
  1. +

    Append the following DHCP reservation to the /etc/dnsmasq.d/example.dns file on the server hosting the dnsmasq service.

    +
    +
    +
    <OUTPUT_OMITTED>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-worker-1>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-2.openshift.example.com,<ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

    +
    +
    +
    +
  2. +
  3. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  4. +
+
+
+
+
+
Deploying the provisioner node as a worker node using Metal3
+
+

After you have completed the prerequisites, perform the deployment process.

+
+
+
Procedure
+
    +
  1. +

    Power off the node using ipmitool and confirm the provisioning node is powered off.

    +
    +
    +
    ssh <server-with-access-to-management-net>
    +# Use the user, password and Management net IP adddress to shutdown the system
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +# Confirm the server is powered down
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power status
    +Chassis Power is off
    +
    +
    +
  2. +
  3. +

    Get base64 strings for the Out of band Management credentials. In this example, the user is root and the password is calvin.

    +
    +
    +
    # Use echo -ne, otherwise you will get your secrets with \n which will cause issues
    +# Get root username in base64
    +echo -ne "root" | base64
    +# Get root password in base64
    +echo -ne "calvin" | base64
    +
    +
    +
  4. +
  5. +

    Configure the BaremetalHost bmh.yaml file.

    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-2-bmc-secret
    +type: Opaque
    +data:
    +  username: ca2vdAo=
    +  password: MWAwTWdtdC0K
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-2
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<out-of-band-ip>
    +    credentialsName: openshift-worker-2-bmc-secret
    +
    +
    +
  6. +
  7. +

    Create the BaremetalHost.

    +
    +
    +
    ./oc -n openshift-machine-api create -f bmh.yaml
    +secret/openshift-worker-2-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-2 created
    +
    +
    +
  8. +
  9. +

    Power up and inspect the node.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       inspecting                       ipmi://<out-of-band-ip>                      true
    +
    +
    +
  10. +
  11. +

    After finishing the inspection, the node is ready to be provisioned.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
  13. +

    Scale the workers machineset. Previously, there were two replicas during original installation.

    +
    +
    +
    ./oc get machineset -n openshift-machine-api
    +NAME            DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-2   0         0                             21h
    +
    +./oc -n openshift-machine-api scale machineset openshift-worker-2 --replicas=3
    +
    +
    +
  14. +
  15. +

    The baremetal host moves to provisioning status. This can take as long as 30 minutes. You can follow the status +from the node console.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioning          openshift-worker-0-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  16. +
  17. +

    When the node is provisioned it moves to provisioned status.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioned           openshift-worker-2-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  18. +
  19. +

    When the kubelet finishes initialization the node is ready for use. +You can connect to the node and run journalctl -fu kubelet to check the process.

    +
    +
    +
    oc get node
    +NAME                                            STATUS   ROLES           AGE     VERSION
    +openshift-master-0.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-1.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-2.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
  20. +
+
+
+
+
+
+
+
+

5. Appendix

+
+
+

In this section of the document, extra information is provided that is outside of the regular workflow.

+
+
+

5.1. Troubleshooting

+
+

Troubleshooting the installation is out of scope of the Deployment Guide. For more details on troubleshooting deployment, refer to our Troubleshooting guide.

+
+
+
+

5.2. Creating DNS Records

+
+

Two options are documented for configuring DNS records:

+
+ +
+

5.2.1. Configuring Bind (Option 1)

+
+

Use Option 1 if access to the appropriate DNS server for the baremetal network is accessible or a request +to your network admin to create the DNS records is an option. +If this is not an option, skip this section and go to section Create DNS records using dnsmasq (Option 2).

+
+
+

Create a subzone with the name of the cluster that is going to be used on your domain. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +$TTL 300        ; 5 minutes
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +api                     A       <api-ip>
    +ns1                     A       <dns-vip-ip>
    +$ORIGIN apps.openshift.example.com.
    +*                       A       <wildcard-ingress-lb-ip>
    +$ORIGIN openshift.example.com.
    +provisioner             A       <NIC2-ip-of-provision>
    +openshift-master-0      A       <NIC2-ip-of-openshift-master-0>
    +openshift-master-1      A       <NIC2-ip-of-openshift-master-1>
    +openshift-master-2      A       <NIC2-ip-of-openshift-master-2>
    +openshift-worker-0      A       <NIC2-ip-of-openshift-worker-0>
    +openshift-worker-1      A       <NIC2-ip-of-openshift-worker-1>
    +
    +
    +
  6. +
  7. +

    Increase the serial value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    +
    +
    $ORIGIN 1.0.10.in-addr.arpa.
    +$TTL 300
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +126 IN      PTR      provisioner.openshift.example.com.
    +127	IN        	PTR    	openshift-master-0.openshift.example.com.
    +128	IN        	PTR    	openshift-master-1.openshift.example.com.
    +129	IN 	        PTR   	openshift-master-2.openshift.example.com.
    +130	IN 	        PTR   	openshift-worker-0.openshift.example.com.
    +131	IN        	PTR    	openshift-worker-1.openshift.example.com.
    +132 IN      PTR     api.openshift.example.com.
    +133 IN      PTR     ns1.openshift.example.com.
    +
    +
    +
    + + + + + +
    + + +
    +

    In this example, the IP addresses 10.0.1.126-133 are pointed to the corresponding fully qualified domain name.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the serial value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+

5.2.2. Configuring dnsmasq (Option 2)

+
+

To create DNS records, open the /etc/hosts file and add the NIC2 (baremetal net) IP followed by the hostname. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Edit /etc/hosts and add the NIC2 (baremetal net) IP followed by the hostname.

    +
    +
    +
    cat /etc/hosts
    +127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    +::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    +<NIC2-IP> provisioner.openshift.example.com provisioner
    +<NIC2-IP> openshift-master-0.openshift.example.com openshift-master-0
    +<NIC2-IP> openshift-master-1.openshift.example.com openshift-master-1
    +<NIC2-IP> openshift-master-2.openshift.example.com openshift-master-2
    +<NIC2-IP> openshift-worker-0.openshift.example.com openshift-worker-0
    +<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
    +<API-IP>  api.openshift.example.com api
    +<DNS-VIP-IP> ns1.openshift.example.com ns1
    +
    +
    +
  2. +
  3. +

    Open the appropriate firewalld DNS service and reload the rules.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dns --permanent
    +firewall-cmd --reload
    +
    +
    +
  4. +
+
+
+
+
+

5.3. Creating DHCP reservations

+
+

Two options are documented for configuring DHCP:

+
+ +
+

5.3.1. Configuring dhcpd (Option 1)

+
+

Use Option 1 if access to the appropriate DHCP server for the baremetal network is accessible or a request +to your network admin to create the DHCP reservations is an option. +If this is not an option, skip this section and go to section Create DHCP records using dnsmasq (Option 2).

+
+
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host provisioner {
    +     option host-name "provisioner";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-master-0 {
    +     option host-name "openshift-master-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-1 {
    +     option host-name "openshift-master-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-2 {
    +     option host-name "openshift-master-2";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-0 {
    +     option host-name "openshift-worker-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-1 {
    +     option host-name "openshift-worker-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+

5.3.2. Configuring dnsmasq (Option 2)

+
+

Set up dnsmasq on a server that can access the baremetal network.

+
+
+
Procedure
+
    +
  1. +

    Install dnsmasq.

    +
    +
    +
    dnf install -y dnsmasq
    +
    +
    +
  2. +
  3. +

    Change to the /etc/dnsmasq.d directory.

    +
    +
    +
    cd /etc/dnsmasq.d
    +
    +
    +
  4. +
  5. +

    Create a file that reflects your OpenShift cluster appended by .dns.

    +
    +
    +
    touch <filename>.dns
    +
    +
    +
  6. +
  7. +

    Open the appropriate firewalld DHCP service.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dhcp --permanent
    +firewall-cmd --reload
    +
    +
    +
  8. +
  9. +

    Define DNS configuration file

    +
    IPv4
    +
    +

    Here is an example of the .dns file for IPv4.

    +
    +
    +
    +
    domain-needed
    +bind-dynamic
    +bogus-priv
    +domain=openshift.example.com
    +dhcp-range=<baremetal-net-starting-ip,baremetal-net-ending-ip>
    +#dhcp-range=10.0.1.4,10.0.14
    +dhcp-option=3,<baremetal-net-gateway-ip>
    +#dhcp-option=3,10.0.1.254
    +resolv-file=/etc/resolv.conf.upstream
    +interface=<nic-with-access-to-baremetal-net>
    +#interface=em2
    +server=<ip-of-existing-server-on-baremetal-net>
    +
    +
    +#Wildcard for apps -- make changes to cluster-name (openshift) and domain (example.com)
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +
    +#Static IPs for Masters
    +dhcp-host=<NIC2-mac-address>,provisioner.openshift.example.com,<ip-of-provisioner>
    +dhcp-host=<NIC2-mac-address>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<NIC2-mac-address>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<NIC2-mac-address>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-0.openshift.example.com,<ip-of-openshift-worker-0>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-openshift-worker-1>
    +
    +
    +
    IPv6
    +
    +

    Here is an example of the .dns file for IPv6.

    +
    +
    +
    +
    strict-order
    +bind-dynamic
    +bogus-priv
    +dhcp-authoritative
    +dhcp-range=baremetal,<baremetal-IPv6-dhcp-range-start>,<baremetal-IPv6-dhcp-range-end>,<range-prefix>
    +dhcp-option=baremetal,option6:dns-server,[<IPv6-DNS-Server>]
    +
    +resolv-file=/etc/resolv.conf.upstream
    +except-interface=lo
    +dhcp-lease-max=81
    +log-dhcp
    +
    +domain=openshift.example.com,<baremetal-IPv6-cidr>,local
    +
    +# static host-records
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +host-record=api.openshift.example.com,<api-ip>
    +host-record=ns1.openshift.example.com,<dns-ip>
    +host-record=openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +host-record=openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +host-record=openshift-master-2.openshift.example.com,<ip-of-openshift-master-1>
    +# Registry
    +host-record=registry.openshift.example.com,<ip-of-registry-server>
    +
    +#Static IPs for Masters
    +dhcp-host=<baremetal-nic-duid>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<baremetal-nic-duid>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<baremetal-nic-duid>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +
    +
    +
  10. +
  11. +

    Create the resolv.conf.upstream file to provide DNS fowarding to an existing DNS server for resolution +to the outside world.

    +
    +
    +
    search <domain.com>
    +nameserver <ip-of-my-existing-dns-nameserver>
    +
    +
    +
  12. +
  13. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  14. +
  15. +

    Verify the dnsmasq service is running.

    +
    +
    +
    systemctl status dnsmasq
    +
    +
    +
  16. +
+
+
+
+
+
+
+
+
+
+1. Stateless Address AutoConfiguration +
+
+ + + \ No newline at end of file diff --git a/4.7/Deployment.pdf b/4.7/Deployment.pdf new file mode 100644 index 0000000000..0c7ce945c1 Binary files /dev/null and b/4.7/Deployment.pdf differ diff --git a/4.7/Troubleshooting.html b/4.7/Troubleshooting.html new file mode 100644 index 0000000000..cbf7ddef42 --- /dev/null +++ b/4.7/Troubleshooting.html @@ -0,0 +1,1991 @@ + + + + + + + + + + +Troubleshooting Guide for IPI Installation + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+

While attempting to deploy Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal (BM), you may run into a situation where you need to troubleshoot your environment. This document provides troubleshooting guidance and tips in solving common issues that may arise.

+
+
+
+
+

1. Troubleshooting the installer workflow

+
+
+

Prior to troubleshooting the installation environment, it is critical to understand the overall flow of the IPI installation on bare metal. The diagrams below provide a troubleshooting flow with a step-by-step breakdown for the environment.

+
+
+

Flow-Diagram-1

+
+
+

Workflow 1 of 4 illustrates a troubleshooting workflow when the install-config.yaml file has errors or the Red Hat Enterprise Linux CoreOS (RHCOS) images are inaccessible. Troubleshooting suggestions can be found at

+
+ +
+

Flow-Diagram-2

+
+
+

Workflow 2 of 4 illustrates a troubleshooting workflow for bootstrap VM issues, bootstrap VMs that cannot boot up the cluster nodes, and inspecting logs.

+
+
+

Flow-Diagram-3

+
+
+

Workflow 3 of 4 illustrates a troubleshooting workflow for cluster nodes that will not PXE boot.

+
+
+

Flow-Diagram-4

+
+
+

Workflow 4 of 4 illustrates a troubleshooting workflow from + a non-accessible API to a validated installation.

+
+
+
+
+

2. Troubleshooting install-config.yaml

+
+
+

The install-config.yaml configuration file represents all of the nodes that are part of the OpenShift Container Platform cluster. The file contains the necessary options consisting of but not limited to apiVersion, baseDomain, imageContentSources (OpenShift 4.13 and below) or imageDigestSources (OpenShirt 4.14 and above), and virtual IP addresses. If errors occur early in the deployment of the OpenShift Container Platform cluster, the errors are likely in the install-config.yaml configuration file.

+
+
+
Procedure
+
    +
  1. +

    Use the guidelines in YAML-tips.

    +
  2. +
  3. +

    Verify the YAML syntax is correct using syntax-check.

    +
  4. +
  5. +

    Verify the Red Hat Enterprise Linux CoreOS (RHCOS) QEMU images are properly defined and accessible via the URL provided in the install-config.yaml. For example:

    +
    +
    +
    $ curl -s -o /dev/null -I -w "%{http_code}\n" http://webserver.example.com:8080/rhcos-44.81.202004250133-0-qemu.x86_64.qcow2.gz?sha256=7d884b46ee54fe87bbc3893bf2aa99af3b2d31f2e19ab5529c60636fbd0f1ce7
    +
    +
    +
    +

    If the output is 200, there is a valid response from the webserver storing the bootstrap VM image.

    +
    +
  6. +
+
+
+
+
+

3. Bootstrap VM issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    $ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
    + + + + + +
    + + +
    +

    The name of the bootstrap VM is always the cluster name followed by a random set of characters and ending in the word "bootstrap."

    +
    +
    +
    +
    +

    If the bootstrap VM is not running after 10-15 minutes, troubleshoot why it is not running. Possible issues include:

    +
    +
  2. +
  3. +

    Verify libvirtd is running on the system:

    +
    +
    +
    $ systemctl status libvirtd
    +
    +
    +
    +
    +
    ● libvirtd.service - Virtualization daemon
    +   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
    +   Active: active (running) since Tue 2020-03-03 21:21:07 UTC; 3 weeks 5 days ago
    +     Docs: man:libvirtd(8)
    +           https://libvirt.org
    + Main PID: 9850 (libvirtd)
    +    Tasks: 20 (limit: 32768)
    +   Memory: 74.8M
    +   CGroup: /system.slice/libvirtd.service
    +           ├─ 9850 /usr/sbin/libvirtd
    +
    +
    +
    +

    If the bootstrap VM is operational, log into it.

    +
    +
  4. +
  5. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    $ sudo virsh console example.com
    +
    +
    +
    +
    +
    Connected to domain example.com
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
    + + + + + +
    + + +
    +

    When deploying a OpenShift Container Platform cluster without the provisioning network, you must use a public IP address and not a private IP address like 172.22.0.2.

    +
    +
    +
    +
  6. +
  7. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, you can use the IPv6 IP address provided by ens3 or the IPv4 IP provided by ens4.

    +
    +
    +
    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  8. +
+
+
+

If you are not successful logging in to the bootstrap VM, you have likely encountered one of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the 172.22.0.0/24 network. Verify network connectivity on the provisioner host specifically around the provisioning network bridge. This will not be the issue if you are not using the provisioning network.

    +
  • +
  • +

    You cannot reach the bootstrap VM via the public network. When attempting +to SSH via baremetal network, verify connectivity on the +provisioner host specifically around the baremetal network bridge.

    +
  • +
  • +

    You encountered Permission denied (publickey,password,keyboard-interactive). When +attempting to access the bootstrap VM, a Permission denied error +might occur. Verify that the SSH key for the user attempting to log +into the VM is set within the install-config.yaml file.

    +
  • +
+
+
+

3.1. Bootstrap VM cannot boot up the cluster nodes

+
+

During the deployment, it is possible for the bootstrap VM to fail to boot the cluster nodes, which prevents the VM from provisioning the nodes with the RHCOS image. This scenario can arise due to:

+
+
+
    +
  • +

    A problem with the install-config.yaml file.

    +
  • +
  • +

    Issues with out-of-band network access via the baremetal network.

    +
  • +
+
+
+

To verify the issue, there are three containers related to ironic:

+
+
+
    +
  • +

    ironic-api

    +
  • +
  • +

    ironic-conductor

    +
  • +
  • +

    ironic-inspector

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    To check the container logs, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs -f <container-name>
    +
    +
    +
    +

    Replace <container-name> with one of ironic-api, ironic-conductor, or ironic-inspector. If you encounter an issue where the control plane nodes are not booting up via PXE, check the ironic-conductor pod. The ironic-conductor pod contains the most detail about the attempt to boot the cluster nodes, because it attempts to log in to the node over IPMI.

    +
    +
  4. +
+
+
+
Potential reason
+

The cluster nodes might be in the ON state when deployment started.

+
+
+
Solution
+

Power off the OpenShift Container Platform cluster nodes before you begin the +installation over IPMI:

+
+
+
+
$ ipmitool -I lanplus -U root -P <password> -H <out-of-band-ip> power off
+
+
+
+
+

3.2. Inspecting logs

+
+

When experiencing issues downloading or accessing the RHCOS images, first verify that the URL is correct in the install-config.yaml configuration file.

+
+
+
Example of internal webserver hosting RHCOS images
+
+
bootstrapOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-qemu.x86_64.qcow2.gz?sha256=9d999f55ff1d44f7ed7c106508e5deecd04dc3c06095d34d36bf1cd127837e0c
+clusterOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-openstack.x86_64.qcow2.gz?sha256=a1bda656fa0892f7b936fdc6b6a6086bddaed5dafacedcd7a1e811abb78fe3b0
+
+
+
+

The ipa-downloader and coreos-downloader containers download resources from a webserver or the external quay.io registry, whichever the install-config.yaml configuration file specifies. Verify the following two containers are up and running and inspect their logs as needed:

+
+
+
    +
  • +

    ipa-downloader

    +
  • +
  • +

    coreos-downloader

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    Check the status of the ipa-downloader and coreos-downloader containers within the bootstrap VM:

    +
    +
    +
    [core@localhost ~]$ podman logs -f ipa-downloader
    +
    +
    +
    +
    +
    [core@localhost ~]$ podman logs -f coreos-downloader
    +
    +
    +
    +

    If the bootstrap VM cannot access the URL to the images, use the curl command to verify that the VM can access the images.

    +
    +
  4. +
  5. +

    To inspect the bootkube logs that indicate if all the containers launched during the deployment phase, execute the following:

    +
    +
    +
    [core@localhost ~]$ journalctl -xe
    +
    +
    +
    +
    +
    [core@localhost ~]$ journalctl -b -f -u bootkube.service
    +
    +
    +
  6. +
  7. +

    Verify all the pods, including dnsmasq, mariadb, httpd, and ironic, are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps
    +
    +
    +
  8. +
  9. +

    If there are issues with the pods, check the logs of the containers with issues. To check the log of the ironic-api, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs <ironic-api>
    +
    +
    +
  10. +
+
+
+
+
+
+

4. Ironic Bootstrap issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes. The cluster nodes are powered on, introspected and finally provisioned using Ironic.

+
+
+

Sometimes you might need to connect to the Ironic service running on the bootstrap node virtual machine to troubleshoot issues related to Ironic.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
  2. +
  3. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh console openshift-xf6fq-bootstrap
    +
    +
    +
    +
    +
    Connected to domain openshift-xf6fq-bootstrap
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
  4. +
  5. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, the IPv6 IP provided by ens3 or the IPv4 IP provided by ens4 can be used.

    +
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ ssh core@172.22.0.2
    +
    +
    +
  6. +
  7. +

    Make sure Ironic containers are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps | grep ironic
    +90251a35d1e2  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-api
    +168e712c9996  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c6af62509b3d66effe8e16c81e42e75e124ccb5770f82efb010ecc3ebadc48b8                        2 minutes ago  Up 2 minutes ago         ironic-inspector
    +025f8247bfb0  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-conductor
    +
    +
    +
  8. +
  9. +

    Get the value for the bootstrapProvisioningIp property from your install-config.yaml.

    +
  10. +
  11. +

    Create a clouds.yaml file:

    +
    +
    +
    clouds:
    +  metal3-bootstrap:
    +    auth_type: none
    +    baremetal_endpoint_override: http://<bootstrapProvisioningIp>:6385
    +    baremetal_introspection_endpoint_override: http://<bootstrapProvisioningIp>:5050
    +
    +
    +
    + + + + + +
    + + +
    +

    Make sure in the file above you change <bootstrapProvisioningIp> with the value from your install-config.yaml file.

    +
    +
    +
    +
  12. +
  13. +

    Run the ironic-client on the bootstrap VM using podman:

    +
    +
    +
    [core@localhost ~]$ podman run -ti --rm --entrypoint /bin/bash -v /path/to/clouds.yaml:/clouds.yaml -e OS_CLOUD=metal3-bootstrap quay.io/metal3-io/ironic-client
    +
    +
    +
  14. +
  15. +

    Once you’re in the container, run the following command to see the status of the nodes on Ironic:

    +
    +
    +
    [root@1facad6bccff /]# baremetal node list
    +
    +
    +
    +

    The expected states for the nodes are clean-waitavailabledeployingwait call-backactive.

    +
    +
    +
      +
    • +

      clean-wait: The IPA (Ironic Python Agent) will clean the node main disk and write RHCOS to it. After that will report the node status back to Ironic.

      +
    • +
    • +

      available: The node has been introspected and it’s ready to be provisioned.

      +
    • +
    • +

      deploying: The node is being provisioned with RHCOS + the required Ignition configs.

      +
    • +
    • +

      wait call-back: The node is deployed and Ironic is waiting for the node to finish everything before marking the node as active.

      +
    • +
    • +

      active: The node is fully provisioned from an Ironic perspective.

      +
    • +
    +
    +
  16. +
+
+
+

If you are not getting any output, you have likely encountered of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the bootstrapProvisioningIp from the bootstrap VM.

    +
  • +
  • +

    The Ironic conductor was not able to power on and configure the nodes to boot with the IPA image.

    +
  • +
  • +

    The machine running the openshift-install binary cannot access the bootstrapProvisioningIp on port 6385.

    +
  • +
+
+
+
+
+

5. Cluster nodes will not PXE boot

+
+
+

When OpenShift Container Platform cluster nodes will not PXE boot, execute the following checks on the cluster nodes that will not PXE boot. This procedure does not apply when installing a OpenShift Container Platform cluster without the provisioning network.

+
+
+
Procedure
+
    +
  1. +

    Check the network connectivity to the provisioning network.

    +
  2. +
  3. +

    Ensure PXE is enabled on the NIC for the provisioning network and PXE is disabled for all other NICs.

    +
  4. +
  5. +

    Verify that the install-config.yaml configuration file has the proper hardware profile and boot MAC address for the NIC connected to the provisioning network. For example:

    +
    +
    Master node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: default          #master node settings
    +
    +
    +
    +
    Worker node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: unknown          #worker node settings
    +
    +
    +
  6. +
+
+
+
+
+

6. The API is not accessible

+
+
+

When the cluster is running and clients cannot access the API, domain name resolution issues might impede access to the API.

+
+
+
Procedure
+
    +
  1. +

    Hostname Resolution: Check the cluster nodes to ensure they have a fully qualified domain name, and not just localhost.localdomain. For example:

    +
    +
    +
    $ hostname
    +
    +
    +
    +

    If a hostname is not set, set the correct hostname. For example:

    +
    +
    +
    +
    $ hostnamectl set-hostname <hostname>
    +
    +
    +
  2. +
  3. +

    Incorrect Name Resolution: Ensure that each node has the correct name resolution in the DNS server using dig and nslookup. For example:

    +
    +
    +
    $ dig api.<cluster-name>.example.com
    +
    +
    +
    +
    +
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> api.<cluster-name>.example.com
    +;; global options: +cmd
    +;; Got answer:
    +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37551
    +;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    +
    +;; OPT PSEUDOSECTION:
    +; EDNS: version: 0, flags:; udp: 4096
    +; COOKIE: 866929d2f8e8563582af23f05ec44203d313e50948d43f60 (good)
    +;; QUESTION SECTION:
    +;api.<cluster-name>.example.com. IN A
    +
    +;; ANSWER SECTION:
    +api.<cluster-name>.example.com. 10800 IN	A 10.19.13.86
    +
    +;; AUTHORITY SECTION:
    +<cluster-name>.example.com. 10800 IN NS	<cluster-name>.example.com.
    +
    +;; ADDITIONAL SECTION:
    +<cluster-name>.example.com. 10800 IN A	10.19.14.247
    +
    +;; Query time: 0 msec
    +;; SERVER: 10.19.14.247#53(10.19.14.247)
    +;; WHEN: Tue May 19 20:30:59 UTC 2020
    +;; MSG SIZE  rcvd: 140
    +
    +
    +
    +

    The output in the foregoing example indicates that the appropriate IP address for the api.<cluster-name>.example.com VIP is 10.19.13.86. This IP address should reside on the baremetal network.

    +
    +
  4. +
+
+
+
+
+

7. Cleaning up previous installations

+
+
+

In the event of a previous failed deployment, remove the artifacts from the failed attempt before attempting to deploy OpenShift Container Platform again.

+
+
+
Procedure
+
    +
  1. +

    Power off all bare metal nodes prior to installing the OpenShift Container Platform cluster:

    +
    +
    +
    $ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  2. +
  3. +

    Remove all old bootstrap resources if any are left over from a previous deployment attempt:

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool $i;
    +  sudo virsh vol-delete $i.ign --pool $i;
    +  sudo virsh pool-destroy $i;
    +  sudo virsh pool-undefine $i;
    +done
    +
    +
    +
  4. +
  5. +

    Remove the following from the clusterconfigs directory to prevent Terraform from failing:

    +
    +
    +
    $ rm -rf ~/clusterconfigs/auth ~/clusterconfigs/terraform* ~/clusterconfigs/tls ~/clusterconfigs/metadata.json
    +
    +
    +
  6. +
+
+
+
+
+

8. Issues with creating the registry

+
+
+

When creating a disconnected registry, you might encounter a "User Not Authorized" error when attempting to mirror the registry. This error might occur if you fail to append the new authentication to the existing pull-secret.txt file.

+
+
+
Procedure
+
    +
  1. +

    Check to ensure authentication is successful:

    +
    +
    +
    [user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.json
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
    + + + + + +
    + + +
    +

    Example output of the variables used to mirror the install images:

    +
    +
    +
    +
    UPSTREAM_REPO=${RELEASE_IMAGE}
    +LOCAL_REG=<registry_FQDN>:<registry_port>
    +LOCAL_REPO='ocp4/openshift4'
    +
    +
    +
    +

    The values of RELEASE_IMAGE and VERSION were set during the Retrieving OpenShift Installer step of the Setting up the environment for an OpenShift installation section.

    +
    +
    +
    +
  2. +
  3. +

    After mirroring the registry, confirm that you can access it in your +disconnected environment:

    +
    +
    +
    $ curl -k -u <user>:<password> https://registry.example.com:<registry-port>/v2/_catalog
    +{"repositories":["<Repo-Name>"]}
    +
    +
    +
  4. +
+
+
+
+
+

9. Miscellaneous issues

+
+
+

9.1. Addressing the runtime network not ready error

+
+

After the deployment of a cluster you might receive the following error:

+
+
+
+
`runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: Missing CNI default network`
+
+
+
+

The Cluster Network Operator is responsible for deploying the networking components in response to a special object created by the installer. It runs very early in the installation process, after the control plane (master) nodes have come up, but before the bootstrap control plane has been torn down. It can be indicative of more subtle installer issues, such as long delays in bringing up control plane (master) nodes or issues with apiserver communication.

+
+
+
Procedure
+
    +
  1. +

    Inspect the pods in the openshift-network-operator namespace:

    +
    +
    +
    $ oc get all -n openshift-network-operator
    +
    +
    +
    +
    +
    NAME                                    READY STATUS            RESTARTS   AGE
    +pod/network-operator-69dfd7b577-bg89v   0/1   ContainerCreating 0          149m
    +
    +
    +
  2. +
  3. +

    On the provisioner node, determine that the network configuration exists:

    +
    +
    +
    $ kubectl get network.config.openshift.io cluster -oyaml
    +
    +
    +
    +
    +
    apiVersion: config.openshift.io/v1
    +kind: Network
    +metadata:
    +  name: cluster
    +spec:
    +  serviceNetwork:
    +  - 172.30.0.0/16
    +  clusterNetwork:
    +  - cidr: 10.128.0.0/14
    +    hostPrefix: 23
    +  networkType: OpenShiftSDN
    +
    +
    +
    +

    If it does not exist, the installer did not create it. To determine why the installer did not create it, execute the following:

    +
    +
    +
    +
    $ openshift-install create manifests
    +
    +
    +
  4. +
  5. +

    Check that the network-operator is running:

    +
    +
    +
    $ kubectl -n openshift-network-operator get pods
    +
    +
    +
  6. +
  7. +

    Retrieve the logs:

    +
    +
    +
    $ kubectl -n openshift-network-operator logs -l "name=network-operator"
    +
    +
    +
    +

    On high availability clusters with three or more control plane (master) nodes, the Operator will perform leader election and all other Operators will sleep. For additional details, see Troubleshooting.

    +
    +
  8. +
+
+
+
+

9.2. Cluster nodes not getting the correct IPv6 address over DHCP

+
+

If the cluster nodes are not getting the correct IPv6 address over DHCP, check the following:

+
+
+
    +
  1. +

    Ensure the reserved IPv6 addresses reside outside the DHCP range.

    +
  2. +
  3. +

    In the IP address reservation on the DHCP server, ensure the reservation specifies the correct DHCP Unique Identifier (DUID). For example:

    +
    +
    +
    # This is a dnsmasq dhcp reservation, 'id:00:03:00:01' is the client id and '18:db:f2:8c:d5:9f' is the MAC Address for the NIC
    +id:00:03:00:01:18:db:f2:8c:d5:9f,openshift-master-1,[2620:52:0:1302::6]
    +
    +
    +
  4. +
  5. +

    Ensure that route announcements are working.

    +
  6. +
  7. +

    Ensure that the DHCP server is listening on the required interfaces serving the IP address ranges.

    +
  8. +
+
+
+
+

9.3. Cluster nodes not getting the correct hostname over DHCP

+
+

During IPv6 deployment, cluster nodes must get their hostname over DHCP. Sometimes the NetworkManager does not assign the hostname immediately. A control plane (master) node might report an error such as:

+
+
+
+
Failed Units: 2
+  NetworkManager-wait-online.service
+  nodeip-configuration.service
+
+
+
+

This error indicates that the cluster node likely booted without first receiving a hostname from the DHCP server, which causes kubelet to boot +with a localhost.localdomain hostname. To address the error, force the node to renew the hostname.

+
+
+
Procedure
+
    +
  1. +

    Retrieve the hostname:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
    +

    If the hostname is localhost, proceed with the following steps.

    +
    +
    + + + + + +
    + + +
    +

    Where X is the master node number.

    +
    +
    +
    +
  2. +
  3. +

    Force the cluster node to renew the DHCP lease:

    +
    +
    +
    [core@master-X ~]$ sudo nmcli con up "<bare-metal-nic>"
    +
    +
    +
    +

    Replace <bare-metal-nic> with the wired connection corresponding to the baremetal network.

    +
    +
  4. +
  5. +

    Check hostname again:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
  6. +
  7. +

    If the hostname is still localhost.localdomain, restart NetworkManager:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart NetworkManager
    +
    +
    +
  8. +
  9. +

    If the hostname is still localhost.localdomain, wait a few minutes and check again. If the hostname remains localhost.localdomain, repeat the previous steps.

    +
  10. +
  11. +

    Restart the nodeip-configuration service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart nodeip-configuration.service
    +
    +
    +
    +

    This service will reconfigure the kubelet service with the correct hostname references.

    +
    +
  12. +
  13. +

    Reload the unit files definition since the kubelet changed in the previous step:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl daemon-reload
    +
    +
    +
  14. +
  15. +

    Restart the kubelet service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart kubelet.service
    +
    +
    +
  16. +
  17. +

    Ensure kubelet booted with the correct hostname:

    +
    +
    +
    [core@master-X ~]$ sudo journalctl -fu kubelet.service
    +
    +
    +
  18. +
+
+
+

If the cluster node is not getting the correct hostname over DHCP after the cluster is up and running, such as during a reboot, the cluster will have a pending csr. Do not approve a csr, or other issues might arise.

+
+
+
Addressing a csr
+
    +
  1. +

    Get CSRs on the cluster:

    +
    +
    +
    $ oc get csr
    +
    +
    +
  2. +
  3. +

    Verify if a pending csr contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc get csr <pending_csr> -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -text
    +
    +
    +
  4. +
  5. +

    Remove any csr that contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc delete csr <wrong_csr>
    +
    +
    +
  6. +
+
+
+
+

9.4. Routes do not reach endpoints

+
+

During the installation process, it is possible to encounter a Virtual Router Redundancy Protocol (VRRP) conflict. This conflict might occur if a previously used OpenShift Container Platform node that was once part of a cluster deployment using a specific cluster name is still running but not part of the current OpenShift Container Platform cluster deployment using that same cluster name. For example, a cluster was deployed using the cluster name openshift, deploying three control plane (master) nodes and three worker nodes. Later, a separate install uses the same cluster name openshift, but this redeployment only installed three control plane (master) nodes, leaving the three worker nodes from a previous deployment in an ON state. This might cause a Virtual Router Identifier (VRID) conflict and a VRRP conflict.

+
+
+
    +
  1. +

    Get the route:

    +
    +
    +
    $ oc get route oauth-openshift
    +
    +
    +
  2. +
  3. +

    Check the service endpoint:

    +
    +
    +
    $ oc get svc oauth-openshift
    +
    +
    +
    +
    +
    NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
    +oauth-openshift   ClusterIP   172.30.19.162   <none>        443/TCP   59m
    +
    +
    +
  4. +
  5. +

    Attempt to reach the service from a control plane (master) node:

    +
    +
    +
    [core@master0 ~]$ curl -k https://172.30.19.162
    +
    +
    +
    +
    +
    {
    +  "kind": "Status",
    +  "apiVersion": "v1",
    +  "metadata": {
    +  },
    +  "status": "Failure",
    +  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
    +  "reason": "Forbidden",
    +  "details": {
    +  },
    +  "code": 403
    +
    +
    +
  6. +
  7. +

    Identify the authentication-operator errors from the provisioner node:

    +
    +
    +
    $ oc logs deployment/authentication-operator -n openshift-authentication-operator
    +
    +
    +
    +
    +
    Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-authentication-operator", Name:"authentication-operator", UID:"225c5bd5-b368-439b-9155-5fd3c0459d98", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'OperatorStatusChanged' Status for clusteroperator/authentication changed: Degraded message changed from "IngressStateEndpointsDegraded: All 2 endpoints for oauth-server are reporting"
    +
    +
    +
  8. +
+
+
+
Solution
+
    +
  1. +

    Ensure that the cluster name for every deployment is unique, ensuring no conflict.

    +
  2. +
  3. +

    Turn off all the rogue nodes which are not part of the cluster deployment that are using the same cluster name. Otherwise, the authentication pod of the OpenShift Container Platform cluster might never start successfully.

    +
  4. +
+
+
+
+

9.5. Failed Ignition during Firstboot

+
+

During the Firstboot, the Ignition configuration may fail.

+
+
+
Procedure
+
    +
  1. +

    Connect to the node where the Ignition configuration failed:

    +
    +
    +
    Failed Units: 1
    +  machine-config-daemon-firstboot.service
    +
    +
    +
  2. +
  3. +

    Restart the machine-config-daemon-firstboot service:

    +
    +
    +
    [core@worker-X ~]$ sudo systemctl restart machine-config-daemon-firstboot.service
    +
    +
    +
  4. +
+
+
+
+

9.6. NTP out of sync

+
+

The deployment of OpenShift Container Platform clusters depends on NTP synchronized clocks among the cluster nodes. Without synchronized clocks, the deployment may fail due to clock drift if the time difference is greater than two seconds.

+
+
+
Procedure
+
    +
  1. +

    Check for differences in the AGE of the cluster nodes. For example:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                         STATUS   ROLES    AGE   VERSION
    +master-0.cloud.example.com   Ready    master   145m   v1.16.2
    +master-1.cloud.example.com   Ready    master   135m   v1.16.2
    +master-2.cloud.example.com   Ready    master   145m   v1.16.2
    +worker-2.cloud.example.com   Ready    worker   100m   v1.16.2
    +
    +
    +
  2. +
  3. +

    Check for inconsistent timing delays due to clock drift. For example:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    +
    master-1   error registering master-1  ipmi://<out-of-band-ip>
    +
    +
    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 18:20:02 UTC
    +           Universal time: Tue 2020-03-10 18:20:02 UTC
    +                 RTC time: Tue 2020-03-10 18:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: no
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
  4. +
+
+
+
Addressing clock drift in existing clusters
+
    +
  1. +

    Create a chrony.conf file and encode it as base64 string. For example:

    +
    +
    +
    $ cat << EOF | base 64
    +server <NTP-server> iburst(1)
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +EOF
    +
    +
    +
    + + + + + +
    1Replace <NTP-server> with the IP address of the NTP server. Copy the output. +
    +
    +
    [text-in-base-64]
    +
    +
    +
    +
  2. +
  3. +

    Create a MachineConfig object, replacing the base64 string with +the [text-in-base-64] string generated in the output of the previous step. The following example adds the file to the control plane (master) nodes. You can modify the file for worker nodes or make an additional machine config for the worker role.

    +
    +
    +
    $ cat << EOF > ./99_masters-chrony-configuration.yaml
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  creationTimestamp: null
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf
    +spec:
    +  config:
    +    ignition:
    +      config: {}
    +      security:
    +        tls: {}
    +      timeouts: {}
    +      version: 3.1.0
    +    networkd: {}
    +    passwd: {}
    +    storage:
    +      files:
    +      - contents:
    +          source: data:text/plain;charset=utf-8;base64,[text-in-base-64](1)
    +        group:
    +          name: root
    +        mode: 420
    +        overwrite: true
    +        path: /etc/chrony.conf
    +        user:
    +          name: root
    +  osImageURL: ""
    +
    +
    +
    + + + + + +
    1Replace [text-in-base-64] with the base64 string.
    +
    +
  4. +
  5. +

    Make a backup copy of the configuration file. For example:

    +
    +
    +
    $ cp 99_masters-chrony-configuration.yaml 99_masters-chrony-configuration.yaml.backup
    +
    +
    +
  6. +
  7. +

    Apply the configuration file:

    +
    +
    +
    $ oc apply -f ./masters-chrony-configuration.yaml
    +
    +
    +
  8. +
  9. +

    Ensure the System clock synchronized value is yes:

    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 19:10:02 UTC
    +           Universal time: Tue 2020-03-10 19:10:02 UTC
    +                 RTC time: Tue 2020-03-10 19:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: yes
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
    +

    To setup clock synchronization prior to deployment, generate the manifest files and add this file to the openshift directory. For example:

    +
    +
    +
    +
    $ cp chrony-masters.yaml ~/clusterconfigs/openshift/99_masters-chrony-configuration.yaml
    +
    +
    +
    +

    Then, continue to create the cluster.

    +
    +
  10. +
+
+
+
+
+
+

10. Reviewing the installation

+
+
+

After installation, ensure the installer deployed the nodes and pods successfully.

+
+
+
Procedure
+
    +
  1. +

    When the OpenShift Container Platform cluster nodes are installed appropriately, the following Ready state is seen within the STATUS column:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                   STATUS   ROLES           AGE  VERSION
    +master-0.example.com   Ready    master,worker   4h   v1.16.2
    +master-1.example.com   Ready    master,worker   4h   v1.16.2
    +master-2.example.com   Ready    master,worker   4h   v1.16.2
    +
    +
    +
  2. +
  3. +

    Confirm the installer deployed all pods successfully. The following command +removes any pods that are still running or have completed as part of the output.

    +
    +
    +
    $ oc get pods --all-namespaces | grep -iv running | grep -iv complete
    +
    +
    +
  4. +
+
+
+
+
+ + + \ No newline at end of file diff --git a/4.7/Troubleshooting.pdf b/4.7/Troubleshooting.pdf new file mode 100644 index 0000000000..21ef113f4f Binary files /dev/null and b/4.7/Troubleshooting.pdf differ diff --git a/4.8/Deployment.html b/4.8/Deployment.html new file mode 100644 index 0000000000..bdae30c379 --- /dev/null +++ b/4.8/Deployment.html @@ -0,0 +1,6391 @@ + + + + + + + + + + +Deploying Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal - 4.8 + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+
+
+

1. Overview

+
+
+

Installer-provisioned installation provides support for installing OpenShift Container Platform on bare metal nodes. This guide provides a methodology to achieving a successful installation.

+
+
+

During installer-provisioned installation on bare metal, the installer on the bare metal node labeled as provisioner creates a bootstrap virtual machine (VM). The role of the bootstrap VM is to assist in the process of deploying an OpenShift Container Platform cluster. The bootstrap VM connects to the baremetal network and to the provisioning network, if present, via the network bridges.

+
+
+
+Deployment phase one +
+
+
+

When the installation of OpenShift control plane nodes is complete and fully operational, the installer destroys the bootstrap VM automatically and moves the virtual IP addresses (VIPs) to +the control plane nodes.

+
+
+
+Deployment phase two +
+
+
+
+
+

2. Prerequisites

+
+ +
+

Installer-provisioned installation of OpenShift Container Platform requires:

+
+
+
    +
  1. +

    One provisioner node with Red Hat Enterprise Linux (RHEL) 8.x installed.

    +
  2. +
  3. +

    Three control plane nodes.

    +
  4. +
  5. +

    Baseboard Management Controller (BMC) access to each node.

    +
  6. +
  7. +

    At least one network:

    +
    +
      +
    1. +

      One required routable network

      +
    2. +
    3. +

      One optional network for provisioning nodes; and,

      +
    4. +
    5. +

      One optional management network.

      +
    6. +
    +
    +
  8. +
+
+
+

Before starting an installer-provisioned installation of OpenShift Container Platform, ensure the hardware environment meets the following requirements.

+
+
+

2.1. Node requirements

+
+

Installer-provisioned installation involves a number of hardware node requirements:

+
+
+
    +
  • +

    CPU architecture: All nodes must use x86_64 CPU architecture.

    +
  • +
  • +

    Similar nodes: Red Hat recommends nodes have an identical configuration per role. That is, Red Hat recommends nodes be the same brand and model with the same CPU, memory and storage configuration.

    +
  • +
  • +

    Baseboard Management Controller: The provisioner node must be able to access the baseboard management controller (BMC) of each OpenShift Container Platform cluster node. You may use IPMI, Redfish, or a proprietary protocol.

    +
  • +
  • +

    Latest generation: Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, RHEL 8 ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support RHEL 8 for the provisioner node and RHCOS 8 for the control plane and worker nodes.

    +
  • +
  • +

    Registry node: (Optional) If setting up a disconnected mirrored registry, it is recommended the registry reside in its own node.

    +
  • +
  • +

    Provisioner node: Installer-provisioned installation requires one provisioner node.

    +
  • +
  • +

    Control plane: Installer-provisioned installation requires three control plane nodes for high availability.

    +
  • +
  • +

    Worker nodes: While not required, a typical production cluster has one or more worker nodes. Smaller clusters are more resource efficient for administrators and developers during development, production, and testing.

    +
  • +
  • +

    Network interfaces: Each node must have at least one 10GB network interface for the routable baremetal network. Each node must have one 10GB network interface for a provisioning network when using the provisioning network for deployment. Using the provisioning network is the default configuration. Network interface names must follow the same naming convention across all nodes. For example, the first NIC name on a node, such as eth0 or eno1, must be the same name on all of the other nodes. The same principle applies to the remaining NICs on each node.

    +
  • +
  • +

    Unified Extensible Firmware Interface (UEFI): Installer-provisioned installation requires UEFI boot on all OpenShift Container Platform nodes when using IPv6 addressing on the provisioning network. In addition, UEFI Device PXE Settings must be set to use the IPv6 protocol on the provisioning network NIC, but omitting the provisioning network removes this requirement.

    +
  • +
  • +

    Secure Boot: Many production scenarios require nodes with Secure Boot enabled to verify the node only boots with trusted software, such as UEFI firmware drivers, EFI applications and the operating system. You may deploy with secure boot manually or managed.

    +
    +
      +
    1. +

      Manually: To deploy a OpenShift Container Platform cluster with Secure Boot manually, you must enable UEFI boot mode and Secure Boot on each control plane node and each worker node. Red Hat supports Secure Boot with manually enabled UEFI and Secure Boot only when installer-provisioned installation uses Redfish virtual media.

      +
    2. +
    3. +

      Managed: To deploy a OpenShift Container Platform cluster with managed Secure Boot, you must set the bootMode value to UEFISecureBoot in the install-config.yaml file. Red Hat only supports installer-provisioned installation with managed Secure Boot on 10th generation HPE hardware and 13th generation Dell hardware running firmware version 2.75.75.75 or greater. Deploying with managed Secure Boot does not require Redfish virtual media.

      +
      + + + + + +
      + + +
      +

      Red Hat does not support Secure Boot with self-generated keys.

      +
      +
      +
      +
    4. +
    +
    +
  • +
+
+
+
+

2.2. Firmware requirements for installing with virtual media

+
+

The installer for installer-provisioned OpenShift Container Platform clusters validates the hardware and firmware compatibility with Redfish virtual media. The following table lists supported firmware for installer-provisioned OpenShift Container Platform clusters deployed with Redfish virtual media.

+
+ + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1. Firmware compatibility for Redfish virtual media
HardwareModelManagementFirmware Versions

HP

10th Generation

iLO5

N/A

9th Generation

iLO4

N/A

Dell

14th Generation

iDRAC 9

v4.20.20.20 - 04.40.00.00

13th Generation

iDRAC 8

v2.75.75.75+

+
+ + + + + +
+ + +
+

Refer to the hardware documentation for the nodes or contact the hardware vendor for information on updating the firmware.

+
+
+

There are no known firmware limitations for HP servers.

+
+
+

For Dell servers, ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach . With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+
+
+ + + + + +
+ + +
+

The installer will not initiate installation on a node if the node firmware is below the foregoing versions when installing with virtual media.

+
+
+
+
+
+

2.3. Network requirements

+
+

Installer-provisioned installation of OpenShift Container Platform involves several network requirements by default. First, installer-provisioned installation involves a non-routable provisioning network for provisioning the operating system on each bare metal node and a routable baremetal network. Since installer-provisioned installation deploys ironic-dnsmasq, the networks should have no other DHCP servers running on the same broadcast domain. Network administrators must reserve IP addresses for each node in the OpenShift Container Platform cluster.

+
+
+

OpenShift Container Platform 4.8 and later releases include functionality that uses cluster membership information to generate A/AAAA records. This resolves the node names to their IP addresses. Once the nodes are registered with the API, the cluster can disperse node information without using CoreDNS-mDNS. This eliminates the network traffic associated with multicast DNS.

+
+
+
Network Time Protocol (NTP)
+

Each OpenShift Container Platform node in the cluster must have access to an NTP server. OpenShift Container Platform nodes use NTP to synchronize their clocks. For example, cluster nodes use SSL certificates that require validation, which might fail if the date and time between the nodes are not in sync.

+
+
+ + + + + +
+ + +
+

Define a consistent clock date and time format in each cluster node’s BIOS settings, or installation might fail.

+
+
+
+
+

In OpenShift Container Platform 4.8 and later releases, you may reconfigure the control plane nodes to act as NTP servers on disconnected clusters, and reconfigure worker nodes to retrieve time from the control plane nodes.

+
+
+
Configuring NICs
+

OpenShift Container Platform deploys with two networks:

+
+
+
    +
  • +

    provisioning: The provisioning network is an optional non-routable network used for provisioning the underlying operating system on each node that is a part of the OpenShift Container Platform cluster. The network interface for the provisioning network on each cluster node must have the BIOS or UEFI configured to PXE boot. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the first NIC on each node, such as eth0 or eno1, must interface with the provisioning network. In OpenShift Container Platform 4.4 and later releases, you can specify the provisioning network NIC with the provisioningNetworkInterface configuration setting.

    +
  • +
  • +

    baremetal: The baremetal network is a routable network. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the second NIC on each node, such as eth1 or eno2, must interface with the baremetal network. In OpenShift Container Platform 4.4 and later releases, you can use any NIC order to interface with the baremetal network, provided it is the same NIC order across worker and control plane nodes and not the NIC specified in the provisioningNetworkInterface configuration setting for the provisioning network.

    +
  • +
+
+
+ + + + + +
+ + +
+

Use a compatible approach such that cluster nodes use the same NIC ordering on all cluster nodes. NICs must have heterogeneous hardware with the same NIC naming convention such as eth0 or eno1.

+
+
+
+
+ + + + + +
+ + +
+

When using a VLAN, each NIC must be on a separate VLAN corresponding to the appropriate network.

+
+
+
+
+
Configuring the DNS server
+

Clients access the OpenShift Container Platform cluster nodes over the baremetal network. A network administrator must configure a subdomain or subzone where the canonical name extension is the cluster name.

+
+
+
+
<cluster-name>.<domain-name>
+
+
+
+

For example:

+
+
+
+
test-cluster.example.com
+
+
+
+

You must also specify an api.<cluster-name>.<domain> record in the DNS. In subsequent configuration steps, when you configure network components to run exclusively on the control plane, the internal DNS resolution no longer works. This is an expected outcome.

+
+
+ + + + + +
+ + +
+

Failure to create a DNS record for the API precludes worker nodes from joining the cluster.

+
+
+
+
+

For assistance in configuring the DNS server, check Appendix section for:

+
+ +
+
Reserving IP addresses for nodes with the DHCP server
+

For the baremetal network, a network administrator must reserve a number of IP addresses, including:

+
+
+
    +
  1. +

    Two virtual IP addresses.

    +
    +
      +
    • +

      One IP address for the API endpoint

      +
    • +
    • +

      One IP address for the wildcard ingress endpoint

      +
    • +
    +
    +
  2. +
  3. +

    One IP address for the provisioner node.

    +
  4. +
  5. +

    One IP address for each control plane (master) node.

    +
  6. +
  7. +

    One IP address for each worker node, if applicable.

    +
  8. +
+
+
+ + + + + +
+ + +
Reserving IP addresses so they become static IP addresses
+
+

Some administrators prefer to use static IP addresses so that each node’s IP address remains constant in the absence of a DHCP server. To use static IP addresses in the OpenShift Container Platform cluster, reserve the IP addresses with an infinite lease. During deployment, the installer will reconfigure the NICs from DHCP assigned addresses to static IP addresses. NICs with DHCP leases that are not infinite will remain configured to use DHCP.

+
+
+
+
+ + + + + +
+ + +
Networking between external load balancers and control plane nodes
+
+

External load balancing services and the control plane nodes must run on the same L2 network, and on the same VLAN when using VLANs to route traffic between the load balancing services and the control plane nodes.

+
+
+
+
+

The following table provides an exemplary embodiment of fully qualified domain names. The API and Nameserver addresses begin with canonical name extensions. The host names of the control plane and worker nodes are exemplary, so you can use any host naming convention you prefer.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
UsageHost NameIP

API

api.<cluster-name>.<domain>

<ip>

Ingress LB (apps)

*.apps.<cluster-name>.<domain>

<ip>

Provisioner node

provisioner.<cluster-name>.<domain>

<ip>

Master-0

openshift-master-0.<cluster-name>.<domain>

<ip>

Master-1

openshift-master-1.<cluster-name>-.<domain>

<ip>

Master-2

openshift-master-2.<cluster-name>.<domain>

<ip>

Worker-0

openshift-worker-0.<cluster-name>.<domain>

<ip>

Worker-1

openshift-worker-1.<cluster-name>.<domain>

<ip>

Worker-n

openshift-worker-n.<cluster-name>.<domain>

<ip>

+
+

For assistance in configuring the DHCP server, check Appendix section for:

+
+ +
+
State-driven network configuration requirements (Technology Preview)
+

OpenShift Container Platform supports additional post-installation state-driven network configuration on the secondary network interfaces of cluster nodes using kubernetes-nmstate. For example, system administrators might configure a secondary network interface on cluster nodes after installation for a storage network.

+
+
+ + + + + +
+ + +
+

Configuration must occur before scheduling pods.

+
+
+
+
+

State-driven network configuration requires installing kubernetes-nmstate, and also requires Network Manager running on the cluster nodes. See OpenShift Virtualization > Kubernetes NMState (Tech Preview) for additional details.

+
+

IPv6 considerations

+
+
SLAAC Addressing
+

If you do not plan to use SLAAC [1] addresses on your OpenShift Container Platform node, then it should be disabled for baremetal networks, that means that if your network equipment is configured to send SLAAC addresses when replying to Route Advertisements that behavior should be changed, so it only sends the route and not the SLAAC address.

+
+
+

Install ndptool on your system in order to check what your RAs look like:

+
+
+
+
# Turn down/up baremetal iface on a master Node
+$ sudo nmcli con down "Wired connection 5" && sudo nmcli con up "Wired connection 5"
+Connection 'Wired connection 5' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1983)
+Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2044)
+
+# ndptool monitor on Helper node
+$ sudo ndptool monitor -t ra
+NDP payload len 80, from addr: fe80::c0a4:6464:bcb3:d657, iface: baremetal.153
+  Type: RA
+  Hop limit: 64
+  Managed address configuration: yes
+  Other configuration: no
+  Default router preference: medium
+  Router lifetime: 0s
+  Reachable time: unspecified
+  Retransmit time: unspecified
+  Source linkaddr: 1c:40:24:1b:0c:34
+  Prefix: 2620:52:0:1303::/64, valid_time: 86400s, preferred_time: 14400s, on_link: yes, autonomous_addr_conf: no, router_addr: no
+  Route: ::/0, lifetime: 0s, preference: low
+
+
+
+

The ndptool monitor should report Managed address configuration: yes.

+
+
+
Network Ranges and Configurations
+

Different baremetal and provisioning networks are required for each environment; each environment will have a different IPv6 range for each one of those networks.

+
+
+

In our configuration we used subinterfaces attached to two different physical interfaces, VLAN tagging was done at O.S. level (this required switch ports configured with trunk mode).

+
+
+

Our different IPv6 networks were all routable but usually, the only routable networks are the baremetal ones.

+
+
+

Keep in mind that provisioning networks cannot be in the same broadcast domain, since services such as DHCP are running.

+
+
+ + + + + +
+ + +
Route Advertisement
+
+

Route Advertisement must be enabled for both networks baremetal and provisioning.

+
+
+
+
+
Route Advertisements
+

As mentioned previously, both the baremetal and the provisioning networks must have Route Advertisement enabled. For the baremetal network, the radvd daemon was used, while the provisioning network has RA enabled in the Metal³ dnsmasq, so no configuration is needed.

+
+
+
+

2.4. Configuring nodes

+
+
Configuring nodes when using the provisioning network
+

Each node in the cluster requires the following configuration for proper installation.

+
+
+ + + + + +
+ + +
+

A mismatch between nodes will cause an installation failure.

+
+
+
+
+

While the cluster nodes can contain more than two NICs, the installation process only focuses on the first two NICs:

+
+ +++++ + + + + + + + + + + + + + + + + + +

NIC

Network

VLAN

NIC1

provisioning

<provisioning-vlan>

NIC2

baremetal

<baremetal-vlan>

+
+

NIC1 is a non-routable network (provisioning) that is only used for the installation of the OpenShift Container Platform cluster.

+
+
+

The Red Hat Enterprise Linux (RHEL) 8.x installation process on the provisioner node might vary. To install Red Hat Enterprise Linux (RHEL) 8.x using a local Satellite server or a PXE server, PXE-enable NIC2.

+
+ ++++ + + + + + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled provisioning network

1

NIC2 baremetal network. PXE-enabled is optional.

2

+
+ + + + + +
+ + +
+

Ensure PXE is disabled on all other NICs.

+
+
+
+
+

Configure the control plane and worker nodes as follows:

+
+ ++++ + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled (provisioning network)

1

+
+
Configuring nodes without the provisioning network
+

The installation process requires one NIC:

+
+ +++++ + + + + + + + + + + + + +

NIC

Network

VLAN

NICx

baremetal

<baremetal-vlan>

+
+

NICx is a routable network (baremetal) that is used for the installation of the OpenShift Container Platform cluster, and routable to the internet.

+
+
+
Configuring nodes for Secure Boot manually
+

Secure Boot prevents a node from booting unless it verifies the node is using only trusted software, such as UEFI firmware drivers, EFI applications and the operating system.

+
+
+ + + + + +
+ + +
+

Red Hat only supports manually configured Secure Boot when deploying with Redfish virtual media.

+
+
+
+
+

To enable Secure Boot manually, refer to the hardware guide for the node and execute the following:

+
+
+
    +
  1. +

    Boot the node and enter the BIOS menu.

    +
  2. +
  3. +

    Set the node’s boot mode to UEFI Enabled.

    +
  4. +
  5. +

    Enable Secure Boot.

    +
  6. +
+
+
+ + + + + +
+ + +
+

Red Hat does not support Secure Boot with self-generated keys.

+
+
+
+
+
+

2.5. Out-of-band management

+
+

Nodes will typically have an additional NIC used by the Baseboard Management Controllers (BMCs). These BMCs must be accessible from the provisioner node.

+
+
+

Each node must be accessible via out-of-band management. When using an out-of-band management network, the provisioner node requires access to the out-of-band management network for a successful OpenShift Container Platform 4 installation.

+
+
+

The out-of-band management setup is out of scope for this document. We recommend setting up a separate management network for out-of-band management. However, using the provisioning network or the baremetal network are valid options.

+
+
+
+

2.6. Required data for installation

+
+

Prior to the installation of the OpenShift Container Platform cluster, gather the following information from all cluster nodes:

+
+
+
    +
  • +

    Out-of-band management IP

    +
    +
      +
    • +

      Examples

      +
      +
        +
      • +

        Dell (iDRAC) IP

        +
      • +
      • +

        HP (iLO) IP

        +
      • +
      +
      +
    • +
    +
    +
  • +
+
+
+
When using the provisioning network
+
    +
  • +

    NIC1 (provisioning) MAC address

    +
  • +
  • +

    NIC2 (baremetal) MAC address

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    NICx (baremetal) MAC address

    +
  • +
+
+
+
+

2.7. Validation checklist for nodes

+
+
When using the provisioning network
+
    +
  • +

    DHCP reservations use infinite leases to deploy the cluster with static IP addresses. (optional)

    +
  • +
  • +

    NIC1 VLAN is configured for the provisioning network.

    +
  • +
  • +

    NIC2 VLAN is configured for the baremetal network.

    +
  • +
  • +

    NIC1 is PXE-enabled on the provisioner, Control Plane (master), and worker nodes.

    +
  • +
  • +

    PXE has been disabled on all other NICs.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    DHCP reservations use infinite leases to deploy the cluster with static IP addresses. (optional)

    +
  • +
  • +

    NICx VLAN is configured for the baremetal network.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
Summary
+

After an environment has been prepared according to the documented prerequisites, the installation process is the same as other installer-provisioned platforms.

+
+
+
+
+
+

3. Setting up the environment for an OpenShift installation

+
+ +
+

3.1. Installing RHEL on the provisioner node

+
+

With the networking configuration complete, the next step is to install RHEL 8.X on the provisioner node. The installer uses the provisioner node as the orchestrator while installing the OpenShift Container Platform cluster. For the purposes of this document, installing RHEL on the provisioner node is out of scope. However, options include but are not limited to using a RHEL Satellite server, PXE, or installation media.

+
+
+
+

3.2. Preparing the provisioner node for OpenShift Container Platform installation

+
+

Perform the following steps to prepare the environment.

+
+
+
Procedure
+
    +
  1. +

    Log in to the provisioner node via ssh.

    +
  2. +
  3. +

    Create a non-root user (kni) and provide that user with sudo privileges.

    +
    +
    +
    [root@provisioner ~]# useradd kni
    +[root@provisioner ~]# passwd kni
    +[root@provisioner ~]# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    +[root@provisioner ~]# chmod 0440 /etc/sudoers.d/kni
    +
    +
    +
  4. +
  5. +

    Create an ssh key for the new user.

    +
    +
    +
    [root@provisioner ~]# su - kni -c "ssh-keygen -t rsa -f /home/kni/.ssh/id_rsa -N ''"
    +
    +
    +
  6. +
  7. +

    Log in as the new user on the provisioner node.

    +
    +
    +
    [root@provisioner ~]# su - kni
    +[kni@provisioner ~]$
    +
    +
    +
  8. +
  9. +

    Use Red Hat Subscription Manager to register the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ sudo subscription-manager register --username=<user> --password=<pass> --auto-attach
    +[kni@provisioner ~]$ sudo subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms --enable=rhel-8-for-x86_64-baseos-rpms
    +
    +
    +
    + + + + + +
    + + +
    +

    For more information about Red Hat Subscription Manager, see Using and Configuring Red Hat Subscription Manager.

    +
    +
    +
    +
  10. +
  11. +

    Install the following packages.

    +
    +
    +
    [kni@provisioner ~]$ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitool
    +
    +
    +
  12. +
  13. +

    Modify the user to add the libvirt group to the newly created user.

    +
    +
    +
    [kni@provisioner ~]$ sudo usermod --append --groups libvirt <user>
    +
    +
    +
  14. +
  15. +

    Restart firewalld and enable the http service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start firewalld
    +[kni@provisioner ~]$ sudo firewall-cmd --zone=public --add-service=http --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --reload
    +
    +
    +
  16. +
  17. +

    Start and enable the libvirtd service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start libvirtd
    +[kni@provisioner ~]$ sudo systemctl enable libvirtd --now
    +
    +
    +
  18. +
  19. +

    Create the default storage pool and start it.

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images
    +[kni@provisioner ~]$ sudo virsh pool-start default
    +[kni@provisioner ~]$ sudo virsh pool-autostart default
    +
    +
    +
  20. +
  21. +

    Configure networking.

    +
    + + + + + +
    + + +
    +

    This step can also be run from the web console.

    +
    +
    +
    +
    +
    Provisioning Network (IPv4 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv4.addresses 172.22.0.1/24 ipv4.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv4 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    +
    Provisioning Network (IPv6 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv6.addresses fd00:1101::1/64 ipv6.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv6 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    Ensure that UEFI is enabled and UEFI PXE settings are set to the IPv6 protocol when using IPv6 addressing.

    +
    +
    +
    +
  22. +
  23. +

    ssh back into the provisioner node (if required).

    +
    +
    +
    # ssh kni@provisioner.<cluster-name>.<domain>
    +
    +
    +
  24. +
  25. +

    Verify the connection bridges have been properly created.

    +
    +
    +
    [kni@provisioner ~]$ nmcli con show
    +
    +
    +
    +
    +
    NAME               UUID                                  TYPE      DEVICE
    +baremetal          4d5133a5-8351-4bb9-bfd4-3af264801530  bridge    baremetal
    +provisioning       43942805-017f-4d7d-a2c2-7cb3324482ed  bridge    provisioning
    +virbr0             d9bca40f-eee1-410b-8879-a2d4bb0465e7  bridge    virbr0
    +bridge-slave-eno1  76a8ed50-c7e5-4999-b4f6-6d9014dd0812  ethernet  eno1
    +bridge-slave-eno2  f31c3353-54b7-48de-893a-02d2b34c4736  ethernet  eno2
    +
    +
    +
  26. +
  27. +

    Create a pull-secret.txt file.

    +
    +
    +
    [kni@provisioner ~]$ vim pull-secret.txt
    +
    +
    +
    +

    In a web browser, navigate to Install on Bare Metal with user-provisioned infrastructure, and scroll down to the Downloads section. Click Copy pull secret. Paste the contents into the pull-secret.txt file and save the contents in the kni user’s home directory.

    +
    +
  28. +
+
+
+
+

3.3. Retrieving the OpenShift Container Platform installer (GA Release)

+
+

Use the latest-4.x version of the installer to deploy the latest generally +available version of OpenShift Container Platform:

+
+
+
+
[kni@provisioner ~]$ export VERSION=latest-4.8
+export RELEASE_IMAGE=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')
+
+
+
+
+

3.4. Extracting the OpenShift Container Platform installer (GA Release)

+
+

After retrieving the installer, the next step is to extract it.

+
+
+
Procedure
+
    +
  1. +

    Set the environment variables:

    +
    +
    +
    [kni@provisioner ~]$ export cmd=openshift-baremetal-install
    +[kni@provisioner ~]$ export pullsecret_file=~/pull-secret.txt
    +[kni@provisioner ~]$ export extract_dir=$(pwd)
    +
    +
    +
  2. +
  3. +

    Get the oc binary:

    +
    +
    +
    [kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux.tar.gz | tar zxvf - oc
    +
    +
    +
  4. +
  5. +

    Extract the installer:

    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +[kni@provisioner ~]$ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${RELEASE_IMAGE}
    +[kni@provisioner ~]$ sudo cp openshift-baremetal-install /usr/local/bin
    +
    +
    +
  6. +
+
+
+
+

3.5. Creating an RHCOS images cache (optional)

+
+

To employ image caching, you must download two images: the Red Hat Enterprise Linux CoreOS (RHCOS) image used by the bootstrap VM and the RHCOS image used by the installer to provision the different nodes. Image caching is optional, but especially useful when running the installer on a network with limited bandwidth.

+
+
+

If you are running the installer on a network with limited bandwidth and the RHCOS images download takes more than 15 to 20 minutes, the installer will timeout. Caching images on a web server will help in such scenarios.

+
+
+

Use the following steps to install a container that contains the images.

+
+
+
    +
  1. +

    Install podman.

    +
    +
    +
    $ sudo dnf install -y podman
    +
    +
    +
  2. +
  3. +

    Open firewall port 8080 to be used for RHCOS image caching.

    +
    +
    +
    $ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent
    +$ sudo firewall-cmd --reload
    +
    +
    +
  4. +
  5. +

    Create a directory to store the bootstraposimage and clusterosimage.

    +
    +
    +
    $ mkdir /home/kni/rhcos_image_cache
    +
    +
    +
  6. +
  7. +

    Set the appropriate SELinux context for the newly created directory.

    +
    +
    +
    $ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"
    +$ sudo restorecon -Rv rhcos_image_cache/
    +
    +
    +
  8. +
  9. +

    Get the commit ID from the installer. The ID determines which images the installer needs to download.

    +
    +
    +
    $ export COMMIT_ID=$(/usr/local/bin/openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
    +
    +
    +
  10. +
  11. +

    Get the URI for the RHCOS image that the installer will deploy on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.openstack.path | sed 's/"//g')
    +
    +
    +
  12. +
  13. +

    Get the URI for the RHCOS image that the installer will deploy on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.qemu.path | sed 's/"//g')
    +
    +
    +
  14. +
  15. +

    Get the path where the images are published.

    +
    +
    +
    $ export RHCOS_PATH=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .baseURI | sed 's/"//g')
    +
    +
    +
  16. +
  17. +

    Get the SHA hash for the RHCOS image that will be deployed on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_SHA_UNCOMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.qemu["uncompressed-sha256"]')
    +
    +
    +
  18. +
  19. +

    Get the SHA hash for the RHCOS image that will be deployed on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_SHA_COMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.openstack.sha256')
    +
    +
    +
  20. +
  21. +

    Download the images and place them in the /home/kni/rhcos_image_cache directory.

    +
    +
    +
    $ curl -L ${RHCOS_PATH}${RHCOS_QEMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI}
    +$ curl -L ${RHCOS_PATH}${RHCOS_OPENSTACK_URI} -o /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI}
    +
    +
    +
  22. +
  23. +

    Confirm SELinux type is of httpd_sys_content_t for the newly created files.

    +
    +
    +
    $ ls -Z /home/kni/rhcos_image_cache
    +
    +
    +
  24. +
  25. +

    Create the pod.

    +
    +
    +
    $ podman run -d --name rhcos_image_cache \
    +-v /home/kni/rhcos_image_cache:/var/www/html \
    +-p 8080:8080/tcp \
    +quay.io/centos7/httpd-24-centos7:latest
    +
    +
    +
  26. +
  27. +

    Generate the bootstrapOSImage and clusterOSImage configuration.

    +
    +
    +
    $ export BAREMETAL_IP=$(ip addr show dev baremetal | awk '/inet /{print $2}' | cut -d"/" -f1)
    +$ export RHCOS_OPENSTACK_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI} | sha256sum | awk '{print $1}')
    +$ export RHCOS_QEMU_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI} | sha256sum | awk '{print $1}')
    +$ export CLUSTER_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_OPENSTACK_URI}?sha256=${RHCOS_OPENSTACK_SHA256}"
    +$ export BOOTSTRAP_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_QEMU_URI}?sha256=${RHCOS_QEMU_SHA256}"
    +$ echo "${RHCOS_OPENSTACK_SHA256}  ${RHCOS_OPENSTACK_URI}" > /home/kni/rhcos_image_cache/rhcos-ootpa-latest.qcow2.md5sum
    +$ echo "    bootstrapOSImage=${BOOTSTRAP_OS_IMAGE}"
    +$ echo "    clusterOSImage=${CLUSTER_OS_IMAGE}"
    +
    +
    +
  28. +
  29. +

    Add the required configuration to the install-config.yaml file under platform.baremetal.

    +
    +
    +
    platform:
    +  baremetal:
    +    bootstrapOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_QEMU_URI>?sha256=<RHCOS_QEMU_SHA256>
    +    clusterOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_OPENSTACK_URI>?sha256=<RHCOS_OPENSTACK_SHA256>
    +
    +
    +
    +

    See the Configuring the install-config.yaml file section for additional details.

    +
    +
  30. +
+
+
+
+

3.6. Configuration files

+
+

3.6.1. Configuring the install-config.yaml file

+
+

The install-config.yaml file requires some additional details. +Most of the information is teaching the installer and the resulting cluster enough about the available hardware so that it is able to fully manage it.

+
+
+
    +
  1. +

    Configure install-config.yaml. Change the appropriate variables to match the environment, including pullSecret and sshKey.

    +
    +
    +
    apiVersion: v1
    +basedomain: <domain>
    +metadata:
    +  name: <cluster-name>
    +networking:
    +  machineCIDR: <public-cidr>
    +  networkType: OVNKubernetes
    +compute:
    +- name: worker
    +  replicas: 2 (1)
    +controlPlane:
    +  name: master
    +  replicas: 3
    +  platform:
    +    baremetal: {}
    +platform:
    +  baremetal:
    +    apiVIP: <api-ip>
    +    ingressVIP: <wildcard-ip>
    +    provisioningNetworkInterface: <NIC1>
    +    provisioningNetworkCIDR: <CIDR>
    +    hosts:
    +      - name: openshift-master-0
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip> (2)
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-1
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-2
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-worker-0
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +      - name: openshift-worker-1
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +pullSecret: '<pull_secret>'
    +sshKey: '<ssh_pub_key>'
    +
    +
    +
    + + + + + + + + + +
    1Scale the worker machines based on the number of worker nodes that are part of the OpenShift Container Platform cluster.
    2Refer to the BMC addressing for more options
    +
    +
  2. +
  3. +

    Create a directory to store cluster configs.

    +
    +
    +
    [kni@provisioner ~]$ mkdir ~/clusterconfigs
    +[kni@provisioner ~]$ cp install-config.yaml ~/clusterconfigs
    +
    +
    +
  4. +
  5. +

    Ensure all bare metal nodes are powered off prior to installing the OpenShift Container Platform cluster.

    +
    +
    +
    [kni@provisioner ~]$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  6. +
  7. +

    Remove old bootstrap resources if any are left over from a previous deployment attempt.

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool $i;
    +  sudo virsh vol-delete $i.ign --pool $i;
    +  sudo virsh pool-destroy $i;
    +  sudo virsh pool-undefine $i;
    +done
    +
    +
    +
  8. +
+
+
+
+

3.6.2. Setting proxy settings within the install-config.yaml file (optional)

+
+

To deploy an OpenShift Container Platform cluster using a proxy, make the following changes to the install-config.yaml file.

+
+
+
+
apiVersion: v1
+baseDomain: <domain>
+proxy:
+  httpProxy: http://USERNAME:PASSWORD@proxy.example.com:PORT
+  httpsProxy: https://USERNAME:PASSWORD@proxy.example.com:PORT
+  noProxy: <WILDCARD_OF_DOMAIN>,<PROVISIONING_NETWORK/CIDR>,<BMC_ADDRESS_RANGE/CIDR>
+
+
+
+

See below for an example of noProxy with values.

+
+
+
+
noProxy: .example.com,172.22.0.0/24,10.10.0.0/24
+
+
+
+

With a proxy enabled, set the appropriate values of the proxy in the corresponding key/value pair.

+
+
+

Key considerations:

+
+
+
    +
  • +

    If the proxy does not have an HTTPS proxy, change the value of httpsProxy from https:// to http://.

    +
  • +
  • +

    If using a provisioning network, include it in the noProxy setting, otherwise the installer will fail.

    +
  • +
  • +

    Set all of the proxy settings as environment variables within the provisioner node. For example, HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

    +
  • +
+
+
+
+

3.6.3. Modifying the install-config.yaml file for no provisioning network (optional)

+
+

To deploy an OpenShift Container Platform cluster without a provisioning network, make the following changes to the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    apiVIP: <apiVIP>
+    ingressVIP: <ingress/wildcard VIP>
+    provisioningNetwork: "Disabled"
+
+
+
+
+

3.6.4. Modifying the install-config.yaml file for dual-stack network (optional)

+
+

To deploy an OpenShift Container Platform cluster with dual-stack networking, make the following changes to the install-config.yaml file.

+
+
+
+
machineNetwork:
+- cidr: {{ extcidrnet }}
+- cidr: {{ extcidrnet6 }}
+clusterNetwork:
+- cidr: 10.128.0.0/14
+  hostPrefix: 23
+- cidr: fd02::/48
+  hostPrefix: 64
+serviceNetwork:
+- 172.30.0.0/16
+- fd03::/112
+
+
+
+ + + + + +
+ + +In the above snippet, the network settings must match the settings for the cluster’s network environment. The machineNetwork, clusterNetwork, and serviceNetwork configuration settings must have two CIDR entries each. The first CIDR entry is the IPv4 setting and the second CIDR entry is the IPv6 setting. +
+
+
+ + + + + +
+ + +
+

The IPv4 entries must go before the IPv6 entries.

+
+
+
+
+
+

3.6.5. Configuring managed Secure Boot in the install-config.yaml file (optional)

+
+

To enable managed Secure Boot, add the bootMode configuration setting to each node.

+
+
+
Example
+
+
hosts:
+  - name: openshift-master-0
+    role: master
+    bmc:
+      address: ipmi://<out-of-band-ip>
+      username: <user>
+      password: <password>
+    bootMACAddress: <NIC1-mac-address>
+    hardwareProfile: default
+    bootMode: UEFISecureBoot (1)
+
+
+
+ + + + + +
1The bootMode setting is legacy by default. Change it to UEFISecureBoot to enable managed Secure Boot.
+
+
+ + + + + +
+ + +
+

See Node requirements to ensure the nodes can support managed Secure Boot. If not, you can enable Secure Boot manually, which requires Redfish virtual media.

+
+
+
+
+
+

3.6.6. Additional install-config parameters

+
+

See the following tables for the required parameters, the hosts parameter, +and the bmc parameter for the install-config.yaml file.

+
+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2. Required parameters
ParametersDefaultDescription

baseDomain

The domain name for the cluster. For example, example.com.

bootMode

legacy

The boot mode for a node. Options are legacy, UEFI and UEFISecureBoot.

sshKey

The sshKey configuration setting contains the key in the ~/.ssh/id_rsa.pub file required to access the control plane nodes and worker nodes. Typically, this key is from the provisioner node.

pullSecret

The pullSecret configuration setting contains a copy of the pull secret downloaded from the Install OpenShift on Bare Metal page when preparing the provisioner node.

+
+
metadata:
+    name:
+
+

The name to be given to the OpenShift Container Platform cluster. For example, openshift.

+
+
networking:
+    machineCIDR:
+
+

The public CIDR (Classless Inter-Domain Routing) of the external network. For example, 10.0.0.0/24 +or 2620:52:0:1302::/64 +.

+
+
compute:
+  - name: worker
+
+

The OpenShift Container Platform cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes.

+
+
compute:
+    replicas: 2
+
+

Replicas sets the number of worker (or compute) nodes in the OpenShift Container Platform cluster.

+
+
controlPlane:
+    name: master
+
+

The OpenShift Container Platform cluster requires a name for control plane (master) nodes.

+
+
controlPlane:
+    replicas: 3
+
+

Replicas sets the number of control plane (master) nodes included as part of the OpenShift Container Platform cluster.

+

provisioningNetworkInterface

+

The name of the network interface on control plane nodes connected to the +provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

apiVIP

api.<clustername.clusterdomain>

The VIP to use for internal API communication.

+

This setting must either be provided or pre-configured in the DNS so that the +default name resolves correctly.

disableCertificateVerification

False

redfish and redfish-virtualmedia need this parameter to manage BMC addresses. The value should be True when using a self-signed certificate for BMC addresses.

ingressVIP

test.apps.<clustername.clusterdomain>

The VIP to use for ingress traffic.

+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 3. Optional Parameters
ParametersDefaultDescription

provisioningDHCPRange

172.22.0.10,172.22.0.100

Defines the IP range for nodes on the provisioning network.

+

provisioningNetworkCIDR

+

172.22.0.0/24

The CIDR for the network to use for provisioning. This option is required when not using the default address range on the provisioning network.

clusterProvisioningIP

The third IP address of the provisioningNetworkCIDR.

The IP address within the cluster where the provisioning services run. Defaults to the third IP address of the provisioning subnet. For example, 172.22.0.3.

bootstrapProvisioningIP

The second IP address of the provisioningNetworkCIDR.

The IP address on the bootstrap VM where the provisioning services run while the installer is deploying the control plane (master) nodes. Defaults to the second IP address of the provisioning subnet. For example, 172.22.0.2 +or 2620:52:0:1307::2 +.

externalBridge

baremetal

The name of the baremetal bridge of the hypervisor attached to the baremetal network.

provisioningBridge

provisioning

The name of the provisioning bridge on the provisioner host attached to the provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

bootstrapOSImage

A URL to override the default operating system image for the bootstrap node. The URL must contain a SHA-256 hash of the image. For example: +https://mirror.openshift.com/rhcos-<version>-qemu.qcow2.gz?sha256=<uncompressed_sha256>; + or http://[2620:52:0:1307::1]/rhcos-<version>-qemu.x86_64.qcow2.gz?sha256=<uncompressed_sha256> +.

clusterOSImage

A URL to override the default operating system for cluster nodes. The URL must include a SHA-256 hash of the image. For example, https://mirror.openshift.com/images/rhcos-<version>-openstack.qcow2.gz?sha256=<compressed_sha256>;.

provisioningNetwork

Set this parameter to Disabled to disable the requirement for a provisioning network. User may only do virtual media based provisioning, or bring up the cluster using assisted installation. If using power management, BMC’s must be accessible from the machine networks. User must provide two IP addresses on the external network that are used for the provisioning services. +Set this parameter to Managed, which is the default, to fully manage the provisioning network, including DHCP, TFTP, and so on.

+

Set this parameter to Unmanaged to still enable the provisioning network but take care of manual configuration of DHCP. Virtual media provisioning is recommended but PXE is still available if required.

httpProxy

Set this parameter to the appropriate HTTP proxy used within your environment.

httpsProxy

Set this parameter to the appropriate HTTPS proxy used within your environment.

noProxy

Set this parameter to the appropriate list of exclusions for proxy usage within your environment.

+
+
Hosts
+

The hosts parameter is a list of separate bare metal assets used to build the cluster.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Name

Default

Description

name

The name of the BareMetalHost resource to associate with the details. For example, openshift-master-0.

role

The role of the bare metal node. Either master or worker.

bmc

Connection details for the baseboard management controller. See the BMC addressing section for additional details.

bootMACAddress

The MAC address of the NIC the host will use to boot on the provisioning network.

+
+
+

3.6.7. BMC addressing

+
+

Most vendors support BMC addressing with the Intelligent Platform Management Interface or IPMI. IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center or SDDC. Redfish is human readable and machine capable, and leverages common Internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.

+
+
+
IPMI
+

Hosts using IPMI use the ipmi://<out-of-band-ip>:<port> address format, which defaults to port 623 if not specified. The following example demonstrates an IPMI configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: ipmi://<out-of-band-ip>
+          username: <user>
+          password: <password>
+
+
+
+
Redfish network boot
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
BMC addressing for Dell iDRAC
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For Dell hardware, Red Hat supports integrated Dell Remote Access Controller (iDRAC) virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 4. BMC address formats for Dell iDRAC
ProtocolAddress Format

iDRAC virtual media

idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

IPMI

ipmi://<out-of-band-ip>

+
+ + + + + +
+ + +
+

Use idrac-virtualmedia as the protocol for Redfish virtual media. redfish-virtualmedia will not work on Dell hardware. Dell’s idrac-virtualmedia uses the Redfish standard with Dell’s OEM extensions.

+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for Dell iDRAC
+

For Redfish virtual media on Dell servers, use idrac-virtualmedia:// in the address setting. Using redfish-virtualmedia:// will not work.

+
+
+

The following example demonstrates using iDRAC virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

Use idrac-virtualmedia:// as the protocol for Redfish virtual media. Using redfish-virtualmedia:// will not work on Dell hardware, because the idrac-virtualmedia:// protocol corresponds to the idrac hardware type and the Redfish protocol in Ironic. Dell’s idrac-virtualmedia:// protocol uses the Redfish standard with Dell’s OEM extensions. Ironic also supports the idrac type with the WSMAN protocol. Therefore, you must specify idrac-virtualmedia:// to avoid unexpected behavior when electing to use Redfish with virtual media on Dell hardware.

+
+
+
+
+
Redfish network boot for iDRAC
+

To enable Redfish, use redfish:// or redfish+http:// to disable transport layer security (TLS). The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell hardware with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

The redfish:// URL protocol corresponds to the redfish hardware type in Ironic.

+
+
+
+
+
+
BMC addressing for HPE iLO
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For HPE integrated Lights Out (iLO), Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 5. BMC address formats for HPE iLO
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/1

IPMI

ipmi://<out-of-band-ip>

+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for HPE iLO
+

To enable Redfish virtual media for HPE servers, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Redfish virtual media is not supported on 9th generation systems running iLO4, because Ironic does not support iLO4 with virtual media.

+
+
+
+
+
Redfish network boot for HPE iLO
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
BMC addressing for Fujitsu iRMC
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For Fujitsu hardware, Red Hat supports integrated Remote Management Controller (iRMC) and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + +
Table 6. BMC address formats for Fujitsu iRMC
ProtocolAddress Format

iRMC

irmc://<out-of-band-ip>

IPMI

ipmi://<out-of-band-ip>

+
+
iRMC
+

Fujitsu nodes can use irmc://<out-of-band-ip> and defaults to port 623. The following example demonstrates an iRMC configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: irmc://<out-of-band-ip>
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
+ + +
+

Currently Fujitsu supports iRMC S5 firmware version 3.05P and above for installer-provisioned installation on bare metal.

+
+
+
+
+
+
BMC addressing for KVM with sushy-tools Redfish emulator
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For KVM working with sushy-tools Redfish emulator, Red Hat supports Redfish virtual media and Redfish network boot.

+
+ + ++++ + + + + + + + + + + + + + + + + +
Table 7. BMC address formats for KVM with sushy-tools Redfish emulator
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

Redfish network boot

redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

+
+ + + + + +
+ + +
+

The sushy-tools Redfish emulator runs from the KVM hypervisor and a single instance acts as the virtual BMC for all the guest machines. This means both the out of band IP address and port, will be same and each individual machine must be identified by its System ID.

+
+
+

You may retrieve the System ID of your guest machines with the following command:

+
+
+
+
---
+$ virsh list --all --name --uuid
+d8ac6bf8-3062-4954-84c3-e097faa17025 compute-0
+84971a71-3935-4a92-8d90-a9f8440dac09 compute-1
+92430f42-8805-4412-959a-2a7252c7c540 compute-2
+0fea5296-db95-41d7-9295-f57cfa50255f control-plane-0
+4986e405-fd3a-483d-9210-8cb120b98f80 control-plane-1
+26bf228c-44fd-4c49-9e6f-44f4b5968b34 control-plane-2
+---
+
+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for KVM with sushy-tools Redfish emulator
+

To enable Redfish virtual media for KVM environments running the sushy-tools Redfish emulator, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
Redfish network boot for KVM with sushy-tools Redfish emulator
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires the host name or the IP address, the Redfish emulator listening port and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
+

3.6.8. Root device hints

+
+

The rootDeviceHints parameter enables the installer to provision the Red Hat Enterprise Linux CoreOS (RHCOS) image to a particular device. The installer examines the devices in the order it discovers them, and compares the discovered values with the hint values. The installer uses the first discovered device that matches the hint value. The configuration can combine multiple hints, but a device must match all hints for the installer to select it.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 8. Subfields
SubfieldDescription

deviceName

A string containing a Linux device name like /dev/vda. The hint must match the actual value exactly.

hctl

A string containing a SCSI bus address like 0:0:0:0. The hint must match the actual value exactly.

model

A string containing a vendor-specific device identifier. The hint can be a substring of the actual value.

vendor

A string containing the name of the vendor or manufacturer of the device. The hint can be a sub-string of the actual value.

serialNumber

A string containing the device serial number. The hint must match the actual value exactly.

minSizeGigabytes

An integer representing the minimum size of the device in gigabytes.

wwn

A string containing the unique storage identifier. The hint must match the actual value exactly.

wwnWithExtension

A string containing the unique storage identifier with the vendor extension appended. The hint must match the actual value exactly.

wwnVendorExtension

A string containing the unique vendor storage identifier. The hint must match the actual value exactly.

rotational

A Boolean indicating whether the device should be a rotating disk (true) or not (false).

+
+
Example usage
+
+
     - name: master-0
+       role: master
+       bmc:
+         address: ipmi://10.10.0.3:6203
+         username: admin
+         password: redhat
+       bootMACAddress: de:ad:be:ef:00:40
+       rootDeviceHints:
+         deviceName: "/dev/sda"
+
+
+
+
+

3.6.9. Creating the OpenShift Container Platform manifests

+
+
    +
  1. +

    Create the OpenShift Container Platform manifests.

    +
    +
    +
    [kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs create manifests
    +
    +
    +
    +
    +
    INFO Consuming Install Config from target directory
    +WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
    +WARNING Discarding the Openshift Manifest that was provided in the target directory because its dependencies are dirty and it needs to be regenerated
    +
    +
    +
  2. +
+
+
+
+

3.6.10. Configuring NTP for disconnected clusters (optional)

+
+

OpenShift Container Platform installs the chrony Network Time Protocol (NTP) service on the cluster nodes. +Use the following procedure to configure NTP servers on the control plane nodes and configure worker nodes as NTP clients of the control plane nodes before deployment.

+
+
+
+Configuring NTP for disconnected clusters +
+
+
+

OpenShift Container Platform nodes must agree on a date and time to run properly. When worker nodes retrieve the date and time from the NTP servers on the control plane nodes, it enables the installation and operation of clusters that are not connected to a routable network and thereby do not have access to a higher stratum NTP server.

+
+
+
Procedure
+
    +
  1. +

    Create a ~/control-plane-chrony.conf configuration file for the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # Use public servers from the pool.ntp.org project.
    +# Please consider joining the pool (https://www.pool.ntp.org/join.html).
    +
    +# This file is managed by the machine config operator
    +server openshift-master-0.<cluster-name>.<domain> iburst (1)
    +server openshift-master-1.<cluster-name>.<domain> iburst
    +server openshift-master-2.<cluster-name>.<domain> iburst
    +
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +
    +# Configure the control plane nodes to serve as local NTP servers
    +# for all worker nodes, even if they are not in sync with an
    +# upstream NTP server.
    +
    +# Allow NTP client access from the local network.
    +allow all
    +# Serve time even if not synchronized to a time source.
    +local stratum 3 orphan
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
    +
    +
  2. +
  3. +

    Create a ~/worker-chrony.conf configuration file for the worker nodes such that worker nodes reference the NTP servers on the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # This file is managed by the machine config operator
    +server openshift-master-0.<cluster-name>.<domain> iburst (1)
    +server openshift-master-1.<cluster-name>.<domain> iburst
    +server openshift-master-2.<cluster-name>.<domain> iburst
    +
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
    +
    +
  4. +
  5. +

    Create a ~/ntp-server.yaml configuration file for telling the Machine Configuration Operator to apply the ~/control-plane-chrony.conf settings to the NTP servers on the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # This example MachineConfig replaces ~/control-plane-chrony.conf
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf-override-to-server
    +spec:
    +  config:
    +    ignition:
    +      version: 2.2.0
    +    storage:
    +      files:
    +        - contents:
    +            source: data:text/plain;charset=utf-8;base64,BASE64ENCODEDCONFIGFILE(1)
    +          filesystem: root
    +          mode: 0644
    +          path: /etc/control-plane-chrony.conf
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace the BASE64ENCODEDCONFIGFILE string with the base64-encoded string of the ~/control-plane-chrony.conf file in the subsequent step.
    +
    +
  6. +
  7. +

    Generate a base64 string of the ~/control-plane-chrony.conf file.

    +
    +
    +
    $ base64 ~/control-plane-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    IyBVc2UgcHVibGljIHNlcnZlcnMgZnJvbSB0aGUgcG9vbC5udHAub3JnIHByb2plY3QuCiMgUGxl
    +YXNlIGNvbnNpZGVyIGpvaW5pbmcgdGhlIHBvb2wgKGh0dHBzOi8vd3d3LnBvb2wubnRwLm9yZy9q
    +b2luLmh0bWwpLgoKIyBUaGlzIGZpbGUgaXMgbWFuYWdlZCBieSB0aGUgbWFjaGluZSBjb25maWcg
    +b3BlcmF0b3IKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMC48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMS48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMi48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKCnN0cmF0dW13ZWlnaHQgMApkcmlmdGZpbGUgL3Zhci9saWIvY2hyb255L2RyaWZ0
    +CnJ0Y3N5bmMKbWFrZXN0ZXAgMTAgMwpiaW5kY21kYWRkcmVzcyAxMjcuMC4wLjEKYmluZGNtZGFk
    +ZHJlc3MgOjoxCmtleWZpbGUgL2V0Yy9jaHJvbnkua2V5cwpjb21tYW5ka2V5IDEKZ2VuZXJhdGVj
    +b21tYW5ka2V5Cm5vY2xpZW50bG9nCmxvZ2NoYW5nZSAwLjUKbG9nZGlyIC92YXIvbG9nL2Nocm9u
    +eQoKIyBDb25maWd1cmUgdGhlIGNvbnRyb2wgcGxhbmUgbm9kZXMgdG8gc2VydmUgYXMgbG9jYWwg
    +TlRQIHNlcnZlcnMKIyBmb3IgYWxsIHdvcmtlciBub2RlcywgZXZlbiBpZiB0aGV5IGFyZSBub3Qg
    +aW4gc3luYyB3aXRoIGFuCiMgdXBzdHJlYW0gTlRQIHNlcnZlci4KCiMgQWxsb3cgTlRQIGNsaWVu
    +dCBhY2Nlc3MgZnJvbSB0aGUgbG9jYWwgbmV0d29yay4KYWxsb3cgYWxsCiMgU2VydmUgdGltZSBl
    +dmVuIGlmIG5vdCBzeW5jaHJvbml6ZWQgdG8gYSB0aW1lIHNvdXJjZS4KbG9jYWwgc3RyYXR1bSAz
    +IG9ycGhhbgo=
    +
    +
    +
    +

    Replace the BASE64ENCODEDCONFIGFILE string in the ~/ntp-server.yaml with the base64-encoded string.

    +
    +
  8. +
  9. +

    Create a ~/ntp-client.yaml configuration file for telling the Machine Configuration Operator to apply the ~/worker-chrony.conf settings to the NTP clients on the worker nodes.

    +
    +
    Configuration file example
    +
    +
    # This example MachineConfig replaces ~/worker-chrony.conf
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  labels:
    +    machineconfiguration.openshift.io/role: worker
    +  name: 99-master-etc-chrony-conf-override-for-worker
    +spec:
    +  config:
    +    ignition:
    +      version: 2.2.0
    +    storage:
    +      files:
    +        - contents:
    +            source: data:text/plain;charset=utf-8;base64,BASE64ENCODEDCONFIGFILE(1)
    +          filesystem: root
    +          mode: 0644
    +          path: /etc/worker-chrony.conf
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace the BASE64ENCODEDCONFIGFILE string with the base64-encoded string of the ~/worker-chrony.conf file in the subsequent step.
    +
    +
  10. +
  11. +

    Generate a base64-encoded string of the ~/worker-chrony.conf file.

    +
    +
    +
    $ base64 ~/worker-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    IyBUaGlzIGZpbGUgaXMgbWFuYWdlZCBieSB0aGUgbWFjaGluZSBjb25maWcgb3BlcmF0b3IKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMC48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMS48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMi48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKCnN0
    +cmF0dW13ZWlnaHQgMApkcmlmdGZpbGUgL3Zhci9saWIvY2hyb255L2RyaWZ0CnJ0Y3N5bmMKbWFr
    +ZXN0ZXAgMTAgMwpiaW5kY21kYWRkcmVzcyAxMjcuMC4wLjEKYmluZGNtZGFkZHJlc3MgOjoxCmtl
    +eWZpbGUgL2V0Yy9jaHJvbnkua2V5cwpjb21tYW5ka2V5IDEKZ2VuZXJhdGVjb21tYW5ka2V5Cm5v
    +Y2xpZW50bG9nCmxvZ2NoYW5nZSAwLjUKbG9nZGlyIC92YXIvbG9nL2Nocm9ueQo=
    +
    +
    +
    +

    Replace the BASE64ENCODEDCONFIGFILE string in the ~/ntp-client.yaml file with the base64-encoded string.

    +
    +
  12. +
  13. +

    Copy the ~/ntp-server.yaml file to the ~/clusterconfigs/manifests directory.

    +
    +
    +
    $ cp ~/ntp-server.yaml ~/clusterconfigs/manifests
    +
    +
    +
  14. +
  15. +

    Copy the ~/ntp-client.yaml file to the ~/clusterconfigs/manifests directory.

    +
    +
    +
    $ cp ~/ntp-client.yaml ~/clusterconfigs/manifests
    +
    +
    +
  16. +
+
+
+
+

3.6.11. Configure network components to run on the control plane

+
+

Configure networking components to run exclusively on the control plane nodes. By default, OpenShift Container Platform allows any node in the machine config pool to host the apiVIP and ingressVIP virtual IP addresses. However, many environments deploy worker nodes in separate subnets from the control plane nodes. Consequently, you must place the apiVIP and ingressVIP virtual IP addresses exclusively with the control plane nodes.

+
+
+
Procedure
+
    +
  1. +

    Change to the directory storing the install-config.yaml file.

    +
    +
    +
    $ cd ~/clusterconfigs
    +
    +
    +
  2. +
  3. +

    Switch to the manifests subdirectory.

    +
    +
    +
    $ cd manifests
    +
    +
    +
  4. +
  5. +

    Create a file named cluster-network-avoid-workers-99-config.yaml.

    +
    +
    +
    $ touch cluster-network-avoid-workers-99-config.yaml
    +
    +
    +
  6. +
  7. +

    Open the cluster-network-avoid-workers-99-config.yaml file in an editor and enter a custom resource (CR) that describes the Operator configuration:

    +
    +
    +
    apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  name: 50-worker-fix-ipi-rwn
    +  labels:
    +    machineconfiguration.openshift.io/role: worker
    +spec:
    +  config:
    +    ignition:
    +      version: 3.1.0
    +    systemd:
    +      units:
    +      - name: nodeip-configuration.service
    +        enabled: true
    +        contents: |
    +          [Unit]
    +          Description=Writes IP address configuration so that kubelet and crio services select a valid node IP
    +          Wants=network-online.target
    +          After=network-online.target ignition-firstboot-complete.service
    +          Before=kubelet.service crio.service
    +          [Service]
    +          Type=oneshot
    +          ExecStart=/bin/bash -c "exit 0 "
    +          [Install]
    +          WantedBy=multi-user.target
    +    storage:
    +      files:
    +        - contents:
    +            source: data:,
    +            verification: {}
    +          filesystem: root
    +          mode: 420
    +          path: /etc/kubernetes/manifests/keepalived.yaml
    +        - contents:
    +            source: data:,
    +            verification: {}
    +          filesystem: root
    +          mode: 420
    +          path: /etc/kubernetes/manifests/mdns-publisher.yaml
    +        - contents:
    +            source: data:,
    +            verification: {}
    +          filesystem: root
    +          mode: 420
    +          path: /etc/kubernetes/manifests/coredns.yaml
    +
    +
    +
    +

    This manifest places the apiVIP and ingressVIP virtual IP addresses on the control plane nodes. Additionally, this manifest deploys the following processes on the control plane nodes only:

    +
    +
    +
      +
    • +

      openshift-ingress-operator

      +
    • +
    • +

      keepalived

      +
    • +
    +
    +
  8. +
  9. +

    Save the cluster-network-avoid-workers-99-config.yaml file.

    +
  10. +
  11. +

    Create a manifests/cluster-ingress-default-ingresscontroller.yaml file.

    +
    +
    +
    apiVersion: operator.openshift.io/v1
    +kind: IngressController
    +metadata:
    +  name: default
    +  namespace: openshift-ingress-operator
    +spec:
    +  nodePlacement:
    +    nodeSelector:
    +      matchLabels:
    +        node-role.kubernetes.io/master: ""
    +
    +
    +
  12. +
  13. +

    Consider backing up the manifests directory. The installer deletes the manifests/ directory when creating the cluster.

    +
  14. +
  15. +

    Modify the cluster-scheduler-02-config.yml manifest to make the control plane nodes schedulable by setting the mastersSchedulable field to true. Control plane nodes are not schedulable by default. For example:

    +
    +
    +
    $ sed -i "s;mastersSchedulable: false;mastersSchedulable: true;g" clusterconfigs/manifests/cluster-scheduler-02-config.yml
    +
    +
    +
    + + + + + +
    + + +
    +

    If control plane nodes are not schedulable, deploying the cluster will fail.

    +
    +
    +
    +
  16. +
  17. +

    Before deploying the cluster, ensure that the api.<cluster-name>.<domain> domain name is resolvable in the DNS. When you configure network components to run exclusively on the control plane, the internal DNS resolution no longer works for worker nodes, which is an expected outcome.

    +
    + + + + + +
    + + +
    +

    Failure to create a DNS record for the API precludes worker nodes from joining the cluster.

    +
    +
    +
    +
  18. +
+
+
+
+
+

3.7. Creating a disconnected registry (optional)

+
+

In some cases, you might want to install an OpenShift Container Platform cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.

+
+
+

A local, or mirrored, copy of the registry requires the following:

+
+
+
    +
  • +

    A certificate for the registry node. This can be a self-signed certificate.

    +
  • +
  • +

    A web server that a container on a system will serve.

    +
  • +
  • +

    An updated pull secret that contains the certificate and local repository information.

    +
  • +
+
+
+ + + + + +
+ + +
+

Creating a disconnected registry on a registry node is optional. The subsequent sections indicate that they are optional since they are steps you need to execute only when creating a disconnected registry on a registry node. You should execute all of the subsequent sub-sections labeled "(optional)" when creating a disconnected registry on a registry node.

+
+
+
+
+

3.7.1. Preparing the registry node to host the mirrored registry (optional)

+
+

Make the following changes to the registry node.

+
+
+
Procedure
+
    +
  1. +

    Open the firewall port on the registry node.

    +
    +
    +
    [user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[user@registry ~]$ sudo firewall-cmd --reload
    +
    +
    +
  2. +
  3. +

    Install the required packages for the registry node.

    +
    +
    +
    [user@registry ~]$ sudo yum -y install python3 podman httpd httpd-tools jq
    +
    +
    +
  4. +
  5. +

    Create the directory structure where the repository information will be held.

    +
    +
    +
    [user@registry ~]$ sudo mkdir -p /opt/registry/{auth,certs,data}
    +
    +
    +
  6. +
+
+
+
+

3.7.2. Generating the self-signed certificate (optional)

+
+

Generate a self-signed certificate for the registry node and put it in the /opt/registry/certs directory.

+
+
+
Procedure
+
    +
  1. +

    Adjust the certificate information as appropriate.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +[user@registry ~]$ cert_c="<Country Name>"   # Country Name (C, 2 letter code)
    +[user@registry ~]$ cert_s="<State>"          # Certificate State (S)
    +[user@registry ~]$ cert_l="<Locality>"       # Certificate Locality (L)
    +[user@registry ~]$ cert_o="<Organization>"   # Certificate Organization (O)
    +[user@registry ~]$ cert_ou="<Org Unit>"      # Certificate Organizational Unit (OU)
    +[user@registry ~]$ cert_cn="${host_fqdn}"    # Certificate Common Name (CN)
    +
    +[user@registry ~]$ openssl req \
    +    -newkey rsa:4096 \
    +    -nodes \
    +    -sha256 \
    +    -keyout /opt/registry/certs/domain.key \
    +    -x509 \
    +    -days 365 \
    +    -out /opt/registry/certs/domain.crt \
    +    -addext "subjectAltName = DNS:${host_fqdn}" \
    +    -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
    +
    +
    +
    + + + + + +
    + + +When replacing <Country Name>, ensure that it only contains two letters. For example, US. +
    +
    +
  2. +
  3. +

    Update the registry node’s ca-trust with the new certificate.

    +
    +
    +
    [user@registry ~]$ sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    +[user@registry ~]$ sudo update-ca-trust extract
    +
    +
    +
  4. +
+
+
+
+

3.7.3. Creating the registry podman container (optional)

+
+

The registry container uses the /opt/registry directory for certificates, authentication files, and to store its data files.

+
+
+

The registry container uses httpd and needs an htpasswd file for authentication.

+
+
+
Procedure
+
    +
  1. +

    Create an htpasswd file in /opt/registry/auth for the container to use.

    +
    +
    +
    [user@registry ~]$ htpasswd -bBc /opt/registry/auth/htpasswd <user> <passwd>
    +
    +
    +
    +

    Replace <user> with the user name and <passwd> with the password.

    +
    +
  2. +
  3. +

    Create and start the registry container.

    +
    +
    +
    [user@registry ~]$ podman create \
    +  --name ocpdiscon-registry \
    +  -p 5000:5000 \
    +  -e "REGISTRY_AUTH=htpasswd" \
    +  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
    +  -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
    +  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
    +  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
    +  -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
    +  -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true" \
    +  -v /opt/registry/data:/var/lib/registry:z \
    +  -v /opt/registry/auth:/auth:z \
    +  -v /opt/registry/certs:/certs:z \
    +  docker.io/library/registry:2
    +
    +
    +
    +
    +
    [user@registry ~]$ podman start ocpdiscon-registry
    +
    +
    +
  4. +
+
+
+
+

3.7.4. Copy and update the pull-secret (optional)

+
+

Copy the pull secret file from the provisioner node to the registry node and modify it to include the authentication information for the new registry node.

+
+
+
Procedure
+
    +
  1. +

    Copy the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ scp kni@provisioner:/home/kni/pull-secret.txt pull-secret.txt
    +
    +
    +
  2. +
  3. +

    Update the host_fqdn environment variable with the fully qualified domain name of the registry node.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +
    +
    +
  4. +
  5. +

    Update the b64auth environment variable with the base64 encoding of the http credentials used to create the htpasswd file.

    +
    +
    +
    [user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 )
    +
    +
    +
    +

    Replace <username> with the user name and <passwd> with the password.

    +
    +
  6. +
  7. +

    Set the AUTHSTRING environment variable to use the base64 authorization string. The $USER variable is an environment variable containing the name of the current user.

    +
    +
    +
    [user@registry ~]$ AUTHSTRING="{\"$host_fqdn:5000\": {\"auth\": \"$b64auth\",\"email\": \"$USER@redhat.com\"}}"
    +
    +
    +
  8. +
  9. +

    Update the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ jq ".auths += $AUTHSTRING" < pull-secret.txt > pull-secret-update.txt
    +
    +
    +
  10. +
+
+
+
+

3.7.5. Mirroring the repository (optional)

+
+
Procedure
+
    +
  1. +

    Copy the oc binary from the provisioner node to the registry node.

    +
    +
    +
    [user@registry ~]$ sudo scp kni@provisioner:/usr/local/bin/oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Get the release image and mirror the remote install images to the local repository.

    +
    +
    +
    [user@registry ~]$ export VERSION=latest-4.8
    +[user@registry ~]$ UPSTREAM_REPO=$(curl -s https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/$VERSION/release.txt | awk  '/Pull From/ {print $3}')
    +[user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.txt
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
  4. +
+
+
+
+

3.7.6. Modify the install-config.yaml file to use the disconnected registry (optional)

+
+

On the provisioner node, the install-config.yaml file should use the newly created pull-secret from the pull-secret-update.txt file. The install-config.yaml file must also contain the disconnected registry node’s certificate and registry information.

+
+
+
Procedure
+
    +
  1. +

    Add the disconnected registry node’s certificate to the install-config.yaml file. The certificate should follow the "additionalTrustBundle: |" line and be properly indented, usually by two spaces.

    +
    +
    +
    $ echo "additionalTrustBundle: |" >> install-config.yaml
    +$ sed -e 's/^/  /' /opt/registry/certs/domain.crt >> install-config.yaml
    +
    +
    +
  2. +
  3. +

    Add the mirror information for the registry to the install-config.yaml file.

    +
    +
    +
    $ cat <<EOF >> install-config.yaml
    +<image-config>: (1)
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: registry.svc.ci.openshift.org/ocp/release
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-release
    +EOF
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <image-config> with imageContentSources for OpenShift 4.13 and below, or imageDigestSources for Openshift 4.14 and above. +
    + + + + + +
    + + +Replace registry.example.com with the registry’s fully qualified domain name. +
    +
    +
    +
  4. +
+
+
+
+
+

3.8. Deploying routers on worker nodes

+
+

During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If the initial cluster has only one worker node, or if a deployed cluster requires additional routers to handle external traffic loads destined for services within the OpenShift Container Platform cluster, you can create a yaml file to set an appropriate number of router replicas.

+
+
+ + + + + +
+ + +
+

By default, the installer deploys two routers. +If the cluster has at least two worker nodes, you can skip this section. +For more information on the Ingress Operator see: Ingress Operator in OpenShift Container Platform.

+
+
+
+
+ + + + + +
+ + +
+

If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default. If the cluster has no worker nodes, you can skip this section.

+
+
+
+
+
Procedure
+
    +
  1. +

    Create a router-replicas.yaml file.

    +
    +
    +
    apiVersion: operator.openshift.io/v1
    +kind: IngressController
    +metadata:
    +  name: default
    +  namespace: openshift-ingress-operator
    +spec:
    +  replicas: <num-of-router-pods>
    +  endpointPublishingStrategy:
    +    type: HostNetwork
    +  nodePlacement:
    +    nodeSelector:
    +      matchLabels:
    +        node-role.kubernetes.io/worker: ""
    +
    +
    +
    + + + + + +
    + + +
    +

    Replace <num-of-router-pods> with an appropriate value. If working with just one worker node, set replicas: to 1. If working with more than 3 worker nodes, you can increase replicas: from the default value 2 as appropriate.

    +
    +
    +
    +
  2. +
  3. +

    Save and copy the router-replicas.yaml file to the clusterconfigs/openshift directory.

    +
    +
    +
    cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yaml
    +
    +
    +
  4. +
+
+
+
+

3.9. Validation checklist for installation

+
+
    +
  • +

    OpenShift Container Platform installer has been retrieved.

    +
  • +
  • +

    OpenShift Container Platform installer has been extracted.

    +
  • +
  • +

    Required parameters for the install-config.yaml have been configured.

    +
  • +
  • +

    The hosts parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    The bmc parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    Conventions for the values configured in the bmc address field have been applied.

    +
  • +
  • +

    Created a disconnected registry (optional).

    +
  • +
  • +

    Validate disconnected registry settings if in use. (optional)

    +
  • +
  • +

    Deployed routers on worker nodes. (optional)

    +
  • +
+
+
+
+

3.10. Deploying the cluster via the OpenShift Container Platform installer

+
+

Run the OpenShift Container Platform installer:

+
+
+
+
[kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs --log-level debug create cluster
+
+
+
+
+

3.11. Following the installation

+
+

During the deployment process, you can check the installation’s overall status by issuing the tail command to the .openshift_install.log log file in the install directory folder.

+
+
+
+
[kni@provisioner ~]$ tail -f /path/to/install-dir/.openshift_install.log
+
+
+
+
+

3.12. Verifying static IP address configuration

+
+

If the DHCP reservation for a cluster node specifies an infinite leases, after the installer successfully provisions the node, the dispatcher script will check the node’s network configuration. If the script determines that the network configuration contains an infinite DHCP lease, it creates a new connection using the IP address of the DHCP lease as a static IP address.

+
+
+ + + + + +
+ + +
+

The dispatcher script may run on successfully provisioned nodes while the provisioning of other nodes in the cluster is ongoing.

+
+
+
+
+

To verify the network configuration is working properly, you can:

+
+
+
    +
  • +

    Check the network interface configuration on the node.

    +
  • +
  • +

    Turn off the DHCP server and reboot the OpenShift Container Platform node and and ensure that the network configuration works properly.

    +
  • +
+
+
+
+
+
+

4. Installer-provisioned post-installation configuration

+
+
+

After successfully deploying an installer-provisioned cluster, consider the following post-installation procedures.

+
+
+

4.1. Configuring NTP for disconnected clusters (optional)

+
+

OpenShift Container Platform installs the chrony Network Time Protocol (NTP) service on the cluster nodes. +Use the following procedure to configure NTP servers on the control plane nodes and configure worker nodes as NTP clients of the control plane nodes after a successful deployment.

+
+
+
+Configuring NTP for disconnected clusters +
+
+
+

OpenShift Container Platform nodes must agree on a date and time to run properly. When worker nodes retrieve the date and time from the NTP servers on the control plane nodes, it enables the installation and operation of clusters that are not connected to a routable network and thereby do not have access to a higher stratum NTP server.

+
+
+
Procedure
+
    +
  1. +

    Create a ~/control-plane-chrony.conf configuration file for the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # Use public servers from the pool.ntp.org project.
    +# Please consider joining the pool (https://www.pool.ntp.org/join.html).
    +
    +# This file is managed by the machine config operator
    +server openshift-master-0.<cluster-name>.<domain> iburst (1)
    +server openshift-master-1.<cluster-name>.<domain> iburst
    +server openshift-master-2.<cluster-name>.<domain> iburst
    +
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +
    +# Configure the control plane nodes to serve as local NTP servers
    +# for all worker nodes, even if they are not in sync with an
    +# upstream NTP server.
    +
    +# Allow NTP client access from the local network.
    +allow all
    +# Serve time even if not synchronized to a time source.
    +local stratum 3 orphan
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
    +
    +
  2. +
  3. +

    Create a ~/worker-chrony.conf configuration file for the worker nodes such that worker nodes reference the NTP servers on the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # This file is managed by the machine config operator
    +server openshift-master-0.<cluster-name>.<domain> iburst (1)
    +server openshift-master-1.<cluster-name>.<domain> iburst
    +server openshift-master-2.<cluster-name>.<domain> iburst
    +
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
    +
    +
  4. +
  5. +

    Create a ~/ntp-server.yaml configuration file for telling the Machine Configuration Operator to apply the ~/control-plane-chrony.conf settings to the NTP servers on the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # This example MachineConfig replaces ~/control-plane-chrony.conf
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf-override-to-server
    +spec:
    +  config:
    +    ignition:
    +      version: 2.2.0
    +    storage:
    +      files:
    +        - contents:
    +            source: data:text/plain;charset=utf-8;base64,BASE64ENCODEDCONFIGFILE(1)
    +          filesystem: root
    +          mode: 0644
    +          path: /etc/control-plane-chrony.conf
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace the BASE64ENCODEDCONFIGFILE string with the base64-encoded string of the ~/control-plane-chrony.conf file in the subsequent step.
    +
    +
  6. +
  7. +

    Generate a base64 string of the ~/control-plane-chrony.conf file.

    +
    +
    +
    $ base64 ~/control-plane-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    IyBVc2UgcHVibGljIHNlcnZlcnMgZnJvbSB0aGUgcG9vbC5udHAub3JnIHByb2plY3QuCiMgUGxl
    +YXNlIGNvbnNpZGVyIGpvaW5pbmcgdGhlIHBvb2wgKGh0dHBzOi8vd3d3LnBvb2wubnRwLm9yZy9q
    +b2luLmh0bWwpLgoKIyBUaGlzIGZpbGUgaXMgbWFuYWdlZCBieSB0aGUgbWFjaGluZSBjb25maWcg
    +b3BlcmF0b3IKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMC48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMS48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMi48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKCnN0cmF0dW13ZWlnaHQgMApkcmlmdGZpbGUgL3Zhci9saWIvY2hyb255L2RyaWZ0
    +CnJ0Y3N5bmMKbWFrZXN0ZXAgMTAgMwpiaW5kY21kYWRkcmVzcyAxMjcuMC4wLjEKYmluZGNtZGFk
    +ZHJlc3MgOjoxCmtleWZpbGUgL2V0Yy9jaHJvbnkua2V5cwpjb21tYW5ka2V5IDEKZ2VuZXJhdGVj
    +b21tYW5ka2V5Cm5vY2xpZW50bG9nCmxvZ2NoYW5nZSAwLjUKbG9nZGlyIC92YXIvbG9nL2Nocm9u
    +eQoKIyBDb25maWd1cmUgdGhlIGNvbnRyb2wgcGxhbmUgbm9kZXMgdG8gc2VydmUgYXMgbG9jYWwg
    +TlRQIHNlcnZlcnMKIyBmb3IgYWxsIHdvcmtlciBub2RlcywgZXZlbiBpZiB0aGV5IGFyZSBub3Qg
    +aW4gc3luYyB3aXRoIGFuCiMgdXBzdHJlYW0gTlRQIHNlcnZlci4KCiMgQWxsb3cgTlRQIGNsaWVu
    +dCBhY2Nlc3MgZnJvbSB0aGUgbG9jYWwgbmV0d29yay4KYWxsb3cgYWxsCiMgU2VydmUgdGltZSBl
    +dmVuIGlmIG5vdCBzeW5jaHJvbml6ZWQgdG8gYSB0aW1lIHNvdXJjZS4KbG9jYWwgc3RyYXR1bSAz
    +IG9ycGhhbgo=
    +
    +
    +
    +

    Replace the BASE64ENCODEDCONFIGFILE string in the ~/ntp-server.yaml with the base64-encoded string.

    +
    +
  8. +
  9. +

    Create a ~/ntp-client.yaml configuration file for telling the Machine Configuration Operator to apply the ~/worker-chrony.conf settings to the NTP clients on the worker nodes.

    +
    +
    Configuration file example
    +
    +
    # This example MachineConfig replaces ~/worker-chrony.conf
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  labels:
    +    machineconfiguration.openshift.io/role: worker
    +  name: 99-master-etc-chrony-conf-override-for-worker
    +spec:
    +  config:
    +    ignition:
    +      version: 2.2.0
    +    storage:
    +      files:
    +        - contents:
    +            source: data:text/plain;charset=utf-8;base64,BASE64ENCODEDCONFIGFILE(1)
    +          filesystem: root
    +          mode: 0644
    +          path: /etc/worker-chrony.conf
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace the BASE64ENCODEDCONFIGFILE string with the base64-encoded string of the ~/worker-chrony.conf file in the subsequent step.
    +
    +
  10. +
  11. +

    Generate a base64-encoded string of the ~/worker-chrony.conf file.

    +
    +
    +
    $ base64 ~/worker-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    IyBUaGlzIGZpbGUgaXMgbWFuYWdlZCBieSB0aGUgbWFjaGluZSBjb25maWcgb3BlcmF0b3IKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMC48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMS48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMi48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKCnN0
    +cmF0dW13ZWlnaHQgMApkcmlmdGZpbGUgL3Zhci9saWIvY2hyb255L2RyaWZ0CnJ0Y3N5bmMKbWFr
    +ZXN0ZXAgMTAgMwpiaW5kY21kYWRkcmVzcyAxMjcuMC4wLjEKYmluZGNtZGFkZHJlc3MgOjoxCmtl
    +eWZpbGUgL2V0Yy9jaHJvbnkua2V5cwpjb21tYW5ka2V5IDEKZ2VuZXJhdGVjb21tYW5ka2V5Cm5v
    +Y2xpZW50bG9nCmxvZ2NoYW5nZSAwLjUKbG9nZGlyIC92YXIvbG9nL2Nocm9ueQo=
    +
    +
    +
    +

    Replace the BASE64ENCODEDCONFIGFILE string in the ~/ntp-client.yaml file with the base64-encoded string.

    +
    +
  12. +
  13. +

    Apply the ntp-server.yaml policy to the control plane nodes.

    +
    +
    +
    $ oc apply -f ~/ntp-server.yaml
    +
    +
    +
    +
    Example output
    +
    +
    machineconfig.machineconfiguration.openshift.io/99-master-etc-chrony-conf-override-for-server created
    +
    +
    +
  14. +
  15. +

    Apply the ~/ntp-client.yaml policy to the worker nodes.

    +
    +
    +
    $ oc apply -f ~/worker-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    machineconfig.machineconfiguration.openshift.io/99-master-etc-chrony-conf-override-for-worker created
    +
    +
    +
  16. +
  17. +

    Check the status of the applied NTP settings.

    +
    +
    +
    $ oc describe machineconfigpool
    +
    +
    +
  18. +
+
+
+
+

4.2. Configuring an external load balancer

+
+

You can configure an OpenShift Container Platform cluster +to use an external load balancer in place of the default load balancer.

+
+
+
Prerequisites
+
    +
  • +

    On your load balancer, TCP over ports 6443, 443, and 80 must be available to any users of your system.

    +
  • +
  • +

    Load balance the API port, 6443, between each of the control plane nodes.

    +
  • +
  • +

    Load balance the application ports, 443 and 80, between all of the compute nodes.

    +
  • +
  • +

    On your load balancer, port 22623, which is used to serve ignition start-up configurations to nodes, is not exposed outside of the cluster.

    +
  • +
  • +

    Your load balancer must be able to access every machine in your cluster. Methods to allow this access include:

    +
    +
      +
    • +

      Attaching the load balancer to the cluster’s machine subnet.

      +
    • +
    • +

      Attaching floating IP addresses to machines that use the load balancer.

      +
    • +
    +
    +
  • +
+
+
+ + + + + +
+ + +
+

External load balancing services and the control plane nodes must run on the same L2 network, and on the same VLAN when using VLANs to route traffic between the load balancing services and the control plane nodes.

+
+
+
+
+
Procedure
+
    +
  1. +

    Enable access to the cluster from your load balancer on ports 6443, 443, and 80.

    +
    +

    As an example, note this HAProxy configuration:

    +
    +
    +
    A section of a sample HAProxy configuration
    +
    +
    ...
    +listen my-cluster-api-6443
    +    bind 0.0.0.0:6443
    +    mode tcp
    +    balance roundrobin
    +    server my-cluster-master-2 192.0.2.2:6443 check
    +    server my-cluster-master-0 192.0.2.3:6443 check
    +    server my-cluster-master-1 192.0.2.1:6443 check
    +listenmy-cluster-apps-443
    +        bind 0.0.0.0:443
    +        mode tcp
    +        balance roundrobin
    +        server my-cluster-worker-0 192.0.2.6:443 check
    +        server my-cluster-worker-1 192.0.2.5:443 check
    +        server my-cluster-worker-2 192.0.2.4:443 check
    +listenmy-cluster-apps-80
    +        bind 0.0.0.0:80
    +        mode tcp
    +        balance roundrobin
    +        server my-cluster-worker-0 192.0.2.7:80 check
    +        server my-cluster-worker-1 192.0.2.9:80 check
    +        server my-cluster-worker-2 192.0.2.8:80 check
    +
    +
    +
  2. +
  3. +

    Add records to your DNS server for the cluster API and apps over the load balancer. For example:

    +
    +
    +
    <load_balancer_ip_address> api.<cluster_name>.<base_domain>
    +<load_balancer_ip_address> apps.<cluster_name>.<base_domain>
    +
    +
    +
  4. +
  5. +

    From a command line, use curl to verify that the external load balancer and DNS configuration are operational.

    +
    +
      +
    1. +

      Verify that the cluster API is accessible:

      +
      +
      +
      $ curl https://<loadbalancer_ip_address>:6443/version --insecure
      +
      +
      +
      +

      If the configuration is correct, you receive a JSON object in response:

      +
      +
      +
      +
      {
      +  "major": "1",
      +  "minor": "11+",
      +  "gitVersion": "v1.11.0+ad103ed",
      +  "gitCommit": "ad103ed",
      +  "gitTreeState": "clean",
      +  "buildDate": "2019-01-09T06:44:10Z",
      +  "goVersion": "go1.10.3",
      +  "compiler": "gc",
      +  "platform": "linux/amd64"
      +}
      +
      +
      +
    2. +
    3. +

      Verify that cluster applications are accessible:

      +
      + + + + + +
      + + +
      +

      You can also verify application accessibility by opening the OpenShift Container Platform console in a web browser.

      +
      +
      +
      +
      +
      +
      $ curl http://console-openshift-console.apps.<cluster_name>.<base_domain> -I -L --insecure
      +
      +
      +
      +

      If the configuration is correct, you receive an HTTP response:

      +
      +
      +
      +
      HTTP/1.1 302 Found
      +content-length: 0
      +location: https://console-openshift-console.apps.<cluster-name>.<base domain>/
      +cache-control: no-cacheHTTP/1.1 200 OK
      +referrer-policy: strict-origin-when-cross-origin
      +set-cookie: csrf-token=39HoZgztDnzjJkq/JuLJMeoKNXlfiVv2YgZc09c3TBOBU4NI6kDXaJH1LdicNhN1UsQWzon4Dor9GWGfopaTEQ==; Path=/; Secure
      +x-content-type-options: nosniff
      +x-dns-prefetch-control: off
      +x-frame-options: DENY
      +x-xss-protection: 1; mode=block
      +date: Tue, 17 Nov 2020 08:42:10 GMT
      +content-type: text/html; charset=utf-8
      +set-cookie: 1e2670d92730b515ce3a1bb65da45062=9b714eb87e93cf34853e87a92d6894be; path=/; HttpOnly; Secure; SameSite=None
      +cache-control: private
      +
      +
      +
    4. +
    +
    +
  6. +
+
+
+
+

4.3. Enabling a provisioning network after installation

+
+

The assisted installer and installer-provisioned installation for bare metal clusters provide the ability to deploy a cluster without a provisioning network. This capability is for scenarios such as proof-of-concept clusters or deploying exclusively with Redfish virtual media when each node’s baseboard management controller is routable via the baremetal network.

+
+
+

In OpenShift Container Platform 4.8 and later, you can enable a provisioning network after installation using the Cluster Baremetal Operator (CBO).

+
+
+
Prerequisites
+
    +
  • +

    A dedicated physical network must exist, connected to all worker and control plane nodes.

    +
  • +
  • +

    You must isolate the native, untagged physical network.

    +
  • +
  • +

    The network cannot have a DHCP server when the provisioningNetwork configuration setting is set to Managed.

    +
  • +
  • +

    You must connect the control plane nodes to the network with the same network interface, such as eth0 or eno1.

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Identify the provisioning interface name for the cluster nodes. For example, eth0 or eno1.

    +
  2. +
  3. +

    Enable the Preboot eXecution Environment (PXE) on the provisioning network interface of the cluster nodes.

    +
  4. +
  5. +

    Retrieve the current state of the provisioning network and save it to a provisioning configuration resource file:

    +
    +
    +
    $ oc get provisioning -o yaml > enable-provisioning-nw.yaml
    +
    +
    +
  6. +
  7. +

    Modify the provisioning configuration resource file:

    +
    +
    +
    $ vim ~/enable-provisioning-nw.yaml
    +
    +
    +
    +

    Scroll down to the provisioningNetwork configuration setting and change it from Disabled to Managed. Then, add the provisioningOSDownloadURL, provisioningIP, provisioningNetworkCIDR, provisioningDHCPRange, provisioningInterface, and watchAllNameSpaces configuration settings after the provisioningNetwork setting. Provide appropriate values for each setting.

    +
    +
    +
    +
    apiVersion: v1
    +items:
    +- apiVersion: metal3.io/v1alpha1
    +  kind: Provisioning
    +  metadata:
    +    name: provisioning-configuration
    +  spec:
    +    provisioningNetwork: (1)
    +    provisioningOSDownloadURL: (2)
    +    provisioningIP: (3)
    +    provisioningNetworkCIDR: (4)
    +    provisioningDHCPRange: (5)
    +    provisioningInterface: (6)
    +    watchAllNameSpaces: (7)
    +
    +
    +
    +

    where:

    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    1The provisioningNetwork is one of Managed, Unmanaged, or Disabled. When set to Managed, Metal3 manages the provisioning network and the CBO deploys the Metal3 pod with a configured DHCP server. When set to Unmanaged, the system administrator configures the DHCP server manually.
    2The provisioningOSDownloadURL is a valid HTTPS URL with a valid sha256 checksum that enables the Metal3 pod to download a qcow2 operating system image ending in .qcow2.gz or .qcow2.xz. This field is required whether the provisioning network is Managed, Unmanaged, or Disabled. For example: http://192.168.0.1/images/rhcos-<version>.x86_64.qcow2.gz?sha256=<sha>.
    3The provisioningIP is the static IP address that the DHCP server and ironic use to provision the network. This static IP address must be within the provisioning subnet, and outside of the DHCP range. If you configure this setting, it must have a valid IP address even if the provisioning network is Disabled. The static IP address is bound to the metal3 pod. If the metal3 pod fails and moves to another server, the static IP address also moves to the new server.
    4The Classless Inter-Domain Routing (CIDR) address. If you configure this setting, it must have a valid CIDR address even if the provisioning network is Disabled. For example: 192.168.0.1/24.
    5The DHCP range. This setting is only applicable to a Managed provisioning network. Omit this configuration setting if the provisioning network is Disabled. For example: 192.168.0.64, 192.168.0.253.
    6The NIC name for the provisioning interface on cluster nodes. This setting is only applicable to Managed and Unamanged provisioning networks. Omit this configuration setting if the provisioning network is Disabled.
    7Set this setting to true if you want metal3 to watch namespaces other than the default openshift-machine-api namespace. The default value is false.
    +
    +
  8. +
  9. +

    Save the changes to the provisioning configuration resource file.

    +
  10. +
  11. +

    Apply the provisioning configuration resource file to the cluster:

    +
    +
    +
    $ oc apply -f enable-provisioning-nw.yaml
    +
    +
    +
  12. +
+
+
+
+
+
+

5. Day 2 operations

+
+
+

The following sections are optional, but may be of interest after the initial deployment has been completed.

+
+
+

5.1. Accessing the web console

+
+

The web console runs as a pod on the master. The static assets required to run +the web console are served by the pod. Once OpenShift Container Platform is successfully +installed, find the URL for the web console and login credentials for your +installed cluster in the CLI output of the installation program. For example:

+
+
+
Example output
+
+
INFO Install complete!
+INFO Run 'export KUBECONFIG=<your working directory>/auth/kubeconfig' to manage the cluster with 'oc', the OpenShift CLI.
+INFO The cluster is ready when 'oc login -u kubeadmin -p <provided>' succeeds (wait a few minutes).
+INFO Access the OpenShift web-console here: https://console-openshift-console.apps.demo1.openshift4-beta-abcorp.com
+INFO Login to the console with user: kubeadmin, password: <provided>
+
+
+
+

Use those details to log in and access the web console.

+
+
+

Additionally, you can execute:

+
+
+
+
oc whoami --show-console
+
+
+
+

To obtain the url for the console.

+
+
+
+

5.2. Backing up the cluster configuration

+
+

At this point you have a working OpenShift 4 cluster on baremetal. +In order to take advantage of the baremetal hardware that was the provision node, +you can repurpose the provisioning node as a worker. +Prior to reprovisioning the node, it is recommended to backup some existing files.

+
+
+
Procedure
+
    +
  1. +

    Tar the clusterconfig folder and download it to your local machine.

    +
    +
    +
    tar cvfz clusterconfig.tar.gz ~/clusterconfig
    +
    +
    +
  2. +
  3. +

    Copy the Private part for the SSH Key configured on the install-config.yaml file to your local machine.

    +
    +
    +
    tar cvfz clusterconfigsh.tar.gz ~/.ssh/id_rsa*
    +
    +
    +
  4. +
  5. +

    Copy the install-config.yaml and metal3-config.yaml files.

    +
    +
    +
    tar cvfz yamlconfigs.tar.gz install-config.yaml metal3-config.yaml
    +
    +
    +
  6. +
+
+
+
+

5.3. Expanding the cluster

+
+

After deploying an installer-provisioned OpenShift Container Platform cluster, you can use the following procedures to expand the number of worker nodes. Ensure that each prospective worker node meets the prerequisites.

+
+
+ + + + + +
+ + +
+

Expanding the cluster using RedFish Virtual Media involves meeting minimum firmware requirements. See Firmware requirements for installing with virtual media in the Prerequisites section for additional details when expanding the cluster using RedFish Virtual Media.

+
+
+
+
+

5.3.1. Preparing the bare metal node

+
+

Expanding the cluster requires a DHCP server. Each node must have a DHCP reservation.

+
+
+ + + + + +
+ + +
Reserving IP addresses so they become static IP addresses
+
+

Some administrators prefer to use static IP addresses so that each node’s IP address remains constant in the absence of a DHCP server. To use static IP addresses in the OpenShift Container Platform cluster, reserve the IP addresses in the DHCP server with an infinite lease. After the installer provisions the node successfully, the dispatcher script will check the node’s network configuration. If the dispatcher script finds that the network configuration contains a DHCP infinite lease, it will recreate the connection as a static IP connection using the IP address from the DHCP infinite lease. NICs without DHCP infinite leases will remain unmodified.

+
+
+
+
+

Preparing the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Get the oc binary, if needed. It should already exist on the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ export VERSION=latest-4.8
    +[kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux-$VERSION.tar.gz | tar zxvf - oc
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Power off the bare metal node via the baseboard management controller and ensure it is off.

    +
  4. +
  5. +

    Retrieve the user name and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the user name and password. In the following example, the user name is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  6. +
  7. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: <protocol>://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of the bare metal node in the two name fields and the credentialsName field. Replace <base64-of-uid> with the base64 string of the user name. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC.

    +
    +
    +

    Refer to the BMC addressing section for additional BMC configuration options. Replace <protocol> with the BMC protocol, such as IPMI, RedFish, or others. +Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
    + + + + + +
    + + +
    +

    If the MAC address of an existing bare metal node matches the MAC address of a bare metal host that you are attempting to provision, then the Ironic installation will fail. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the metal3-baremetal-operator will continuously retry. See Diagnosing a host duplicate MAC address for more information.

    +
    +
    +
    +
  8. +
  9. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  10. +
  11. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
+
+
+
+

5.3.2. Preparing to deploy with Virtual Media on the baremetal network

+
+

If the provisioning network is enabled, and you want to expand the cluster using Virtual Media on the baremetal network, execute the following procedure.

+
+
+
Procedure
+
    +
  1. +

    Edit the provisioning configuration resource (CR) to enable deploying with Virtual Media on the baremetal network.

    +
    +
    +
    oc edit provisioning
    +
    +
    +
    +
    +
      apiVersion: metal3.io/v1alpha1
    +  kind: Provisioning
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:50Z"
    +    finalizers:
    +    - provisioning.metal3.io
    +    generation: 8
    +    name: provisioning-configuration
    +    resourceVersion: "551591"
    +    uid: f76e956f-24c6-4361-aa5b-feaf72c5b526
    +  spec:
    +    preProvisioningOSDownloadURLs: {}
    +    provisioningDHCPRange: 172.22.0.10,172.22.0.254
    +    provisioningIP: 172.22.0.3
    +    provisioningInterface: enp1s0
    +    provisioningNetwork: Managed
    +    provisioningNetworkCIDR: 172.22.0.0/24
    +    provisioningOSDownloadURL: http://192.168.111.1/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.gz?sha256=c7dde5f96826c33c97b5a4ad34110212281916128ae11100956f400db3d5299e
    +    virtualMediaViaExternalNetwork: true (1)
    +  status:
    +    generations:
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 7
    +      name: metal3
    +      namespace: openshift-machine-api
    +      resource: deployments
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 1
    +      name: metal3-image-cache
    +      namespace: openshift-machine-api
    +      resource: daemonsets
    +    observedGeneration: 8
    +    readyReplicas: 0
    +
    +
    +
    + + + + + +
    1Add virtualMediaViaExternalNetwork: true to the provisioning CR.
    +
    +
  2. +
  3. +

    Edit the machine set to use the API VIP address.

    +
    +
    +
    oc edit machineset
    +
    +
    +
    +
    +
      apiVersion: machine.openshift.io/v1beta1
    +  kind: MachineSet
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:52Z"
    +    generation: 11
    +    labels:
    +      machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +      machine.openshift.io/cluster-api-machine-role: worker
    +      machine.openshift.io/cluster-api-machine-type: worker
    +    name: ostest-hwmdt-worker-0
    +    namespace: openshift-machine-api
    +    resourceVersion: "551513"
    +    uid: fad1c6e0-b9da-4d4a-8d73-286f78788931
    +  spec:
    +    replicas: 2
    +    selector:
    +      matchLabels:
    +        machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +        machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +    template:
    +      metadata:
    +        labels:
    +          machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +          machine.openshift.io/cluster-api-machine-role: worker
    +          machine.openshift.io/cluster-api-machine-type: worker
    +          machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +      spec:
    +        metadata: {}
    +        providerSpec:
    +          value:
    +            apiVersion: baremetal.cluster.k8s.io/v1alpha1
    +            hostSelector: {}
    +            image:
    +              checksum: http:/172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.md5sum (1)
    +              url: http://172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2 (2)
    +            kind: BareMetalMachineProviderSpec
    +            metadata:
    +              creationTimestamp: null
    +            userData:
    +              name: worker-user-data
    +  status:
    +    availableReplicas: 2
    +    fullyLabeledReplicas: 2
    +    observedGeneration: 11
    +    readyReplicas: 2
    +    replicas: 2
    +
    +
    +
    + + + + + + + + + +
    1Edit the checksum URL to use the API VIP address.
    2Edit the url URL to use the API VIP address.
    +
    +
  4. +
+
+
+
Diagnosing a duplicate MAC address when provisioning a new host in the cluster
+
+

If the MAC address of an existing bare-metal node in the cluster matches the MAC address of a bare-metal host you are attempting to add to the cluster, the Bare Metal Operator associates the host with the existing node. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the Bare Metal Operator retries the installation continuously. A registration error is displayed for the failed bare-metal host.

+
+
+

You can diagnose a duplicate MAC address by examining the bare-metal hosts that are running in the openshift-machine-api namespace.

+
+
+
Prerequisites
+
    +
  • +

    Install an OpenShift Container Platform cluster on bare metal.

    +
  • +
  • +

    Install the OpenShift Container Platform CLI oc.

    +
  • +
  • +

    Log in as a user with cluster-admin privileges.

    +
  • +
+
+
+
Procedure
+

To determine whether a bare-metal host that fails provisioning has the same MAC address as an existing node, do the following:

+
+
+
    +
  1. +

    Get the bare-metal hosts running in the openshift-machine-api namespace:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    Example output
    +
    +
    NAME                 STATUS   PROVISIONING STATUS      CONSUMER
    +openshift-master-0   OK       externally provisioned   openshift-zpwpq-master-0
    +openshift-master-1   OK       externally provisioned   openshift-zpwpq-master-1
    +openshift-master-2   OK       externally provisioned   openshift-zpwpq-master-2
    +openshift-worker-0   OK       provisioned              openshift-zpwpq-worker-0-lv84n
    +openshift-worker-1   OK       provisioned              openshift-zpwpq-worker-0-zd8lm
    +openshift-worker-2   error    registering
    +
    +
    +
  2. +
  3. +

    To see more detailed information about the status of the failing host, run the following command replacing <bare_metal_host_name> with the name of the host:

    +
    +
    +
    $ oc get -n openshift-machine-api bmh <bare_metal_host_name> -o yaml
    +
    +
    +
    +
    Example output
    +
    +
    ...
    +status:
    +  errorCount: 12
    +  errorMessage: MAC address b4:96:91:1d:7c:20 conflicts with existing node openshift-worker-1
    +  errorType: registration error
    +...
    +
    +
    +
  4. +
+
+
+
+
+

5.3.3. Provisioning the bare metal node

+
+

Provisioning the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  2. +
  3. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-3.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-1.openshift.example.com            Ready    master          30h     v1.16.2
    +
    +
    +
  4. +
  5. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +...
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +
    +
    +
  6. +
  7. +

    Increase the number of worker nodes by one.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  8. +
  9. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This can take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  10. +
  11. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                          STATUS   ROLES   AGE     VERSION
    +provisioner.openshift.example.com             Ready    master  30h     v1.16.2
    +openshift-master-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-2.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-3.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-0.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  12. +
+
+
+
+

5.3.4. Preparing the provisioner node to be deployed as a worker node

+
+
Procedure
+

Perform the following steps prior to converting the provisioner node to a worker node.

+
+
+
    +
  1. +

    ssh to a system (for example, a laptop) that can access the out of band management network of the current provisioner node.

    +
  2. +
  3. +

    Copy the backups clusterconfig.tar.gz, clusterconfigsh.tar.gz, and amlconfigs.tar.gz to the new system.

    +
  4. +
  5. +

    Copy the oc binary from the existing provisioning node to the new system.

    +
  6. +
  7. +

    Make a note of the mac addresses, the baremetal network IP used for the provisioner node, and the IP address of +the Out of band Management Network.

    +
  8. +
  9. +

    Reboot the system and ensure that PXE is enabled on the provisioning network and PXE is disabled for all other NICs.

    +
  10. +
  11. +

    If installation was performed using a Satellite server, remove the Host entry for the existing provisioning node.

    +
  12. +
  13. +

    Install the ipmitool on the new system in order to power off the provisioner node.

    +
  14. +
+
+
+
+

5.3.5. Adding a worker node to an existing cluster

+
+
Procedure
+
    +
  1. +

    Retrieve the username and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the username and password. In the following example, the username is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  2. +
  3. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of bare metal node in two name fields and credentialsName field. Replace <base64-of-uid> with the base64 string of the username. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC. Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
  4. +
+
+
+ + + + + +
+ + +
+

When using redfish or redfish-virtualmedia, add the +appropriate addressing as described in the BMC addressing section. See BMC addressing for details.

+
+
+
+
+
    +
  1. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  2. +
  3. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  4. +
  5. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  6. +
  7. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
  8. +
  9. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +openshift-worker-2.example.com      1         1         1       1           55m
    +
    +
    +
  10. +
  11. +

    Increase the number of worker nodes by 1.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  12. +
  13. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This may take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  14. +
  15. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  16. +
+
+
+
Appending DNS records
+
+
Configuring Bind (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +<OUTPUT_OMITTED>
    +openshift-worker-1      A       <ip-of-worker-1>
    +openshift-worker-2      A       <ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  6. +
  7. +

    Increase the SERIAL value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the SERIAL value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+

Append the following DNS record to the /etc/hosts file on the server hosting the dnsmasq service.

+
+
+
+
<OUTPUT_OMITTED>
+<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
+<NIC2-IP> openshift-worker-2.openshift.example.com openshift-worker-2
+
+
+
+ + + + + +
+ + +
+

Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

+
+
+
+
+
+
+
Appending DHCP reservations
+
+
Configuring dhcpd (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host openshift-worker-2 {
    +     option host-name "worker-2";
    +     hardware ethernet <NIC2-mac-address>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+
    +
  1. +

    Append the following DHCP reservation to the /etc/dnsmasq.d/example.dns file on the server hosting the dnsmasq service.

    +
    +
    +
    <OUTPUT_OMITTED>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-worker-1>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-2.openshift.example.com,<ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

    +
    +
    +
    +
  2. +
  3. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  4. +
+
+
+
+
+
Deploying the provisioner node as a worker node using Metal3
+
+

After you have completed the prerequisites, perform the deployment process.

+
+
+
Procedure
+
    +
  1. +

    Power off the node using ipmitool and confirm the provisioning node is powered off.

    +
    +
    +
    ssh <server-with-access-to-management-net>
    +# Use the user, password and Management net IP adddress to shutdown the system
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +# Confirm the server is powered down
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power status
    +Chassis Power is off
    +
    +
    +
  2. +
  3. +

    Get base64 strings for the Out of band Management credentials. In this example, the user is root and the password is calvin.

    +
    +
    +
    # Use echo -ne, otherwise you will get your secrets with \n which will cause issues
    +# Get root username in base64
    +echo -ne "root" | base64
    +# Get root password in base64
    +echo -ne "calvin" | base64
    +
    +
    +
  4. +
  5. +

    Configure the BaremetalHost bmh.yaml file.

    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-2-bmc-secret
    +type: Opaque
    +data:
    +  username: ca2vdAo=
    +  password: MWAwTWdtdC0K
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-2
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<out-of-band-ip>
    +    credentialsName: openshift-worker-2-bmc-secret
    +
    +
    +
  6. +
  7. +

    Create the BaremetalHost.

    +
    +
    +
    ./oc -n openshift-machine-api create -f bmh.yaml
    +secret/openshift-worker-2-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-2 created
    +
    +
    +
  8. +
  9. +

    Power up and inspect the node.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       inspecting                       ipmi://<out-of-band-ip>                      true
    +
    +
    +
  10. +
  11. +

    After finishing the inspection, the node is ready to be provisioned.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
  13. +

    Scale the workers machineset. Previously, there were two replicas during original installation.

    +
    +
    +
    ./oc get machineset -n openshift-machine-api
    +NAME            DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-2   0         0                             21h
    +
    +./oc -n openshift-machine-api scale machineset openshift-worker-2 --replicas=3
    +
    +
    +
  14. +
  15. +

    The baremetal host moves to provisioning status. This can take as long as 30 minutes. You can follow the status +from the node console.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioning          openshift-worker-0-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  16. +
  17. +

    When the node is provisioned it moves to provisioned status.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioned           openshift-worker-2-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  18. +
  19. +

    When the kubelet finishes initialization the node is ready for use. +You can connect to the node and run journalctl -fu kubelet to check the process.

    +
    +
    +
    oc get node
    +NAME                                            STATUS   ROLES           AGE     VERSION
    +openshift-master-0.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-1.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-2.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
  20. +
+
+
+
+
+
+
+
+

6. Appendix

+
+
+

In this section of the document, extra information is provided that is outside of the regular workflow.

+
+
+

6.1. Troubleshooting

+
+

Troubleshooting the installation is out of scope of the Deployment Guide. For more details on troubleshooting deployment, refer to our Troubleshooting guide.

+
+
+
+

6.2. Creating DNS Records

+
+

Two options are documented for configuring DNS records:

+
+ +
+

6.2.1. Configuring Bind (Option 1)

+
+

Use Option 1 if access to the appropriate DNS server for the baremetal network is accessible or a request +to your network admin to create the DNS records is an option. +If this is not an option, skip this section and go to section Create DNS records using dnsmasq (Option 2).

+
+
+

Create a subzone with the name of the cluster that is going to be used on your domain. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +$TTL 300        ; 5 minutes
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +api                     A       <api-ip>
    +ns1                     A       <dns-vip-ip>
    +$ORIGIN apps.openshift.example.com.
    +*                       A       <wildcard-ingress-lb-ip>
    +$ORIGIN openshift.example.com.
    +provisioner             A       <NIC2-ip-of-provision>
    +openshift-master-0      A       <NIC2-ip-of-openshift-master-0>
    +openshift-master-1      A       <NIC2-ip-of-openshift-master-1>
    +openshift-master-2      A       <NIC2-ip-of-openshift-master-2>
    +openshift-worker-0      A       <NIC2-ip-of-openshift-worker-0>
    +openshift-worker-1      A       <NIC2-ip-of-openshift-worker-1>
    +
    +
    +
  6. +
  7. +

    Increase the serial value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    +
    +
    $ORIGIN 1.0.10.in-addr.arpa.
    +$TTL 300
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +126 IN      PTR      provisioner.openshift.example.com.
    +127	IN        	PTR    	openshift-master-0.openshift.example.com.
    +128	IN        	PTR    	openshift-master-1.openshift.example.com.
    +129	IN 	        PTR   	openshift-master-2.openshift.example.com.
    +130	IN 	        PTR   	openshift-worker-0.openshift.example.com.
    +131	IN        	PTR    	openshift-worker-1.openshift.example.com.
    +132 IN      PTR     api.openshift.example.com.
    +133 IN      PTR     ns1.openshift.example.com.
    +
    +
    +
    + + + + + +
    + + +
    +

    In this example, the IP addresses 10.0.1.126-133 are pointed to the corresponding fully qualified domain name.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the serial value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+

6.2.2. Configuring dnsmasq (Option 2)

+
+

To create DNS records, open the /etc/hosts file and add the NIC2 (baremetal net) IP followed by the hostname. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Edit /etc/hosts and add the NIC2 (baremetal net) IP followed by the hostname.

    +
    +
    +
    cat /etc/hosts
    +127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    +::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    +<NIC2-IP> provisioner.openshift.example.com provisioner
    +<NIC2-IP> openshift-master-0.openshift.example.com openshift-master-0
    +<NIC2-IP> openshift-master-1.openshift.example.com openshift-master-1
    +<NIC2-IP> openshift-master-2.openshift.example.com openshift-master-2
    +<NIC2-IP> openshift-worker-0.openshift.example.com openshift-worker-0
    +<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
    +<API-IP>  api.openshift.example.com api
    +<DNS-VIP-IP> ns1.openshift.example.com ns1
    +
    +
    +
  2. +
  3. +

    Open the appropriate firewalld DNS service and reload the rules.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dns --permanent
    +firewall-cmd --reload
    +
    +
    +
  4. +
+
+
+
+
+

6.3. Creating DHCP reservations

+
+

Two options are documented for configuring DHCP:

+
+ +
+

6.3.1. Configuring dhcpd (Option 1)

+
+

Use Option 1 if access to the appropriate DHCP server for the baremetal network is accessible or a request +to your network admin to create the DHCP reservations is an option. +If this is not an option, skip this section and go to section Create DHCP records using dnsmasq (Option 2).

+
+
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host provisioner {
    +     option host-name "provisioner";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-master-0 {
    +     option host-name "openshift-master-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-1 {
    +     option host-name "openshift-master-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-2 {
    +     option host-name "openshift-master-2";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-0 {
    +     option host-name "openshift-worker-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-1 {
    +     option host-name "openshift-worker-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+

6.3.2. Configuring dnsmasq (Option 2)

+
+

Set up dnsmasq on a server that can access the baremetal network.

+
+
+
Procedure
+
    +
  1. +

    Install dnsmasq.

    +
    +
    +
    dnf install -y dnsmasq
    +
    +
    +
  2. +
  3. +

    Change to the /etc/dnsmasq.d directory.

    +
    +
    +
    cd /etc/dnsmasq.d
    +
    +
    +
  4. +
  5. +

    Create a file that reflects your OpenShift cluster appended by .dns.

    +
    +
    +
    touch <filename>.dns
    +
    +
    +
  6. +
  7. +

    Open the appropriate firewalld DHCP service.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dhcp --permanent
    +firewall-cmd --reload
    +
    +
    +
  8. +
  9. +

    Define DNS configuration file

    +
    IPv4
    +
    +

    Here is an example of the .dns file for IPv4.

    +
    +
    +
    +
    domain-needed
    +bind-dynamic
    +bogus-priv
    +domain=openshift.example.com
    +dhcp-range=<baremetal-net-starting-ip,baremetal-net-ending-ip>
    +#dhcp-range=10.0.1.4,10.0.14
    +dhcp-option=3,<baremetal-net-gateway-ip>
    +#dhcp-option=3,10.0.1.254
    +resolv-file=/etc/resolv.conf.upstream
    +interface=<nic-with-access-to-baremetal-net>
    +#interface=em2
    +server=<ip-of-existing-server-on-baremetal-net>
    +
    +
    +#Wildcard for apps -- make changes to cluster-name (openshift) and domain (example.com)
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +
    +#Static IPs for Masters
    +dhcp-host=<NIC2-mac-address>,provisioner.openshift.example.com,<ip-of-provisioner>
    +dhcp-host=<NIC2-mac-address>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<NIC2-mac-address>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<NIC2-mac-address>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-0.openshift.example.com,<ip-of-openshift-worker-0>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-openshift-worker-1>
    +
    +
    +
    IPv6
    +
    +

    Here is an example of the .dns file for IPv6.

    +
    +
    +
    +
    strict-order
    +bind-dynamic
    +bogus-priv
    +dhcp-authoritative
    +dhcp-range=baremetal,<baremetal-IPv6-dhcp-range-start>,<baremetal-IPv6-dhcp-range-end>,<range-prefix>
    +dhcp-option=baremetal,option6:dns-server,[<IPv6-DNS-Server>]
    +
    +resolv-file=/etc/resolv.conf.upstream
    +except-interface=lo
    +dhcp-lease-max=81
    +log-dhcp
    +
    +domain=openshift.example.com,<baremetal-IPv6-cidr>,local
    +
    +# static host-records
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +host-record=api.openshift.example.com,<api-ip>
    +host-record=ns1.openshift.example.com,<dns-ip>
    +host-record=openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +host-record=openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +host-record=openshift-master-2.openshift.example.com,<ip-of-openshift-master-1>
    +# Registry
    +host-record=registry.openshift.example.com,<ip-of-registry-server>
    +
    +#Static IPs for Masters
    +dhcp-host=<baremetal-nic-duid>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<baremetal-nic-duid>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<baremetal-nic-duid>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +
    +
    +
  10. +
  11. +

    Create the resolv.conf.upstream file to provide DNS fowarding to an existing DNS server for resolution +to the outside world.

    +
    +
    +
    search <domain.com>
    +nameserver <ip-of-my-existing-dns-nameserver>
    +
    +
    +
  12. +
  13. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  14. +
  15. +

    Verify the dnsmasq service is running.

    +
    +
    +
    systemctl status dnsmasq
    +
    +
    +
  16. +
+
+
+
+
+
+
+
+
+
+1. Stateless Address AutoConfiguration +
+
+ + + \ No newline at end of file diff --git a/4.8/Deployment.pdf b/4.8/Deployment.pdf new file mode 100644 index 0000000000..5628fecb2b Binary files /dev/null and b/4.8/Deployment.pdf differ diff --git a/4.8/Troubleshooting.html b/4.8/Troubleshooting.html new file mode 100644 index 0000000000..cbf7ddef42 --- /dev/null +++ b/4.8/Troubleshooting.html @@ -0,0 +1,1991 @@ + + + + + + + + + + +Troubleshooting Guide for IPI Installation + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+

While attempting to deploy Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal (BM), you may run into a situation where you need to troubleshoot your environment. This document provides troubleshooting guidance and tips in solving common issues that may arise.

+
+
+
+
+

1. Troubleshooting the installer workflow

+
+
+

Prior to troubleshooting the installation environment, it is critical to understand the overall flow of the IPI installation on bare metal. The diagrams below provide a troubleshooting flow with a step-by-step breakdown for the environment.

+
+
+

Flow-Diagram-1

+
+
+

Workflow 1 of 4 illustrates a troubleshooting workflow when the install-config.yaml file has errors or the Red Hat Enterprise Linux CoreOS (RHCOS) images are inaccessible. Troubleshooting suggestions can be found at

+
+ +
+

Flow-Diagram-2

+
+
+

Workflow 2 of 4 illustrates a troubleshooting workflow for bootstrap VM issues, bootstrap VMs that cannot boot up the cluster nodes, and inspecting logs.

+
+
+

Flow-Diagram-3

+
+
+

Workflow 3 of 4 illustrates a troubleshooting workflow for cluster nodes that will not PXE boot.

+
+
+

Flow-Diagram-4

+
+
+

Workflow 4 of 4 illustrates a troubleshooting workflow from + a non-accessible API to a validated installation.

+
+
+
+
+

2. Troubleshooting install-config.yaml

+
+
+

The install-config.yaml configuration file represents all of the nodes that are part of the OpenShift Container Platform cluster. The file contains the necessary options consisting of but not limited to apiVersion, baseDomain, imageContentSources (OpenShift 4.13 and below) or imageDigestSources (OpenShirt 4.14 and above), and virtual IP addresses. If errors occur early in the deployment of the OpenShift Container Platform cluster, the errors are likely in the install-config.yaml configuration file.

+
+
+
Procedure
+
    +
  1. +

    Use the guidelines in YAML-tips.

    +
  2. +
  3. +

    Verify the YAML syntax is correct using syntax-check.

    +
  4. +
  5. +

    Verify the Red Hat Enterprise Linux CoreOS (RHCOS) QEMU images are properly defined and accessible via the URL provided in the install-config.yaml. For example:

    +
    +
    +
    $ curl -s -o /dev/null -I -w "%{http_code}\n" http://webserver.example.com:8080/rhcos-44.81.202004250133-0-qemu.x86_64.qcow2.gz?sha256=7d884b46ee54fe87bbc3893bf2aa99af3b2d31f2e19ab5529c60636fbd0f1ce7
    +
    +
    +
    +

    If the output is 200, there is a valid response from the webserver storing the bootstrap VM image.

    +
    +
  6. +
+
+
+
+
+

3. Bootstrap VM issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    $ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
    + + + + + +
    + + +
    +

    The name of the bootstrap VM is always the cluster name followed by a random set of characters and ending in the word "bootstrap."

    +
    +
    +
    +
    +

    If the bootstrap VM is not running after 10-15 minutes, troubleshoot why it is not running. Possible issues include:

    +
    +
  2. +
  3. +

    Verify libvirtd is running on the system:

    +
    +
    +
    $ systemctl status libvirtd
    +
    +
    +
    +
    +
    ● libvirtd.service - Virtualization daemon
    +   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
    +   Active: active (running) since Tue 2020-03-03 21:21:07 UTC; 3 weeks 5 days ago
    +     Docs: man:libvirtd(8)
    +           https://libvirt.org
    + Main PID: 9850 (libvirtd)
    +    Tasks: 20 (limit: 32768)
    +   Memory: 74.8M
    +   CGroup: /system.slice/libvirtd.service
    +           ├─ 9850 /usr/sbin/libvirtd
    +
    +
    +
    +

    If the bootstrap VM is operational, log into it.

    +
    +
  4. +
  5. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    $ sudo virsh console example.com
    +
    +
    +
    +
    +
    Connected to domain example.com
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
    + + + + + +
    + + +
    +

    When deploying a OpenShift Container Platform cluster without the provisioning network, you must use a public IP address and not a private IP address like 172.22.0.2.

    +
    +
    +
    +
  6. +
  7. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, you can use the IPv6 IP address provided by ens3 or the IPv4 IP provided by ens4.

    +
    +
    +
    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  8. +
+
+
+

If you are not successful logging in to the bootstrap VM, you have likely encountered one of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the 172.22.0.0/24 network. Verify network connectivity on the provisioner host specifically around the provisioning network bridge. This will not be the issue if you are not using the provisioning network.

    +
  • +
  • +

    You cannot reach the bootstrap VM via the public network. When attempting +to SSH via baremetal network, verify connectivity on the +provisioner host specifically around the baremetal network bridge.

    +
  • +
  • +

    You encountered Permission denied (publickey,password,keyboard-interactive). When +attempting to access the bootstrap VM, a Permission denied error +might occur. Verify that the SSH key for the user attempting to log +into the VM is set within the install-config.yaml file.

    +
  • +
+
+
+

3.1. Bootstrap VM cannot boot up the cluster nodes

+
+

During the deployment, it is possible for the bootstrap VM to fail to boot the cluster nodes, which prevents the VM from provisioning the nodes with the RHCOS image. This scenario can arise due to:

+
+
+
    +
  • +

    A problem with the install-config.yaml file.

    +
  • +
  • +

    Issues with out-of-band network access via the baremetal network.

    +
  • +
+
+
+

To verify the issue, there are three containers related to ironic:

+
+
+
    +
  • +

    ironic-api

    +
  • +
  • +

    ironic-conductor

    +
  • +
  • +

    ironic-inspector

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    To check the container logs, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs -f <container-name>
    +
    +
    +
    +

    Replace <container-name> with one of ironic-api, ironic-conductor, or ironic-inspector. If you encounter an issue where the control plane nodes are not booting up via PXE, check the ironic-conductor pod. The ironic-conductor pod contains the most detail about the attempt to boot the cluster nodes, because it attempts to log in to the node over IPMI.

    +
    +
  4. +
+
+
+
Potential reason
+

The cluster nodes might be in the ON state when deployment started.

+
+
+
Solution
+

Power off the OpenShift Container Platform cluster nodes before you begin the +installation over IPMI:

+
+
+
+
$ ipmitool -I lanplus -U root -P <password> -H <out-of-band-ip> power off
+
+
+
+
+

3.2. Inspecting logs

+
+

When experiencing issues downloading or accessing the RHCOS images, first verify that the URL is correct in the install-config.yaml configuration file.

+
+
+
Example of internal webserver hosting RHCOS images
+
+
bootstrapOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-qemu.x86_64.qcow2.gz?sha256=9d999f55ff1d44f7ed7c106508e5deecd04dc3c06095d34d36bf1cd127837e0c
+clusterOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-openstack.x86_64.qcow2.gz?sha256=a1bda656fa0892f7b936fdc6b6a6086bddaed5dafacedcd7a1e811abb78fe3b0
+
+
+
+

The ipa-downloader and coreos-downloader containers download resources from a webserver or the external quay.io registry, whichever the install-config.yaml configuration file specifies. Verify the following two containers are up and running and inspect their logs as needed:

+
+
+
    +
  • +

    ipa-downloader

    +
  • +
  • +

    coreos-downloader

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    Check the status of the ipa-downloader and coreos-downloader containers within the bootstrap VM:

    +
    +
    +
    [core@localhost ~]$ podman logs -f ipa-downloader
    +
    +
    +
    +
    +
    [core@localhost ~]$ podman logs -f coreos-downloader
    +
    +
    +
    +

    If the bootstrap VM cannot access the URL to the images, use the curl command to verify that the VM can access the images.

    +
    +
  4. +
  5. +

    To inspect the bootkube logs that indicate if all the containers launched during the deployment phase, execute the following:

    +
    +
    +
    [core@localhost ~]$ journalctl -xe
    +
    +
    +
    +
    +
    [core@localhost ~]$ journalctl -b -f -u bootkube.service
    +
    +
    +
  6. +
  7. +

    Verify all the pods, including dnsmasq, mariadb, httpd, and ironic, are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps
    +
    +
    +
  8. +
  9. +

    If there are issues with the pods, check the logs of the containers with issues. To check the log of the ironic-api, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs <ironic-api>
    +
    +
    +
  10. +
+
+
+
+
+
+

4. Ironic Bootstrap issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes. The cluster nodes are powered on, introspected and finally provisioned using Ironic.

+
+
+

Sometimes you might need to connect to the Ironic service running on the bootstrap node virtual machine to troubleshoot issues related to Ironic.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
  2. +
  3. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh console openshift-xf6fq-bootstrap
    +
    +
    +
    +
    +
    Connected to domain openshift-xf6fq-bootstrap
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
  4. +
  5. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, the IPv6 IP provided by ens3 or the IPv4 IP provided by ens4 can be used.

    +
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ ssh core@172.22.0.2
    +
    +
    +
  6. +
  7. +

    Make sure Ironic containers are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps | grep ironic
    +90251a35d1e2  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-api
    +168e712c9996  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c6af62509b3d66effe8e16c81e42e75e124ccb5770f82efb010ecc3ebadc48b8                        2 minutes ago  Up 2 minutes ago         ironic-inspector
    +025f8247bfb0  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-conductor
    +
    +
    +
  8. +
  9. +

    Get the value for the bootstrapProvisioningIp property from your install-config.yaml.

    +
  10. +
  11. +

    Create a clouds.yaml file:

    +
    +
    +
    clouds:
    +  metal3-bootstrap:
    +    auth_type: none
    +    baremetal_endpoint_override: http://<bootstrapProvisioningIp>:6385
    +    baremetal_introspection_endpoint_override: http://<bootstrapProvisioningIp>:5050
    +
    +
    +
    + + + + + +
    + + +
    +

    Make sure in the file above you change <bootstrapProvisioningIp> with the value from your install-config.yaml file.

    +
    +
    +
    +
  12. +
  13. +

    Run the ironic-client on the bootstrap VM using podman:

    +
    +
    +
    [core@localhost ~]$ podman run -ti --rm --entrypoint /bin/bash -v /path/to/clouds.yaml:/clouds.yaml -e OS_CLOUD=metal3-bootstrap quay.io/metal3-io/ironic-client
    +
    +
    +
  14. +
  15. +

    Once you’re in the container, run the following command to see the status of the nodes on Ironic:

    +
    +
    +
    [root@1facad6bccff /]# baremetal node list
    +
    +
    +
    +

    The expected states for the nodes are clean-waitavailabledeployingwait call-backactive.

    +
    +
    +
      +
    • +

      clean-wait: The IPA (Ironic Python Agent) will clean the node main disk and write RHCOS to it. After that will report the node status back to Ironic.

      +
    • +
    • +

      available: The node has been introspected and it’s ready to be provisioned.

      +
    • +
    • +

      deploying: The node is being provisioned with RHCOS + the required Ignition configs.

      +
    • +
    • +

      wait call-back: The node is deployed and Ironic is waiting for the node to finish everything before marking the node as active.

      +
    • +
    • +

      active: The node is fully provisioned from an Ironic perspective.

      +
    • +
    +
    +
  16. +
+
+
+

If you are not getting any output, you have likely encountered of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the bootstrapProvisioningIp from the bootstrap VM.

    +
  • +
  • +

    The Ironic conductor was not able to power on and configure the nodes to boot with the IPA image.

    +
  • +
  • +

    The machine running the openshift-install binary cannot access the bootstrapProvisioningIp on port 6385.

    +
  • +
+
+
+
+
+

5. Cluster nodes will not PXE boot

+
+
+

When OpenShift Container Platform cluster nodes will not PXE boot, execute the following checks on the cluster nodes that will not PXE boot. This procedure does not apply when installing a OpenShift Container Platform cluster without the provisioning network.

+
+
+
Procedure
+
    +
  1. +

    Check the network connectivity to the provisioning network.

    +
  2. +
  3. +

    Ensure PXE is enabled on the NIC for the provisioning network and PXE is disabled for all other NICs.

    +
  4. +
  5. +

    Verify that the install-config.yaml configuration file has the proper hardware profile and boot MAC address for the NIC connected to the provisioning network. For example:

    +
    +
    Master node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: default          #master node settings
    +
    +
    +
    +
    Worker node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: unknown          #worker node settings
    +
    +
    +
  6. +
+
+
+
+
+

6. The API is not accessible

+
+
+

When the cluster is running and clients cannot access the API, domain name resolution issues might impede access to the API.

+
+
+
Procedure
+
    +
  1. +

    Hostname Resolution: Check the cluster nodes to ensure they have a fully qualified domain name, and not just localhost.localdomain. For example:

    +
    +
    +
    $ hostname
    +
    +
    +
    +

    If a hostname is not set, set the correct hostname. For example:

    +
    +
    +
    +
    $ hostnamectl set-hostname <hostname>
    +
    +
    +
  2. +
  3. +

    Incorrect Name Resolution: Ensure that each node has the correct name resolution in the DNS server using dig and nslookup. For example:

    +
    +
    +
    $ dig api.<cluster-name>.example.com
    +
    +
    +
    +
    +
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> api.<cluster-name>.example.com
    +;; global options: +cmd
    +;; Got answer:
    +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37551
    +;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    +
    +;; OPT PSEUDOSECTION:
    +; EDNS: version: 0, flags:; udp: 4096
    +; COOKIE: 866929d2f8e8563582af23f05ec44203d313e50948d43f60 (good)
    +;; QUESTION SECTION:
    +;api.<cluster-name>.example.com. IN A
    +
    +;; ANSWER SECTION:
    +api.<cluster-name>.example.com. 10800 IN	A 10.19.13.86
    +
    +;; AUTHORITY SECTION:
    +<cluster-name>.example.com. 10800 IN NS	<cluster-name>.example.com.
    +
    +;; ADDITIONAL SECTION:
    +<cluster-name>.example.com. 10800 IN A	10.19.14.247
    +
    +;; Query time: 0 msec
    +;; SERVER: 10.19.14.247#53(10.19.14.247)
    +;; WHEN: Tue May 19 20:30:59 UTC 2020
    +;; MSG SIZE  rcvd: 140
    +
    +
    +
    +

    The output in the foregoing example indicates that the appropriate IP address for the api.<cluster-name>.example.com VIP is 10.19.13.86. This IP address should reside on the baremetal network.

    +
    +
  4. +
+
+
+
+
+

7. Cleaning up previous installations

+
+
+

In the event of a previous failed deployment, remove the artifacts from the failed attempt before attempting to deploy OpenShift Container Platform again.

+
+
+
Procedure
+
    +
  1. +

    Power off all bare metal nodes prior to installing the OpenShift Container Platform cluster:

    +
    +
    +
    $ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  2. +
  3. +

    Remove all old bootstrap resources if any are left over from a previous deployment attempt:

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool $i;
    +  sudo virsh vol-delete $i.ign --pool $i;
    +  sudo virsh pool-destroy $i;
    +  sudo virsh pool-undefine $i;
    +done
    +
    +
    +
  4. +
  5. +

    Remove the following from the clusterconfigs directory to prevent Terraform from failing:

    +
    +
    +
    $ rm -rf ~/clusterconfigs/auth ~/clusterconfigs/terraform* ~/clusterconfigs/tls ~/clusterconfigs/metadata.json
    +
    +
    +
  6. +
+
+
+
+
+

8. Issues with creating the registry

+
+
+

When creating a disconnected registry, you might encounter a "User Not Authorized" error when attempting to mirror the registry. This error might occur if you fail to append the new authentication to the existing pull-secret.txt file.

+
+
+
Procedure
+
    +
  1. +

    Check to ensure authentication is successful:

    +
    +
    +
    [user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.json
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
    + + + + + +
    + + +
    +

    Example output of the variables used to mirror the install images:

    +
    +
    +
    +
    UPSTREAM_REPO=${RELEASE_IMAGE}
    +LOCAL_REG=<registry_FQDN>:<registry_port>
    +LOCAL_REPO='ocp4/openshift4'
    +
    +
    +
    +

    The values of RELEASE_IMAGE and VERSION were set during the Retrieving OpenShift Installer step of the Setting up the environment for an OpenShift installation section.

    +
    +
    +
    +
  2. +
  3. +

    After mirroring the registry, confirm that you can access it in your +disconnected environment:

    +
    +
    +
    $ curl -k -u <user>:<password> https://registry.example.com:<registry-port>/v2/_catalog
    +{"repositories":["<Repo-Name>"]}
    +
    +
    +
  4. +
+
+
+
+
+

9. Miscellaneous issues

+
+
+

9.1. Addressing the runtime network not ready error

+
+

After the deployment of a cluster you might receive the following error:

+
+
+
+
`runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: Missing CNI default network`
+
+
+
+

The Cluster Network Operator is responsible for deploying the networking components in response to a special object created by the installer. It runs very early in the installation process, after the control plane (master) nodes have come up, but before the bootstrap control plane has been torn down. It can be indicative of more subtle installer issues, such as long delays in bringing up control plane (master) nodes or issues with apiserver communication.

+
+
+
Procedure
+
    +
  1. +

    Inspect the pods in the openshift-network-operator namespace:

    +
    +
    +
    $ oc get all -n openshift-network-operator
    +
    +
    +
    +
    +
    NAME                                    READY STATUS            RESTARTS   AGE
    +pod/network-operator-69dfd7b577-bg89v   0/1   ContainerCreating 0          149m
    +
    +
    +
  2. +
  3. +

    On the provisioner node, determine that the network configuration exists:

    +
    +
    +
    $ kubectl get network.config.openshift.io cluster -oyaml
    +
    +
    +
    +
    +
    apiVersion: config.openshift.io/v1
    +kind: Network
    +metadata:
    +  name: cluster
    +spec:
    +  serviceNetwork:
    +  - 172.30.0.0/16
    +  clusterNetwork:
    +  - cidr: 10.128.0.0/14
    +    hostPrefix: 23
    +  networkType: OpenShiftSDN
    +
    +
    +
    +

    If it does not exist, the installer did not create it. To determine why the installer did not create it, execute the following:

    +
    +
    +
    +
    $ openshift-install create manifests
    +
    +
    +
  4. +
  5. +

    Check that the network-operator is running:

    +
    +
    +
    $ kubectl -n openshift-network-operator get pods
    +
    +
    +
  6. +
  7. +

    Retrieve the logs:

    +
    +
    +
    $ kubectl -n openshift-network-operator logs -l "name=network-operator"
    +
    +
    +
    +

    On high availability clusters with three or more control plane (master) nodes, the Operator will perform leader election and all other Operators will sleep. For additional details, see Troubleshooting.

    +
    +
  8. +
+
+
+
+

9.2. Cluster nodes not getting the correct IPv6 address over DHCP

+
+

If the cluster nodes are not getting the correct IPv6 address over DHCP, check the following:

+
+
+
    +
  1. +

    Ensure the reserved IPv6 addresses reside outside the DHCP range.

    +
  2. +
  3. +

    In the IP address reservation on the DHCP server, ensure the reservation specifies the correct DHCP Unique Identifier (DUID). For example:

    +
    +
    +
    # This is a dnsmasq dhcp reservation, 'id:00:03:00:01' is the client id and '18:db:f2:8c:d5:9f' is the MAC Address for the NIC
    +id:00:03:00:01:18:db:f2:8c:d5:9f,openshift-master-1,[2620:52:0:1302::6]
    +
    +
    +
  4. +
  5. +

    Ensure that route announcements are working.

    +
  6. +
  7. +

    Ensure that the DHCP server is listening on the required interfaces serving the IP address ranges.

    +
  8. +
+
+
+
+

9.3. Cluster nodes not getting the correct hostname over DHCP

+
+

During IPv6 deployment, cluster nodes must get their hostname over DHCP. Sometimes the NetworkManager does not assign the hostname immediately. A control plane (master) node might report an error such as:

+
+
+
+
Failed Units: 2
+  NetworkManager-wait-online.service
+  nodeip-configuration.service
+
+
+
+

This error indicates that the cluster node likely booted without first receiving a hostname from the DHCP server, which causes kubelet to boot +with a localhost.localdomain hostname. To address the error, force the node to renew the hostname.

+
+
+
Procedure
+
    +
  1. +

    Retrieve the hostname:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
    +

    If the hostname is localhost, proceed with the following steps.

    +
    +
    + + + + + +
    + + +
    +

    Where X is the master node number.

    +
    +
    +
    +
  2. +
  3. +

    Force the cluster node to renew the DHCP lease:

    +
    +
    +
    [core@master-X ~]$ sudo nmcli con up "<bare-metal-nic>"
    +
    +
    +
    +

    Replace <bare-metal-nic> with the wired connection corresponding to the baremetal network.

    +
    +
  4. +
  5. +

    Check hostname again:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
  6. +
  7. +

    If the hostname is still localhost.localdomain, restart NetworkManager:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart NetworkManager
    +
    +
    +
  8. +
  9. +

    If the hostname is still localhost.localdomain, wait a few minutes and check again. If the hostname remains localhost.localdomain, repeat the previous steps.

    +
  10. +
  11. +

    Restart the nodeip-configuration service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart nodeip-configuration.service
    +
    +
    +
    +

    This service will reconfigure the kubelet service with the correct hostname references.

    +
    +
  12. +
  13. +

    Reload the unit files definition since the kubelet changed in the previous step:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl daemon-reload
    +
    +
    +
  14. +
  15. +

    Restart the kubelet service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart kubelet.service
    +
    +
    +
  16. +
  17. +

    Ensure kubelet booted with the correct hostname:

    +
    +
    +
    [core@master-X ~]$ sudo journalctl -fu kubelet.service
    +
    +
    +
  18. +
+
+
+

If the cluster node is not getting the correct hostname over DHCP after the cluster is up and running, such as during a reboot, the cluster will have a pending csr. Do not approve a csr, or other issues might arise.

+
+
+
Addressing a csr
+
    +
  1. +

    Get CSRs on the cluster:

    +
    +
    +
    $ oc get csr
    +
    +
    +
  2. +
  3. +

    Verify if a pending csr contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc get csr <pending_csr> -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -text
    +
    +
    +
  4. +
  5. +

    Remove any csr that contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc delete csr <wrong_csr>
    +
    +
    +
  6. +
+
+
+
+

9.4. Routes do not reach endpoints

+
+

During the installation process, it is possible to encounter a Virtual Router Redundancy Protocol (VRRP) conflict. This conflict might occur if a previously used OpenShift Container Platform node that was once part of a cluster deployment using a specific cluster name is still running but not part of the current OpenShift Container Platform cluster deployment using that same cluster name. For example, a cluster was deployed using the cluster name openshift, deploying three control plane (master) nodes and three worker nodes. Later, a separate install uses the same cluster name openshift, but this redeployment only installed three control plane (master) nodes, leaving the three worker nodes from a previous deployment in an ON state. This might cause a Virtual Router Identifier (VRID) conflict and a VRRP conflict.

+
+
+
    +
  1. +

    Get the route:

    +
    +
    +
    $ oc get route oauth-openshift
    +
    +
    +
  2. +
  3. +

    Check the service endpoint:

    +
    +
    +
    $ oc get svc oauth-openshift
    +
    +
    +
    +
    +
    NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
    +oauth-openshift   ClusterIP   172.30.19.162   <none>        443/TCP   59m
    +
    +
    +
  4. +
  5. +

    Attempt to reach the service from a control plane (master) node:

    +
    +
    +
    [core@master0 ~]$ curl -k https://172.30.19.162
    +
    +
    +
    +
    +
    {
    +  "kind": "Status",
    +  "apiVersion": "v1",
    +  "metadata": {
    +  },
    +  "status": "Failure",
    +  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
    +  "reason": "Forbidden",
    +  "details": {
    +  },
    +  "code": 403
    +
    +
    +
  6. +
  7. +

    Identify the authentication-operator errors from the provisioner node:

    +
    +
    +
    $ oc logs deployment/authentication-operator -n openshift-authentication-operator
    +
    +
    +
    +
    +
    Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-authentication-operator", Name:"authentication-operator", UID:"225c5bd5-b368-439b-9155-5fd3c0459d98", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'OperatorStatusChanged' Status for clusteroperator/authentication changed: Degraded message changed from "IngressStateEndpointsDegraded: All 2 endpoints for oauth-server are reporting"
    +
    +
    +
  8. +
+
+
+
Solution
+
    +
  1. +

    Ensure that the cluster name for every deployment is unique, ensuring no conflict.

    +
  2. +
  3. +

    Turn off all the rogue nodes which are not part of the cluster deployment that are using the same cluster name. Otherwise, the authentication pod of the OpenShift Container Platform cluster might never start successfully.

    +
  4. +
+
+
+
+

9.5. Failed Ignition during Firstboot

+
+

During the Firstboot, the Ignition configuration may fail.

+
+
+
Procedure
+
    +
  1. +

    Connect to the node where the Ignition configuration failed:

    +
    +
    +
    Failed Units: 1
    +  machine-config-daemon-firstboot.service
    +
    +
    +
  2. +
  3. +

    Restart the machine-config-daemon-firstboot service:

    +
    +
    +
    [core@worker-X ~]$ sudo systemctl restart machine-config-daemon-firstboot.service
    +
    +
    +
  4. +
+
+
+
+

9.6. NTP out of sync

+
+

The deployment of OpenShift Container Platform clusters depends on NTP synchronized clocks among the cluster nodes. Without synchronized clocks, the deployment may fail due to clock drift if the time difference is greater than two seconds.

+
+
+
Procedure
+
    +
  1. +

    Check for differences in the AGE of the cluster nodes. For example:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                         STATUS   ROLES    AGE   VERSION
    +master-0.cloud.example.com   Ready    master   145m   v1.16.2
    +master-1.cloud.example.com   Ready    master   135m   v1.16.2
    +master-2.cloud.example.com   Ready    master   145m   v1.16.2
    +worker-2.cloud.example.com   Ready    worker   100m   v1.16.2
    +
    +
    +
  2. +
  3. +

    Check for inconsistent timing delays due to clock drift. For example:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    +
    master-1   error registering master-1  ipmi://<out-of-band-ip>
    +
    +
    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 18:20:02 UTC
    +           Universal time: Tue 2020-03-10 18:20:02 UTC
    +                 RTC time: Tue 2020-03-10 18:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: no
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
  4. +
+
+
+
Addressing clock drift in existing clusters
+
    +
  1. +

    Create a chrony.conf file and encode it as base64 string. For example:

    +
    +
    +
    $ cat << EOF | base 64
    +server <NTP-server> iburst(1)
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +EOF
    +
    +
    +
    + + + + + +
    1Replace <NTP-server> with the IP address of the NTP server. Copy the output. +
    +
    +
    [text-in-base-64]
    +
    +
    +
    +
  2. +
  3. +

    Create a MachineConfig object, replacing the base64 string with +the [text-in-base-64] string generated in the output of the previous step. The following example adds the file to the control plane (master) nodes. You can modify the file for worker nodes or make an additional machine config for the worker role.

    +
    +
    +
    $ cat << EOF > ./99_masters-chrony-configuration.yaml
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  creationTimestamp: null
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf
    +spec:
    +  config:
    +    ignition:
    +      config: {}
    +      security:
    +        tls: {}
    +      timeouts: {}
    +      version: 3.1.0
    +    networkd: {}
    +    passwd: {}
    +    storage:
    +      files:
    +      - contents:
    +          source: data:text/plain;charset=utf-8;base64,[text-in-base-64](1)
    +        group:
    +          name: root
    +        mode: 420
    +        overwrite: true
    +        path: /etc/chrony.conf
    +        user:
    +          name: root
    +  osImageURL: ""
    +
    +
    +
    + + + + + +
    1Replace [text-in-base-64] with the base64 string.
    +
    +
  4. +
  5. +

    Make a backup copy of the configuration file. For example:

    +
    +
    +
    $ cp 99_masters-chrony-configuration.yaml 99_masters-chrony-configuration.yaml.backup
    +
    +
    +
  6. +
  7. +

    Apply the configuration file:

    +
    +
    +
    $ oc apply -f ./masters-chrony-configuration.yaml
    +
    +
    +
  8. +
  9. +

    Ensure the System clock synchronized value is yes:

    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 19:10:02 UTC
    +           Universal time: Tue 2020-03-10 19:10:02 UTC
    +                 RTC time: Tue 2020-03-10 19:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: yes
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
    +

    To setup clock synchronization prior to deployment, generate the manifest files and add this file to the openshift directory. For example:

    +
    +
    +
    +
    $ cp chrony-masters.yaml ~/clusterconfigs/openshift/99_masters-chrony-configuration.yaml
    +
    +
    +
    +

    Then, continue to create the cluster.

    +
    +
  10. +
+
+
+
+
+
+

10. Reviewing the installation

+
+
+

After installation, ensure the installer deployed the nodes and pods successfully.

+
+
+
Procedure
+
    +
  1. +

    When the OpenShift Container Platform cluster nodes are installed appropriately, the following Ready state is seen within the STATUS column:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                   STATUS   ROLES           AGE  VERSION
    +master-0.example.com   Ready    master,worker   4h   v1.16.2
    +master-1.example.com   Ready    master,worker   4h   v1.16.2
    +master-2.example.com   Ready    master,worker   4h   v1.16.2
    +
    +
    +
  2. +
  3. +

    Confirm the installer deployed all pods successfully. The following command +removes any pods that are still running or have completed as part of the output.

    +
    +
    +
    $ oc get pods --all-namespaces | grep -iv running | grep -iv complete
    +
    +
    +
  4. +
+
+
+
+
+ + + \ No newline at end of file diff --git a/4.8/Troubleshooting.pdf b/4.8/Troubleshooting.pdf new file mode 100644 index 0000000000..1886e6ed70 Binary files /dev/null and b/4.8/Troubleshooting.pdf differ diff --git a/4.9/Ansible Playbook Disconnected Install.html b/4.9/Ansible Playbook Disconnected Install.html new file mode 100644 index 0000000000..3da5c713c5 --- /dev/null +++ b/4.9/Ansible Playbook Disconnected Install.html @@ -0,0 +1,1646 @@ + + + + + + + + + + +Fully Disconnected Deployment of IPI on BM using the Ansible Playbook + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+
+
+

1. Introduction

+
+
+

This write-up will guide you through the process of deploying a fully-disconnected[1] Baremetal IPI installation of OpenShift Container Platform 4 via the Ansible +playbook.

+
+
+
+
+

2. Prerequisites

+
+
+
    +
  • +

    Best Practice Minimum Setup: 6 Physical servers (1 provision node, 3 master and 2 worker nodes)

    +
  • +
  • +

    Best Practice Minimum Setup for disconnected environments: 7 Physical servers (1 provision node, 1 registry node[2], 3 master and 2 worker nodes)

    +
  • +
  • +

    Minimum Setup: 4 Physical servers (1 provision node, 3 master nodes)

    +
  • +
  • +

    Minimum Setup for disconnected environments: 5 Physical servers (1 provision node, 1 registry node[2], 3 master nodes)

    +
  • +
  • +

    Each server needs 2 NICs pre-configured. NIC1 for the private network and NIC2 for the baremetal network. NIC interface names must be identical across all nodes[3]

    +
  • +
  • +

    It is recommended each server have a RAID-1 configured and initialized (though not enforced)

    +
  • +
  • +

    Each server must have IPMI configured

    +
  • +
  • +

    Each server must have DHCP setup for the baremetal NICs

    +
  • +
  • +

    Each server must have DNS setup for the API, wildcard applications

    +
  • +
  • +

    A DNS VIP is IP on the baremetal network is required for reservation. Reservation is done via our DHCP server (though not required).

    +
  • +
  • +

    Optional - Include DNS entries for the hostnames for each of the servers

    +
  • +
  • +

    Download a copy of your Pull Secret

    +
  • +
+
+
+

Due to the complexities of properly configuring an environment, it is +recommended to review the following steps prior to running the Ansible +playbook as without proper setup, the Ansible playbook won’t work.

+
+
+

The section to review and ensure proper configuration are as follows:

+
+
+ +
+
+

Once the above is complete, install Red Hat Enterprise Linux (RHEL) 8.x on your provision node and create a user (i.e. kni) to deploy as non-root and provide that user sudo privileges.

+
+
+

For simplicity, the steps to create the user named kni is as follows:

+
+
+
    +
  1. +

    Login into the provision node via ssh

    +
  2. +
  3. +

    Create a user (i.e kni) to deploy as non-root and provide that user sudo privileges

    +
    +
    +
    useradd kni
    +passwd kni
    +echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    +chmod 0440 /etc/sudoers.d/kni
    +
    +
    +
  4. +
  5. +

    Enable a dnf local repository on the provision host

    +
  6. +
+
+
+
+
+

3. Using an Existing Registry

+
+
+ + + + + +
+ + +If no existing registry is already existing for your fully disconnected +environment, visit Creating a New Disconnected Registry section. +
+
+
+

When using an existing registry, two variables labeled +disconnected_registry_auths_file and the disconnected_registry_mirrors_file +must be set. These variables are located within your inventory/hosts file and +the inventory/hosts.sample file can be used as reference.

+
+
+

The disconnected_registry_auths_file variable should point to a file +containing json data regarding your registry information. This will be appended +to the auths section of the pull secret by the Ansible playbook itself.

+
+
+

An example of the contents of the disconnected_registry_auths_file is shown +below.

+
+
+
+
cat /path/to/registry-auths.json
+{"registry.example.com:5000": {"auth": "ZHVtbXk6ZHsFVtbXk=", "email": "user@example.com" } }
+
+
+
+ + + + + +
+ + +
+

The auth password given base64 encoding of the http credentials used to +create the htpasswd file.

+
+
+

Example:

+
+
+

[user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 ) + 
+[user@registry ~]$ echo $b64auth

+
+
+
+
+

The disconnected_registry_mirrors_file variable should point to a file +containing the additionalTrustBundle and imageContentSources (OpenShift +4.13 and below) or imageDigestSources (OpenShift 4.14 and above) for +the disconnected registry. The certificate that goes within the additional +trust bundle is the disconnected registry node’s certificate. The +imageContentSources adds the mirrored information of the registry. The below +content from the install-config-appends.yml file gets automatically appended +by the Ansible playbook.

+
+
+
+
cat /path/to/install-config-appends.yml
+additionalTrustBundle: |
+  -----BEGIN CERTIFICATE-----
+  MIIGPDCCBCSgAwIBAgIUWr1DxDq53hrsk6XVLRXUjfF9m+swDQYJKoZIhvcNAQEL
+  BQAwgZAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNeVN0YXRlMQ8wDQYDVQQHDAZN
+  eUNpdHkxEjAQBgNVBAoMCU15Q29tcGFueTEVMBMGA1UECwwMTXlEZXBhcnRtZW50
+  .
+  . [ABBREVIATED CERTIFICATE FOR BREVITY]
+  .
+  MTMwMQYDVQQDDCpyZWdpc3RyeS5rbmk3LmNsb3VkLmxhYi5lbmcuYm9zLnJlZGhh
+  dC5jb20wHhcNMjAwNDA3MjM1MzI2WhcNMzAwNDA1MjM1MzI2WjCBkDELMAkGA1UE
+  -----END CERTIFICATE-----
+
+<image-config>: (1)
+- mirrors:
+  - registry.example.com:5000/ocp4/openshift4
+  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
+- mirrors:
+  - registry.example.com:5000/ocp4/openshift4
+  source: registry.svc.ci.openshift.org/ocp/release
+- mirrors:
+  - registry.example.com:5000/ocp4/openshift4
+  source: quay.io/openshift-release-dev/ocp-release
+
+
+
+

Where:

+
+
+

+ +<1> <image-config> is either imageContentSources for OpenShift 4.13 and below, or imageDigestSources for Openshift 4.14 and above.

+
+
+ + + + + +
+ + +Indentation is important in the yml file. Ensure your copy of the install-config-appends.yml is properly indented as in the example above. +
+
+
+
+
+

4. Contents of the Webserver

+
+
+

When following the details on how to create a webserver, if one not already in place, there is still additional content required for +a fully disconnected environment to be successfully deployed with the Ansible playbook.

+
+
+

The Ansible playbook requires the end user to additionally include the following +to there already existing webserver.

+
+
+

The example provided below showcases how a user adds the required prerequisites +to the webserver in order install the latest +OpenShift Container Platform version 4.9.

+
+
+
Automatic Procedure
+
    +
  1. +

    Change to the webserver directory that is to store your OpenShift related binaries

    +
    +
    +
    [user@webserver ~]$ cd /path/to/webserver/dir
    +
    +
    +
  2. +
  3. +

    Create a local copy of environment variables script and make the script executable.

    +
    +
    +
    [user@webserver ~]$ chmod +x /path/to/webserver/dir/env_vars.sh
    +
    +
    +
  4. +
  5. +

    Create a local copy of helper script that downloads all the prerequisites to the webserver

    +
    +
    +
    [user@webserver ~]$ chmod +x /path/to/webserver/dir/helper_script.sh
    +
    +
    +
  6. +
  7. +

    Open the the env_vars.sh script and fill out the appopriate environment variable values

    +
  8. +
  9. +

    Run the helper_script.sh script

    +
    +
    +
    [user@webserver ~]$ /path/to/webserver/dir/helper_script.sh
    +
    +
    +
    + + + + + +
    + + +
    +

    Using the helper_script.sh has some caveats. Extracting the +openshift-baremetal-install binary does not pull from a local registry when +given a local registry, BZ#1823143 +Due to this, in order to properly extract the installer, the OpenShift disconnected +mirrored registry that is to be used must be available and have access to quay.io +temporary to properly extract the binary.

    +
    +
    +
    +
  10. +
+
+
+ + + + + +
+ + +The following manual procedure can be skipped if used the helper script. +
+
+
+
Manual Procedure
+
    +
  1. +

    Download the OpenShift Container Platform version 4.9 latest release.txt file

    +
    +
    +
    [user@webserver ~]$ cd /path/to/webserver/dir
    +[user@webserver ~]$ wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest-4.9/release.txt
    +
    +
    +
    + + + + + +
    + + +
    +

    When working with a development version of OpenShift Container Platform, use the following link for the +development version of the +release.txt

    +
    +
    +
    +
  2. +
  3. +

    Create a directory with the explict release version of the captured release.txt file

    +
    +
    +
    export OCP_RELEASE=`cat release.txt | grep Name | awk {'print $2'}`
    +[user@webserver ~]$ mkdir $OCP_RELEASE
    +
    +
    +
  4. +
  5. +

    Move the release.txt file to the newly created release version directory

    +
    +
    +
    [user@webserver ~]$ mv release.txt $OCP_RELEASE/
    +
    +
    +
  6. +
  7. +

    Download the oc client and untar its contents

    +
    +
    +
    [user@webserver ~]$ wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$OCP_RELEASE/openshift-client-linux-$OCP_RELEASE.tar.gz | tar zxvf - oc
    +
    +
    +
  8. +
  9. +

    Extract the Installer

    +
    + + + + + +
    + + +
    +

    Extracting the installer currently has some caveats. Extracting the +openshift-baremetal-install binary does not pull from a local registry when +given a local registry, BZ#1823143 +Due to this, in order to properly extract the installer, the OpenShift disconnected +mirrored registry that is to be used must be available and have access to quay.io +temporary to properly extract the binary. The following step assumes this.

    +
    +
    +
    +
    +
    +
    [user@webserver ~]$ export LOCAL_REPOSITORY='ocp4'
    +[user@webserver ~]$ export LOCAL_REGISTRY='registry.example.com:5000'
    +[user@webserver ~]$ export cmd=openshift-baremetal-install
    +[user@webserver ~]$ export pullsecret_file=~/pull-secret.txt
    +[user@webserver ~]$ export extract_dir=$(pwd)
    +[user@webserver ~]$ oc adm release extract --registry-config "${pullsecret_file}" --command="${cmd}" --to `pwd` ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}
    +
    +
    +
  10. +
  11. +

    Ensure the openshift-baremetal-install binary points to the appopriate release image (i.e. registry.example.com )

    +
    +
    +
    [user@webserver ~]$ ./openshift-baremetal-install version
    +openshift-baremetal-install 4.4.3
    +built from commit 78b817ceb7657f81176bbe182cc6efc73004c841
    +release image registry.example.com:5000/ocp4/openshift4@sha256:e805d6a36762e22ecf66fd3f3642e609a00ed25ab44f89f064b5138cf3f0f554
    +
    +
    +
  12. +
  13. +

    The rhcos.json file is required for the disconnected installs as it contains +the appropriate image name and SHA hash

    +
    + + + + + +
    + + +This assumes the openshift-baremetal-install has been extracted +
    +
    +
    +
    +
    [user@webserver ~]$ export COMMIT_ID=$(./openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
    +[user@webserver ~]$ curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json > rhcos.json
    +
    +
    +
  14. +
  15. +

    Clean up the oc and kubelet binary extraction as no longer required

    +
    +
    +
    [user@webserver ~]$ rm -f /path/to/$OCP_RELEASE/oc /path/to/$OCP_RELEASE/kubelet
    +
    +
    +
  16. +
  17. +

    Confirm all four files have been captured within your $OCP_RELEASE directory

    +
    +
    +
    [user@webserver ~]$ ls -latr /path/to/$OCP_RELEASE
    +openshift-baremetal-install openshift-client-linux-$OCP_RELEASE.tar.gz rhcos.json release.txt
    +
    +
    +
  18. +
+
+
+
+
+

5. Fully Disconnected Prerequiste Checklist

+
+
+

5.1. Validation checklist for nodes

+
+
When using the provisioning network
+
    +
  • +

    DHCP reservations use infinite leases to deploy the cluster with static IP addresses. (optional)

    +
  • +
  • +

    NIC1 VLAN is configured for the provisioning network.

    +
  • +
  • +

    NIC2 VLAN is configured for the baremetal network.

    +
  • +
  • +

    NIC1 is PXE-enabled on the provisioner, Control Plane (master), and worker nodes.

    +
  • +
  • +

    PXE has been disabled on all other NICs.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    DHCP reservations use infinite leases to deploy the cluster with static IP addresses. (optional)

    +
  • +
  • +

    NICx VLAN is configured for the baremetal network.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
Summary
+

After an environment has been prepared according to the documented prerequisites, the installation process is the same as other installer-provisioned platforms.

+
+
+
+

5.2. Validation checklist for Ansible playbook installation

+
+
    +
  • +

    Create a local repository using a RHEL 8 Installation DVD to install packages

    +
  • +
  • +

    Suppress Unable to read consumer identity messages when using subscription-manager via /etc/yum.conf

    +
  • +
  • +

    Ensure release.txt file exists within the webserver path/to/webserver/<ocp_release_version>

    +
  • +
  • +

    Ensure rhcos.json file exists within the webserver path/to/webserver/<ocp_release_version>

    +
  • +
  • +

    Ensure openshift-baremetal-install binary exists within the webserver path/to/webserver/<ocp_release_version>

    +
  • +
  • +

    Ensure the openshift-baremetal-install binary points to the appopriate release image registry (i.e. registry.example.com )

    +
  • +
  • +

    Ensure release.txt file exists within the webserver path/to/webserver/<ocp_release_version>

    +
  • +
  • +

    Ensure openshift-client-linux-<ocp_release_version>.tar.gz tar.gz exists within the webserver path/to/webserver/<ocp_release_version>

    +
  • +
  • +

    Create registry-auths.json

    +
  • +
  • +

    Create install-config-appends.json

    +
  • +
+
+
+
+
+
+

6. Running the playbook.yml

+
+
+

The following are the steps to successfully run the Ansible playbook.

+
+
+

6.1. git clone the Ansible playbook

+
+

The first step to using the Ansible playbook is to clone the +baremetal-deploy repository.

+
+
+ + + + + +
+ + +This should be done on a system that can access the provision host +
+
+
+
    +
  1. +

    Clone the git repository

    +
    +
    +
    [user@laptop ~]$ git clone https://github.com/openshift-kni/baremetal-deploy.git
    +
    +
    +
  2. +
  3. +

    Change to the ansible-ipi-install directory

    +
    +
    +
    [user@laptop ~]$ cd /path/to/git/repo/baremetal-deploy/ansible-ipi-install
    +
    +
    +
  4. +
+
+
+
+

6.2. The ansible.cfg file

+
+

While the ansible.cfg may vary upon your environment +a sample is provided in the repository.

+
+
+
+
[defaults]
+inventory=./inventory
+remote_user=kni
+callback_whitelist = profile_tasks
+
+[privilege_escalation]
+become_method=sudo
+
+
+
+ + + + + +
+ + +
+

Ensure to change the remote_user as deemed appropriate for +your environment. The remote_user is the user previously +created on the provision node.

+
+
+
+
+
+

6.3. Ansible version

+
+

Ensure that your environment is using Ansible 2.9 or +greater. The following command can be used to verify.

+
+
+
+
ansible --version
+ansible 2.9.1
+  config file = /path/to/baremetal-deploy/ansible-ipi-install/ansible.cfg
+  configured module search path = ['/path/to/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
+  ansible python module location = /usr/lib/python3.7/site-packages/ansible
+  executable location = /usr/bin/ansible
+  python version = 3.7.2 (default, Jan 16 2019, 19:49:22) [GCC 8.2.1 20181215 (Red Hat 8.2.1-6)]
+
+
+
+ + + + + +
+ + +The config file section should point to the path of your ansible.cfg +
+
+
+
+

6.4. Copy local SSH key to provision node

+
+

With the ansible.cfg file in place, the next step is +to ensure to copy your public ssh key to your provision + node using ssh-copy-id.

+
+
+

From the system that is to run the playbook,

+
+
+
+
$ ssh-copy-id <user>@provisioner.example.com
+
+
+
+ + + + + +
+ + +<user> should be the user previously created on the provision node (i.e. kni) +
+
+
+
+

6.5. Modifying the inventory/hosts file for Fully Disconnected Deployments

+
+

While there are many options +that may be set when deploying IPI on baremetal using the Ansible +playbook. This portion will strictly focus on what are the +requirements for including your existing webserver and registry node +for a successful deployment.

+
+
+

A sample of the required variables with regards to the existing +webserver and registry node are shown below

+
+
+
+
# Provide the webserver URL as shown below if using fully disconnected
+webserver_url=http://example.com:8080'
+
+[registry_host]
+registry.example.com
+
+[registry_host:vars]
+disconnected_registry_auths_file=/path/to/registry-auths.json
+disconnected_registry_mirrors_file=/path/to/install-config-appends.json
+
+
+
+
+

6.6. The Ansible playbook.yml

+
+

The Ansible playbook connects to your provision host and +runs through the redhatci.ocp.node_prep role and the +redhatci.ocp.installer role. +No modification is necessary. All modifications of variables +may be done within the inventory/hosts file. A sample file +is located in this repository under inventory/hosts.sample. +From the system that is to run the playbook,

+
+
+
Sample playbook.yml
+
+
---
+- name: IPI on Baremetal Installation Playbook
+  hosts: provisioner
+  collections:
+    - redhatci.ocp
+  roles:
+    - node_prep
+    - installer
+
+
+
+

With the playbook.yml set and in-place, run the playbook.yml

+
+
+
+
$ ansible-playbook -i inventory/hosts playbook.yml
+
+
+
+
+
+
+

Appendix A: Setup a local RHEL8 repository using an ISO

+
+
+
    +
  1. +

    On the provision host, mount your RHEL8 ISO

    +
    +
    +
    [user@provisioner ~]$ sudo mount -o loop rhel-8.0-x86_64-dvd.iso /mnt/
    +
    +
    +
  2. +
  3. +

    Copy media.repo file from mounted directory to /etc/yum.repos.d/

    +
    +
    +
    [user@provisioner ~]$ sudo cp /mnt/media.repo /etc/yum.repos.d/rhel8.repo
    +
    +
    +
  4. +
  5. +

    Set permissions of the newly created rhel8.repo file

    +
    +
    +
    [user@provisioner ~]$ sudo chmod 644 /etc/yum.repos.d/rhel8.repo
    +
    +
    +
  6. +
  7. +

    Edit the rhel8.repo file to match the following

    +
    +
    +
    [InstallMedia-BaseOS]
    +name=Red Hat Enterprise Linux 8 - BaseOS
    +metadata_expire=-1
    +gpgcheck=1
    +enabled=1
    +baseurl=file:///mnt/BaseOS/
    +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    +
    +[InstallMedia-AppStream]
    +name=Red Hat Enterprise Linux 8 - AppStream
    +metadata_expire=-1
    +gpgcheck=1
    +enabled=1
    +baseurl=file:///mnt/AppStream/
    +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    +
    +
    +
  8. +
  9. +

    Clear the subscription-manager cache

    +
    +
    +
    [user@provisioner ~]$ sudo dnf clean all
    +
    +
    +
  10. +
  11. +

    Modify the /etc/yum.conf file and set plugins to zero

    +
    +
    +
    [user@provisioner ~]$ sudo echo "plugins=0" >> /etc/yum.conf
    +
    +
    +
    + + + + + +
    + + +
    +

    This is required as certain plugins won’t properly load when +not directly subscripted with subscription-manager and may +give the error of Unable to read consumer identity

    +
    +
    +
    +
  12. +
  13. +

    Verify the BaseOS and AppStream repos are available

    +
    +
    +
    [user@provisioner ~]$ sudo dnf repolist
    +$ sudo dnf repolist
    +Last metadata expiration check: 0:29:59 ago on Tue 12 May 2020 08:15:46 PM UTC.
    +repo id                    repo name                                           status
    +InstallMedia-AppStream     Red Hat Enterprise Linux 8 - AppStream              4,820
    +InstallMedia-BaseOS        Red Hat Enterprise Linux 8 - BaseOS                 1,661
    +
    +
    +
  14. +
+
+
+
+
+

Appendix B: Environment Variable Script

+
+
+
+
#!/bin/bash
+
+#Enter 'dev' for development or 'ga' for Generally Available version of OCP
+export release=''
+
+#Provide build version, i.e. 4.3.18, 4.4.4, nightly build: 4.3.0-0.nightly-2019-10-29-073252
+export build_version='<desired-build-version>'
+
+export LOCAL_REPOSITORY='ocp4'
+export LOCAL_REGISTRY='registry.example.com'
+export REGISTRY_PORT='5000'
+export OCP_RELEASE='4.4.3'
+export LOCAL_PULL_SECRET='<Path-to-your-pull-secret.txt'
+export cmd=openshift-baremetal-install
+
+
+
+
+
+

Appendix C: Helper Script

+
+
+
+
#!/bin/bash
+
+echo "***This script downloads the files needed for Ansible Automation****"
+echo "***Downloads
+      1. Release.txt
+      2. `openshift-client-linux-$build_version.tar.gz`
+      3. openshift-baremetal-install binary
+      4. rhcos.json****"
+
+. ./source_env_vars.sh
+
+code=$(curl -sL -w "%{http_code}\\n" "https://mirror.openshift.com/pub/" -o /dev/null)
+if [[ $code != 200 ]]; then
+    echo "Did not receive a successful 200 code, exiting..."
+    exit
+fi
+
+if [ $release == 'dev' ]
+then
+  export release_version='ocp-dev-preview'
+elif [ $release == 'ga' ]
+then
+   export release_version='ocp'
+else
+   echo Provide either dev or ga as a value for release.
+fi
+
+rm -f release.txt rhcos.json oc kubelet openshift-client-linux-$build_version.tar.gz
+
+echo "****Below are the values that has been set****"
+echo Local Repo = $LOCAL_REPOSITORY
+echo Local Registry = $LOCAL_REGISTRY
+echo Registry Port = $REGISTRY_PORT
+echo Release = $OCP_RELEASE
+echo Pull-Secret File = $LOCAL_PULL_SECRET
+echo Build Version = $build_version
+
+GREEN='\033[0;32m'
+NC='\033[0m'
+echo -e "**** Download the release.txt for ${GREEN}$build_version${NC}*******"
+wget https://mirror.openshift.com/pub/openshift-v4/clients/$release_version/$build_version/release.txt
+
+echo "****Download the openshift-client-linux-$build_version.tar.gz for the $build_version*********"
+wget https://mirror.openshift.com/pub/openshift-v4/clients/$release_version/$build_version/openshift-client-linux-$build_version.tar.gz
+tar -xvzf openshift-client-linux-$build_version.tar.gz
+
+echo "******Download the 'openshift-baremetal-install' binary for the $build_version and extract it*******"
+
+web_url=$(curl -sL -w "%{http_code}\\n" "http://${LOCAL_REGISTRY}/${RHCOS_QEMU_URI}" -o /dev/null)
+if [[ $web_url != 200 ]]; then
+    echo "Did not receive a successful 200 code, exiting..."
+    echo "****Extracting the installer currently has some caveats. Extracting the openshift-baremetal-install binary does not pull from a local registry when given a local registry, BZ#1823143 Due to this, in order to properly extract the installer, the OpenShift disconnected mirrored registry that is to be used must be available and have access to quay.io temporary to properly extract the binary. The following step assumes this.*****"
+    exit    # other actions
+fi
+
+oc adm release extract --registry-config "${LOCAL_PULL_SECRET}" --command="${cmd}" --to `pwd` ${LOCAL_REGISTRY}:${REGISTRY_PORT}/${LOCAL_REPOSITORY}:${OCP_RELEASE}
+
+
+echo "******Download the rhcos.json file for the $build_version*******"
+export COMMIT_ID=$(./openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
+curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json > rhcos.json
+
+ls -ltr release.txt rhcos.json openshift-baremetal-install openshift-client-linux-$build_version.tar.gz
+
+echo "****Confirm the version*****"
+
+./openshift-baremetal-install version
+
+
+
+
+
+
+
+
+1. Fully disconnected infers that no system in the OpenShift Container Platform has deployment access to the internet. +
+
+2. If creating the mirrored registry, this system will require online access. The registry node may be a virtual machine in order to reduce physical server footprint. +
+
+3. https://github.com/openshift/installer/issues/2762 +
+
+ + + \ No newline at end of file diff --git a/4.9/Ansible Playbook Disconnected Install.pdf b/4.9/Ansible Playbook Disconnected Install.pdf new file mode 100644 index 0000000000..03528bffae Binary files /dev/null and b/4.9/Ansible Playbook Disconnected Install.pdf differ diff --git a/4.9/Ansible Playbook Install.html b/4.9/Ansible Playbook Install.html new file mode 100644 index 0000000000..e0fc9606f2 --- /dev/null +++ b/4.9/Ansible Playbook Install.html @@ -0,0 +1,2398 @@ + + + + + + + + + + +Deployment of IPI on BM using the Ansible Playbook + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+
+
+

1. Introduction

+
+
+

This write-up will guide you through the process of using the Ansible +playbooks to deploy a Baremetal Installer Provisioned Infrastructure +(IPI) of Red Hat OpenShift 4.

+
+
+

For the manual details, visit our +Deployment Guide

+
+
+
+
+

2. Prerequisites

+
+
+
    +
  • +

    Best Practice Minimum Setup: 6 Physical servers (1 provision node, 3 master and 2 worker nodes)

    +
  • +
  • +

    Best Practice Minimum Setup for disconnected environments: 7 Physical servers (1 provision node, 1 registry node[1], 3 master and 2 worker nodes)

    +
  • +
  • +

    Minimum Setup: 4 Physical servers (1 provision node, 3 master nodes)

    +
  • +
  • +

    Minimum Setup for disconnected environments: 5 Physical servers (1 provision node, 1 registry node[1], 3 master nodes)

    +
  • +
  • +

    Each server needs 2 NICs pre-configured. NIC1 for the private network and NIC2 for the baremetal network. NIC interface names must be identical across all nodes[2]

    +
  • +
  • +

    It is recommended each server have a RAID-1 configured and initialized (though not enforced)

    +
  • +
  • +

    Each server must have IPMI configured

    +
  • +
  • +

    Each server must have DHCP setup for the baremetal NICs

    +
  • +
  • +

    Each server must have DNS setup for the API, wildcard applications

    +
  • +
  • +

    A DNS VIP is IP on the baremetal network is required for reservation. Reservation is done via our DHCP server (though not required).

    +
  • +
  • +

    Optional - Include DNS entries for the hostnames for each of the servers

    +
  • +
  • +

    Download a copy of your Pull Secret

    +
  • +
+
+
+

Due to the complexities of properly configuring an environment, it is +recommended to review the following steps prior to running the Ansible +playbook as without proper setup, the Ansible playbook won’t work.

+
+
+

The section to review and ensure proper configuration are as follows:

+
+
+ +
+
+

Once the above is complete, install Red Hat Enterprise Linux (RHEL) 8.x on your provision node and create a user (i.e. kni) to deploy as non-root and provide that user sudo privileges.

+
+
+

For simplicity, the steps to create the user named kni is as follows:

+
+
+
    +
  1. +

    Login into the provision node via ssh

    +
  2. +
  3. +

    Create a user (i.e kni) to deploy as non-root and provide that user sudo privileges

    +
    +
    +
    useradd kni
    +passwd kni
    +echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    +chmod 0440 /etc/sudoers.d/kni
    +
    +
    +
  4. +
  5. +

    Enable a dnf local repository on the provision host

    +
  6. +
+
+
+
+
+

3. Tour of the Ansible Playbook

+
+
+
    +
  • +

    inventory - contains the file hosts.sample that:

    +
    +
      +
    • +

      contains all the modifiable variables, their default values, and their definition. Some variables are empty ensuring users give an explicit value.

      +
    • +
    • +

      the setting up of your provision node, master nodes, and worker nodes. Each section will require additional details (i.e. Management credentials).

      +
    • +
    +
    +
  • +
  • +

    requirements - contains the list of collections required by the playbook.

    +
    +
      +
    • +

      The collections include two roles: redhatci.ocp.node_prep and redhatci.ocp.installer. redhatci.ocp.node_prep handles all the prerequisites that the provisioner node requires prior to running the installer. The redhatci.ocp.installer role handles extracting the installer, setting up the manifests, and running the Red Hat OpenShift installation.

      +
    • +
    +
    +
  • +
+
+
+

The tree structure is shown below:

+
+
+
+
├── ansible.cfg
+├── inventory
+│   └── hosts.sample
+├── playbook.yml
+└── requirements.yml
+
+
+
+
+
+

4. Running the Ansible Playbook

+
+
+

The following are the steps to successfully run the Ansible playbook.

+
+
+

4.1. git clone the Ansible playbook

+
+

The first step to using the Ansible playbook is to clone the +baremetal-deploy repository.

+
+
+ + + + + +
+ + +This should be done on a system that can access the provision host +
+
+
+
    +
  1. +

    Clone the git repository

    +
    +
    +
    [user@laptop ~]$ git clone https://github.com/openshift-kni/baremetal-deploy.git
    +
    +
    +
  2. +
  3. +

    Change to the ansible-ipi-install directory

    +
    +
    +
    [user@laptop ~]$ cd /path/to/git/repo/baremetal-deploy/ansible-ipi-install
    +
    +
    +
  4. +
+
+
+
+

4.2. Install the required Ansible collections

+
+

The Ansible playbook makes use of different collections defined in the requirements.yml file. Two of the main roles come from the redhatci.ocp collection.

+
+
+
    +
  1. +

    Install required collections

    +
  2. +
+
+
+
+
[user@laptop ~]$ ansible-galaxy collection install -r requirements.yml
+
+
+
+
+

4.3. The ansible.cfg file

+
+

While the ansible.cfg may vary upon your environment +a sample is provided in the repository.

+
+
+
+
[defaults]
+inventory=./inventory
+remote_user=kni
+callback_whitelist = profile_tasks
+
+[privilege_escalation]
+become_method=sudo
+
+
+
+ + + + + +
+ + +
+

Ensure to change the remote_user as deemed appropriate for +your environment. The remote_user is the user previously +created on the provision node.

+
+
+
+
+
+

4.4. Ansible version

+
+

Ensure that your environment is using Ansible 2.9 or +greater. The following command can be used to verify.

+
+
+
+
ansible --version
+ansible 2.9.1
+  config file = /path/to/baremetal-deploy/ansible-ipi-install/ansible.cfg
+  configured module search path = ['/path/to/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
+  ansible python module location = /usr/lib/python3.7/site-packages/ansible
+  executable location = /usr/bin/ansible
+  python version = 3.7.2 (default, Jan 16 2019, 19:49:22) [GCC 8.2.1 20181215 (Red Hat 8.2.1-6)]
+
+
+
+ + + + + +
+ + +The config file section should point to the path of your ansible.cfg +
+
+
+
+

4.5. Copy local SSH key to provision node

+
+

With the ansible.cfg file in place, the next step is +to ensure to copy your public ssh key to your provision + node using ssh-copy-id.

+
+
+

From the system that is to run the playbook,

+
+
+
+
$ ssh-copy-id <user>@provisioner.example.com
+
+
+
+ + + + + +
+ + +<user> should be the user previously created on the provision node (i.e. kni) +
+
+
+
+

4.6. Modifying the inventory/hosts

+
+

The hosts file provides all the definable variables and provides a +description of each variable. Some of the variables are explicitly left + empty and require user input for the playbook to run.

+
+
+

The hosts file ensures all your nodes that will be used to deploy +IPI on baremetal are setup. There are 4 groups: masters, workers, +provisioner, and registry_host (optional). The masters and +workers group collects information about the host such as its name, +role, user management (i.e. iDRAC) user, user management (i.e. iDRAC) +password, ipmi_address, ipmi_port to access the server and the +provision mac address (NIC1) that resides on the provisioning network.

+
+
+

Below is a sample of the inventory/hosts file

+
+
+
+
[all:vars]
+
+###############################################################################
+# Required configuration variables for IPI on Baremetal Installations         #
+###############################################################################
+
+# The provisioning NIC (NIC1) used on all baremetal nodes
+prov_nic=eno1
+
+# The public NIC (NIC2) used on all baremetal nodes
+pub_nic=eno2
+
+# (Optional) Set the provisioning bridge name. Default value is 'provisioning'.
+#provisioning_bridge=provisioning
+
+# (Optional) Set the baremetal bridge name. Default value is 'baremetal'.
+#baremetal_bridge=baremetal
+
+# (Optional) Activation-key for proper setup of subscription-manager, empty value skips registration
+#activation_key=""
+
+# (Optional) Activation-key org_id for proper setup of subscription-manager, empty value skips registration
+#org_id=""
+
+# The directory used to store the cluster configuration files (install-config.yaml, pull-secret.txt, metal3-config.yaml)
+dir="{{ ansible_user_dir }}/clusterconfigs"
+
+# The version of the openshift-installer, undefined or empty results in the playbook failing with error message.
+# Values accepted: 'latest-4.3', 'latest-4.4', explicit version i.e. 4.3.0-0.nightly-2019-12-09-035405
+version=""
+
+# Enter whether the build should use 'dev' (nightly builds) or 'ga' for Generally Available version of OpenShift
+# Empty value results in playbook failing with error message.
+build=""
+
+# (Optional) Provisioning IP Network and dhcp range (default value)
+# If defined, make sure to update 'prov_ip' with a valid IP outside of your 'prov_dhcp_range' and update all other places like 'no_proxy_list'
+# prov_network=172.22.0.0/21
+# prov_dhcp_range="172.22.0.10,172.22.0.100"
+
+# Provisioning IP address (default value)
+prov_ip=172.22.0.3
+
+# (Optional) Enable playbook to pre-download RHCOS images prior to cluster deployment and use them as a local
+# cache.  Default is false.
+#cache_enabled=True
+
+# (Optional) Enable IPv6 addressing instead of IPv4 addressing
+#ipv6_enabled=True
+
+# (Optional) When ipv6_enabled is set to True, but want IPv4 addressing on provisioning network
+# Default is false.
+#ipv4_provisioning=True
+
+# (Optional) When ipv6_enabled is set to True, but want IPv4 addressing on baremetal network
+#ipv4_baremetal=True
+
+# (Optional) A list of clock servers to be used in chrony by the masters and workers
+#clock_servers=["pool.ntp.org","clock.redhat.com"]
+
+# (Optional) Provide HTTP proxy settings
+#http_proxy=http://USERNAME:PASSWORD@proxy.example.com:8080
+
+# (Optional) Provide HTTPS proxy settings
+#https_proxy=https://USERNAME:PASSWORD@proxy.example.com:8080
+
+# (Optional) comma-separated list of hosts, IP Addresses, or IP ranges in CIDR format
+# excluded from proxying
+# NOTE: OpenShift does not accept '*' as a wildcard attached to a domain suffix
+# i.e. *.example.com
+# Use '.' as the wildcard for a domain suffix as shown in the example below.
+# i.e. .example.com
+#no_proxy_list="172.22.0.0/24,.example.com"
+
+# The default installer timeouts for the bootstrap and install processes may be too short for some baremetal
+# deployments. The variables below can be used to extend those timeouts.
+
+# (Optional) Increase bootstrap process timeout by N iterations.
+#increase_bootstrap_timeout=2
+
+# (Optional) Increase install process timeout by N iterations.
+#increase_install_timeout=2
+
+# (Optional) Disable RedFish inspection to intelligently choose between IPMI or RedFish protocol.
+# By default this feature is enabled and set to true. Uncomment below to disable and use IPMI.
+#redfish_inspection=false
+
+# (Optional) Modify files on the node filesystems, you can augment the "fake" roots for the
+# control plane and worker nodes.
+# If defined, playbook will look for files in control plane and worker subdirectories.
+# Otherwise, it will look in {{ role_path }}/files/customize_filesystem (default)
+# For more information on modifying node filesystems visit: https://bit.ly/36tD30f
+#customize_node_filesystems="/path/to/customized/filesystems"
+
+# (Optional) Modify the path to add external manifests to the deployed nodes.
+# There are two folders manifests/ and openshift/
+# If defined, the playbook will copy manifests from the user provided directory.
+# Otherwise, files will be copied from the default location 'roles/installer/files/manifests/*'
+#customize_extramanifests_path="/path/to/extra/manifests"
+#customize_extramanifestsopenshift_path="/path/to/extra/ogpenshift"
+
+######################################
+# Vars regarding install-config.yaml #
+######################################
+
+# Base domain, i.e. example.com
+domain=""
+# Name of the cluster, i.e. openshift
+cluster=""
+# The public CIDR address, i.e. 10.1.1.0/21
+extcidrnet=""
+# An IP reserved on the baremetal network.
+dnsvip=""
+# An IP reserved on the baremetal network for the API endpoint.
+# (Optional) If not set, a DNS lookup verifies that api.<clustername>.<domain> provides an IP
+#apivip=""
+# An IP reserved on the baremetal network for the Ingress endpoint.
+# (Optional) If not set, a DNS lookup verifies that *.apps.<clustername>.<domain> provides an IP
+#ingressvip=""
+# The master hosts provisioning nic
+# (Optional) If not set, the prov_nic will be used
+#masters_prov_nic=""
+# Network Type (OpenShiftSDN or OVNKubernetes). Playbook defaults to OVNKubernetes.
+# Uncomment below for OpenShiftSDN
+#network_type="OpenShiftSDN"
+# (Optional) A URL to override the default operating system image for the bootstrap node.
+# The URL must contain a sha256 hash of the image.
+# See https://github.com/openshift/installer/blob/master/docs/user/metal/customization_ipi.md
+#   Example https://mirror.example.com/images/qemu.qcow2.gz?sha256=a07bd...
+#bootstraposimage=""
+# (Optional) A URL to override the default operating system image for the cluster nodes.
+# The URL must contain a sha256 hash of the image.
+# See https://github.com/openshift/installer/blob/master/docs/user/metal/customization_ipi.md
+# Example https://mirror.example.com/images/metal.qcow2.gz?sha256=3b5a8...
+#clusterosimage=""
+# A copy of your pullsecret from https://cloud.redhat.com/openshift/install/metal/user-provisioned
+pullsecret=""
+
+# (Optional) Disable BMC Certification Validation. When using self-signed certificates for your BMC, ensure to set to True.
+# Default value is False.
+#disable_bmc_certificate_verification=True
+
+# (Optional) Enable RedFish VirtualMedia/iDRAC VirtualMedia
+#enable_virtualmedia=True
+
+# (Required when enable_virtualmedia is set to True) Set an available IP address from the baremetal net for these two variables
+#provisioningHostIP=<baremetal_net_IP1>
+#bootstrapProvisioningIP=<baremetal_net_IP2>
+
+# (Optional) A MAC address to use for the external NIC on the bootstrap VM. This is optional and if blank is generated by libvirt.
+#externalMACAddress="52:54:00:XX:XX:XX"
+
+# Master nodes
+# The hardware_profile is used by the baremetal operator to match the hardware discovered on the host
+# See https://github.com/metal3-io/baremetal-operator/blob/master/docs/api.md#baremetalhost-status
+# ipmi_port is optional for each host. 623 is the common default used if omitted
+# poweroff is optional. True or ommited (by default) indicates the playbook will power off the node before deploying OCP
+#  otherwise set it to false
+# (Optional) OpenShift 4.6+, Set Root Device Hints to choose the proper device to install operating system on OpenShift nodes.
+# root device hint options include: ['deviceName','hctl','model','vendor','serialNumber','minSizeGigabytes','wwn','rotational']
+# Root Device Hint values are case sensitive.
+# root_device_hint="deviceName"
+# root_device_hint_value="/dev/sda"
+
+[masters]
+master-0 name=master-0 role=master ipmi_user=admin ipmi_password=password ipmi_address=192.168.1.1 ipmi_port=623 provision_mac=ec:f4:bb:da:0c:58 hardware_profile=default poweroff=true
+master-1 name=master-1 role=master ipmi_user=admin ipmi_password=password ipmi_address=192.168.1.2 ipmi_port=623 provision_mac=ec:f4:bb:da:32:88 hardware_profile=default poweroff=true
+master-2 name=master-2 role=master ipmi_user=admin ipmi_password=password ipmi_address=192.168.1.3 ipmi_port=623 provision_mac=ec:f4:bb:da:0d:98 hardware_profile=default poweroff=true
+
+# Worker nodes
+[workers]
+worker-0 name=worker-0 role=worker ipmi_user=admin ipmi_password=password ipmi_address=192.168.1.4 ipmi_port=623 provision_mac=ec:f4:bb:da:0c:18 hardware_profile=unknown poweroff=true
+worker-1 name=worker-1 role=worker ipmi_user=admin ipmi_password=password ipmi_address=192.168.1.5 ipmi_port=623 provision_mac=ec:f4:bb:da:32:28 hardware_profile=unknown poweroff=true
+
+# Provision Host
+[provisioner]
+provisioner.example.com
+
+# Registry Host
+#   Define a host here to create or use a local copy of the installation registry
+#   Used for disconnected installation
+# [registry_host]
+# registry.example.com
+
+# [registry_host:vars]
+# The following cert_* variables are needed to create the certificates
+#   when creating a disconnected registry. They are not needed to use
+#   an existing disconnected registry.
+# cert_country=US #it must be two letters country
+# cert_state=MyState
+# cert_locality=MyCity
+# cert_organization=MyCompany
+# cert_organizational_unit=MyDepartment
+
+# The port exposed on the disconnected registry host can be changed from
+# the default 5000 to something else by changing the following variable.
+# registry_port=5000
+
+# The directory the mirrored registry files are written to can be modified from teh default /opt/registry by changing the following variable.
+# registry_dir="/opt/registry"
+
+# The following two variables must be set to use an existing disconnected registry.
+#
+# Specify a file that contains extra auth tokens to include in the
+#   pull-secret if they are not already there.
+# disconnected_registry_auths_file=/path/to/registry-auths.json
+
+# Specify a file that contains the addition trust bundle and image
+#   content sources for the local registry. The contents of this file
+#   will be appended to the install-config.yml file.
+# disconnected_registry_mirrors_file=/path/to/install-config-appends.json
+
+
+
+ + + + + +
+ + +
+

The ipmi_address can take a fully qualified name assuming it is +resolvable.

+
+
+

The ipmi_port examples above show how a user can specify a different +ipmi_port for each host within their inventory file. If the +ipmi_port variable is omitted from the inventory file, the default +of 623 will be used.

+
+
+

A detailed description of the vars under the section +Vars regarding install-config.yaml may be reviewed within +Configuration Files if unsure how to populate.

+
+
+
+
+

4.6.1. Enabling dual-stack based deployments (optional).

+
+

Users now can deploy dual-stack based deployments using ansible-playbook by including below variables under inventory/hosts.sample file.

+
+
+
+
ipv6_enabled=True
+dualstack_baremetal=True
+extcidrnet="<ipv4-subnet-for-your-cluster>"   #Ex: 10.0.0.1/24
+extcidrnet6="<ipv6-subnet-for-your-cluster>"  #Ex: fe80:12:0:4567::/64
+
+
+
+ + + + + +
+ + +Only applicable for OCP versions greater than 4.6. +
+
+
+
+
+

4.7. The Ansible playbook.yml

+
+

The Ansible playbook connects to your provision host and +runs through the redhatci.ocp.node_prep role and the +redhatci.ocp.installer role. +No modification is necessary. All modifications of variables +may be done within the inventory/hosts file. A sample file +is located in this repository under inventory/hosts.sample. +From the system that is to run the playbook,

+
+
+
Sample playbook.yml
+
+
---
+- name: IPI on Baremetal Installation Playbook
+  hosts: provisioner
+  collections:
+    - redhatci.ocp
+  roles:
+    - node_prep
+    - installer
+
+
+
+
+

4.8. Customizing the Node Filesystems

+
+

If you need to modify files on the node filesystems, you can augment +the "fake" roots for the masters and workers under the +roles/installer/files/customize_filesystem/{master,worker} +directories. Any files added here will be included in the ignition +config files for each of the machine types, leading to permanent +changes to the node filesystem.

+
+
+ + + + + +
+ + +
+

Do not place any files directly in the "fake" root — only in +subdirectories. Files in the root will cause the ignition process to +fail. (There is a task in the playbook to cleanup the .gitkeep file +in the root, if it is left in place.)

+
+
+
+
+

This will utilize the Ignition +filetranspiler tool, +which you can read about for more information on how to use the "fake" +root directories.

+
+
+

An example of using this customization is to disable a network +interface that you need to not receive a DHCP assignment that is +outside of the cluster configuration. To do this for the eno1 +interface on the master nodes, create the appropriate +etc/sysconfig/network-scripts/ifcfg-eno1 file in the "fake" root:

+
+
+
+
IFCFG_DIR="roles/installer/files/customize_filesystem/master/etc/sysconfig/network-scripts"
+IFNAME="eno1"
+mkdir -p $IFCFG_DIR
+cat << EOF > $IFCFG_DIR/ifcfg-${IFNAME}
+DEVICE=${IFNAME}
+BOOTPROTO=none
+ONBOOT=no
+EOF
+
+
+
+ + + + + +
+ + +
+

By default these directories are empty, and the worker subdirectory +is a symbolic link to the master subdirectory so that changes are +universal.

+
+
+
+
+
+

4.9. Adding Extra Configurations to the OpenShift Installer

+
+

Prior to the installation of Red Hat OpenShift, you may want to include +additional configuration files to be included during the installation. +The installer role handles this.

+
+
+

In order to include the extraconfigs, ensure to place your yaml +files within the roles/installer/files/manifests directory. All the +files provided here will be included when the OpenShift manifests are +created.

+
+
+ + + + + +
+ + +By default this directory is empty. +
+
+
+
+

4.10. Pre-caching RHCOS Images

+
+

If you wish to set up a local cache of RHCOS images on your +provisioning host, set the cache_enabled variable to True in your +hosts file. When requested, the playbook will pre-download RHCOS +images prior to actual cluster deployment.

+
+
+

It places these images in an Apache web server container on the +provisioning host and modifies install-config.yaml to +instruct the bootstrap VM to download the images from that web server +during deployment.

+
+
+ + + + + +
+ + +
+

If you set the clusterosimage and bootstraposimage variables, +then cache_enabled will automatically be set to False. Setting +these variables leaves the responsibility to the end user in ensuring +the RHCOS images are readily available and accessible to the provision +host.

+
+
+
+
+
+

4.11. Disconnected Registry

+
+

A disconnected registry can be used to deploy the cluster. This +registry can exist or can be created.

+
+
+

To use a disconnected registry, set the registries host name in the +[registry_host] group in the inventory file.

+
+
+

4.11.1. Creating a new disconnected registry

+
+

To create a new disconnected registry, the +disconnected_registry_auths_file and +disconnected_registry_mirrors_file variables must not be set.

+
+
+

The certificate information used to generate the host certificate must +be defined. These variables must be defined as variables to the +registry_host group in the inventory file.

+
+
+
+
[registry_host:vars]
+cert_country=US
+cert_state=MyState
+cert_locality=MyCity
+cert_organization=MyCompany
+cert_organizational_unit=MyDepartment
+
+
+
+ + + + + +
+ + +cert_country must be only two letters, i.e. US +
+
+
+
+

4.11.2. Using an Existing Registry

+
+ + + + + +
+ + +If no existing registry is already existing for your fully disconnected +environment, visit Creating a New Disconnected Registry section. +
+
+
+

When using an existing registry, two variables labeled +disconnected_registry_auths_file and the disconnected_registry_mirrors_file +must be set. These variables are located within your inventory/hosts file and +the inventory/hosts.sample file can be used as reference.

+
+
+

The disconnected_registry_auths_file variable should point to a file +containing json data regarding your registry information. This will be appended +to the auths section of the pull secret by the Ansible playbook itself.

+
+
+

An example of the contents of the disconnected_registry_auths_file is shown +below.

+
+
+
+
cat /path/to/registry-auths.json
+{"registry.example.com:5000": {"auth": "ZHVtbXk6ZHsFVtbXk=", "email": "user@example.com" } }
+
+
+
+ + + + + +
+ + +
+

The auth password given base64 encoding of the http credentials used to +create the htpasswd file.

+
+
+

Example:

+
+
+

[user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 ) + 
+[user@registry ~]$ echo $b64auth

+
+
+
+
+

The disconnected_registry_mirrors_file variable should point to a file +containing the additionalTrustBundle and imageContentSources (OpenShift +4.13 and below) or imageDigestSources (OpenShift 4.14 and above) for +the disconnected registry. The certificate that goes within the additional +trust bundle is the disconnected registry node’s certificate. The +imageContentSources adds the mirrored information of the registry. The below +content from the install-config-appends.yml file gets automatically appended +by the Ansible playbook.

+
+
+
+
cat /path/to/install-config-appends.yml
+additionalTrustBundle: |
+  -----BEGIN CERTIFICATE-----
+  MIIGPDCCBCSgAwIBAgIUWr1DxDq53hrsk6XVLRXUjfF9m+swDQYJKoZIhvcNAQEL
+  BQAwgZAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNeVN0YXRlMQ8wDQYDVQQHDAZN
+  eUNpdHkxEjAQBgNVBAoMCU15Q29tcGFueTEVMBMGA1UECwwMTXlEZXBhcnRtZW50
+  .
+  . [ABBREVIATED CERTIFICATE FOR BREVITY]
+  .
+  MTMwMQYDVQQDDCpyZWdpc3RyeS5rbmk3LmNsb3VkLmxhYi5lbmcuYm9zLnJlZGhh
+  dC5jb20wHhcNMjAwNDA3MjM1MzI2WhcNMzAwNDA1MjM1MzI2WjCBkDELMAkGA1UE
+  -----END CERTIFICATE-----
+
+<image-config>: (1)
+- mirrors:
+  - registry.example.com:5000/ocp4/openshift4
+  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
+- mirrors:
+  - registry.example.com:5000/ocp4/openshift4
+  source: registry.svc.ci.openshift.org/ocp/release
+- mirrors:
+  - registry.example.com:5000/ocp4/openshift4
+  source: quay.io/openshift-release-dev/ocp-release
+
+
+
+

Where:

+
+
+

+ +<1> <image-config> is either imageContentSources for OpenShift 4.13 and below, or imageDigestSources for Openshift 4.14 and above.

+
+
+ + + + + +
+ + +Indentation is important in the yml file. Ensure your copy of the install-config-appends.yml is properly indented as in the example above. +
+
+
+
+
+

4.12. Running the playbook.yml

+
+

With the playbook.yml set and in-place, run the playbook.yml

+
+
+
+
$ export ANSIBLE_CONFIG=./ansible.cfg
+$ ansible-playbook -i inventory/hosts playbook.yml
+
+
+
+
+
+
+

5. Verifying Installation

+
+
+

Once the playbook has successfully completed, verify that your +environment is up and running.

+
+
+
    +
  1. +

    Log into the provision node

    +
    +
    +
    ssh kni@provisioner.example.com
    +
    +
    +
    + + + + + +
    + + +kni user is my privileged user. +
    +
    +
  2. +
  3. +

    Export the kubeconfig file located in the ~/clusterconfigs/auth directory

    +
    +
    +
    export KUBECONFIG=~/clusterconfigs/auth/kubeconfig
    +
    +
    +
  4. +
  5. +

    Verify the nodes in the OpenShift cluster

    +
    +
    +
    [kni@worker-0 ~]$ oc get nodes
    +NAME                                         STATUS   ROLES           AGE   VERSION
    +master-0.openshift.example.com               Ready    master          19h   v1.16.2
    +master-1.openshift.example.com               Ready    master          19h   v1.16.2
    +master-2.openshift.example.com               Ready    master          19h   v1.16.2
    +worker-0.openshift.example.com               Ready    worker          19h   v1.16.2
    +worker-1.openshift.example.com               Ready    worker          19h   v1.16.2
    +
    +
    +
  6. +
+
+
+
+
+

6. Troubleshooting

+
+
+

The following section troubleshoots common errors that +may arise when running the Ansible playbook.

+
+
+

6.1. Unreachable Host

+
+

One of the most common errors is not being able to reach the +provisioner host and seeing an error similar to

+
+
+
+
$ ansible-playbook -i inventory/hosts playbook.yml
+
+PLAY [IPI on Baremetal Installation Playbook] **********************************
+
+TASK [Gathering Facts] *********************************************************
+fatal: [provisioner.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: Could not resolve hostname provisioner.example.com: Name or service not known", "unreachable": true}
+
+PLAY RECAP *********************************************************************
+provisioner.example.com    : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+
+
+
+

In order to solve this issue, ensure your provisioner hostname is +pingable.

+
+
+
    +
  1. +

    The system you are currently on can ping the provisioner.example.com

    +
    +
    +
    ping provisioner.example.com
    +
    +
    +
  2. +
  3. +

    Once pingable, ensure that you have copied your public SSH key from your local system to the privileged user via the ssh-copy-id command.

    +
    +
    +
    ssh-copy-id kni@provisioner.example.com
    +
    +
    +
    + + + + + +
    + + +When prompted, enter the password of your privileged user (i.e. kni). +
    +
    +
  4. +
  5. +

    Verify connectivity using the ping module in Ansible

    +
    +
    +
    ansible -i inventory/hosts provisioner -m ping
    +provisioner.example.com | SUCCESS => {
    +    "ansible_facts": {
    +        "discovered_interpreter_python": "/usr/libexec/platform-python"
    +    },
    +    "changed": false,
    +    "ping": "pong"
    +}
    +
    +
    +
  6. +
  7. +

    Re-run the Ansible playbook

    +
    +
    +
    $ ansible-playbook -i inventory/hosts playbook.yml
    +
    +
    +
  8. +
+
+
+
+

6.2. Permission Denied Trying To Connect To Host

+
+

Another very common error is getting a permission denied error similar +to:

+
+
+
+
$ ansible-playbook -i inventory/hosts playbook.yml
+
+PLAY [IPI on Baremetal Installation Playbook] *****************************************************************************************************
+
+TASK [Gathering Facts] ****************************************************************************************************************************
+fatal: [provisioner.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: rlopez@provisioner.example.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).", "unreachable": true}
+
+PLAY RECAP ****************************************************************************************************************************************
+provisioner.example.com : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+
+
+
+

The above issue is typically related to a problem with your +ansible.cfg file. Either it does not exist, has errors inside it, or +you have not copied your SSH public key onto the +provisioner.example.com system. If you notice closely, the Ansible +playbook attempted to use my rlopez user instead of my kni user +since my local ansible.cfg did not exist AND I had not yet set +the remote_user parameter to kni (my privileged user).

+
+
+
    +
  1. +

    When working with the Ansible playbook ensure you have an ansible.cfg located in the same directory as your playbook.yml file. The contents of the ansible.cfg should look similar to the below with the exception of changing your inventory path (location of inventory directory) and potentially your privileged user if not using kni.

    +
    +
    +
    $ cat ansible.cfg
    +[defaults]
    +inventory=/path/to/baremetal-deploy/ansible-ipi-install/inventory
    +remote_user=kni
    +
    +[privilege_escalation]
    +become=true
    +become_method=sudo
    +
    +
    +
  2. +
  3. +

    Next, ensure that you have copied your public SSH key from your local system to the privileged user via the ssh-copy-id command.

    +
    +
    +
    ssh-copy-id kni@provisioner.example.com
    +
    +
    +
    + + + + + +
    + + +When prompted, enter the password of your privileged user (i.e. kni). +
    +
    +
  4. +
  5. +

    Verify connectivity using the ping module in Ansible

    +
    +
    +
    ansible -i inventory/hosts provisioner -m ping
    +provisioner.example.com | SUCCESS => {
    +    "ansible_facts": {
    +        "discovered_interpreter_python": "/usr/libexec/platform-python"
    +    },
    +    "changed": false,
    +    "ping": "pong"
    +}
    +
    +
    +
  6. +
  7. +

    Re-run the Ansible playbook

    +
    +
    +
    $ ansible-playbook -i inventory/hosts playbook.yml
    +
    +
    +
  8. +
+
+
+
+

6.3. Dig lookup requires the python ‘dnspython’ library and it is not installed

+
+

One of the tasks in the node_prep role captures your API VIP and the +Ingress VIP of your environment using a lookup via dig. It does +this DNS query using the dnspython library. +This error is a little deceiving because the dnspython package +does not need to be installed on the remote server +(i.e. provisioner.example.com) but the package must be installed on +your local host that is running the Ansible playbook.

+
+
+
+
TASK [node_prep : fail] ************************************************************************************************************
+skipping: [provisioner.example.com]
+
+TASK [node_prep : Verify DNS records for API VIP, Wildcard (Ingress) VIP] **********************************************************
+fatal: [provisioner.example.com]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'dig'. Error was a <class 'ansible.errors.AnsibleError'>, original message: The dig lookup requires the python 'dnspython' library and it is not installed"}
+
+PLAY RECAP *************************************************************************************************************************
+provisioner.example.com : ok=2    changed=0    unreachable=0    failed=1    skipped=3    rescued=0    ignored=0
+
+
+
+

The above issue can be fixed by simply installing python3-dns on +your local system (assuming your using an OS such as Fedora, Red Hat)

+
+
+

On a local host running Red Hat 8.x, run:

+
+
+
+
# sudo dnf install python3-dns
+
+
+
+

On a local host running Red Hat 7.x, run:

+
+
+
+
# sudo yum install python2-dns
+
+
+
+

On a local host running Fedora, run:

+
+
+
+
# sudo dnf install python3-dns
+
+
+
+

Re-run the Ansible playbook

+
+
+
+
$ ansible-playbook -i inventory/hosts playbook.yml
+
+
+
+
+

6.4. Missing python netaddr library

+
+

The Ansible playbook takes advantage of certain filters such as the +ipaddr +filter. In order to use this filter, your localhost running the +Ansible playbook requires the python netaddr library.

+
+
+

The error when running the playbook looks like the following:

+
+
+
+
TASK [node_prep : Fail if Python modules are missing] ******************************************************************************
+Tuesday 05 May 2020  19:30:19 +0000 (0:00:00.512)       0:00:13.829 ***********
+fatal: [localhost]: FAILED! => {"changed": false, "msg": "Missing python module(s) ['netaddr'] on localhost\n"}
+
+
+
+

The above issue can be fixed by simply installing python3-netaddr on +your local system (assuming your using an OS such as Fedora, Red Hat)

+
+
+

On a local host running Red Hat 8.x, run:

+
+
+
+
# sudo dnf install python3-netaddr
+
+
+
+

On a local host running Red Hat 7.x, run:

+
+
+
+
# sudo yum install python2-netaddr
+
+
+
+

On a local host running Fedora, run:

+
+
+
+
# sudo dnf install python3-netaddr
+
+
+
+

Re-run the Ansible playbook

+
+
+
+
$ ansible-playbook -i inventory/hosts playbook.yml
+
+
+
+
+

6.5. Shared connection closed on provision host when installing packages

+
+

When deploying in an environment where subscription manager is not +being used and a local repository is being setup on the provision host +due to the nature that the provision host is offline, you may see the +following error.

+
+
+
+
TASK [node_prep : Install required packages] ************************************************************************************************
+Thursday 07 May 2020  17:04:21 +0000 (0:00:00.152)       0:00:11.854 **********
+fatal: [provisioner.example.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to provisioner.example.com closed.\r\n", "module_stdout": "[Errno 101] Network is unreachable\r\n\r\n{\"msg\": \"Nothing to do\", \"changed\": false, \"results\": [], \"rc\": 0, \"invocation\": {\"module_args\": {\"name\": [\"firewalld\", \"tar\", \"libvirt\", \"qemu-kvm\", \"python3-devel\", \"jq\", \"ipmitool\", \"python3-libvirt\", \"python3-lxml\", \"python3-yaml\", \"NetworkManager-libnm\", \"nm-connection-editor\", \"libsemanage-python3\", \"policycoreutils-python3\", \"podman\"], \"state\": \"present\", \"update_cache\": true, \"allow_downgrade\": false, \"autoremove\": false, \"bugfix\": false, \"disable_gpg_check\": false, \"disable_plugin\": [], \"disablerepo\": [], \"download_only\": false, \"enable_plugin\": [], \"enablerepo\": [], \"exclude\": [], \"installroot\": \"/\", \"install_repoquery\": true, \"install_weak_deps\": true, \"security\": false, \"skip_broken\": false, \"update_only\": false, \"validate_certs\": true, \"lock_timeout\": 30, \"conf_file\": null, \"disable_excludes\": null, \"download_dir\": null, \"list\": null, \"releasever\": null}}}\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 0}
+
+
+
+

The error basically means that dnf was not able to load particular +plugins, specifically the product-id and the subscription-manager +plugins. However,since this is a local repository with offline access, +we will want to disable these plugins when this error occurs.

+
+
+

On the provision host, if you run the following command:

+
+
+
+
[kni@provisioner ~]$ sudo dnf info dnf
+Updating Subscription Management repositories.
+Unable to read consumer identity
+[Errno 101] Network is unreachable
+Last metadata expiration check: 0:08:49 ago on Thu 07 May 2020 08:11:19 PM UTC.
+Installed Packages
+Name         : dnf
+Version      : 4.2.7
+Release      : 7.el8_1
+Architecture : noarch
+Size         : 1.7 M
+Source       : dnf-4.2.7-7.el8_1.src.rpm
+Repository   : @System
+From repo    : rhel-8-for-x86_64-baseos-rpms
+Summary      : Package manager
+URL          : https://github.com/rpm-software-management/dnf
+License      : GPLv2+ and GPLv2 and GPL
+Description  : Utility that allows users to manage packages on their systems.
+             : It supports RPMs, modules and comps groups & environments.
+
+
+
+

To ensure the issue is plugin related, we can attempt to run the same command +with plugins disabled as such:

+
+
+
+
[kni@provisioner ~]$ sudo dnf info dnf --disableplugin=product-id,subscription-manager
+Last metadata expiration check: 0:11:17 ago on Thu 07 May 2020 08:11:19 PM UTC.
+Installed Packages
+Name         : dnf
+Version      : 4.2.7
+Release      : 7.el8_1
+Architecture : noarch
+Size         : 1.7 M
+Source       : dnf-4.2.7-7.el8_1.src.rpm
+Repository   : @System
+From repo    : rhel-8-for-x86_64-baseos-rpms
+Summary      : Package manager
+URL          : https://github.com/rpm-software-management/dnf
+License      : GPLv2+ and GPLv2 and GPL
+Description  : Utility that allows users to manage packages on their systems.
+             : It supports RPMs, modules and comps groups & environments.
+
+
+
+

If you notice, the portion that says

+
+
+
+
Unable to read consumer identity
+[Errno 101] Network is unreachable
+
+
+
+

is no longer stated.

+
+
+

For this fix to be permanent, modify the /etc/yum.conf file and include +the plugins=0 into the [main] section of the configuration file.

+
+
+
+
[kni@provisioner ~]$ cat /etc/yum.conf
+
+[main]
+gpgcheck=1
+installonly_limit=3
+clean_requirements_on_remove=True
+best=True
+plugins=0
+
+
+
+
+
+
+

7. Gotchas

+
+
+

7.1. Using become: yes within ansible.cfg or inside playbook.yml

+
+

This Ansible playbook takes advantage of the ansible_user_dir +variable. As such, it is important to note that if within your +ansible.cfg or within the playbook.yml file the privilege +escalation of become: yes is used, this will modify the home +directory to that of the root user (i.e. /root) instead of using the +home directory of your privileged user, kni with a home directory of +/home/kni

+
+
+
+

7.2. Failed to connect to bus: No such file or directory

+
+

The Ansible playbook creates two containers (when enabled) to +store a mirored registry and a caching webserver. +When these containers are created, the playbook also creates a +systemd unit file to ensure these containers are restarted upon +the reboot of the host serving them.

+
+
+

Since these are systemd user services, when logging into a +system to attempt a command such as +systemctl --user status container-cache.service for the +webserver or systemctl --user status container-registry.service +for the mirrored registry, you may get an error such as:

+
+
+
+
[kni@provisioner ~]$ systemctl --user status container-cache
+Failed to connect to bus: No such file or directory
+
+
+
+

What the following error is trying to address is that the +parameter, DBUS_SESSIONBUS_ADDRESS, is not set.

+
+
+

In order to set this variable, we can export as follows:

+
+
+
+
export DBUS_SESSIONBUS_ADDRESS="unix:path/run/user/$id/bus"
+
+
+
+

Once that has been set, if you re-attempt the systemctl command, you should +see output as follows:

+
+
+
+
[kni@provisioner ~]$ systemctl --user status container-cache.service
+● container-cache.service - Podman container-cache.service
+   Loaded: loaded (/home/kni/.config/systemd/user/container-cache.service; enabled; vendor preset: enabled)
+   Active: active (running) since Mon 2020-06-01 19:52:04 UTC; 49min ago
+  Process: 36380 ExecStart=/usr/bin/podman start rhcos_image_cache (code=exited, status=0/SUCCESS)
+ Main PID: 36410 (conmon)
+
+
+
+
+
+
+

Appendix A: Using Ansible Tags with the playbook.yml

+
+
+

As this playbook continues to grow, there may be times when it is +useful to run specific portions of the playbook rather than running +everything the Ansible playbook offers.

+
+
+

For example, a user may only want to run the networking piece of the +playbook or create just the pull-secret.txt file, or just clean up the +environment — just to name a few.

+
+
+

As such the existing playbook has many tags that can be used for such +purposes. By running the following command you can see what options +are available.

+
+
+
+
$ ansible-playbook -i inventory/hosts playbook.yml --list-tasks --list-tags
+
+playbook: playbook.yml
+
+  play #1 (provisioner): IPI on Baremetal Installation Playbook	TAGS: []
+    tasks:
+      include_tasks	TAGS: [validation]
+      include_tasks	TAGS: [subscription]
+      include_tasks	TAGS: [packages]
+      include_tasks	TAGS: [network]
+      include_tasks	TAGS: [network_facts]
+      include_tasks	TAGS: [user]
+      include_tasks	TAGS: [services]
+      include_tasks	TAGS: [firewall]
+      include_tasks	TAGS: [storagepool]
+      include_tasks	TAGS: [clusterconfigs]
+      include_tasks	TAGS: [powerservers]
+      include_tasks	TAGS: [cleanup, getoc]
+      include_tasks	TAGS: [extract, pullsecret]
+      include_tasks	TAGS: [rhcospath]
+      include_tasks	TAGS: [cache]
+      include_tasks	TAGS: [installconfig]
+      include_tasks	TAGS: [metal3config]
+      include_tasks	TAGS: [customfs]
+      include_tasks	TAGS: [manifests]
+      include_tasks	TAGS: [extramanifests]
+      include_tasks	TAGS: [cleanup]
+      include_tasks	TAGS: [install]
+      TASK TAGS: [cache, cleanup, clusterconfigs, customfs, extract, extramanifests, firewall, getoc, install, installconfig, manifests, metal3config, network, network_facts, packages, powerservers, pullsecret, rhcospath, services, storagepool, subscription, user, validation]
+
+
+
+

To break this down further, the following is a description of each tag.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1. Table Playbook Tag Description
tagdescription

validation

It is always required. It verifies that everything in your environment is set and ready for OpenShift deployment and sets some required internal variables

subscription

subscribe via Red Hat subscription manager

packages

install required package for OpenShift

network

setup the provisioning and baremetal network bridges and bridge slaves

network_facts

regather networking facts of environment

user

add remote user to libvirt group and generate SSH keys

services

enable appropriate services for OpenShift

firewall

set firewall rules for OpenShift

storagepool

define, create, auto start the default storage pool

clusterconfigs

directory that stores all configuration files for OpenShift

powerservers

power off all servers that will be part of the OpenShift cluster

getoc

get the appropriate oc binary, extract it and place within /usr/local/bin

extract

extract the OpenShift installer

pullsecret

copy the pullsecret to the pull-secret.txt file under the remote user home directory

rhcospath

set the RHCOS path

cache

tasks related to enabling RHCOS image caching

installconfig

generates the install-config.YAML

metal3config

generates the metal3-config.YAML

customfs

deals with customizing the filesystem via ignition files

manifests

create the manifests directory

extramanifests

include any extra manifests files

install

Deploy OpenShift

cleanup

clean up the environment within the provisioning node. Does not remove networking

+
+

A.1. How to use the Ansible tags

+
+

The following is an example on how to use the --tags option. In this example, we will just install the packages to the provision node.

+
+
+
Example 1
+
+
ansible-playbook -i inventory/hosts playbook.yml --tags "validation,packages"
+
+
+
+

The example above calls for the setup of the networking and +installation of the packages from the Ansible playbook. Only the tasks +with these specific tags will run.

+
+
+ + + + + +
+ + +Due to the dependencies in the playbook, the validation tag is always required. +
+
+
+
+

A.2. Skipping particular tasks using Ansible tags

+
+

In the event that you want to always skip certain tasks of the +playbook this can be done via the --skip-tag option.

+
+
+

We will use similar example as above where we want to skip the network +setup and the package installation.

+
+
+
Example 1
+
+
ansible-playbook -i inventory/hosts playbook.yml --skip-tags "network,packages"
+
+
+
+
+
+
+

Appendix B: Using a proxy with your Ansible playbook

+
+
+

When running behind a proxy, it is important to properly set the environment +to handle such scenario such that you can run the Ansible playbook. In order +to use a proxy for the ansible playbook set the appropriate variables within +your inventory/hosts file. These values will also be included within your +generated install-config.yaml file.

+
+
+
+
# (Optional) Provide HTTP proxy settings
+#http_proxy=http://USERNAME:PASSWORD@proxy.example.com:8080
+
+# (Optional) Provide HTTPS proxy settings
+#https_proxy=https://USERNAME:PASSWORD@proxy.example.com:8080
+
+# (Optional) comma-separated list of hosts, IP Addresses, or IP ranges in CIDR format
+# excluded from proxying
+# NOTE: OpenShift does not accept '*' as a wildcard attached to a domain suffix
+# i.e. *.example.com
+# Use '.' as the wildcard for a domain suffix as shown in the example below.
+# i.e. .example.com
+#no_proxy_list="172.22.0.0/24,.example.com"
+
+
+
+
+
+
+
+
+1. If creating the mirrored registry, this system will require online access. The registry node may be a virtual machine in order to reduce physical server footprint. +
+
+2. https://github.com/openshift/installer/issues/2762 +
+
+ + + \ No newline at end of file diff --git a/4.9/Ansible Playbook Install.pdf b/4.9/Ansible Playbook Install.pdf new file mode 100644 index 0000000000..b1ba5ee9da Binary files /dev/null and b/4.9/Ansible Playbook Install.pdf differ diff --git a/4.9/Deployment.html b/4.9/Deployment.html new file mode 100644 index 0000000000..e7062c4aa5 --- /dev/null +++ b/4.9/Deployment.html @@ -0,0 +1,6433 @@ + + + + + + + + + + +Deploying Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal - 4.9 + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
Draft documentation
+
+

This document is considered a DRAFT:

+
+
+
    +
  1. +

    It might not be complete

    +
  2. +
  3. +

    It might be not accurate

    +
  4. +
  5. +

    It might break your environment

    +
  6. +
+
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+
+
+

1. Overview

+
+
+ + + + + +
+ + +
+

The Bare Metal IPI images and code described in this document are for Developer Preview purposes and are not supported by Red Hat at this time.

+
+
+
+
+

Installer-provisioned installation provides support for installing OpenShift Container Platform on bare metal nodes. This guide provides a methodology to achieving a successful installation.

+
+
+

During installer-provisioned installation on bare metal, the installer on the bare metal node labeled as provisioner creates a bootstrap virtual machine (VM). The role of the bootstrap VM is to assist in the process of deploying an OpenShift Container Platform cluster. The bootstrap VM connects to the baremetal network and to the provisioning network, if present, via the network bridges.

+
+
+
+Deployment phase one +
+
+
+

When the installation of OpenShift control plane nodes is complete and fully operational, the installer destroys the bootstrap VM automatically and moves the virtual IP addresses (VIPs) to +the control plane nodes.

+
+
+
+Deployment phase two +
+
+
+
+
+

2. Prerequisites

+
+ +
+

Installer-provisioned installation of OpenShift Container Platform requires:

+
+
+
    +
  1. +

    One provisioner node with Red Hat Enterprise Linux (RHEL) 8.x installed.

    +
  2. +
  3. +

    Three control plane nodes.

    +
  4. +
  5. +

    Baseboard Management Controller (BMC) access to each node.

    +
  6. +
  7. +

    At least one network:

    +
    +
      +
    1. +

      One required routable network

      +
    2. +
    3. +

      One optional network for provisioning nodes; and,

      +
    4. +
    5. +

      One optional management network.

      +
    6. +
    +
    +
  8. +
+
+
+

Before starting an installer-provisioned installation of OpenShift Container Platform, ensure the hardware environment meets the following requirements.

+
+
+

2.1. Node requirements

+
+

Installer-provisioned installation involves a number of hardware node requirements:

+
+
+
    +
  • +

    CPU architecture: All nodes must use x86_64 CPU architecture.

    +
  • +
  • +

    Similar nodes: Red Hat recommends nodes have an identical configuration per role. That is, Red Hat recommends nodes be the same brand and model with the same CPU, memory and storage configuration.

    +
  • +
  • +

    Baseboard Management Controller: The provisioner node must be able to access the baseboard management controller (BMC) of each OpenShift Container Platform cluster node. You may use IPMI, Redfish, or a proprietary protocol.

    +
  • +
  • +

    Latest generation: Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, RHEL 8 ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support RHEL 8 for the provisioner node and RHCOS 8 for the control plane and worker nodes.

    +
  • +
  • +

    Registry node: (Optional) If setting up a disconnected mirrored registry, it is recommended the registry reside in its own node.

    +
  • +
  • +

    Provisioner node: Installer-provisioned installation requires one provisioner node.

    +
  • +
  • +

    Control plane: Installer-provisioned installation requires three control plane nodes for high availability.

    +
  • +
  • +

    Worker nodes: While not required, a typical production cluster has one or more worker nodes. Smaller clusters are more resource efficient for administrators and developers during development, production, and testing.

    +
  • +
  • +

    Network interfaces: Each node must have at least one 10GB network interface for the routable baremetal network. Each node must have one 10GB network interface for a provisioning network when using the provisioning network for deployment. Using the provisioning network is the default configuration. Network interface names must follow the same naming convention across all nodes. For example, the first NIC name on a node, such as eth0 or eno1, must be the same name on all of the other nodes. The same principle applies to the remaining NICs on each node.

    +
  • +
  • +

    Unified Extensible Firmware Interface (UEFI): Installer-provisioned installation requires UEFI boot on all OpenShift Container Platform nodes when using IPv6 addressing on the provisioning network. In addition, UEFI Device PXE Settings must be set to use the IPv6 protocol on the provisioning network NIC, but omitting the provisioning network removes this requirement.

    +
  • +
  • +

    Secure Boot: Many production scenarios require nodes with Secure Boot enabled to verify the node only boots with trusted software, such as UEFI firmware drivers, EFI applications and the operating system. You may deploy with secure boot manually or managed.

    +
    +
      +
    1. +

      Manually: To deploy a OpenShift Container Platform cluster with Secure Boot manually, you must enable UEFI boot mode and Secure Boot on each control plane node and each worker node. Red Hat supports Secure Boot with manually enabled UEFI and Secure Boot only when installer-provisioned installation uses Redfish virtual media.

      +
    2. +
    3. +

      Managed: To deploy a OpenShift Container Platform cluster with managed Secure Boot, you must set the bootMode value to UEFISecureBoot in the install-config.yaml file. Red Hat only supports installer-provisioned installation with managed Secure Boot on 10th generation HPE hardware and 13th generation Dell hardware running firmware version 2.75.75.75 or greater. Deploying with managed Secure Boot does not require Redfish virtual media.

      +
      + + + + + +
      + + +
      +

      Red Hat does not support Secure Boot with self-generated keys.

      +
      +
      +
      +
    4. +
    +
    +
  • +
+
+
+
+

2.2. Firmware requirements for installing with virtual media

+
+

The installer for installer-provisioned OpenShift Container Platform clusters validates the hardware and firmware compatibility with Redfish virtual media. The following table lists supported firmware for installer-provisioned OpenShift Container Platform clusters deployed with Redfish virtual media.

+
+ + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1. Firmware compatibility for Redfish virtual media
HardwareModelManagementFirmware Versions

HP

10th Generation

iLO5

N/A

9th Generation

iLO4

N/A

Dell

14th Generation

iDRAC 9

v4.20.20.20 - 04.40.00.00

13th Generation

iDRAC 8

v2.75.75.75+

+
+ + + + + +
+ + +
+

Refer to the hardware documentation for the nodes or contact the hardware vendor for information on updating the firmware.

+
+
+

There are no known firmware limitations for HP servers.

+
+
+

For Dell servers, ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach . With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+
+
+ + + + + +
+ + +
+

The installer will not initiate installation on a node if the node firmware is below the foregoing versions when installing with virtual media.

+
+
+
+
+
+

2.3. Network requirements

+
+

Installer-provisioned installation of OpenShift Container Platform involves several network requirements by default. First, installer-provisioned installation involves a non-routable provisioning network for provisioning the operating system on each bare metal node and a routable baremetal network. Since installer-provisioned installation deploys ironic-dnsmasq, the networks should have no other DHCP servers running on the same broadcast domain. Network administrators must reserve IP addresses for each node in the OpenShift Container Platform cluster.

+
+
+

OpenShift Container Platform 4.8 and later releases include functionality that uses cluster membership information to generate A/AAAA records. This resolves the node names to their IP addresses. Once the nodes are registered with the API, the cluster can disperse node information without using CoreDNS-mDNS. This eliminates the network traffic associated with multicast DNS.

+
+
+
Network Time Protocol (NTP)
+

Each OpenShift Container Platform node in the cluster must have access to an NTP server. OpenShift Container Platform nodes use NTP to synchronize their clocks. For example, cluster nodes use SSL certificates that require validation, which might fail if the date and time between the nodes are not in sync.

+
+
+ + + + + +
+ + +
+

Define a consistent clock date and time format in each cluster node’s BIOS settings, or installation might fail.

+
+
+
+
+

In OpenShift Container Platform 4.8 and later releases, you may reconfigure the control plane nodes to act as NTP servers on disconnected clusters, and reconfigure worker nodes to retrieve time from the control plane nodes.

+
+
+
Configuring NICs
+

OpenShift Container Platform deploys with two networks:

+
+
+
    +
  • +

    provisioning: The provisioning network is an optional non-routable network used for provisioning the underlying operating system on each node that is a part of the OpenShift Container Platform cluster. The network interface for the provisioning network on each cluster node must have the BIOS or UEFI configured to PXE boot. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the first NIC on each node, such as eth0 or eno1, must interface with the provisioning network. In OpenShift Container Platform 4.4 and later releases, you can specify the provisioning network NIC with the provisioningNetworkInterface configuration setting.

    +
  • +
  • +

    baremetal: The baremetal network is a routable network. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the second NIC on each node, such as eth1 or eno2, must interface with the baremetal network. In OpenShift Container Platform 4.4 and later releases, you can use any NIC order to interface with the baremetal network, provided it is the same NIC order across worker and control plane nodes and not the NIC specified in the provisioningNetworkInterface configuration setting for the provisioning network.

    +
  • +
+
+
+ + + + + +
+ + +
+

Use a compatible approach such that cluster nodes use the same NIC ordering on all cluster nodes. NICs must have heterogeneous hardware with the same NIC naming convention such as eth0 or eno1.

+
+
+
+
+ + + + + +
+ + +
+

When using a VLAN, each NIC must be on a separate VLAN corresponding to the appropriate network.

+
+
+
+
+
Configuring the DNS server
+

Clients access the OpenShift Container Platform cluster nodes over the baremetal network. A network administrator must configure a subdomain or subzone where the canonical name extension is the cluster name.

+
+
+
+
<cluster-name>.<domain-name>
+
+
+
+

For example:

+
+
+
+
test-cluster.example.com
+
+
+
+

You must also specify an api.<cluster-name>.<domain> record in the DNS. In subsequent configuration steps, when you configure network components to run exclusively on the control plane, the internal DNS resolution no longer works. This is an expected outcome.

+
+
+ + + + + +
+ + +
+

Failure to create a DNS record for the API precludes worker nodes from joining the cluster.

+
+
+
+
+

For assistance in configuring the DNS server, check Appendix section for:

+
+ +
+
Reserving IP addresses for nodes with the DHCP server
+

For the baremetal network, a network administrator must reserve a number of IP addresses, including:

+
+
+
    +
  1. +

    Two virtual IP addresses.

    +
    +
      +
    • +

      One IP address for the API endpoint

      +
    • +
    • +

      One IP address for the wildcard ingress endpoint

      +
    • +
    +
    +
  2. +
  3. +

    One IP address for the provisioner node.

    +
  4. +
  5. +

    One IP address for each control plane (master) node.

    +
  6. +
  7. +

    One IP address for each worker node, if applicable.

    +
  8. +
+
+
+ + + + + +
+ + +
Reserving IP addresses so they become static IP addresses
+
+

Some administrators prefer to use static IP addresses so that each node’s IP address remains constant in the absence of a DHCP server. To use static IP addresses in the OpenShift Container Platform cluster, reserve the IP addresses with an infinite lease. During deployment, the installer will reconfigure the NICs from DHCP assigned addresses to static IP addresses. NICs with DHCP leases that are not infinite will remain configured to use DHCP.

+
+
+
+
+ + + + + +
+ + +
Networking between external load balancers and control plane nodes
+
+

External load balancing services and the control plane nodes must run on the same L2 network, and on the same VLAN when using VLANs to route traffic between the load balancing services and the control plane nodes.

+
+
+
+
+

The following table provides an exemplary embodiment of fully qualified domain names. The API and Nameserver addresses begin with canonical name extensions. The host names of the control plane and worker nodes are exemplary, so you can use any host naming convention you prefer.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
UsageHost NameIP

API

api.<cluster-name>.<domain>

<ip>

Ingress LB (apps)

*.apps.<cluster-name>.<domain>

<ip>

Provisioner node

provisioner.<cluster-name>.<domain>

<ip>

Master-0

openshift-master-0.<cluster-name>.<domain>

<ip>

Master-1

openshift-master-1.<cluster-name>-.<domain>

<ip>

Master-2

openshift-master-2.<cluster-name>.<domain>

<ip>

Worker-0

openshift-worker-0.<cluster-name>.<domain>

<ip>

Worker-1

openshift-worker-1.<cluster-name>.<domain>

<ip>

Worker-n

openshift-worker-n.<cluster-name>.<domain>

<ip>

+
+

For assistance in configuring the DHCP server, check Appendix section for:

+
+ +
+
State-driven network configuration requirements (Technology Preview)
+

OpenShift Container Platform supports additional post-installation state-driven network configuration on the secondary network interfaces of cluster nodes using kubernetes-nmstate. For example, system administrators might configure a secondary network interface on cluster nodes after installation for a storage network.

+
+
+ + + + + +
+ + +
+

Configuration must occur before scheduling pods.

+
+
+
+
+

State-driven network configuration requires installing kubernetes-nmstate, and also requires Network Manager running on the cluster nodes. See OpenShift Virtualization > Kubernetes NMState (Tech Preview) for additional details.

+
+

IPv6 considerations

+
+
SLAAC Addressing
+

If you do not plan to use SLAAC [1] addresses on your OpenShift Container Platform node, then it should be disabled for baremetal networks, that means that if your network equipment is configured to send SLAAC addresses when replying to Route Advertisements that behavior should be changed, so it only sends the route and not the SLAAC address.

+
+
+

Install ndptool on your system in order to check what your RAs look like:

+
+
+
+
# Turn down/up baremetal iface on a master Node
+$ sudo nmcli con down "Wired connection 5" && sudo nmcli con up "Wired connection 5"
+Connection 'Wired connection 5' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1983)
+Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2044)
+
+# ndptool monitor on Helper node
+$ sudo ndptool monitor -t ra
+NDP payload len 80, from addr: fe80::c0a4:6464:bcb3:d657, iface: baremetal.153
+  Type: RA
+  Hop limit: 64
+  Managed address configuration: yes
+  Other configuration: no
+  Default router preference: medium
+  Router lifetime: 0s
+  Reachable time: unspecified
+  Retransmit time: unspecified
+  Source linkaddr: 1c:40:24:1b:0c:34
+  Prefix: 2620:52:0:1303::/64, valid_time: 86400s, preferred_time: 14400s, on_link: yes, autonomous_addr_conf: no, router_addr: no
+  Route: ::/0, lifetime: 0s, preference: low
+
+
+
+

The ndptool monitor should report Managed address configuration: yes.

+
+
+
Network Ranges and Configurations
+

Different baremetal and provisioning networks are required for each environment; each environment will have a different IPv6 range for each one of those networks.

+
+
+

In our configuration we used subinterfaces attached to two different physical interfaces, VLAN tagging was done at O.S. level (this required switch ports configured with trunk mode).

+
+
+

Our different IPv6 networks were all routable but usually, the only routable networks are the baremetal ones.

+
+
+

Keep in mind that provisioning networks cannot be in the same broadcast domain, since services such as DHCP are running.

+
+
+ + + + + +
+ + +
Route Advertisement
+
+

Route Advertisement must be enabled for both networks baremetal and provisioning.

+
+
+
+
+
Route Advertisements
+

As mentioned previously, both the baremetal and the provisioning networks must have Route Advertisement enabled. For the baremetal network, the radvd daemon was used, while the provisioning network has RA enabled in the Metal³ dnsmasq, so no configuration is needed.

+
+
+
+

2.4. Configuring nodes

+
+
Configuring nodes when using the provisioning network
+

Each node in the cluster requires the following configuration for proper installation.

+
+
+ + + + + +
+ + +
+

A mismatch between nodes will cause an installation failure.

+
+
+
+
+

While the cluster nodes can contain more than two NICs, the installation process only focuses on the first two NICs:

+
+ +++++ + + + + + + + + + + + + + + + + + +

NIC

Network

VLAN

NIC1

provisioning

<provisioning-vlan>

NIC2

baremetal

<baremetal-vlan>

+
+

NIC1 is a non-routable network (provisioning) that is only used for the installation of the OpenShift Container Platform cluster.

+
+
+

The Red Hat Enterprise Linux (RHEL) 8.x installation process on the provisioner node might vary. To install Red Hat Enterprise Linux (RHEL) 8.x using a local Satellite server or a PXE server, PXE-enable NIC2.

+
+ ++++ + + + + + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled provisioning network

1

NIC2 baremetal network. PXE-enabled is optional.

2

+
+ + + + + +
+ + +
+

Ensure PXE is disabled on all other NICs.

+
+
+
+
+

Configure the control plane and worker nodes as follows:

+
+ ++++ + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled (provisioning network)

1

+
+
Configuring nodes without the provisioning network
+

The installation process requires one NIC:

+
+ +++++ + + + + + + + + + + + + +

NIC

Network

VLAN

NICx

baremetal

<baremetal-vlan>

+
+

NICx is a routable network (baremetal) that is used for the installation of the OpenShift Container Platform cluster, and routable to the internet.

+
+
+
Configuring nodes for Secure Boot manually
+

Secure Boot prevents a node from booting unless it verifies the node is using only trusted software, such as UEFI firmware drivers, EFI applications and the operating system.

+
+
+ + + + + +
+ + +
+

Red Hat only supports manually configured Secure Boot when deploying with Redfish virtual media.

+
+
+
+
+

To enable Secure Boot manually, refer to the hardware guide for the node and execute the following:

+
+
+
    +
  1. +

    Boot the node and enter the BIOS menu.

    +
  2. +
  3. +

    Set the node’s boot mode to UEFI Enabled.

    +
  4. +
  5. +

    Enable Secure Boot.

    +
  6. +
+
+
+ + + + + +
+ + +
+

Red Hat does not support Secure Boot with self-generated keys.

+
+
+
+
+
+

2.5. Out-of-band management

+
+

Nodes will typically have an additional NIC used by the Baseboard Management Controllers (BMCs). These BMCs must be accessible from the provisioner node.

+
+
+

Each node must be accessible via out-of-band management. When using an out-of-band management network, the provisioner node requires access to the out-of-band management network for a successful OpenShift Container Platform 4 installation.

+
+
+

The out-of-band management setup is out of scope for this document. We recommend setting up a separate management network for out-of-band management. However, using the provisioning network or the baremetal network are valid options.

+
+
+
+

2.6. Required data for installation

+
+

Prior to the installation of the OpenShift Container Platform cluster, gather the following information from all cluster nodes:

+
+
+
    +
  • +

    Out-of-band management IP

    +
    +
      +
    • +

      Examples

      +
      +
        +
      • +

        Dell (iDRAC) IP

        +
      • +
      • +

        HP (iLO) IP

        +
      • +
      +
      +
    • +
    +
    +
  • +
+
+
+
When using the provisioning network
+
    +
  • +

    NIC1 (provisioning) MAC address

    +
  • +
  • +

    NIC2 (baremetal) MAC address

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    NICx (baremetal) MAC address

    +
  • +
+
+
+
+

2.7. Validation checklist for nodes

+
+
When using the provisioning network
+
    +
  • +

    DHCP reservations use infinite leases to deploy the cluster with static IP addresses. (optional)

    +
  • +
  • +

    NIC1 VLAN is configured for the provisioning network.

    +
  • +
  • +

    NIC2 VLAN is configured for the baremetal network.

    +
  • +
  • +

    NIC1 is PXE-enabled on the provisioner, Control Plane (master), and worker nodes.

    +
  • +
  • +

    PXE has been disabled on all other NICs.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    DHCP reservations use infinite leases to deploy the cluster with static IP addresses. (optional)

    +
  • +
  • +

    NICx VLAN is configured for the baremetal network.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
Summary
+

After an environment has been prepared according to the documented prerequisites, the installation process is the same as other installer-provisioned platforms.

+
+
+
+
+
+

3. Setting up the environment for an OpenShift installation

+
+ +
+

3.1. Installing RHEL on the provisioner node

+
+

With the networking configuration complete, the next step is to install RHEL 8.X on the provisioner node. The installer uses the provisioner node as the orchestrator while installing the OpenShift Container Platform cluster. For the purposes of this document, installing RHEL on the provisioner node is out of scope. However, options include but are not limited to using a RHEL Satellite server, PXE, or installation media.

+
+
+
+

3.2. Preparing the provisioner node for OpenShift Container Platform installation

+
+

Perform the following steps to prepare the environment.

+
+
+
Procedure
+
    +
  1. +

    Log in to the provisioner node via ssh.

    +
  2. +
  3. +

    Create a non-root user (kni) and provide that user with sudo privileges.

    +
    +
    +
    [root@provisioner ~]# useradd kni
    +[root@provisioner ~]# passwd kni
    +[root@provisioner ~]# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    +[root@provisioner ~]# chmod 0440 /etc/sudoers.d/kni
    +
    +
    +
  4. +
  5. +

    Create an ssh key for the new user.

    +
    +
    +
    [root@provisioner ~]# su - kni -c "ssh-keygen -t rsa -f /home/kni/.ssh/id_rsa -N ''"
    +
    +
    +
  6. +
  7. +

    Log in as the new user on the provisioner node.

    +
    +
    +
    [root@provisioner ~]# su - kni
    +[kni@provisioner ~]$
    +
    +
    +
  8. +
  9. +

    Use Red Hat Subscription Manager to register the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ sudo subscription-manager register --username=<user> --password=<pass> --auto-attach
    +[kni@provisioner ~]$ sudo subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms --enable=rhel-8-for-x86_64-baseos-rpms
    +
    +
    +
    + + + + + +
    + + +
    +

    For more information about Red Hat Subscription Manager, see Using and Configuring Red Hat Subscription Manager.

    +
    +
    +
    +
  10. +
  11. +

    Install the following packages.

    +
    +
    +
    [kni@provisioner ~]$ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitool
    +
    +
    +
  12. +
  13. +

    Modify the user to add the libvirt group to the newly created user.

    +
    +
    +
    [kni@provisioner ~]$ sudo usermod --append --groups libvirt <user>
    +
    +
    +
  14. +
  15. +

    Restart firewalld and enable the http service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start firewalld
    +[kni@provisioner ~]$ sudo firewall-cmd --zone=public --add-service=http --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --reload
    +
    +
    +
  16. +
  17. +

    Start and enable the libvirtd service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start libvirtd
    +[kni@provisioner ~]$ sudo systemctl enable libvirtd --now
    +
    +
    +
  18. +
  19. +

    Create the default storage pool and start it.

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images
    +[kni@provisioner ~]$ sudo virsh pool-start default
    +[kni@provisioner ~]$ sudo virsh pool-autostart default
    +
    +
    +
  20. +
  21. +

    Configure networking.

    +
    + + + + + +
    + + +
    +

    This step can also be run from the web console.

    +
    +
    +
    +
    +
    Provisioning Network (IPv4 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv4.addresses 172.22.0.1/24 ipv4.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv4 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    +
    Provisioning Network (IPv6 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv6.addresses fd00:1101::1/64 ipv6.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv6 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    Ensure that UEFI is enabled and UEFI PXE settings are set to the IPv6 protocol when using IPv6 addressing.

    +
    +
    +
    +
  22. +
  23. +

    ssh back into the provisioner node (if required).

    +
    +
    +
    # ssh kni@provisioner.<cluster-name>.<domain>
    +
    +
    +
  24. +
  25. +

    Verify the connection bridges have been properly created.

    +
    +
    +
    [kni@provisioner ~]$ nmcli con show
    +
    +
    +
    +
    +
    NAME               UUID                                  TYPE      DEVICE
    +baremetal          4d5133a5-8351-4bb9-bfd4-3af264801530  bridge    baremetal
    +provisioning       43942805-017f-4d7d-a2c2-7cb3324482ed  bridge    provisioning
    +virbr0             d9bca40f-eee1-410b-8879-a2d4bb0465e7  bridge    virbr0
    +bridge-slave-eno1  76a8ed50-c7e5-4999-b4f6-6d9014dd0812  ethernet  eno1
    +bridge-slave-eno2  f31c3353-54b7-48de-893a-02d2b34c4736  ethernet  eno2
    +
    +
    +
  26. +
  27. +

    Create a pull-secret.txt file.

    +
    +
    +
    [kni@provisioner ~]$ vim pull-secret.txt
    +
    +
    +
    +

    In a web browser, navigate to Install on Bare Metal with user-provisioned infrastructure, and scroll down to the Downloads section. Click Copy pull secret. Paste the contents into the pull-secret.txt file and save the contents in the kni user’s home directory.

    +
    +
  28. +
+
+
+
+

3.3. Retrieving the OpenShift Container Platform installer (GA Release)

+
+

Use the latest-4.x version of the installer to deploy the latest generally +available version of OpenShift Container Platform:

+
+
+
+
[kni@provisioner ~]$ export VERSION=latest-4.9
+export RELEASE_IMAGE=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')
+
+
+
+
+

3.4. Extracting the OpenShift Container Platform installer (GA Release)

+
+

After retrieving the installer, the next step is to extract it.

+
+
+
Procedure
+
    +
  1. +

    Set the environment variables:

    +
    +
    +
    [kni@provisioner ~]$ export cmd=openshift-baremetal-install
    +[kni@provisioner ~]$ export pullsecret_file=~/pull-secret.txt
    +[kni@provisioner ~]$ export extract_dir=$(pwd)
    +
    +
    +
  2. +
  3. +

    Get the oc binary:

    +
    +
    +
    [kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux.tar.gz | tar zxvf - oc
    +
    +
    +
  4. +
  5. +

    Extract the installer:

    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +[kni@provisioner ~]$ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${RELEASE_IMAGE}
    +[kni@provisioner ~]$ sudo cp openshift-baremetal-install /usr/local/bin
    +
    +
    +
  6. +
+
+
+
+

3.5. Creating an RHCOS images cache (optional)

+
+

To employ image caching, you must download two images: the Red Hat Enterprise Linux CoreOS (RHCOS) image used by the bootstrap VM and the RHCOS image used by the installer to provision the different nodes. Image caching is optional, but especially useful when running the installer on a network with limited bandwidth.

+
+
+

If you are running the installer on a network with limited bandwidth and the RHCOS images download takes more than 15 to 20 minutes, the installer will timeout. Caching images on a web server will help in such scenarios.

+
+
+

Use the following steps to install a container that contains the images.

+
+
+
    +
  1. +

    Install podman.

    +
    +
    +
    $ sudo dnf install -y podman
    +
    +
    +
  2. +
  3. +

    Open firewall port 8080 to be used for RHCOS image caching.

    +
    +
    +
    $ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent
    +$ sudo firewall-cmd --reload
    +
    +
    +
  4. +
  5. +

    Create a directory to store the bootstraposimage and clusterosimage.

    +
    +
    +
    $ mkdir /home/kni/rhcos_image_cache
    +
    +
    +
  6. +
  7. +

    Set the appropriate SELinux context for the newly created directory.

    +
    +
    +
    $ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"
    +$ sudo restorecon -Rv rhcos_image_cache/
    +
    +
    +
  8. +
  9. +

    Get the commit ID from the installer. The ID determines which images the installer needs to download.

    +
    +
    +
    $ export COMMIT_ID=$(/usr/local/bin/openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
    +
    +
    +
  10. +
  11. +

    Get the URI for the RHCOS image that the installer will deploy on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.openstack.path | sed 's/"//g')
    +
    +
    +
  12. +
  13. +

    Get the URI for the RHCOS image that the installer will deploy on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.qemu.path | sed 's/"//g')
    +
    +
    +
  14. +
  15. +

    Get the path where the images are published.

    +
    +
    +
    $ export RHCOS_PATH=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .baseURI | sed 's/"//g')
    +
    +
    +
  16. +
  17. +

    Get the SHA hash for the RHCOS image that will be deployed on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_SHA_UNCOMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.qemu["uncompressed-sha256"]')
    +
    +
    +
  18. +
  19. +

    Get the SHA hash for the RHCOS image that will be deployed on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_SHA_COMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.openstack.sha256')
    +
    +
    +
  20. +
  21. +

    Download the images and place them in the /home/kni/rhcos_image_cache directory.

    +
    +
    +
    $ curl -L ${RHCOS_PATH}${RHCOS_QEMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI}
    +$ curl -L ${RHCOS_PATH}${RHCOS_OPENSTACK_URI} -o /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI}
    +
    +
    +
  22. +
  23. +

    Confirm SELinux type is of httpd_sys_content_t for the newly created files.

    +
    +
    +
    $ ls -Z /home/kni/rhcos_image_cache
    +
    +
    +
  24. +
  25. +

    Create the pod.

    +
    +
    +
    $ podman run -d --name rhcos_image_cache \
    +-v /home/kni/rhcos_image_cache:/var/www/html \
    +-p 8080:8080/tcp \
    +quay.io/centos7/httpd-24-centos7:latest
    +
    +
    +
  26. +
  27. +

    Generate the bootstrapOSImage and clusterOSImage configuration.

    +
    +
    +
    $ export BAREMETAL_IP=$(ip addr show dev baremetal | awk '/inet /{print $2}' | cut -d"/" -f1)
    +$ export RHCOS_OPENSTACK_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI} | sha256sum | awk '{print $1}')
    +$ export RHCOS_QEMU_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI} | sha256sum | awk '{print $1}')
    +$ export CLUSTER_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_OPENSTACK_URI}?sha256=${RHCOS_OPENSTACK_SHA256}"
    +$ export BOOTSTRAP_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_QEMU_URI}?sha256=${RHCOS_QEMU_SHA256}"
    +$ echo "${RHCOS_OPENSTACK_SHA256}  ${RHCOS_OPENSTACK_URI}" > /home/kni/rhcos_image_cache/rhcos-ootpa-latest.qcow2.md5sum
    +$ echo "    bootstrapOSImage=${BOOTSTRAP_OS_IMAGE}"
    +$ echo "    clusterOSImage=${CLUSTER_OS_IMAGE}"
    +
    +
    +
  28. +
  29. +

    Add the required configuration to the install-config.yaml file under platform.baremetal.

    +
    +
    +
    platform:
    +  baremetal:
    +    bootstrapOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_QEMU_URI>?sha256=<RHCOS_QEMU_SHA256>
    +    clusterOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_OPENSTACK_URI>?sha256=<RHCOS_OPENSTACK_SHA256>
    +
    +
    +
    +

    See the Configuring the install-config.yaml file section for additional details.

    +
    +
  30. +
+
+
+
+

3.6. Configuration files

+
+

3.6.1. Configuring the install-config.yaml file

+
+

The install-config.yaml file requires some additional details. +Most of the information is teaching the installer and the resulting cluster enough about the available hardware so that it is able to fully manage it.

+
+
+
    +
  1. +

    Configure install-config.yaml. Change the appropriate variables to match the environment, including pullSecret and sshKey.

    +
    +
    +
    apiVersion: v1
    +basedomain: <domain>
    +metadata:
    +  name: <cluster-name>
    +networking:
    +  machineCIDR: <public-cidr>
    +  networkType: OVNKubernetes
    +compute:
    +- name: worker
    +  replicas: 2 (1)
    +controlPlane:
    +  name: master
    +  replicas: 3
    +  platform:
    +    baremetal: {}
    +platform:
    +  baremetal:
    +    apiVIP: <api-ip>
    +    ingressVIP: <wildcard-ip>
    +    provisioningNetworkInterface: <NIC1>
    +    provisioningNetworkCIDR: <CIDR>
    +    hosts:
    +      - name: openshift-master-0
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip> (2)
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-1
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-2
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-worker-0
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +      - name: openshift-worker-1
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +pullSecret: '<pull_secret>'
    +sshKey: '<ssh_pub_key>'
    +
    +
    +
    + + + + + + + + + +
    1Scale the worker machines based on the number of worker nodes that are part of the OpenShift Container Platform cluster.
    2Refer to the BMC addressing for more options
    +
    +
  2. +
  3. +

    Create a directory to store cluster configs.

    +
    +
    +
    [kni@provisioner ~]$ mkdir ~/clusterconfigs
    +[kni@provisioner ~]$ cp install-config.yaml ~/clusterconfigs
    +
    +
    +
  4. +
  5. +

    Ensure all bare metal nodes are powered off prior to installing the OpenShift Container Platform cluster.

    +
    +
    +
    [kni@provisioner ~]$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  6. +
  7. +

    Remove old bootstrap resources if any are left over from a previous deployment attempt.

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool $i;
    +  sudo virsh vol-delete $i.ign --pool $i;
    +  sudo virsh pool-destroy $i;
    +  sudo virsh pool-undefine $i;
    +done
    +
    +
    +
  8. +
+
+
+
+

3.6.2. Setting proxy settings within the install-config.yaml file (optional)

+
+

To deploy an OpenShift Container Platform cluster using a proxy, make the following changes to the install-config.yaml file.

+
+
+
+
apiVersion: v1
+baseDomain: <domain>
+proxy:
+  httpProxy: http://USERNAME:PASSWORD@proxy.example.com:PORT
+  httpsProxy: https://USERNAME:PASSWORD@proxy.example.com:PORT
+  noProxy: <WILDCARD_OF_DOMAIN>,<PROVISIONING_NETWORK/CIDR>,<BMC_ADDRESS_RANGE/CIDR>
+
+
+
+

See below for an example of noProxy with values.

+
+
+
+
noProxy: .example.com,172.22.0.0/24,10.10.0.0/24
+
+
+
+

With a proxy enabled, set the appropriate values of the proxy in the corresponding key/value pair.

+
+
+

Key considerations:

+
+
+
    +
  • +

    If the proxy does not have an HTTPS proxy, change the value of httpsProxy from https:// to http://.

    +
  • +
  • +

    If using a provisioning network, include it in the noProxy setting, otherwise the installer will fail.

    +
  • +
  • +

    Set all of the proxy settings as environment variables within the provisioner node. For example, HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

    +
  • +
+
+
+
+

3.6.3. Modifying the install-config.yaml file for no provisioning network (optional)

+
+

To deploy an OpenShift Container Platform cluster without a provisioning network, make the following changes to the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    apiVIP: <apiVIP>
+    ingressVIP: <ingress/wildcard VIP>
+    provisioningNetwork: "Disabled"
+
+
+
+
+

3.6.4. Modifying the install-config.yaml file for dual-stack network (optional)

+
+

To deploy an OpenShift Container Platform cluster with dual-stack networking, make the following changes to the install-config.yaml file.

+
+
+
+
machineNetwork:
+- cidr: {{ extcidrnet }}
+- cidr: {{ extcidrnet6 }}
+clusterNetwork:
+- cidr: 10.128.0.0/14
+  hostPrefix: 23
+- cidr: fd02::/48
+  hostPrefix: 64
+serviceNetwork:
+- 172.30.0.0/16
+- fd03::/112
+
+
+
+ + + + + +
+ + +In the above snippet, the network settings must match the settings for the cluster’s network environment. The machineNetwork, clusterNetwork, and serviceNetwork configuration settings must have two CIDR entries each. The first CIDR entry is the IPv4 setting and the second CIDR entry is the IPv6 setting. +
+
+
+ + + + + +
+ + +
+

The IPv4 entries must go before the IPv6 entries.

+
+
+
+
+
+

3.6.5. Configuring managed Secure Boot in the install-config.yaml file (optional)

+
+

To enable managed Secure Boot, add the bootMode configuration setting to each node.

+
+
+
Example
+
+
hosts:
+  - name: openshift-master-0
+    role: master
+    bmc:
+      address: ipmi://<out-of-band-ip>
+      username: <user>
+      password: <password>
+    bootMACAddress: <NIC1-mac-address>
+    hardwareProfile: default
+    bootMode: UEFISecureBoot (1)
+
+
+
+ + + + + +
1The bootMode setting is legacy by default. Change it to UEFISecureBoot to enable managed Secure Boot.
+
+
+ + + + + +
+ + +
+

See Node requirements to ensure the nodes can support managed Secure Boot. If not, you can enable Secure Boot manually, which requires Redfish virtual media.

+
+
+
+
+
+

3.6.6. Additional install-config parameters

+
+

See the following tables for the required parameters, the hosts parameter, +and the bmc parameter for the install-config.yaml file.

+
+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2. Required parameters
ParametersDefaultDescription

baseDomain

The domain name for the cluster. For example, example.com.

bootMode

legacy

The boot mode for a node. Options are legacy, UEFI and UEFISecureBoot.

sshKey

The sshKey configuration setting contains the key in the ~/.ssh/id_rsa.pub file required to access the control plane nodes and worker nodes. Typically, this key is from the provisioner node.

pullSecret

The pullSecret configuration setting contains a copy of the pull secret downloaded from the Install OpenShift on Bare Metal page when preparing the provisioner node.

+
+
metadata:
+    name:
+
+

The name to be given to the OpenShift Container Platform cluster. For example, openshift.

+
+
networking:
+    machineCIDR:
+
+

The public CIDR (Classless Inter-Domain Routing) of the external network. For example, 10.0.0.0/24 +or 2620:52:0:1302::/64 +.

+
+
compute:
+  - name: worker
+
+

The OpenShift Container Platform cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes.

+
+
compute:
+    replicas: 2
+
+

Replicas sets the number of worker (or compute) nodes in the OpenShift Container Platform cluster.

+
+
controlPlane:
+    name: master
+
+

The OpenShift Container Platform cluster requires a name for control plane (master) nodes.

+
+
controlPlane:
+    replicas: 3
+
+

Replicas sets the number of control plane (master) nodes included as part of the OpenShift Container Platform cluster.

+

provisioningNetworkInterface

+

The name of the network interface on control plane nodes connected to the +provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

apiVIP

api.<clustername.clusterdomain>

The VIP to use for internal API communication.

+

This setting must either be provided or pre-configured in the DNS so that the +default name resolves correctly.

disableCertificateVerification

False

redfish and redfish-virtualmedia need this parameter to manage BMC addresses. The value should be True when using a self-signed certificate for BMC addresses.

ingressVIP

test.apps.<clustername.clusterdomain>

The VIP to use for ingress traffic.

+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 3. Optional Parameters
ParametersDefaultDescription

provisioningDHCPRange

172.22.0.10,172.22.0.100

Defines the IP range for nodes on the provisioning network.

+

provisioningNetworkCIDR

+

172.22.0.0/24

The CIDR for the network to use for provisioning. This option is required when not using the default address range on the provisioning network.

clusterProvisioningIP

The third IP address of the provisioningNetworkCIDR.

The IP address within the cluster where the provisioning services run. Defaults to the third IP address of the provisioning subnet. For example, 172.22.0.3.

bootstrapProvisioningIP

The second IP address of the provisioningNetworkCIDR.

The IP address on the bootstrap VM where the provisioning services run while the installer is deploying the control plane (master) nodes. Defaults to the second IP address of the provisioning subnet. For example, 172.22.0.2 +or 2620:52:0:1307::2 +.

externalBridge

baremetal

The name of the baremetal bridge of the hypervisor attached to the baremetal network.

provisioningBridge

provisioning

The name of the provisioning bridge on the provisioner host attached to the provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

bootstrapOSImage

A URL to override the default operating system image for the bootstrap node. The URL must contain a SHA-256 hash of the image. For example: +https://mirror.openshift.com/rhcos-<version>-qemu.qcow2.gz?sha256=<uncompressed_sha256>; + or http://[2620:52:0:1307::1]/rhcos-<version>-qemu.x86_64.qcow2.gz?sha256=<uncompressed_sha256> +.

clusterOSImage

A URL to override the default operating system for cluster nodes. The URL must include a SHA-256 hash of the image. For example, https://mirror.openshift.com/images/rhcos-<version>-openstack.qcow2.gz?sha256=<compressed_sha256>;.

provisioningNetwork

Set this parameter to Disabled to disable the requirement for a provisioning network. User may only do virtual media based provisioning, or bring up the cluster using assisted installation. If using power management, BMC’s must be accessible from the machine networks. User must provide two IP addresses on the external network that are used for the provisioning services. +Set this parameter to Managed, which is the default, to fully manage the provisioning network, including DHCP, TFTP, and so on.

+

Set this parameter to Unmanaged to still enable the provisioning network but take care of manual configuration of DHCP. Virtual media provisioning is recommended but PXE is still available if required.

httpProxy

Set this parameter to the appropriate HTTP proxy used within your environment.

httpsProxy

Set this parameter to the appropriate HTTPS proxy used within your environment.

noProxy

Set this parameter to the appropriate list of exclusions for proxy usage within your environment.

+
+
Hosts
+

The hosts parameter is a list of separate bare metal assets used to build the cluster.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Name

Default

Description

name

The name of the BareMetalHost resource to associate with the details. For example, openshift-master-0.

role

The role of the bare metal node. Either master or worker.

bmc

Connection details for the baseboard management controller. See the BMC addressing section for additional details.

bootMACAddress

The MAC address of the NIC the host will use to boot on the provisioning network.

+
+
+

3.6.7. BMC addressing

+
+

Most vendors support BMC addressing with the Intelligent Platform Management Interface or IPMI. IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center or SDDC. Redfish is human readable and machine capable, and leverages common Internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.

+
+
+
IPMI
+

Hosts using IPMI use the ipmi://<out-of-band-ip>:<port> address format, which defaults to port 623 if not specified. The following example demonstrates an IPMI configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: ipmi://<out-of-band-ip>
+          username: <user>
+          password: <password>
+
+
+
+
Redfish network boot
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
BMC addressing for Dell iDRAC
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For Dell hardware, Red Hat supports integrated Dell Remote Access Controller (iDRAC) virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 4. BMC address formats for Dell iDRAC
ProtocolAddress Format

iDRAC virtual media

idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

IPMI

ipmi://<out-of-band-ip>

+
+ + + + + +
+ + +
+

Use idrac-virtualmedia as the protocol for Redfish virtual media. redfish-virtualmedia will not work on Dell hardware. Dell’s idrac-virtualmedia uses the Redfish standard with Dell’s OEM extensions.

+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for Dell iDRAC
+

For Redfish virtual media on Dell servers, use idrac-virtualmedia:// in the address setting. Using redfish-virtualmedia:// will not work.

+
+
+

The following example demonstrates using iDRAC virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

Use idrac-virtualmedia:// as the protocol for Redfish virtual media. Using redfish-virtualmedia:// will not work on Dell hardware, because the idrac-virtualmedia:// protocol corresponds to the idrac hardware type and the Redfish protocol in Ironic. Dell’s idrac-virtualmedia:// protocol uses the Redfish standard with Dell’s OEM extensions. Ironic also supports the idrac type with the WSMAN protocol. Therefore, you must specify idrac-virtualmedia:// to avoid unexpected behavior when electing to use Redfish with virtual media on Dell hardware.

+
+
+
+
+
Redfish network boot for iDRAC
+

To enable Redfish, use redfish:// or redfish+http:// to disable transport layer security (TLS). The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell hardware with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

The redfish:// URL protocol corresponds to the redfish hardware type in Ironic.

+
+
+
+
+
+
BMC addressing for HPE iLO
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For HPE integrated Lights Out (iLO), Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 5. BMC address formats for HPE iLO
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/1

IPMI

ipmi://<out-of-band-ip>

+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for HPE iLO
+

To enable Redfish virtual media for HPE servers, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Redfish virtual media is not supported on 9th generation systems running iLO4, because Ironic does not support iLO4 with virtual media.

+
+
+
+
+
Redfish network boot for HPE iLO
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
BMC addressing for Fujitsu iRMC
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For Fujitsu hardware, Red Hat supports integrated Remote Management Controller (iRMC) and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + +
Table 6. BMC address formats for Fujitsu iRMC
ProtocolAddress Format

iRMC

irmc://<out-of-band-ip>

IPMI

ipmi://<out-of-band-ip>

+
+
iRMC
+

Fujitsu nodes can use irmc://<out-of-band-ip> and defaults to port 623. The following example demonstrates an iRMC configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: irmc://<out-of-band-ip>
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
+ + +
+

Currently Fujitsu supports iRMC S5 firmware version 3.05P and above for installer-provisioned installation on bare metal.

+
+
+
+
+
+
BMC addressing for KVM with sushy-tools Redfish emulator
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For KVM working with sushy-tools Redfish emulator, Red Hat supports Redfish virtual media and Redfish network boot.

+
+ + ++++ + + + + + + + + + + + + + + + + +
Table 7. BMC address formats for KVM with sushy-tools Redfish emulator
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

Redfish network boot

redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

+
+ + + + + +
+ + +
+

The sushy-tools Redfish emulator runs from the KVM hypervisor and a single instance acts as the virtual BMC for all the guest machines. This means both the out of band IP address and port, will be same and each individual machine must be identified by its System ID.

+
+
+

You may retrieve the System ID of your guest machines with the following command:

+
+
+
+
---
+$ virsh list --all --name --uuid
+d8ac6bf8-3062-4954-84c3-e097faa17025 compute-0
+84971a71-3935-4a92-8d90-a9f8440dac09 compute-1
+92430f42-8805-4412-959a-2a7252c7c540 compute-2
+0fea5296-db95-41d7-9295-f57cfa50255f control-plane-0
+4986e405-fd3a-483d-9210-8cb120b98f80 control-plane-1
+26bf228c-44fd-4c49-9e6f-44f4b5968b34 control-plane-2
+---
+
+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for KVM with sushy-tools Redfish emulator
+

To enable Redfish virtual media for KVM environments running the sushy-tools Redfish emulator, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
Redfish network boot for KVM with sushy-tools Redfish emulator
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires the host name or the IP address, the Redfish emulator listening port and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
+

3.6.8. Root device hints

+
+

The rootDeviceHints parameter enables the installer to provision the Red Hat Enterprise Linux CoreOS (RHCOS) image to a particular device. The installer examines the devices in the order it discovers them, and compares the discovered values with the hint values. The installer uses the first discovered device that matches the hint value. The configuration can combine multiple hints, but a device must match all hints for the installer to select it.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 8. Subfields
SubfieldDescription

deviceName

A string containing a Linux device name like /dev/vda. The hint must match the actual value exactly.

hctl

A string containing a SCSI bus address like 0:0:0:0. The hint must match the actual value exactly.

model

A string containing a vendor-specific device identifier. The hint can be a substring of the actual value.

vendor

A string containing the name of the vendor or manufacturer of the device. The hint can be a sub-string of the actual value.

serialNumber

A string containing the device serial number. The hint must match the actual value exactly.

minSizeGigabytes

An integer representing the minimum size of the device in gigabytes.

wwn

A string containing the unique storage identifier. The hint must match the actual value exactly.

wwnWithExtension

A string containing the unique storage identifier with the vendor extension appended. The hint must match the actual value exactly.

wwnVendorExtension

A string containing the unique vendor storage identifier. The hint must match the actual value exactly.

rotational

A Boolean indicating whether the device should be a rotating disk (true) or not (false).

+
+
Example usage
+
+
     - name: master-0
+       role: master
+       bmc:
+         address: ipmi://10.10.0.3:6203
+         username: admin
+         password: redhat
+       bootMACAddress: de:ad:be:ef:00:40
+       rootDeviceHints:
+         deviceName: "/dev/sda"
+
+
+
+
+

3.6.9. Creating the OpenShift Container Platform manifests

+
+
    +
  1. +

    Create the OpenShift Container Platform manifests.

    +
    +
    +
    [kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs create manifests
    +
    +
    +
    +
    +
    INFO Consuming Install Config from target directory
    +WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
    +WARNING Discarding the Openshift Manifest that was provided in the target directory because its dependencies are dirty and it needs to be regenerated
    +
    +
    +
  2. +
+
+
+
+

3.6.10. Configuring NTP for disconnected clusters (optional)

+
+

OpenShift Container Platform installs the chrony Network Time Protocol (NTP) service on the cluster nodes. +Use the following procedure to configure NTP servers on the control plane nodes and configure worker nodes as NTP clients of the control plane nodes before deployment.

+
+
+
+Configuring NTP for disconnected clusters +
+
+
+

OpenShift Container Platform nodes must agree on a date and time to run properly. When worker nodes retrieve the date and time from the NTP servers on the control plane nodes, it enables the installation and operation of clusters that are not connected to a routable network and thereby do not have access to a higher stratum NTP server.

+
+
+
Procedure
+
    +
  1. +

    Create a ~/control-plane-chrony.conf configuration file for the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # Use public servers from the pool.ntp.org project.
    +# Please consider joining the pool (https://www.pool.ntp.org/join.html).
    +
    +# This file is managed by the machine config operator
    +server openshift-master-0.<cluster-name>.<domain> iburst (1)
    +server openshift-master-1.<cluster-name>.<domain> iburst
    +server openshift-master-2.<cluster-name>.<domain> iburst
    +
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +
    +# Configure the control plane nodes to serve as local NTP servers
    +# for all worker nodes, even if they are not in sync with an
    +# upstream NTP server.
    +
    +# Allow NTP client access from the local network.
    +allow all
    +# Serve time even if not synchronized to a time source.
    +local stratum 3 orphan
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
    +
    +
  2. +
  3. +

    Create a ~/worker-chrony.conf configuration file for the worker nodes such that worker nodes reference the NTP servers on the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # This file is managed by the machine config operator
    +server openshift-master-0.<cluster-name>.<domain> iburst (1)
    +server openshift-master-1.<cluster-name>.<domain> iburst
    +server openshift-master-2.<cluster-name>.<domain> iburst
    +
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
    +
    +
  4. +
  5. +

    Create a ~/ntp-server.yaml configuration file for telling the Machine Configuration Operator to apply the ~/control-plane-chrony.conf settings to the NTP servers on the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # This example MachineConfig replaces ~/control-plane-chrony.conf
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf-override-to-server
    +spec:
    +  config:
    +    ignition:
    +      version: 2.2.0
    +    storage:
    +      files:
    +        - contents:
    +            source: data:text/plain;charset=utf-8;base64,BASE64ENCODEDCONFIGFILE(1)
    +          filesystem: root
    +          mode: 0644
    +          path: /etc/control-plane-chrony.conf
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace the BASE64ENCODEDCONFIGFILE string with the base64-encoded string of the ~/control-plane-chrony.conf file in the subsequent step.
    +
    +
  6. +
  7. +

    Generate a base64 string of the ~/control-plane-chrony.conf file.

    +
    +
    +
    $ base64 ~/control-plane-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    IyBVc2UgcHVibGljIHNlcnZlcnMgZnJvbSB0aGUgcG9vbC5udHAub3JnIHByb2plY3QuCiMgUGxl
    +YXNlIGNvbnNpZGVyIGpvaW5pbmcgdGhlIHBvb2wgKGh0dHBzOi8vd3d3LnBvb2wubnRwLm9yZy9q
    +b2luLmh0bWwpLgoKIyBUaGlzIGZpbGUgaXMgbWFuYWdlZCBieSB0aGUgbWFjaGluZSBjb25maWcg
    +b3BlcmF0b3IKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMC48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMS48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMi48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKCnN0cmF0dW13ZWlnaHQgMApkcmlmdGZpbGUgL3Zhci9saWIvY2hyb255L2RyaWZ0
    +CnJ0Y3N5bmMKbWFrZXN0ZXAgMTAgMwpiaW5kY21kYWRkcmVzcyAxMjcuMC4wLjEKYmluZGNtZGFk
    +ZHJlc3MgOjoxCmtleWZpbGUgL2V0Yy9jaHJvbnkua2V5cwpjb21tYW5ka2V5IDEKZ2VuZXJhdGVj
    +b21tYW5ka2V5Cm5vY2xpZW50bG9nCmxvZ2NoYW5nZSAwLjUKbG9nZGlyIC92YXIvbG9nL2Nocm9u
    +eQoKIyBDb25maWd1cmUgdGhlIGNvbnRyb2wgcGxhbmUgbm9kZXMgdG8gc2VydmUgYXMgbG9jYWwg
    +TlRQIHNlcnZlcnMKIyBmb3IgYWxsIHdvcmtlciBub2RlcywgZXZlbiBpZiB0aGV5IGFyZSBub3Qg
    +aW4gc3luYyB3aXRoIGFuCiMgdXBzdHJlYW0gTlRQIHNlcnZlci4KCiMgQWxsb3cgTlRQIGNsaWVu
    +dCBhY2Nlc3MgZnJvbSB0aGUgbG9jYWwgbmV0d29yay4KYWxsb3cgYWxsCiMgU2VydmUgdGltZSBl
    +dmVuIGlmIG5vdCBzeW5jaHJvbml6ZWQgdG8gYSB0aW1lIHNvdXJjZS4KbG9jYWwgc3RyYXR1bSAz
    +IG9ycGhhbgo=
    +
    +
    +
    +

    Replace the BASE64ENCODEDCONFIGFILE string in the ~/ntp-server.yaml with the base64-encoded string.

    +
    +
  8. +
  9. +

    Create a ~/ntp-client.yaml configuration file for telling the Machine Configuration Operator to apply the ~/worker-chrony.conf settings to the NTP clients on the worker nodes.

    +
    +
    Configuration file example
    +
    +
    # This example MachineConfig replaces ~/worker-chrony.conf
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  labels:
    +    machineconfiguration.openshift.io/role: worker
    +  name: 99-master-etc-chrony-conf-override-for-worker
    +spec:
    +  config:
    +    ignition:
    +      version: 2.2.0
    +    storage:
    +      files:
    +        - contents:
    +            source: data:text/plain;charset=utf-8;base64,BASE64ENCODEDCONFIGFILE(1)
    +          filesystem: root
    +          mode: 0644
    +          path: /etc/worker-chrony.conf
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace the BASE64ENCODEDCONFIGFILE string with the base64-encoded string of the ~/worker-chrony.conf file in the subsequent step.
    +
    +
  10. +
  11. +

    Generate a base64-encoded string of the ~/worker-chrony.conf file.

    +
    +
    +
    $ base64 ~/worker-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    IyBUaGlzIGZpbGUgaXMgbWFuYWdlZCBieSB0aGUgbWFjaGluZSBjb25maWcgb3BlcmF0b3IKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMC48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMS48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMi48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKCnN0
    +cmF0dW13ZWlnaHQgMApkcmlmdGZpbGUgL3Zhci9saWIvY2hyb255L2RyaWZ0CnJ0Y3N5bmMKbWFr
    +ZXN0ZXAgMTAgMwpiaW5kY21kYWRkcmVzcyAxMjcuMC4wLjEKYmluZGNtZGFkZHJlc3MgOjoxCmtl
    +eWZpbGUgL2V0Yy9jaHJvbnkua2V5cwpjb21tYW5ka2V5IDEKZ2VuZXJhdGVjb21tYW5ka2V5Cm5v
    +Y2xpZW50bG9nCmxvZ2NoYW5nZSAwLjUKbG9nZGlyIC92YXIvbG9nL2Nocm9ueQo=
    +
    +
    +
    +

    Replace the BASE64ENCODEDCONFIGFILE string in the ~/ntp-client.yaml file with the base64-encoded string.

    +
    +
  12. +
  13. +

    Copy the ~/ntp-server.yaml file to the ~/clusterconfigs/manifests directory.

    +
    +
    +
    $ cp ~/ntp-server.yaml ~/clusterconfigs/manifests
    +
    +
    +
  14. +
  15. +

    Copy the ~/ntp-client.yaml file to the ~/clusterconfigs/manifests directory.

    +
    +
    +
    $ cp ~/ntp-client.yaml ~/clusterconfigs/manifests
    +
    +
    +
  16. +
+
+
+
+

3.6.11. Configure network components to run on the control plane

+
+

Configure networking components to run exclusively on the control plane nodes. By default, OpenShift Container Platform allows any node in the machine config pool to host the apiVIP and ingressVIP virtual IP addresses. However, many environments deploy worker nodes in separate subnets from the control plane nodes. Consequently, you must place the apiVIP and ingressVIP virtual IP addresses exclusively with the control plane nodes.

+
+
+
Procedure
+
    +
  1. +

    Change to the directory storing the install-config.yaml file.

    +
    +
    +
    $ cd ~/clusterconfigs
    +
    +
    +
  2. +
  3. +

    Switch to the manifests subdirectory.

    +
    +
    +
    $ cd manifests
    +
    +
    +
  4. +
  5. +

    Create a file named cluster-network-avoid-workers-99-config.yaml.

    +
    +
    +
    $ touch cluster-network-avoid-workers-99-config.yaml
    +
    +
    +
  6. +
  7. +

    Open the cluster-network-avoid-workers-99-config.yaml file in an editor and enter a custom resource (CR) that describes the Operator configuration:

    +
    +
    +
    apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  name: 50-worker-fix-ipi-rwn
    +  labels:
    +    machineconfiguration.openshift.io/role: worker
    +spec:
    +  config:
    +    ignition:
    +      version: 3.1.0
    +    systemd:
    +      units:
    +      - name: nodeip-configuration.service
    +        enabled: true
    +        contents: |
    +          [Unit]
    +          Description=Writes IP address configuration so that kubelet and crio services select a valid node IP
    +          Wants=network-online.target
    +          After=network-online.target ignition-firstboot-complete.service
    +          Before=kubelet.service crio.service
    +          [Service]
    +          Type=oneshot
    +          ExecStart=/bin/bash -c "exit 0 "
    +          [Install]
    +          WantedBy=multi-user.target
    +    storage:
    +      files:
    +        - contents:
    +            source: data:,
    +            verification: {}
    +          filesystem: root
    +          mode: 420
    +          path: /etc/kubernetes/manifests/keepalived.yaml
    +        - contents:
    +            source: data:,
    +            verification: {}
    +          filesystem: root
    +          mode: 420
    +          path: /etc/kubernetes/manifests/mdns-publisher.yaml
    +        - contents:
    +            source: data:,
    +            verification: {}
    +          filesystem: root
    +          mode: 420
    +          path: /etc/kubernetes/manifests/coredns.yaml
    +
    +
    +
    +

    This manifest places the apiVIP and ingressVIP virtual IP addresses on the control plane nodes. Additionally, this manifest deploys the following processes on the control plane nodes only:

    +
    +
    +
      +
    • +

      openshift-ingress-operator

      +
    • +
    • +

      keepalived

      +
    • +
    +
    +
  8. +
  9. +

    Save the cluster-network-avoid-workers-99-config.yaml file.

    +
  10. +
  11. +

    Create a manifests/cluster-ingress-default-ingresscontroller.yaml file.

    +
    +
    +
    apiVersion: operator.openshift.io/v1
    +kind: IngressController
    +metadata:
    +  name: default
    +  namespace: openshift-ingress-operator
    +spec:
    +  nodePlacement:
    +    nodeSelector:
    +      matchLabels:
    +        node-role.kubernetes.io/master: ""
    +
    +
    +
  12. +
  13. +

    Consider backing up the manifests directory. The installer deletes the manifests/ directory when creating the cluster.

    +
  14. +
  15. +

    Modify the cluster-scheduler-02-config.yml manifest to make the control plane nodes schedulable by setting the mastersSchedulable field to true. Control plane nodes are not schedulable by default. For example:

    +
    +
    +
    $ sed -i "s;mastersSchedulable: false;mastersSchedulable: true;g" clusterconfigs/manifests/cluster-scheduler-02-config.yml
    +
    +
    +
    + + + + + +
    + + +
    +

    If control plane nodes are not schedulable, deploying the cluster will fail.

    +
    +
    +
    +
  16. +
  17. +

    Before deploying the cluster, ensure that the api.<cluster-name>.<domain> domain name is resolvable in the DNS. When you configure network components to run exclusively on the control plane, the internal DNS resolution no longer works for worker nodes, which is an expected outcome.

    +
    + + + + + +
    + + +
    +

    Failure to create a DNS record for the API precludes worker nodes from joining the cluster.

    +
    +
    +
    +
  18. +
+
+
+
+
+

3.7. Creating a disconnected registry (optional)

+
+

In some cases, you might want to install an OpenShift Container Platform cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.

+
+
+

A local, or mirrored, copy of the registry requires the following:

+
+
+
    +
  • +

    A certificate for the registry node. This can be a self-signed certificate.

    +
  • +
  • +

    A web server that a container on a system will serve.

    +
  • +
  • +

    An updated pull secret that contains the certificate and local repository information.

    +
  • +
+
+
+ + + + + +
+ + +
+

Creating a disconnected registry on a registry node is optional. The subsequent sections indicate that they are optional since they are steps you need to execute only when creating a disconnected registry on a registry node. You should execute all of the subsequent sub-sections labeled "(optional)" when creating a disconnected registry on a registry node.

+
+
+
+
+

3.7.1. Preparing the registry node to host the mirrored registry (optional)

+
+

Make the following changes to the registry node.

+
+
+
Procedure
+
    +
  1. +

    Open the firewall port on the registry node.

    +
    +
    +
    [user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[user@registry ~]$ sudo firewall-cmd --reload
    +
    +
    +
  2. +
  3. +

    Install the required packages for the registry node.

    +
    +
    +
    [user@registry ~]$ sudo yum -y install python3 podman httpd httpd-tools jq
    +
    +
    +
  4. +
  5. +

    Create the directory structure where the repository information will be held.

    +
    +
    +
    [user@registry ~]$ sudo mkdir -p /opt/registry/{auth,certs,data}
    +
    +
    +
  6. +
+
+
+
+

3.7.2. Generating the self-signed certificate (optional)

+
+

Generate a self-signed certificate for the registry node and put it in the /opt/registry/certs directory.

+
+
+
Procedure
+
    +
  1. +

    Adjust the certificate information as appropriate.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +[user@registry ~]$ cert_c="<Country Name>"   # Country Name (C, 2 letter code)
    +[user@registry ~]$ cert_s="<State>"          # Certificate State (S)
    +[user@registry ~]$ cert_l="<Locality>"       # Certificate Locality (L)
    +[user@registry ~]$ cert_o="<Organization>"   # Certificate Organization (O)
    +[user@registry ~]$ cert_ou="<Org Unit>"      # Certificate Organizational Unit (OU)
    +[user@registry ~]$ cert_cn="${host_fqdn}"    # Certificate Common Name (CN)
    +
    +[user@registry ~]$ openssl req \
    +    -newkey rsa:4096 \
    +    -nodes \
    +    -sha256 \
    +    -keyout /opt/registry/certs/domain.key \
    +    -x509 \
    +    -days 365 \
    +    -out /opt/registry/certs/domain.crt \
    +    -addext "subjectAltName = DNS:${host_fqdn}" \
    +    -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
    +
    +
    +
    + + + + + +
    + + +When replacing <Country Name>, ensure that it only contains two letters. For example, US. +
    +
    +
  2. +
  3. +

    Update the registry node’s ca-trust with the new certificate.

    +
    +
    +
    [user@registry ~]$ sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    +[user@registry ~]$ sudo update-ca-trust extract
    +
    +
    +
  4. +
+
+
+
+

3.7.3. Creating the registry podman container (optional)

+
+

The registry container uses the /opt/registry directory for certificates, authentication files, and to store its data files.

+
+
+

The registry container uses httpd and needs an htpasswd file for authentication.

+
+
+
Procedure
+
    +
  1. +

    Create an htpasswd file in /opt/registry/auth for the container to use.

    +
    +
    +
    [user@registry ~]$ htpasswd -bBc /opt/registry/auth/htpasswd <user> <passwd>
    +
    +
    +
    +

    Replace <user> with the user name and <passwd> with the password.

    +
    +
  2. +
  3. +

    Create and start the registry container.

    +
    +
    +
    [user@registry ~]$ podman create \
    +  --name ocpdiscon-registry \
    +  -p 5000:5000 \
    +  -e "REGISTRY_AUTH=htpasswd" \
    +  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
    +  -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
    +  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
    +  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
    +  -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
    +  -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true" \
    +  -v /opt/registry/data:/var/lib/registry:z \
    +  -v /opt/registry/auth:/auth:z \
    +  -v /opt/registry/certs:/certs:z \
    +  docker.io/library/registry:2
    +
    +
    +
    +
    +
    [user@registry ~]$ podman start ocpdiscon-registry
    +
    +
    +
  4. +
+
+
+
+

3.7.4. Copy and update the pull-secret (optional)

+
+

Copy the pull secret file from the provisioner node to the registry node and modify it to include the authentication information for the new registry node.

+
+
+
Procedure
+
    +
  1. +

    Copy the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ scp kni@provisioner:/home/kni/pull-secret.txt pull-secret.txt
    +
    +
    +
  2. +
  3. +

    Update the host_fqdn environment variable with the fully qualified domain name of the registry node.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +
    +
    +
  4. +
  5. +

    Update the b64auth environment variable with the base64 encoding of the http credentials used to create the htpasswd file.

    +
    +
    +
    [user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 )
    +
    +
    +
    +

    Replace <username> with the user name and <passwd> with the password.

    +
    +
  6. +
  7. +

    Set the AUTHSTRING environment variable to use the base64 authorization string. The $USER variable is an environment variable containing the name of the current user.

    +
    +
    +
    [user@registry ~]$ AUTHSTRING="{\"$host_fqdn:5000\": {\"auth\": \"$b64auth\",\"email\": \"$USER@redhat.com\"}}"
    +
    +
    +
  8. +
  9. +

    Update the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ jq ".auths += $AUTHSTRING" < pull-secret.txt > pull-secret-update.txt
    +
    +
    +
  10. +
+
+
+
+

3.7.5. Mirroring the repository (optional)

+
+
Procedure
+
    +
  1. +

    Copy the oc binary from the provisioner node to the registry node.

    +
    +
    +
    [user@registry ~]$ sudo scp kni@provisioner:/usr/local/bin/oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Get the release image and mirror the remote install images to the local repository.

    +
    +
    +
    [user@registry ~]$ export VERSION=latest-4.9
    +[user@registry ~]$ UPSTREAM_REPO=$(curl -s https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/$VERSION/release.txt | awk  '/Pull From/ {print $3}')
    +[user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.txt
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
  4. +
+
+
+
+

3.7.6. Modify the install-config.yaml file to use the disconnected registry (optional)

+
+

On the provisioner node, the install-config.yaml file should use the newly created pull-secret from the pull-secret-update.txt file. The install-config.yaml file must also contain the disconnected registry node’s certificate and registry information.

+
+
+
Procedure
+
    +
  1. +

    Add the disconnected registry node’s certificate to the install-config.yaml file. The certificate should follow the "additionalTrustBundle: |" line and be properly indented, usually by two spaces.

    +
    +
    +
    $ echo "additionalTrustBundle: |" >> install-config.yaml
    +$ sed -e 's/^/  /' /opt/registry/certs/domain.crt >> install-config.yaml
    +
    +
    +
  2. +
  3. +

    Add the mirror information for the registry to the install-config.yaml file.

    +
    +
    +
    $ cat <<EOF >> install-config.yaml
    +<image-config>: (1)
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: registry.svc.ci.openshift.org/ocp/release
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-release
    +EOF
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <image-config> with imageContentSources for OpenShift 4.13 and below, or imageDigestSources for Openshift 4.14 and above. +
    + + + + + +
    + + +Replace registry.example.com with the registry’s fully qualified domain name. +
    +
    +
    +
  4. +
+
+
+
+
+

3.8. Deploying routers on worker nodes

+
+

During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If the initial cluster has only one worker node, or if a deployed cluster requires additional routers to handle external traffic loads destined for services within the OpenShift Container Platform cluster, you can create a yaml file to set an appropriate number of router replicas.

+
+
+ + + + + +
+ + +
+

By default, the installer deploys two routers. +If the cluster has at least two worker nodes, you can skip this section. +For more information on the Ingress Operator see: Ingress Operator in OpenShift Container Platform.

+
+
+
+
+ + + + + +
+ + +
+

If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default. If the cluster has no worker nodes, you can skip this section.

+
+
+
+
+
Procedure
+
    +
  1. +

    Create a router-replicas.yaml file.

    +
    +
    +
    apiVersion: operator.openshift.io/v1
    +kind: IngressController
    +metadata:
    +  name: default
    +  namespace: openshift-ingress-operator
    +spec:
    +  replicas: <num-of-router-pods>
    +  endpointPublishingStrategy:
    +    type: HostNetwork
    +  nodePlacement:
    +    nodeSelector:
    +      matchLabels:
    +        node-role.kubernetes.io/worker: ""
    +
    +
    +
    + + + + + +
    + + +
    +

    Replace <num-of-router-pods> with an appropriate value. If working with just one worker node, set replicas: to 1. If working with more than 3 worker nodes, you can increase replicas: from the default value 2 as appropriate.

    +
    +
    +
    +
  2. +
  3. +

    Save and copy the router-replicas.yaml file to the clusterconfigs/openshift directory.

    +
    +
    +
    cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yaml
    +
    +
    +
  4. +
+
+
+
+

3.9. Validation checklist for installation

+
+
    +
  • +

    OpenShift Container Platform installer has been retrieved.

    +
  • +
  • +

    OpenShift Container Platform installer has been extracted.

    +
  • +
  • +

    Required parameters for the install-config.yaml have been configured.

    +
  • +
  • +

    The hosts parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    The bmc parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    Conventions for the values configured in the bmc address field have been applied.

    +
  • +
  • +

    Created a disconnected registry (optional).

    +
  • +
  • +

    Validate disconnected registry settings if in use. (optional)

    +
  • +
  • +

    Deployed routers on worker nodes. (optional)

    +
  • +
+
+
+
+

3.10. Deploying the cluster via the OpenShift Container Platform installer

+
+

Run the OpenShift Container Platform installer:

+
+
+
+
[kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs --log-level debug create cluster
+
+
+
+
+

3.11. Following the installation

+
+

During the deployment process, you can check the installation’s overall status by issuing the tail command to the .openshift_install.log log file in the install directory folder.

+
+
+
+
[kni@provisioner ~]$ tail -f /path/to/install-dir/.openshift_install.log
+
+
+
+
+

3.12. Verifying static IP address configuration

+
+

If the DHCP reservation for a cluster node specifies an infinite leases, after the installer successfully provisions the node, the dispatcher script will check the node’s network configuration. If the script determines that the network configuration contains an infinite DHCP lease, it creates a new connection using the IP address of the DHCP lease as a static IP address.

+
+
+ + + + + +
+ + +
+

The dispatcher script may run on successfully provisioned nodes while the provisioning of other nodes in the cluster is ongoing.

+
+
+
+
+

To verify the network configuration is working properly, you can:

+
+
+
    +
  • +

    Check the network interface configuration on the node.

    +
  • +
  • +

    Turn off the DHCP server and reboot the OpenShift Container Platform node and and ensure that the network configuration works properly.

    +
  • +
+
+
+
+
+
+

4. Installer-provisioned post-installation configuration

+
+
+

After successfully deploying an installer-provisioned cluster, consider the following post-installation procedures.

+
+
+

4.1. Configuring NTP for disconnected clusters (optional)

+
+

OpenShift Container Platform installs the chrony Network Time Protocol (NTP) service on the cluster nodes. +Use the following procedure to configure NTP servers on the control plane nodes and configure worker nodes as NTP clients of the control plane nodes after a successful deployment.

+
+
+
+Configuring NTP for disconnected clusters +
+
+
+

OpenShift Container Platform nodes must agree on a date and time to run properly. When worker nodes retrieve the date and time from the NTP servers on the control plane nodes, it enables the installation and operation of clusters that are not connected to a routable network and thereby do not have access to a higher stratum NTP server.

+
+
+
Procedure
+
    +
  1. +

    Create a ~/control-plane-chrony.conf configuration file for the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # Use public servers from the pool.ntp.org project.
    +# Please consider joining the pool (https://www.pool.ntp.org/join.html).
    +
    +# This file is managed by the machine config operator
    +server openshift-master-0.<cluster-name>.<domain> iburst (1)
    +server openshift-master-1.<cluster-name>.<domain> iburst
    +server openshift-master-2.<cluster-name>.<domain> iburst
    +
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +
    +# Configure the control plane nodes to serve as local NTP servers
    +# for all worker nodes, even if they are not in sync with an
    +# upstream NTP server.
    +
    +# Allow NTP client access from the local network.
    +allow all
    +# Serve time even if not synchronized to a time source.
    +local stratum 3 orphan
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
    +
    +
  2. +
  3. +

    Create a ~/worker-chrony.conf configuration file for the worker nodes such that worker nodes reference the NTP servers on the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # This file is managed by the machine config operator
    +server openshift-master-0.<cluster-name>.<domain> iburst (1)
    +server openshift-master-1.<cluster-name>.<domain> iburst
    +server openshift-master-2.<cluster-name>.<domain> iburst
    +
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
    +
    +
  4. +
  5. +

    Create a ~/ntp-server.yaml configuration file for telling the Machine Configuration Operator to apply the ~/control-plane-chrony.conf settings to the NTP servers on the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # This example MachineConfig replaces ~/control-plane-chrony.conf
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf-override-to-server
    +spec:
    +  config:
    +    ignition:
    +      version: 2.2.0
    +    storage:
    +      files:
    +        - contents:
    +            source: data:text/plain;charset=utf-8;base64,BASE64ENCODEDCONFIGFILE(1)
    +          filesystem: root
    +          mode: 0644
    +          path: /etc/control-plane-chrony.conf
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace the BASE64ENCODEDCONFIGFILE string with the base64-encoded string of the ~/control-plane-chrony.conf file in the subsequent step.
    +
    +
  6. +
  7. +

    Generate a base64 string of the ~/control-plane-chrony.conf file.

    +
    +
    +
    $ base64 ~/control-plane-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    IyBVc2UgcHVibGljIHNlcnZlcnMgZnJvbSB0aGUgcG9vbC5udHAub3JnIHByb2plY3QuCiMgUGxl
    +YXNlIGNvbnNpZGVyIGpvaW5pbmcgdGhlIHBvb2wgKGh0dHBzOi8vd3d3LnBvb2wubnRwLm9yZy9q
    +b2luLmh0bWwpLgoKIyBUaGlzIGZpbGUgaXMgbWFuYWdlZCBieSB0aGUgbWFjaGluZSBjb25maWcg
    +b3BlcmF0b3IKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMC48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMS48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMi48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKCnN0cmF0dW13ZWlnaHQgMApkcmlmdGZpbGUgL3Zhci9saWIvY2hyb255L2RyaWZ0
    +CnJ0Y3N5bmMKbWFrZXN0ZXAgMTAgMwpiaW5kY21kYWRkcmVzcyAxMjcuMC4wLjEKYmluZGNtZGFk
    +ZHJlc3MgOjoxCmtleWZpbGUgL2V0Yy9jaHJvbnkua2V5cwpjb21tYW5ka2V5IDEKZ2VuZXJhdGVj
    +b21tYW5ka2V5Cm5vY2xpZW50bG9nCmxvZ2NoYW5nZSAwLjUKbG9nZGlyIC92YXIvbG9nL2Nocm9u
    +eQoKIyBDb25maWd1cmUgdGhlIGNvbnRyb2wgcGxhbmUgbm9kZXMgdG8gc2VydmUgYXMgbG9jYWwg
    +TlRQIHNlcnZlcnMKIyBmb3IgYWxsIHdvcmtlciBub2RlcywgZXZlbiBpZiB0aGV5IGFyZSBub3Qg
    +aW4gc3luYyB3aXRoIGFuCiMgdXBzdHJlYW0gTlRQIHNlcnZlci4KCiMgQWxsb3cgTlRQIGNsaWVu
    +dCBhY2Nlc3MgZnJvbSB0aGUgbG9jYWwgbmV0d29yay4KYWxsb3cgYWxsCiMgU2VydmUgdGltZSBl
    +dmVuIGlmIG5vdCBzeW5jaHJvbml6ZWQgdG8gYSB0aW1lIHNvdXJjZS4KbG9jYWwgc3RyYXR1bSAz
    +IG9ycGhhbgo=
    +
    +
    +
    +

    Replace the BASE64ENCODEDCONFIGFILE string in the ~/ntp-server.yaml with the base64-encoded string.

    +
    +
  8. +
  9. +

    Create a ~/ntp-client.yaml configuration file for telling the Machine Configuration Operator to apply the ~/worker-chrony.conf settings to the NTP clients on the worker nodes.

    +
    +
    Configuration file example
    +
    +
    # This example MachineConfig replaces ~/worker-chrony.conf
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  labels:
    +    machineconfiguration.openshift.io/role: worker
    +  name: 99-master-etc-chrony-conf-override-for-worker
    +spec:
    +  config:
    +    ignition:
    +      version: 2.2.0
    +    storage:
    +      files:
    +        - contents:
    +            source: data:text/plain;charset=utf-8;base64,BASE64ENCODEDCONFIGFILE(1)
    +          filesystem: root
    +          mode: 0644
    +          path: /etc/worker-chrony.conf
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace the BASE64ENCODEDCONFIGFILE string with the base64-encoded string of the ~/worker-chrony.conf file in the subsequent step.
    +
    +
  10. +
  11. +

    Generate a base64-encoded string of the ~/worker-chrony.conf file.

    +
    +
    +
    $ base64 ~/worker-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    IyBUaGlzIGZpbGUgaXMgbWFuYWdlZCBieSB0aGUgbWFjaGluZSBjb25maWcgb3BlcmF0b3IKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMC48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMS48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMi48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKCnN0
    +cmF0dW13ZWlnaHQgMApkcmlmdGZpbGUgL3Zhci9saWIvY2hyb255L2RyaWZ0CnJ0Y3N5bmMKbWFr
    +ZXN0ZXAgMTAgMwpiaW5kY21kYWRkcmVzcyAxMjcuMC4wLjEKYmluZGNtZGFkZHJlc3MgOjoxCmtl
    +eWZpbGUgL2V0Yy9jaHJvbnkua2V5cwpjb21tYW5ka2V5IDEKZ2VuZXJhdGVjb21tYW5ka2V5Cm5v
    +Y2xpZW50bG9nCmxvZ2NoYW5nZSAwLjUKbG9nZGlyIC92YXIvbG9nL2Nocm9ueQo=
    +
    +
    +
    +

    Replace the BASE64ENCODEDCONFIGFILE string in the ~/ntp-client.yaml file with the base64-encoded string.

    +
    +
  12. +
  13. +

    Apply the ntp-server.yaml policy to the control plane nodes.

    +
    +
    +
    $ oc apply -f ~/ntp-server.yaml
    +
    +
    +
    +
    Example output
    +
    +
    machineconfig.machineconfiguration.openshift.io/99-master-etc-chrony-conf-override-for-server created
    +
    +
    +
  14. +
  15. +

    Apply the ~/ntp-client.yaml policy to the worker nodes.

    +
    +
    +
    $ oc apply -f ~/worker-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    machineconfig.machineconfiguration.openshift.io/99-master-etc-chrony-conf-override-for-worker created
    +
    +
    +
  16. +
  17. +

    Check the status of the applied NTP settings.

    +
    +
    +
    $ oc describe machineconfigpool
    +
    +
    +
  18. +
+
+
+
+

4.2. Configuring an external load balancer

+
+

You can configure an OpenShift Container Platform cluster +to use an external load balancer in place of the default load balancer.

+
+
+
Prerequisites
+
    +
  • +

    On your load balancer, TCP over ports 6443, 443, and 80 must be available to any users of your system.

    +
  • +
  • +

    Load balance the API port, 6443, between each of the control plane nodes.

    +
  • +
  • +

    Load balance the application ports, 443 and 80, between all of the compute nodes.

    +
  • +
  • +

    On your load balancer, port 22623, which is used to serve ignition start-up configurations to nodes, is not exposed outside of the cluster.

    +
  • +
  • +

    Your load balancer must be able to access every machine in your cluster. Methods to allow this access include:

    +
    +
      +
    • +

      Attaching the load balancer to the cluster’s machine subnet.

      +
    • +
    • +

      Attaching floating IP addresses to machines that use the load balancer.

      +
    • +
    +
    +
  • +
+
+
+ + + + + +
+ + +
+

External load balancing services and the control plane nodes must run on the same L2 network, and on the same VLAN when using VLANs to route traffic between the load balancing services and the control plane nodes.

+
+
+
+
+
Procedure
+
    +
  1. +

    Enable access to the cluster from your load balancer on ports 6443, 443, and 80.

    +
    +

    As an example, note this HAProxy configuration:

    +
    +
    +
    A section of a sample HAProxy configuration
    +
    +
    ...
    +listen my-cluster-api-6443
    +    bind 0.0.0.0:6443
    +    mode tcp
    +    balance roundrobin
    +    server my-cluster-master-2 192.0.2.2:6443 check
    +    server my-cluster-master-0 192.0.2.3:6443 check
    +    server my-cluster-master-1 192.0.2.1:6443 check
    +listenmy-cluster-apps-443
    +        bind 0.0.0.0:443
    +        mode tcp
    +        balance roundrobin
    +        server my-cluster-worker-0 192.0.2.6:443 check
    +        server my-cluster-worker-1 192.0.2.5:443 check
    +        server my-cluster-worker-2 192.0.2.4:443 check
    +listenmy-cluster-apps-80
    +        bind 0.0.0.0:80
    +        mode tcp
    +        balance roundrobin
    +        server my-cluster-worker-0 192.0.2.7:80 check
    +        server my-cluster-worker-1 192.0.2.9:80 check
    +        server my-cluster-worker-2 192.0.2.8:80 check
    +
    +
    +
  2. +
  3. +

    Add records to your DNS server for the cluster API and apps over the load balancer. For example:

    +
    +
    +
    <load_balancer_ip_address> api.<cluster_name>.<base_domain>
    +<load_balancer_ip_address> apps.<cluster_name>.<base_domain>
    +
    +
    +
  4. +
  5. +

    From a command line, use curl to verify that the external load balancer and DNS configuration are operational.

    +
    +
      +
    1. +

      Verify that the cluster API is accessible:

      +
      +
      +
      $ curl https://<loadbalancer_ip_address>:6443/version --insecure
      +
      +
      +
      +

      If the configuration is correct, you receive a JSON object in response:

      +
      +
      +
      +
      {
      +  "major": "1",
      +  "minor": "11+",
      +  "gitVersion": "v1.11.0+ad103ed",
      +  "gitCommit": "ad103ed",
      +  "gitTreeState": "clean",
      +  "buildDate": "2019-01-09T06:44:10Z",
      +  "goVersion": "go1.10.3",
      +  "compiler": "gc",
      +  "platform": "linux/amd64"
      +}
      +
      +
      +
    2. +
    3. +

      Verify that cluster applications are accessible:

      +
      + + + + + +
      + + +
      +

      You can also verify application accessibility by opening the OpenShift Container Platform console in a web browser.

      +
      +
      +
      +
      +
      +
      $ curl http://console-openshift-console.apps.<cluster_name>.<base_domain> -I -L --insecure
      +
      +
      +
      +

      If the configuration is correct, you receive an HTTP response:

      +
      +
      +
      +
      HTTP/1.1 302 Found
      +content-length: 0
      +location: https://console-openshift-console.apps.<cluster-name>.<base domain>/
      +cache-control: no-cacheHTTP/1.1 200 OK
      +referrer-policy: strict-origin-when-cross-origin
      +set-cookie: csrf-token=39HoZgztDnzjJkq/JuLJMeoKNXlfiVv2YgZc09c3TBOBU4NI6kDXaJH1LdicNhN1UsQWzon4Dor9GWGfopaTEQ==; Path=/; Secure
      +x-content-type-options: nosniff
      +x-dns-prefetch-control: off
      +x-frame-options: DENY
      +x-xss-protection: 1; mode=block
      +date: Tue, 17 Nov 2020 08:42:10 GMT
      +content-type: text/html; charset=utf-8
      +set-cookie: 1e2670d92730b515ce3a1bb65da45062=9b714eb87e93cf34853e87a92d6894be; path=/; HttpOnly; Secure; SameSite=None
      +cache-control: private
      +
      +
      +
    4. +
    +
    +
  6. +
+
+
+
+

4.3. Enabling a provisioning network after installation

+
+

The assisted installer and installer-provisioned installation for bare metal clusters provide the ability to deploy a cluster without a provisioning network. This capability is for scenarios such as proof-of-concept clusters or deploying exclusively with Redfish virtual media when each node’s baseboard management controller is routable via the baremetal network.

+
+
+

In OpenShift Container Platform 4.8 and later, you can enable a provisioning network after installation using the Cluster Baremetal Operator (CBO).

+
+
+
Prerequisites
+
    +
  • +

    A dedicated physical network must exist, connected to all worker and control plane nodes.

    +
  • +
  • +

    You must isolate the native, untagged physical network.

    +
  • +
  • +

    The network cannot have a DHCP server when the provisioningNetwork configuration setting is set to Managed.

    +
  • +
  • +

    You must connect the control plane nodes to the network with the same network interface, such as eth0 or eno1.

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Identify the provisioning interface name for the cluster nodes. For example, eth0 or eno1.

    +
  2. +
  3. +

    Enable the Preboot eXecution Environment (PXE) on the provisioning network interface of the cluster nodes.

    +
  4. +
  5. +

    Retrieve the current state of the provisioning network and save it to a provisioning configuration resource file:

    +
    +
    +
    $ oc get provisioning -o yaml > enable-provisioning-nw.yaml
    +
    +
    +
  6. +
  7. +

    Modify the provisioning configuration resource file:

    +
    +
    +
    $ vim ~/enable-provisioning-nw.yaml
    +
    +
    +
    +

    Scroll down to the provisioningNetwork configuration setting and change it from Disabled to Managed. Then, add the provisioningOSDownloadURL, provisioningIP, provisioningNetworkCIDR, provisioningDHCPRange, provisioningInterface, and watchAllNameSpaces configuration settings after the provisioningNetwork setting. Provide appropriate values for each setting.

    +
    +
    +
    +
    apiVersion: v1
    +items:
    +- apiVersion: metal3.io/v1alpha1
    +  kind: Provisioning
    +  metadata:
    +    name: provisioning-configuration
    +  spec:
    +    provisioningNetwork: (1)
    +    provisioningOSDownloadURL: (2)
    +    provisioningIP: (3)
    +    provisioningNetworkCIDR: (4)
    +    provisioningDHCPRange: (5)
    +    provisioningInterface: (6)
    +    watchAllNameSpaces: (7)
    +
    +
    +
    +

    where:

    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    1The provisioningNetwork is one of Managed, Unmanaged, or Disabled. When set to Managed, Metal3 manages the provisioning network and the CBO deploys the Metal3 pod with a configured DHCP server. When set to Unmanaged, the system administrator configures the DHCP server manually.
    2The provisioningOSDownloadURL is a valid HTTPS URL with a valid sha256 checksum that enables the Metal3 pod to download a qcow2 operating system image ending in .qcow2.gz or .qcow2.xz. This field is required whether the provisioning network is Managed, Unmanaged, or Disabled. For example: http://192.168.0.1/images/rhcos-<version>.x86_64.qcow2.gz?sha256=<sha>.
    3The provisioningIP is the static IP address that the DHCP server and ironic use to provision the network. This static IP address must be within the provisioning subnet, and outside of the DHCP range. If you configure this setting, it must have a valid IP address even if the provisioning network is Disabled. The static IP address is bound to the metal3 pod. If the metal3 pod fails and moves to another server, the static IP address also moves to the new server.
    4The Classless Inter-Domain Routing (CIDR) address. If you configure this setting, it must have a valid CIDR address even if the provisioning network is Disabled. For example: 192.168.0.1/24.
    5The DHCP range. This setting is only applicable to a Managed provisioning network. Omit this configuration setting if the provisioning network is Disabled. For example: 192.168.0.64, 192.168.0.253.
    6The NIC name for the provisioning interface on cluster nodes. This setting is only applicable to Managed and Unamanged provisioning networks. Omit this configuration setting if the provisioning network is Disabled.
    7Set this setting to true if you want metal3 to watch namespaces other than the default openshift-machine-api namespace. The default value is false.
    +
    +
  8. +
  9. +

    Save the changes to the provisioning configuration resource file.

    +
  10. +
  11. +

    Apply the provisioning configuration resource file to the cluster:

    +
    +
    +
    $ oc apply -f enable-provisioning-nw.yaml
    +
    +
    +
  12. +
+
+
+
+
+
+

5. Day 2 operations

+
+
+

The following sections are optional, but may be of interest after the initial deployment has been completed.

+
+
+

5.1. Accessing the web console

+
+

The web console runs as a pod on the master. The static assets required to run +the web console are served by the pod. Once OpenShift Container Platform is successfully +installed, find the URL for the web console and login credentials for your +installed cluster in the CLI output of the installation program. For example:

+
+
+
Example output
+
+
INFO Install complete!
+INFO Run 'export KUBECONFIG=<your working directory>/auth/kubeconfig' to manage the cluster with 'oc', the OpenShift CLI.
+INFO The cluster is ready when 'oc login -u kubeadmin -p <provided>' succeeds (wait a few minutes).
+INFO Access the OpenShift web-console here: https://console-openshift-console.apps.demo1.openshift4-beta-abcorp.com
+INFO Login to the console with user: kubeadmin, password: <provided>
+
+
+
+

Use those details to log in and access the web console.

+
+
+

Additionally, you can execute:

+
+
+
+
oc whoami --show-console
+
+
+
+

To obtain the url for the console.

+
+
+
+

5.2. Backing up the cluster configuration

+
+

At this point you have a working OpenShift 4 cluster on baremetal. +In order to take advantage of the baremetal hardware that was the provision node, +you can repurpose the provisioning node as a worker. +Prior to reprovisioning the node, it is recommended to backup some existing files.

+
+
+
Procedure
+
    +
  1. +

    Tar the clusterconfig folder and download it to your local machine.

    +
    +
    +
    tar cvfz clusterconfig.tar.gz ~/clusterconfig
    +
    +
    +
  2. +
  3. +

    Copy the Private part for the SSH Key configured on the install-config.yaml file to your local machine.

    +
    +
    +
    tar cvfz clusterconfigsh.tar.gz ~/.ssh/id_rsa*
    +
    +
    +
  4. +
  5. +

    Copy the install-config.yaml and metal3-config.yaml files.

    +
    +
    +
    tar cvfz yamlconfigs.tar.gz install-config.yaml metal3-config.yaml
    +
    +
    +
  6. +
+
+
+
+

5.3. Expanding the cluster

+
+

After deploying an installer-provisioned OpenShift Container Platform cluster, you can use the following procedures to expand the number of worker nodes. Ensure that each prospective worker node meets the prerequisites.

+
+
+ + + + + +
+ + +
+

Expanding the cluster using RedFish Virtual Media involves meeting minimum firmware requirements. See Firmware requirements for installing with virtual media in the Prerequisites section for additional details when expanding the cluster using RedFish Virtual Media.

+
+
+
+
+

5.3.1. Preparing the bare metal node

+
+

Expanding the cluster requires a DHCP server. Each node must have a DHCP reservation.

+
+
+ + + + + +
+ + +
Reserving IP addresses so they become static IP addresses
+
+

Some administrators prefer to use static IP addresses so that each node’s IP address remains constant in the absence of a DHCP server. To use static IP addresses in the OpenShift Container Platform cluster, reserve the IP addresses in the DHCP server with an infinite lease. After the installer provisions the node successfully, the dispatcher script will check the node’s network configuration. If the dispatcher script finds that the network configuration contains a DHCP infinite lease, it will recreate the connection as a static IP connection using the IP address from the DHCP infinite lease. NICs without DHCP infinite leases will remain unmodified.

+
+
+
+
+

Preparing the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Get the oc binary, if needed. It should already exist on the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ export VERSION=latest-4.9
    +[kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux-$VERSION.tar.gz | tar zxvf - oc
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Power off the bare metal node via the baseboard management controller and ensure it is off.

    +
  4. +
  5. +

    Retrieve the user name and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the user name and password. In the following example, the user name is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  6. +
  7. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: <protocol>://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of the bare metal node in the two name fields and the credentialsName field. Replace <base64-of-uid> with the base64 string of the user name. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC.

    +
    +
    +

    Refer to the BMC addressing section for additional BMC configuration options. Replace <protocol> with the BMC protocol, such as IPMI, RedFish, or others. +Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
    + + + + + +
    + + +
    +

    If the MAC address of an existing bare metal node matches the MAC address of a bare metal host that you are attempting to provision, then the Ironic installation will fail. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the metal3-baremetal-operator will continuously retry. See Diagnosing a host duplicate MAC address for more information.

    +
    +
    +
    +
  8. +
  9. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  10. +
  11. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
+
+
+
+

5.3.2. Preparing to deploy with Virtual Media on the baremetal network

+
+

If the provisioning network is enabled, and you want to expand the cluster using Virtual Media on the baremetal network, execute the following procedure.

+
+
+
Procedure
+
    +
  1. +

    Edit the provisioning configuration resource (CR) to enable deploying with Virtual Media on the baremetal network.

    +
    +
    +
    oc edit provisioning
    +
    +
    +
    +
    +
      apiVersion: metal3.io/v1alpha1
    +  kind: Provisioning
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:50Z"
    +    finalizers:
    +    - provisioning.metal3.io
    +    generation: 8
    +    name: provisioning-configuration
    +    resourceVersion: "551591"
    +    uid: f76e956f-24c6-4361-aa5b-feaf72c5b526
    +  spec:
    +    preProvisioningOSDownloadURLs: {}
    +    provisioningDHCPRange: 172.22.0.10,172.22.0.254
    +    provisioningIP: 172.22.0.3
    +    provisioningInterface: enp1s0
    +    provisioningNetwork: Managed
    +    provisioningNetworkCIDR: 172.22.0.0/24
    +    provisioningOSDownloadURL: http://192.168.111.1/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.gz?sha256=c7dde5f96826c33c97b5a4ad34110212281916128ae11100956f400db3d5299e
    +    virtualMediaViaExternalNetwork: true (1)
    +  status:
    +    generations:
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 7
    +      name: metal3
    +      namespace: openshift-machine-api
    +      resource: deployments
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 1
    +      name: metal3-image-cache
    +      namespace: openshift-machine-api
    +      resource: daemonsets
    +    observedGeneration: 8
    +    readyReplicas: 0
    +
    +
    +
    + + + + + +
    1Add virtualMediaViaExternalNetwork: true to the provisioning CR.
    +
    +
  2. +
  3. +

    Edit the machine set to use the API VIP address.

    +
    +
    +
    oc edit machineset
    +
    +
    +
    +
    +
      apiVersion: machine.openshift.io/v1beta1
    +  kind: MachineSet
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:52Z"
    +    generation: 11
    +    labels:
    +      machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +      machine.openshift.io/cluster-api-machine-role: worker
    +      machine.openshift.io/cluster-api-machine-type: worker
    +    name: ostest-hwmdt-worker-0
    +    namespace: openshift-machine-api
    +    resourceVersion: "551513"
    +    uid: fad1c6e0-b9da-4d4a-8d73-286f78788931
    +  spec:
    +    replicas: 2
    +    selector:
    +      matchLabels:
    +        machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +        machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +    template:
    +      metadata:
    +        labels:
    +          machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +          machine.openshift.io/cluster-api-machine-role: worker
    +          machine.openshift.io/cluster-api-machine-type: worker
    +          machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +      spec:
    +        metadata: {}
    +        providerSpec:
    +          value:
    +            apiVersion: baremetal.cluster.k8s.io/v1alpha1
    +            hostSelector: {}
    +            image:
    +              checksum: http:/172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.md5sum (1)
    +              url: http://172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2 (2)
    +            kind: BareMetalMachineProviderSpec
    +            metadata:
    +              creationTimestamp: null
    +            userData:
    +              name: worker-user-data
    +  status:
    +    availableReplicas: 2
    +    fullyLabeledReplicas: 2
    +    observedGeneration: 11
    +    readyReplicas: 2
    +    replicas: 2
    +
    +
    +
    + + + + + + + + + +
    1Edit the checksum URL to use the API VIP address.
    2Edit the url URL to use the API VIP address.
    +
    +
  4. +
+
+
+
Diagnosing a duplicate MAC address when provisioning a new host in the cluster
+
+

If the MAC address of an existing bare-metal node in the cluster matches the MAC address of a bare-metal host you are attempting to add to the cluster, the Bare Metal Operator associates the host with the existing node. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the Bare Metal Operator retries the installation continuously. A registration error is displayed for the failed bare-metal host.

+
+
+

You can diagnose a duplicate MAC address by examining the bare-metal hosts that are running in the openshift-machine-api namespace.

+
+
+
Prerequisites
+
    +
  • +

    Install an OpenShift Container Platform cluster on bare metal.

    +
  • +
  • +

    Install the OpenShift Container Platform CLI oc.

    +
  • +
  • +

    Log in as a user with cluster-admin privileges.

    +
  • +
+
+
+
Procedure
+

To determine whether a bare-metal host that fails provisioning has the same MAC address as an existing node, do the following:

+
+
+
    +
  1. +

    Get the bare-metal hosts running in the openshift-machine-api namespace:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    Example output
    +
    +
    NAME                 STATUS   PROVISIONING STATUS      CONSUMER
    +openshift-master-0   OK       externally provisioned   openshift-zpwpq-master-0
    +openshift-master-1   OK       externally provisioned   openshift-zpwpq-master-1
    +openshift-master-2   OK       externally provisioned   openshift-zpwpq-master-2
    +openshift-worker-0   OK       provisioned              openshift-zpwpq-worker-0-lv84n
    +openshift-worker-1   OK       provisioned              openshift-zpwpq-worker-0-zd8lm
    +openshift-worker-2   error    registering
    +
    +
    +
  2. +
  3. +

    To see more detailed information about the status of the failing host, run the following command replacing <bare_metal_host_name> with the name of the host:

    +
    +
    +
    $ oc get -n openshift-machine-api bmh <bare_metal_host_name> -o yaml
    +
    +
    +
    +
    Example output
    +
    +
    ...
    +status:
    +  errorCount: 12
    +  errorMessage: MAC address b4:96:91:1d:7c:20 conflicts with existing node openshift-worker-1
    +  errorType: registration error
    +...
    +
    +
    +
  4. +
+
+
+
+
+

5.3.3. Provisioning the bare metal node

+
+

Provisioning the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  2. +
  3. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-3.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-1.openshift.example.com            Ready    master          30h     v1.16.2
    +
    +
    +
  4. +
  5. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +...
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +
    +
    +
  6. +
  7. +

    Increase the number of worker nodes by one.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  8. +
  9. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This can take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  10. +
  11. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                          STATUS   ROLES   AGE     VERSION
    +provisioner.openshift.example.com             Ready    master  30h     v1.16.2
    +openshift-master-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-2.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-3.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-0.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  12. +
+
+
+
+

5.3.4. Preparing the provisioner node to be deployed as a worker node

+
+
Procedure
+

Perform the following steps prior to converting the provisioner node to a worker node.

+
+
+
    +
  1. +

    ssh to a system (for example, a laptop) that can access the out of band management network of the current provisioner node.

    +
  2. +
  3. +

    Copy the backups clusterconfig.tar.gz, clusterconfigsh.tar.gz, and amlconfigs.tar.gz to the new system.

    +
  4. +
  5. +

    Copy the oc binary from the existing provisioning node to the new system.

    +
  6. +
  7. +

    Make a note of the mac addresses, the baremetal network IP used for the provisioner node, and the IP address of +the Out of band Management Network.

    +
  8. +
  9. +

    Reboot the system and ensure that PXE is enabled on the provisioning network and PXE is disabled for all other NICs.

    +
  10. +
  11. +

    If installation was performed using a Satellite server, remove the Host entry for the existing provisioning node.

    +
  12. +
  13. +

    Install the ipmitool on the new system in order to power off the provisioner node.

    +
  14. +
+
+
+
+

5.3.5. Adding a worker node to an existing cluster

+
+
Procedure
+
    +
  1. +

    Retrieve the username and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the username and password. In the following example, the username is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  2. +
  3. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of bare metal node in two name fields and credentialsName field. Replace <base64-of-uid> with the base64 string of the username. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC. Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
  4. +
+
+
+ + + + + +
+ + +
+

When using redfish or redfish-virtualmedia, add the +appropriate addressing as described in the BMC addressing section. See BMC addressing for details.

+
+
+
+
+
    +
  1. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  2. +
  3. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  4. +
  5. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  6. +
  7. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
  8. +
  9. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +openshift-worker-2.example.com      1         1         1       1           55m
    +
    +
    +
  10. +
  11. +

    Increase the number of worker nodes by 1.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  12. +
  13. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This may take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  14. +
  15. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  16. +
+
+
+
Appending DNS records
+
+
Configuring Bind (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +<OUTPUT_OMITTED>
    +openshift-worker-1      A       <ip-of-worker-1>
    +openshift-worker-2      A       <ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  6. +
  7. +

    Increase the SERIAL value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the SERIAL value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+

Append the following DNS record to the /etc/hosts file on the server hosting the dnsmasq service.

+
+
+
+
<OUTPUT_OMITTED>
+<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
+<NIC2-IP> openshift-worker-2.openshift.example.com openshift-worker-2
+
+
+
+ + + + + +
+ + +
+

Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

+
+
+
+
+
+
+
Appending DHCP reservations
+
+
Configuring dhcpd (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host openshift-worker-2 {
    +     option host-name "worker-2";
    +     hardware ethernet <NIC2-mac-address>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+
    +
  1. +

    Append the following DHCP reservation to the /etc/dnsmasq.d/example.dns file on the server hosting the dnsmasq service.

    +
    +
    +
    <OUTPUT_OMITTED>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-worker-1>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-2.openshift.example.com,<ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

    +
    +
    +
    +
  2. +
  3. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  4. +
+
+
+
+
+
Deploying the provisioner node as a worker node using Metal3
+
+

After you have completed the prerequisites, perform the deployment process.

+
+
+
Procedure
+
    +
  1. +

    Power off the node using ipmitool and confirm the provisioning node is powered off.

    +
    +
    +
    ssh <server-with-access-to-management-net>
    +# Use the user, password and Management net IP adddress to shutdown the system
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +# Confirm the server is powered down
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power status
    +Chassis Power is off
    +
    +
    +
  2. +
  3. +

    Get base64 strings for the Out of band Management credentials. In this example, the user is root and the password is calvin.

    +
    +
    +
    # Use echo -ne, otherwise you will get your secrets with \n which will cause issues
    +# Get root username in base64
    +echo -ne "root" | base64
    +# Get root password in base64
    +echo -ne "calvin" | base64
    +
    +
    +
  4. +
  5. +

    Configure the BaremetalHost bmh.yaml file.

    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-2-bmc-secret
    +type: Opaque
    +data:
    +  username: ca2vdAo=
    +  password: MWAwTWdtdC0K
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-2
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<out-of-band-ip>
    +    credentialsName: openshift-worker-2-bmc-secret
    +
    +
    +
  6. +
  7. +

    Create the BaremetalHost.

    +
    +
    +
    ./oc -n openshift-machine-api create -f bmh.yaml
    +secret/openshift-worker-2-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-2 created
    +
    +
    +
  8. +
  9. +

    Power up and inspect the node.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       inspecting                       ipmi://<out-of-band-ip>                      true
    +
    +
    +
  10. +
  11. +

    After finishing the inspection, the node is ready to be provisioned.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
  13. +

    Scale the workers machineset. Previously, there were two replicas during original installation.

    +
    +
    +
    ./oc get machineset -n openshift-machine-api
    +NAME            DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-2   0         0                             21h
    +
    +./oc -n openshift-machine-api scale machineset openshift-worker-2 --replicas=3
    +
    +
    +
  14. +
  15. +

    The baremetal host moves to provisioning status. This can take as long as 30 minutes. You can follow the status +from the node console.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioning          openshift-worker-0-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  16. +
  17. +

    When the node is provisioned it moves to provisioned status.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioned           openshift-worker-2-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  18. +
  19. +

    When the kubelet finishes initialization the node is ready for use. +You can connect to the node and run journalctl -fu kubelet to check the process.

    +
    +
    +
    oc get node
    +NAME                                            STATUS   ROLES           AGE     VERSION
    +openshift-master-0.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-1.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-2.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
  20. +
+
+
+
+
+
+
+
+

6. Appendix

+
+
+

In this section of the document, extra information is provided that is outside of the regular workflow.

+
+
+

6.1. Troubleshooting

+
+

Troubleshooting the installation is out of scope of the Deployment Guide. For more details on troubleshooting deployment, refer to our Troubleshooting guide.

+
+
+
+

6.2. Creating DNS Records

+
+

Two options are documented for configuring DNS records:

+
+ +
+

6.2.1. Configuring Bind (Option 1)

+
+

Use Option 1 if access to the appropriate DNS server for the baremetal network is accessible or a request +to your network admin to create the DNS records is an option. +If this is not an option, skip this section and go to section Create DNS records using dnsmasq (Option 2).

+
+
+

Create a subzone with the name of the cluster that is going to be used on your domain. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +$TTL 300        ; 5 minutes
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +api                     A       <api-ip>
    +ns1                     A       <dns-vip-ip>
    +$ORIGIN apps.openshift.example.com.
    +*                       A       <wildcard-ingress-lb-ip>
    +$ORIGIN openshift.example.com.
    +provisioner             A       <NIC2-ip-of-provision>
    +openshift-master-0      A       <NIC2-ip-of-openshift-master-0>
    +openshift-master-1      A       <NIC2-ip-of-openshift-master-1>
    +openshift-master-2      A       <NIC2-ip-of-openshift-master-2>
    +openshift-worker-0      A       <NIC2-ip-of-openshift-worker-0>
    +openshift-worker-1      A       <NIC2-ip-of-openshift-worker-1>
    +
    +
    +
  6. +
  7. +

    Increase the serial value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    +
    +
    $ORIGIN 1.0.10.in-addr.arpa.
    +$TTL 300
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +126 IN      PTR      provisioner.openshift.example.com.
    +127	IN        	PTR    	openshift-master-0.openshift.example.com.
    +128	IN        	PTR    	openshift-master-1.openshift.example.com.
    +129	IN 	        PTR   	openshift-master-2.openshift.example.com.
    +130	IN 	        PTR   	openshift-worker-0.openshift.example.com.
    +131	IN        	PTR    	openshift-worker-1.openshift.example.com.
    +132 IN      PTR     api.openshift.example.com.
    +133 IN      PTR     ns1.openshift.example.com.
    +
    +
    +
    + + + + + +
    + + +
    +

    In this example, the IP addresses 10.0.1.126-133 are pointed to the corresponding fully qualified domain name.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the serial value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+

6.2.2. Configuring dnsmasq (Option 2)

+
+

To create DNS records, open the /etc/hosts file and add the NIC2 (baremetal net) IP followed by the hostname. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Edit /etc/hosts and add the NIC2 (baremetal net) IP followed by the hostname.

    +
    +
    +
    cat /etc/hosts
    +127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    +::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    +<NIC2-IP> provisioner.openshift.example.com provisioner
    +<NIC2-IP> openshift-master-0.openshift.example.com openshift-master-0
    +<NIC2-IP> openshift-master-1.openshift.example.com openshift-master-1
    +<NIC2-IP> openshift-master-2.openshift.example.com openshift-master-2
    +<NIC2-IP> openshift-worker-0.openshift.example.com openshift-worker-0
    +<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
    +<API-IP>  api.openshift.example.com api
    +<DNS-VIP-IP> ns1.openshift.example.com ns1
    +
    +
    +
  2. +
  3. +

    Open the appropriate firewalld DNS service and reload the rules.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dns --permanent
    +firewall-cmd --reload
    +
    +
    +
  4. +
+
+
+
+
+

6.3. Creating DHCP reservations

+
+

Two options are documented for configuring DHCP:

+
+ +
+

6.3.1. Configuring dhcpd (Option 1)

+
+

Use Option 1 if access to the appropriate DHCP server for the baremetal network is accessible or a request +to your network admin to create the DHCP reservations is an option. +If this is not an option, skip this section and go to section Create DHCP records using dnsmasq (Option 2).

+
+
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host provisioner {
    +     option host-name "provisioner";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-master-0 {
    +     option host-name "openshift-master-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-1 {
    +     option host-name "openshift-master-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-2 {
    +     option host-name "openshift-master-2";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-0 {
    +     option host-name "openshift-worker-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-1 {
    +     option host-name "openshift-worker-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+

6.3.2. Configuring dnsmasq (Option 2)

+
+

Set up dnsmasq on a server that can access the baremetal network.

+
+
+
Procedure
+
    +
  1. +

    Install dnsmasq.

    +
    +
    +
    dnf install -y dnsmasq
    +
    +
    +
  2. +
  3. +

    Change to the /etc/dnsmasq.d directory.

    +
    +
    +
    cd /etc/dnsmasq.d
    +
    +
    +
  4. +
  5. +

    Create a file that reflects your OpenShift cluster appended by .dns.

    +
    +
    +
    touch <filename>.dns
    +
    +
    +
  6. +
  7. +

    Open the appropriate firewalld DHCP service.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dhcp --permanent
    +firewall-cmd --reload
    +
    +
    +
  8. +
  9. +

    Define DNS configuration file

    +
    IPv4
    +
    +

    Here is an example of the .dns file for IPv4.

    +
    +
    +
    +
    domain-needed
    +bind-dynamic
    +bogus-priv
    +domain=openshift.example.com
    +dhcp-range=<baremetal-net-starting-ip,baremetal-net-ending-ip>
    +#dhcp-range=10.0.1.4,10.0.14
    +dhcp-option=3,<baremetal-net-gateway-ip>
    +#dhcp-option=3,10.0.1.254
    +resolv-file=/etc/resolv.conf.upstream
    +interface=<nic-with-access-to-baremetal-net>
    +#interface=em2
    +server=<ip-of-existing-server-on-baremetal-net>
    +
    +
    +#Wildcard for apps -- make changes to cluster-name (openshift) and domain (example.com)
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +
    +#Static IPs for Masters
    +dhcp-host=<NIC2-mac-address>,provisioner.openshift.example.com,<ip-of-provisioner>
    +dhcp-host=<NIC2-mac-address>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<NIC2-mac-address>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<NIC2-mac-address>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-0.openshift.example.com,<ip-of-openshift-worker-0>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-openshift-worker-1>
    +
    +
    +
    IPv6
    +
    +

    Here is an example of the .dns file for IPv6.

    +
    +
    +
    +
    strict-order
    +bind-dynamic
    +bogus-priv
    +dhcp-authoritative
    +dhcp-range=baremetal,<baremetal-IPv6-dhcp-range-start>,<baremetal-IPv6-dhcp-range-end>,<range-prefix>
    +dhcp-option=baremetal,option6:dns-server,[<IPv6-DNS-Server>]
    +
    +resolv-file=/etc/resolv.conf.upstream
    +except-interface=lo
    +dhcp-lease-max=81
    +log-dhcp
    +
    +domain=openshift.example.com,<baremetal-IPv6-cidr>,local
    +
    +# static host-records
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +host-record=api.openshift.example.com,<api-ip>
    +host-record=ns1.openshift.example.com,<dns-ip>
    +host-record=openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +host-record=openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +host-record=openshift-master-2.openshift.example.com,<ip-of-openshift-master-1>
    +# Registry
    +host-record=registry.openshift.example.com,<ip-of-registry-server>
    +
    +#Static IPs for Masters
    +dhcp-host=<baremetal-nic-duid>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<baremetal-nic-duid>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<baremetal-nic-duid>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +
    +
    +
  10. +
  11. +

    Create the resolv.conf.upstream file to provide DNS fowarding to an existing DNS server for resolution +to the outside world.

    +
    +
    +
    search <domain.com>
    +nameserver <ip-of-my-existing-dns-nameserver>
    +
    +
    +
  12. +
  13. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  14. +
  15. +

    Verify the dnsmasq service is running.

    +
    +
    +
    systemctl status dnsmasq
    +
    +
    +
  16. +
+
+
+
+
+
+
+
+
+
+1. Stateless Address AutoConfiguration +
+
+ + + \ No newline at end of file diff --git a/4.9/Deployment.pdf b/4.9/Deployment.pdf new file mode 100644 index 0000000000..49f091beb6 Binary files /dev/null and b/4.9/Deployment.pdf differ diff --git a/4.9/Troubleshooting.html b/4.9/Troubleshooting.html new file mode 100644 index 0000000000..b7fdca8630 --- /dev/null +++ b/4.9/Troubleshooting.html @@ -0,0 +1,2020 @@ + + + + + + + + + + +Troubleshooting Guide for IPI Installation + + + + + + + + + + + + + + + + +
+
+
+ +
+ + + + + +
+ + +
Draft documentation
+
+

This document is considered a DRAFT:

+
+
+
    +
  1. +

    It might not be complete

    +
  2. +
  3. +

    It might be not accurate

    +
  4. +
  5. +

    It might break your environment

    +
  6. +
+
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+

While attempting to deploy Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal (BM), you may run into a situation where you need to troubleshoot your environment. This document provides troubleshooting guidance and tips in solving common issues that may arise.

+
+
+
+
+

1. Troubleshooting the installer workflow

+
+
+

Prior to troubleshooting the installation environment, it is critical to understand the overall flow of the IPI installation on bare metal. The diagrams below provide a troubleshooting flow with a step-by-step breakdown for the environment.

+
+
+

Flow-Diagram-1

+
+
+

Workflow 1 of 4 illustrates a troubleshooting workflow when the install-config.yaml file has errors or the Red Hat Enterprise Linux CoreOS (RHCOS) images are inaccessible. Troubleshooting suggestions can be found at

+
+ +
+

Flow-Diagram-2

+
+
+

Workflow 2 of 4 illustrates a troubleshooting workflow for bootstrap VM issues, bootstrap VMs that cannot boot up the cluster nodes, and inspecting logs.

+
+
+

Flow-Diagram-3

+
+
+

Workflow 3 of 4 illustrates a troubleshooting workflow for cluster nodes that will not PXE boot.

+
+
+

Flow-Diagram-4

+
+
+

Workflow 4 of 4 illustrates a troubleshooting workflow from + a non-accessible API to a validated installation.

+
+
+
+
+

2. Troubleshooting install-config.yaml

+
+
+

The install-config.yaml configuration file represents all of the nodes that are part of the OpenShift Container Platform cluster. The file contains the necessary options consisting of but not limited to apiVersion, baseDomain, imageContentSources (OpenShift 4.13 and below) or imageDigestSources (OpenShirt 4.14 and above), and virtual IP addresses. If errors occur early in the deployment of the OpenShift Container Platform cluster, the errors are likely in the install-config.yaml configuration file.

+
+
+
Procedure
+
    +
  1. +

    Use the guidelines in YAML-tips.

    +
  2. +
  3. +

    Verify the YAML syntax is correct using syntax-check.

    +
  4. +
  5. +

    Verify the Red Hat Enterprise Linux CoreOS (RHCOS) QEMU images are properly defined and accessible via the URL provided in the install-config.yaml. For example:

    +
    +
    +
    $ curl -s -o /dev/null -I -w "%{http_code}\n" http://webserver.example.com:8080/rhcos-44.81.202004250133-0-qemu.x86_64.qcow2.gz?sha256=7d884b46ee54fe87bbc3893bf2aa99af3b2d31f2e19ab5529c60636fbd0f1ce7
    +
    +
    +
    +

    If the output is 200, there is a valid response from the webserver storing the bootstrap VM image.

    +
    +
  6. +
+
+
+
+
+

3. Bootstrap VM issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    $ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
    + + + + + +
    + + +
    +

    The name of the bootstrap VM is always the cluster name followed by a random set of characters and ending in the word "bootstrap."

    +
    +
    +
    +
    +

    If the bootstrap VM is not running after 10-15 minutes, troubleshoot why it is not running. Possible issues include:

    +
    +
  2. +
  3. +

    Verify libvirtd is running on the system:

    +
    +
    +
    $ systemctl status libvirtd
    +
    +
    +
    +
    +
    ● libvirtd.service - Virtualization daemon
    +   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
    +   Active: active (running) since Tue 2020-03-03 21:21:07 UTC; 3 weeks 5 days ago
    +     Docs: man:libvirtd(8)
    +           https://libvirt.org
    + Main PID: 9850 (libvirtd)
    +    Tasks: 20 (limit: 32768)
    +   Memory: 74.8M
    +   CGroup: /system.slice/libvirtd.service
    +           ├─ 9850 /usr/sbin/libvirtd
    +
    +
    +
    +

    If the bootstrap VM is operational, log into it.

    +
    +
  4. +
  5. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    $ sudo virsh console example.com
    +
    +
    +
    +
    +
    Connected to domain example.com
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
    + + + + + +
    + + +
    +

    When deploying a OpenShift Container Platform cluster without the provisioning network, you must use a public IP address and not a private IP address like 172.22.0.2.

    +
    +
    +
    +
  6. +
  7. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, you can use the IPv6 IP address provided by ens3 or the IPv4 IP provided by ens4.

    +
    +
    +
    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  8. +
+
+
+

If you are not successful logging in to the bootstrap VM, you have likely encountered one of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the 172.22.0.0/24 network. Verify network connectivity on the provisioner host specifically around the provisioning network bridge. This will not be the issue if you are not using the provisioning network.

    +
  • +
  • +

    You cannot reach the bootstrap VM via the public network. When attempting +to SSH via baremetal network, verify connectivity on the +provisioner host specifically around the baremetal network bridge.

    +
  • +
  • +

    You encountered Permission denied (publickey,password,keyboard-interactive). When +attempting to access the bootstrap VM, a Permission denied error +might occur. Verify that the SSH key for the user attempting to log +into the VM is set within the install-config.yaml file.

    +
  • +
+
+
+

3.1. Bootstrap VM cannot boot up the cluster nodes

+
+

During the deployment, it is possible for the bootstrap VM to fail to boot the cluster nodes, which prevents the VM from provisioning the nodes with the RHCOS image. This scenario can arise due to:

+
+
+
    +
  • +

    A problem with the install-config.yaml file.

    +
  • +
  • +

    Issues with out-of-band network access via the baremetal network.

    +
  • +
+
+
+

To verify the issue, there are three containers related to ironic:

+
+
+
    +
  • +

    ironic-api

    +
  • +
  • +

    ironic-conductor

    +
  • +
  • +

    ironic-inspector

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    To check the container logs, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs -f <container-name>
    +
    +
    +
    +

    Replace <container-name> with one of ironic-api, ironic-conductor, or ironic-inspector. If you encounter an issue where the control plane nodes are not booting up via PXE, check the ironic-conductor pod. The ironic-conductor pod contains the most detail about the attempt to boot the cluster nodes, because it attempts to log in to the node over IPMI.

    +
    +
  4. +
+
+
+
Potential reason
+

The cluster nodes might be in the ON state when deployment started.

+
+
+
Solution
+

Power off the OpenShift Container Platform cluster nodes before you begin the +installation over IPMI:

+
+
+
+
$ ipmitool -I lanplus -U root -P <password> -H <out-of-band-ip> power off
+
+
+
+
+

3.2. Inspecting logs

+
+

When experiencing issues downloading or accessing the RHCOS images, first verify that the URL is correct in the install-config.yaml configuration file.

+
+
+
Example of internal webserver hosting RHCOS images
+
+
bootstrapOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-qemu.x86_64.qcow2.gz?sha256=9d999f55ff1d44f7ed7c106508e5deecd04dc3c06095d34d36bf1cd127837e0c
+clusterOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-openstack.x86_64.qcow2.gz?sha256=a1bda656fa0892f7b936fdc6b6a6086bddaed5dafacedcd7a1e811abb78fe3b0
+
+
+
+

The ipa-downloader and coreos-downloader containers download resources from a webserver or the external quay.io registry, whichever the install-config.yaml configuration file specifies. Verify the following two containers are up and running and inspect their logs as needed:

+
+
+
    +
  • +

    ipa-downloader

    +
  • +
  • +

    coreos-downloader

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    Check the status of the ipa-downloader and coreos-downloader containers within the bootstrap VM:

    +
    +
    +
    [core@localhost ~]$ podman logs -f ipa-downloader
    +
    +
    +
    +
    +
    [core@localhost ~]$ podman logs -f coreos-downloader
    +
    +
    +
    +

    If the bootstrap VM cannot access the URL to the images, use the curl command to verify that the VM can access the images.

    +
    +
  4. +
  5. +

    To inspect the bootkube logs that indicate if all the containers launched during the deployment phase, execute the following:

    +
    +
    +
    [core@localhost ~]$ journalctl -xe
    +
    +
    +
    +
    +
    [core@localhost ~]$ journalctl -b -f -u bootkube.service
    +
    +
    +
  6. +
  7. +

    Verify all the pods, including dnsmasq, mariadb, httpd, and ironic, are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps
    +
    +
    +
  8. +
  9. +

    If there are issues with the pods, check the logs of the containers with issues. To check the log of the ironic-api, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs <ironic-api>
    +
    +
    +
  10. +
+
+
+
+
+
+

4. Ironic Bootstrap issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes. The cluster nodes are powered on, introspected and finally provisioned using Ironic.

+
+
+

Sometimes you might need to connect to the Ironic service running on the bootstrap node virtual machine to troubleshoot issues related to Ironic.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
  2. +
  3. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh console openshift-xf6fq-bootstrap
    +
    +
    +
    +
    +
    Connected to domain openshift-xf6fq-bootstrap
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
  4. +
  5. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, the IPv6 IP provided by ens3 or the IPv4 IP provided by ens4 can be used.

    +
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ ssh core@172.22.0.2
    +
    +
    +
  6. +
  7. +

    Make sure Ironic containers are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps | grep ironic
    +90251a35d1e2  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-api
    +168e712c9996  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c6af62509b3d66effe8e16c81e42e75e124ccb5770f82efb010ecc3ebadc48b8                        2 minutes ago  Up 2 minutes ago         ironic-inspector
    +025f8247bfb0  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-conductor
    +
    +
    +
  8. +
  9. +

    Get the value for the bootstrapProvisioningIp property from your install-config.yaml.

    +
  10. +
  11. +

    Create a clouds.yaml file:

    +
    +
    +
    clouds:
    +  metal3-bootstrap:
    +    auth_type: none
    +    baremetal_endpoint_override: http://<bootstrapProvisioningIp>:6385
    +    baremetal_introspection_endpoint_override: http://<bootstrapProvisioningIp>:5050
    +
    +
    +
    + + + + + +
    + + +
    +

    Make sure in the file above you change <bootstrapProvisioningIp> with the value from your install-config.yaml file.

    +
    +
    +
    +
  12. +
  13. +

    Run the ironic-client on the bootstrap VM using podman:

    +
    +
    +
    [core@localhost ~]$ podman run -ti --rm --entrypoint /bin/bash -v /path/to/clouds.yaml:/clouds.yaml -e OS_CLOUD=metal3-bootstrap quay.io/metal3-io/ironic-client
    +
    +
    +
  14. +
  15. +

    Once you’re in the container, run the following command to see the status of the nodes on Ironic:

    +
    +
    +
    [root@1facad6bccff /]# baremetal node list
    +
    +
    +
    +

    The expected states for the nodes are clean-waitavailabledeployingwait call-backactive.

    +
    +
    +
      +
    • +

      clean-wait: The IPA (Ironic Python Agent) will clean the node main disk and write RHCOS to it. After that will report the node status back to Ironic.

      +
    • +
    • +

      available: The node has been introspected and it’s ready to be provisioned.

      +
    • +
    • +

      deploying: The node is being provisioned with RHCOS + the required Ignition configs.

      +
    • +
    • +

      wait call-back: The node is deployed and Ironic is waiting for the node to finish everything before marking the node as active.

      +
    • +
    • +

      active: The node is fully provisioned from an Ironic perspective.

      +
    • +
    +
    +
  16. +
+
+
+

If you are not getting any output, you have likely encountered of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the bootstrapProvisioningIp from the bootstrap VM.

    +
  • +
  • +

    The Ironic conductor was not able to power on and configure the nodes to boot with the IPA image.

    +
  • +
  • +

    The machine running the openshift-install binary cannot access the bootstrapProvisioningIp on port 6385.

    +
  • +
+
+
+
+
+

5. Cluster nodes will not PXE boot

+
+
+

When OpenShift Container Platform cluster nodes will not PXE boot, execute the following checks on the cluster nodes that will not PXE boot. This procedure does not apply when installing a OpenShift Container Platform cluster without the provisioning network.

+
+
+
Procedure
+
    +
  1. +

    Check the network connectivity to the provisioning network.

    +
  2. +
  3. +

    Ensure PXE is enabled on the NIC for the provisioning network and PXE is disabled for all other NICs.

    +
  4. +
  5. +

    Verify that the install-config.yaml configuration file has the proper hardware profile and boot MAC address for the NIC connected to the provisioning network. For example:

    +
    +
    Master node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: default          #master node settings
    +
    +
    +
    +
    Worker node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: unknown          #worker node settings
    +
    +
    +
  6. +
+
+
+
+
+

6. The API is not accessible

+
+
+

When the cluster is running and clients cannot access the API, domain name resolution issues might impede access to the API.

+
+
+
Procedure
+
    +
  1. +

    Hostname Resolution: Check the cluster nodes to ensure they have a fully qualified domain name, and not just localhost.localdomain. For example:

    +
    +
    +
    $ hostname
    +
    +
    +
    +

    If a hostname is not set, set the correct hostname. For example:

    +
    +
    +
    +
    $ hostnamectl set-hostname <hostname>
    +
    +
    +
  2. +
  3. +

    Incorrect Name Resolution: Ensure that each node has the correct name resolution in the DNS server using dig and nslookup. For example:

    +
    +
    +
    $ dig api.<cluster-name>.example.com
    +
    +
    +
    +
    +
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> api.<cluster-name>.example.com
    +;; global options: +cmd
    +;; Got answer:
    +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37551
    +;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    +
    +;; OPT PSEUDOSECTION:
    +; EDNS: version: 0, flags:; udp: 4096
    +; COOKIE: 866929d2f8e8563582af23f05ec44203d313e50948d43f60 (good)
    +;; QUESTION SECTION:
    +;api.<cluster-name>.example.com. IN A
    +
    +;; ANSWER SECTION:
    +api.<cluster-name>.example.com. 10800 IN	A 10.19.13.86
    +
    +;; AUTHORITY SECTION:
    +<cluster-name>.example.com. 10800 IN NS	<cluster-name>.example.com.
    +
    +;; ADDITIONAL SECTION:
    +<cluster-name>.example.com. 10800 IN A	10.19.14.247
    +
    +;; Query time: 0 msec
    +;; SERVER: 10.19.14.247#53(10.19.14.247)
    +;; WHEN: Tue May 19 20:30:59 UTC 2020
    +;; MSG SIZE  rcvd: 140
    +
    +
    +
    +

    The output in the foregoing example indicates that the appropriate IP address for the api.<cluster-name>.example.com VIP is 10.19.13.86. This IP address should reside on the baremetal network.

    +
    +
  4. +
+
+
+
+
+

7. Cleaning up previous installations

+
+
+

In the event of a previous failed deployment, remove the artifacts from the failed attempt before attempting to deploy OpenShift Container Platform again.

+
+
+
Procedure
+
    +
  1. +

    Power off all bare metal nodes prior to installing the OpenShift Container Platform cluster:

    +
    +
    +
    $ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  2. +
  3. +

    Remove all old bootstrap resources if any are left over from a previous deployment attempt:

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool $i;
    +  sudo virsh vol-delete $i.ign --pool $i;
    +  sudo virsh pool-destroy $i;
    +  sudo virsh pool-undefine $i;
    +done
    +
    +
    +
  4. +
  5. +

    Remove the following from the clusterconfigs directory to prevent Terraform from failing:

    +
    +
    +
    $ rm -rf ~/clusterconfigs/auth ~/clusterconfigs/terraform* ~/clusterconfigs/tls ~/clusterconfigs/metadata.json
    +
    +
    +
  6. +
+
+
+
+
+

8. Issues with creating the registry

+
+
+

When creating a disconnected registry, you might encounter a "User Not Authorized" error when attempting to mirror the registry. This error might occur if you fail to append the new authentication to the existing pull-secret.txt file.

+
+
+
Procedure
+
    +
  1. +

    Check to ensure authentication is successful:

    +
    +
    +
    [user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.json
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
    + + + + + +
    + + +
    +

    Example output of the variables used to mirror the install images:

    +
    +
    +
    +
    UPSTREAM_REPO=${RELEASE_IMAGE}
    +LOCAL_REG=<registry_FQDN>:<registry_port>
    +LOCAL_REPO='ocp4/openshift4'
    +
    +
    +
    +

    The values of RELEASE_IMAGE and VERSION were set during the Retrieving OpenShift Installer step of the Setting up the environment for an OpenShift installation section.

    +
    +
    +
    +
  2. +
  3. +

    After mirroring the registry, confirm that you can access it in your +disconnected environment:

    +
    +
    +
    $ curl -k -u <user>:<password> https://registry.example.com:<registry-port>/v2/_catalog
    +{"repositories":["<Repo-Name>"]}
    +
    +
    +
  4. +
+
+
+
+
+

9. Miscellaneous issues

+
+
+

9.1. Addressing the runtime network not ready error

+
+

After the deployment of a cluster you might receive the following error:

+
+
+
+
`runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: Missing CNI default network`
+
+
+
+

The Cluster Network Operator is responsible for deploying the networking components in response to a special object created by the installer. It runs very early in the installation process, after the control plane (master) nodes have come up, but before the bootstrap control plane has been torn down. It can be indicative of more subtle installer issues, such as long delays in bringing up control plane (master) nodes or issues with apiserver communication.

+
+
+
Procedure
+
    +
  1. +

    Inspect the pods in the openshift-network-operator namespace:

    +
    +
    +
    $ oc get all -n openshift-network-operator
    +
    +
    +
    +
    +
    NAME                                    READY STATUS            RESTARTS   AGE
    +pod/network-operator-69dfd7b577-bg89v   0/1   ContainerCreating 0          149m
    +
    +
    +
  2. +
  3. +

    On the provisioner node, determine that the network configuration exists:

    +
    +
    +
    $ kubectl get network.config.openshift.io cluster -oyaml
    +
    +
    +
    +
    +
    apiVersion: config.openshift.io/v1
    +kind: Network
    +metadata:
    +  name: cluster
    +spec:
    +  serviceNetwork:
    +  - 172.30.0.0/16
    +  clusterNetwork:
    +  - cidr: 10.128.0.0/14
    +    hostPrefix: 23
    +  networkType: OpenShiftSDN
    +
    +
    +
    +

    If it does not exist, the installer did not create it. To determine why the installer did not create it, execute the following:

    +
    +
    +
    +
    $ openshift-install create manifests
    +
    +
    +
  4. +
  5. +

    Check that the network-operator is running:

    +
    +
    +
    $ kubectl -n openshift-network-operator get pods
    +
    +
    +
  6. +
  7. +

    Retrieve the logs:

    +
    +
    +
    $ kubectl -n openshift-network-operator logs -l "name=network-operator"
    +
    +
    +
    +

    On high availability clusters with three or more control plane (master) nodes, the Operator will perform leader election and all other Operators will sleep. For additional details, see Troubleshooting.

    +
    +
  8. +
+
+
+
+

9.2. Cluster nodes not getting the correct IPv6 address over DHCP

+
+

If the cluster nodes are not getting the correct IPv6 address over DHCP, check the following:

+
+
+
    +
  1. +

    Ensure the reserved IPv6 addresses reside outside the DHCP range.

    +
  2. +
  3. +

    In the IP address reservation on the DHCP server, ensure the reservation specifies the correct DHCP Unique Identifier (DUID). For example:

    +
    +
    +
    # This is a dnsmasq dhcp reservation, 'id:00:03:00:01' is the client id and '18:db:f2:8c:d5:9f' is the MAC Address for the NIC
    +id:00:03:00:01:18:db:f2:8c:d5:9f,openshift-master-1,[2620:52:0:1302::6]
    +
    +
    +
  4. +
  5. +

    Ensure that route announcements are working.

    +
  6. +
  7. +

    Ensure that the DHCP server is listening on the required interfaces serving the IP address ranges.

    +
  8. +
+
+
+
+

9.3. Cluster nodes not getting the correct hostname over DHCP

+
+

During IPv6 deployment, cluster nodes must get their hostname over DHCP. Sometimes the NetworkManager does not assign the hostname immediately. A control plane (master) node might report an error such as:

+
+
+
+
Failed Units: 2
+  NetworkManager-wait-online.service
+  nodeip-configuration.service
+
+
+
+

This error indicates that the cluster node likely booted without first receiving a hostname from the DHCP server, which causes kubelet to boot +with a localhost.localdomain hostname. To address the error, force the node to renew the hostname.

+
+
+
Procedure
+
    +
  1. +

    Retrieve the hostname:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
    +

    If the hostname is localhost, proceed with the following steps.

    +
    +
    + + + + + +
    + + +
    +

    Where X is the master node number.

    +
    +
    +
    +
  2. +
  3. +

    Force the cluster node to renew the DHCP lease:

    +
    +
    +
    [core@master-X ~]$ sudo nmcli con up "<bare-metal-nic>"
    +
    +
    +
    +

    Replace <bare-metal-nic> with the wired connection corresponding to the baremetal network.

    +
    +
  4. +
  5. +

    Check hostname again:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
  6. +
  7. +

    If the hostname is still localhost.localdomain, restart NetworkManager:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart NetworkManager
    +
    +
    +
  8. +
  9. +

    If the hostname is still localhost.localdomain, wait a few minutes and check again. If the hostname remains localhost.localdomain, repeat the previous steps.

    +
  10. +
  11. +

    Restart the nodeip-configuration service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart nodeip-configuration.service
    +
    +
    +
    +

    This service will reconfigure the kubelet service with the correct hostname references.

    +
    +
  12. +
  13. +

    Reload the unit files definition since the kubelet changed in the previous step:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl daemon-reload
    +
    +
    +
  14. +
  15. +

    Restart the kubelet service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart kubelet.service
    +
    +
    +
  16. +
  17. +

    Ensure kubelet booted with the correct hostname:

    +
    +
    +
    [core@master-X ~]$ sudo journalctl -fu kubelet.service
    +
    +
    +
  18. +
+
+
+

If the cluster node is not getting the correct hostname over DHCP after the cluster is up and running, such as during a reboot, the cluster will have a pending csr. Do not approve a csr, or other issues might arise.

+
+
+
Addressing a csr
+
    +
  1. +

    Get CSRs on the cluster:

    +
    +
    +
    $ oc get csr
    +
    +
    +
  2. +
  3. +

    Verify if a pending csr contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc get csr <pending_csr> -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -text
    +
    +
    +
  4. +
  5. +

    Remove any csr that contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc delete csr <wrong_csr>
    +
    +
    +
  6. +
+
+
+
+

9.4. Routes do not reach endpoints

+
+

During the installation process, it is possible to encounter a Virtual Router Redundancy Protocol (VRRP) conflict. This conflict might occur if a previously used OpenShift Container Platform node that was once part of a cluster deployment using a specific cluster name is still running but not part of the current OpenShift Container Platform cluster deployment using that same cluster name. For example, a cluster was deployed using the cluster name openshift, deploying three control plane (master) nodes and three worker nodes. Later, a separate install uses the same cluster name openshift, but this redeployment only installed three control plane (master) nodes, leaving the three worker nodes from a previous deployment in an ON state. This might cause a Virtual Router Identifier (VRID) conflict and a VRRP conflict.

+
+
+
    +
  1. +

    Get the route:

    +
    +
    +
    $ oc get route oauth-openshift
    +
    +
    +
  2. +
  3. +

    Check the service endpoint:

    +
    +
    +
    $ oc get svc oauth-openshift
    +
    +
    +
    +
    +
    NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
    +oauth-openshift   ClusterIP   172.30.19.162   <none>        443/TCP   59m
    +
    +
    +
  4. +
  5. +

    Attempt to reach the service from a control plane (master) node:

    +
    +
    +
    [core@master0 ~]$ curl -k https://172.30.19.162
    +
    +
    +
    +
    +
    {
    +  "kind": "Status",
    +  "apiVersion": "v1",
    +  "metadata": {
    +  },
    +  "status": "Failure",
    +  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
    +  "reason": "Forbidden",
    +  "details": {
    +  },
    +  "code": 403
    +
    +
    +
  6. +
  7. +

    Identify the authentication-operator errors from the provisioner node:

    +
    +
    +
    $ oc logs deployment/authentication-operator -n openshift-authentication-operator
    +
    +
    +
    +
    +
    Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-authentication-operator", Name:"authentication-operator", UID:"225c5bd5-b368-439b-9155-5fd3c0459d98", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'OperatorStatusChanged' Status for clusteroperator/authentication changed: Degraded message changed from "IngressStateEndpointsDegraded: All 2 endpoints for oauth-server are reporting"
    +
    +
    +
  8. +
+
+
+
Solution
+
    +
  1. +

    Ensure that the cluster name for every deployment is unique, ensuring no conflict.

    +
  2. +
  3. +

    Turn off all the rogue nodes which are not part of the cluster deployment that are using the same cluster name. Otherwise, the authentication pod of the OpenShift Container Platform cluster might never start successfully.

    +
  4. +
+
+
+
+

9.5. Failed Ignition during Firstboot

+
+

During the Firstboot, the Ignition configuration may fail.

+
+
+
Procedure
+
    +
  1. +

    Connect to the node where the Ignition configuration failed:

    +
    +
    +
    Failed Units: 1
    +  machine-config-daemon-firstboot.service
    +
    +
    +
  2. +
  3. +

    Restart the machine-config-daemon-firstboot service:

    +
    +
    +
    [core@worker-X ~]$ sudo systemctl restart machine-config-daemon-firstboot.service
    +
    +
    +
  4. +
+
+
+
+

9.6. NTP out of sync

+
+

The deployment of OpenShift Container Platform clusters depends on NTP synchronized clocks among the cluster nodes. Without synchronized clocks, the deployment may fail due to clock drift if the time difference is greater than two seconds.

+
+
+
Procedure
+
    +
  1. +

    Check for differences in the AGE of the cluster nodes. For example:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                         STATUS   ROLES    AGE   VERSION
    +master-0.cloud.example.com   Ready    master   145m   v1.16.2
    +master-1.cloud.example.com   Ready    master   135m   v1.16.2
    +master-2.cloud.example.com   Ready    master   145m   v1.16.2
    +worker-2.cloud.example.com   Ready    worker   100m   v1.16.2
    +
    +
    +
  2. +
  3. +

    Check for inconsistent timing delays due to clock drift. For example:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    +
    master-1   error registering master-1  ipmi://<out-of-band-ip>
    +
    +
    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 18:20:02 UTC
    +           Universal time: Tue 2020-03-10 18:20:02 UTC
    +                 RTC time: Tue 2020-03-10 18:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: no
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
  4. +
+
+
+
Addressing clock drift in existing clusters
+
    +
  1. +

    Create a chrony.conf file and encode it as base64 string. For example:

    +
    +
    +
    $ cat << EOF | base 64
    +server <NTP-server> iburst(1)
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +EOF
    +
    +
    +
    + + + + + +
    1Replace <NTP-server> with the IP address of the NTP server. Copy the output. +
    +
    +
    [text-in-base-64]
    +
    +
    +
    +
  2. +
  3. +

    Create a MachineConfig object, replacing the base64 string with +the [text-in-base-64] string generated in the output of the previous step. The following example adds the file to the control plane (master) nodes. You can modify the file for worker nodes or make an additional machine config for the worker role.

    +
    +
    +
    $ cat << EOF > ./99_masters-chrony-configuration.yaml
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  creationTimestamp: null
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf
    +spec:
    +  config:
    +    ignition:
    +      config: {}
    +      security:
    +        tls: {}
    +      timeouts: {}
    +      version: 3.1.0
    +    networkd: {}
    +    passwd: {}
    +    storage:
    +      files:
    +      - contents:
    +          source: data:text/plain;charset=utf-8;base64,[text-in-base-64](1)
    +        group:
    +          name: root
    +        mode: 420
    +        overwrite: true
    +        path: /etc/chrony.conf
    +        user:
    +          name: root
    +  osImageURL: ""
    +
    +
    +
    + + + + + +
    1Replace [text-in-base-64] with the base64 string.
    +
    +
  4. +
  5. +

    Make a backup copy of the configuration file. For example:

    +
    +
    +
    $ cp 99_masters-chrony-configuration.yaml 99_masters-chrony-configuration.yaml.backup
    +
    +
    +
  6. +
  7. +

    Apply the configuration file:

    +
    +
    +
    $ oc apply -f ./masters-chrony-configuration.yaml
    +
    +
    +
  8. +
  9. +

    Ensure the System clock synchronized value is yes:

    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 19:10:02 UTC
    +           Universal time: Tue 2020-03-10 19:10:02 UTC
    +                 RTC time: Tue 2020-03-10 19:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: yes
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
    +

    To setup clock synchronization prior to deployment, generate the manifest files and add this file to the openshift directory. For example:

    +
    +
    +
    +
    $ cp chrony-masters.yaml ~/clusterconfigs/openshift/99_masters-chrony-configuration.yaml
    +
    +
    +
    +

    Then, continue to create the cluster.

    +
    +
  10. +
+
+
+
+
+
+

10. Reviewing the installation

+
+
+

After installation, ensure the installer deployed the nodes and pods successfully.

+
+
+
Procedure
+
    +
  1. +

    When the OpenShift Container Platform cluster nodes are installed appropriately, the following Ready state is seen within the STATUS column:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                   STATUS   ROLES           AGE  VERSION
    +master-0.example.com   Ready    master,worker   4h   v1.16.2
    +master-1.example.com   Ready    master,worker   4h   v1.16.2
    +master-2.example.com   Ready    master,worker   4h   v1.16.2
    +
    +
    +
  2. +
  3. +

    Confirm the installer deployed all pods successfully. The following command +removes any pods that are still running or have completed as part of the output.

    +
    +
    +
    $ oc get pods --all-namespaces | grep -iv running | grep -iv complete
    +
    +
    +
  4. +
+
+
+
+
+ + + \ No newline at end of file diff --git a/4.9/Troubleshooting.pdf b/4.9/Troubleshooting.pdf new file mode 100644 index 0000000000..0d6401007b Binary files /dev/null and b/4.9/Troubleshooting.pdf differ diff --git a/assets/css/style.css b/assets/css/style.css new file mode 100644 index 0000000000..f874292354 --- /dev/null +++ b/assets/css/style.css @@ -0,0 +1,300 @@ +@font-face { font-family: 'Noto Sans'; font-weight: 400; font-style: normal; src: url("../fonts/Noto-Sans-regular/Noto-Sans-regular.eot"); src: url("../fonts/Noto-Sans-regular/Noto-Sans-regular.eot?#iefix") format("embedded-opentype"), local("Noto Sans"), local("Noto-Sans-regular"), url("../fonts/Noto-Sans-regular/Noto-Sans-regular.woff2") format("woff2"), url("../fonts/Noto-Sans-regular/Noto-Sans-regular.woff") format("woff"), url("../fonts/Noto-Sans-regular/Noto-Sans-regular.ttf") format("truetype"), url("../fonts/Noto-Sans-regular/Noto-Sans-regular.svg#NotoSans") format("svg"); } + +@font-face { font-family: 'Noto Sans'; font-weight: 700; font-style: normal; src: url("../fonts/Noto-Sans-700/Noto-Sans-700.eot"); src: url("../fonts/Noto-Sans-700/Noto-Sans-700.eot?#iefix") format("embedded-opentype"), local("Noto Sans Bold"), local("Noto-Sans-700"), url("../fonts/Noto-Sans-700/Noto-Sans-700.woff2") format("woff2"), url("../fonts/Noto-Sans-700/Noto-Sans-700.woff") format("woff"), url("../fonts/Noto-Sans-700/Noto-Sans-700.ttf") format("truetype"), url("../fonts/Noto-Sans-700/Noto-Sans-700.svg#NotoSans") format("svg"); } + +@font-face { font-family: 'Noto Sans'; font-weight: 400; font-style: italic; src: url("../fonts/Noto-Sans-italic/Noto-Sans-italic.eot"); src: url("../fonts/Noto-Sans-italic/Noto-Sans-italic.eot?#iefix") format("embedded-opentype"), local("Noto Sans Italic"), local("Noto-Sans-italic"), url("../fonts/Noto-Sans-italic/Noto-Sans-italic.woff2") format("woff2"), url("../fonts/Noto-Sans-italic/Noto-Sans-italic.woff") format("woff"), url("../fonts/Noto-Sans-italic/Noto-Sans-italic.ttf") format("truetype"), url("../fonts/Noto-Sans-italic/Noto-Sans-italic.svg#NotoSans") format("svg"); } + +@font-face { font-family: 'Noto Sans'; font-weight: 700; font-style: italic; src: url("../fonts/Noto-Sans-700italic/Noto-Sans-700italic.eot"); src: url("../fonts/Noto-Sans-700italic/Noto-Sans-700italic.eot?#iefix") format("embedded-opentype"), local("Noto Sans Bold Italic"), local("Noto-Sans-700italic"), url("../fonts/Noto-Sans-700italic/Noto-Sans-700italic.woff2") format("woff2"), url("../fonts/Noto-Sans-700italic/Noto-Sans-700italic.woff") format("woff"), url("../fonts/Noto-Sans-700italic/Noto-Sans-700italic.ttf") format("truetype"), url("../fonts/Noto-Sans-700italic/Noto-Sans-700italic.svg#NotoSans") format("svg"); } + +.highlight table td { padding: 5px; } + +.highlight table pre { margin: 0; } + +.highlight .cm { color: #999988; font-style: italic; } + +.highlight .cp { color: #999999; font-weight: bold; } + +.highlight .c1 { color: #999988; font-style: italic; } + +.highlight .cs { color: #999999; font-weight: bold; font-style: italic; } + +.highlight .c, .highlight .cd { color: #999988; font-style: italic; } + +.highlight .err { color: #a61717; background-color: #e3d2d2; } + +.highlight .gd { color: #000000; background-color: #ffdddd; } + +.highlight .ge { color: #000000; font-style: italic; } + +.highlight .gr { color: #aa0000; } + +.highlight .gh { color: #999999; } + +.highlight .gi { color: #000000; background-color: #ddffdd; } + +.highlight .go { color: #888888; } + +.highlight .gp { color: #555555; } + +.highlight .gs { font-weight: bold; } + +.highlight .gu { color: #aaaaaa; } + +.highlight .gt { color: #aa0000; } + +.highlight .kc { color: #000000; font-weight: bold; } + +.highlight .kd { color: #000000; font-weight: bold; } + +.highlight .kn { color: #000000; font-weight: bold; } + +.highlight .kp { color: #000000; font-weight: bold; } + +.highlight .kr { color: #000000; font-weight: bold; } + +.highlight .kt { color: #445588; font-weight: bold; } + +.highlight .k, .highlight .kv { color: #000000; font-weight: bold; } + +.highlight .mf { color: #009999; } + +.highlight .mh { color: #009999; } + +.highlight .il { color: #009999; } + +.highlight .mi { color: #009999; } + +.highlight .mo { color: #009999; } + +.highlight .m, .highlight .mb, .highlight .mx { color: #009999; } + +.highlight .sb { color: #d14; } + +.highlight .sc { color: #d14; } + +.highlight .sd { color: #d14; } + +.highlight .s2 { color: #d14; } + +.highlight .se { color: #d14; } + +.highlight .sh { color: #d14; } + +.highlight .si { color: #d14; } + +.highlight .sx { color: #d14; } + +.highlight .sr { color: #009926; } + +.highlight .s1 { color: #d14; } + +.highlight .ss { color: #990073; } + +.highlight .s { color: #d14; } + +.highlight .na { color: #008080; } + +.highlight .bp { color: #999999; } + +.highlight .nb { color: #0086B3; } + +.highlight .nc { color: #445588; font-weight: bold; } + +.highlight .no { color: #008080; } + +.highlight .nd { color: #3c5d5d; font-weight: bold; } + +.highlight .ni { color: #800080; } + +.highlight .ne { color: #990000; font-weight: bold; } + +.highlight .nf { color: #990000; font-weight: bold; } + +.highlight .nl { color: #990000; font-weight: bold; } + +.highlight .nn { color: #555555; } + +.highlight .nt { color: #000080; } + +.highlight .vc { color: #008080; } + +.highlight .vg { color: #008080; } + +.highlight .vi { color: #008080; } + +.highlight .nv { color: #008080; } + +.highlight .ow { color: #000000; font-weight: bold; } + +.highlight .o { color: #000000; font-weight: bold; } + +.highlight .w { color: #bbbbbb; } + +.highlight { background-color: #f8f8f8; } + +body { background-color: #fff; padding: 50px; font: 14px/1.5 "Noto Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; color: #727272; font-weight: 400; } + +h1, h2, h3, h4, h5, h6 { color: #222; margin: 0 0 20px; } + +p, ul, ol, table, pre, dl { margin: 0 0 20px; } + +h1, h2, h3 { line-height: 1.1; } + +h1 { font-size: 28px; } + +h2 { color: #393939; } + +h3, h4, h5, h6 { color: #494949; } + +a { color: #267CB9; text-decoration: none; } + +a:hover, a:focus { color: #069; font-weight: bold; } + +a small { font-size: 11px; color: #777; margin-top: -0.3em; display: block; } + +a:hover small { color: #777; } + +.wrapper { width: 860px; margin: 0 auto; } + +blockquote { border-left: 1px solid #e5e5e5; margin: 0; padding: 0 0 0 20px; font-style: italic; } + +code, pre { font-family: Monaco, Bitstream Vera Sans Mono, Lucida Console, Terminal, Consolas, Liberation Mono, DejaVu Sans Mono, Courier New, monospace; color: #333; } + +pre { padding: 8px 15px; background: #f8f8f8; border-radius: 5px; border: 1px solid #e5e5e5; overflow-x: auto; } + +table { width: 100%; border-collapse: collapse; } + +th, td { text-align: left; padding: 5px 10px; border-bottom: 1px solid #e5e5e5; } + +dt { color: #444; font-weight: 700; } + +th { color: #444; } + +img { max-width: 100%; } + +header { width: 270px; float: left; position: fixed; -webkit-font-smoothing: subpixel-antialiased; } + +ul.downloads { list-style: none; height: 40px; padding: 0; background: #f4f4f4; border-radius: 5px; border: 1px solid #e0e0e0; width: 270px; } + +.downloads li { width: 89px; float: left; border-right: 1px solid #e0e0e0; height: 40px; } + +.downloads li:first-child a { border-radius: 5px 0 0 5px; } + +.downloads li:last-child a { border-radius: 0 5px 5px 0; } + +.downloads a { line-height: 1; font-size: 11px; color: #676767; display: block; text-align: center; padding-top: 6px; height: 34px; } + +.downloads a:hover, .downloads a:focus { color: #675C5C; font-weight: bold; } + +.downloads ul a:active { background-color: #f0f0f0; } + +strong { color: #222; font-weight: 700; } + +.downloads li + li + li { border-right: none; width: 89px; } + +.downloads a strong { font-size: 14px; display: block; color: #222; } + +section { width: 500px; float: right; padding-bottom: 50px; } + +small { font-size: 11px; } + +hr { border: 0; background: #e5e5e5; height: 1px; margin: 0 0 20px; } + +footer { width: 270px; float: left; position: fixed; bottom: 50px; -webkit-font-smoothing: subpixel-antialiased; } + +@media print, screen and (max-width: 960px) { div.wrapper { width: auto; margin: 0; } header, section, footer { float: none; position: static; width: auto; } header { padding-right: 320px; } section { border: 1px solid #e5e5e5; border-width: 1px 0; padding: 20px 0; margin: 0 0 20px; } header a small { display: inline; } header ul { position: absolute; right: 50px; top: 52px; } } + +@media print, screen and (max-width: 720px) { body { word-wrap: break-word; } header { padding: 0; } header ul, header p.view { position: static; } pre, code { word-wrap: normal; } } + +@media print, screen and (max-width: 480px) { body { padding: 15px; } .downloads { width: 99%; } .downloads li, .downloads li + li + li { width: 33%; } } + +@media print { body { padding: 0.4in; font-size: 12pt; color: #444; } } + +.premonition { display: grid; grid-template-columns: 43px auto; padding-top: 13px; padding-bottom: 13px; margin: 30px 0 30px 0; background-color: #e3edf2; border-left: 4px solid #5bc0de; color: #5bc0de; /* Autogenerated code */ /* End of Autogenerated code */ } + +.premonition code { background-color: #fff; color: #5bc0de; } + +.premonition .header { font-weight: 500; font-size: 1.1rem; color: #5bc0de; padding-bottom: 6px; } + +.premonition .content { color: rgba(0, 0, 0, 0.5); padding-left: 20px; padding-right: 40px; } + +.premonition p { margin-top: 0; margin-bottom: 0; } + +.premonition.info { background-color: #f3f8f3; color: #50af51; border-color: #50af51; } + +.premonition.info a { color: #50af51; text-decoration: underline; } + +.premonition.info code { color: #50af51; } + +.premonition.info .header { color: #50af51; } + +.premonition.warning { background-color: #fcf8f2; color: #f0ad4e; border-color: #f0ad4e; } + +.premonition.warning a { color: #f0ad4e; text-decoration: underline; } + +.premonition.warning code { color: #f0ad4e; } + +.premonition.warning .header { color: #f0ad4e; } + +.premonition.error { background-color: #fdf7f7; color: #d9534f; border-color: #d9534f; } + +.premonition.error a { color: #d9534f; text-decoration: underline; } + +.premonition.error code { color: #d9534f; } + +.premonition.error .header { color: #d9534f; } + +.premonition.citation { background-color: #f8f9fa; color: #495057; border-color: #495057; } + +.premonition.citation a { color: #495057; text-decoration: underline; } + +.premonition.citation code { color: #495057; } + +.premonition.citation .header { color: #495057; } + +.premonition.citation blockquote { border-left: 0; } + +.premonition .fa, .premonition .fas, .premonition .far, .premonition .fal, .premonition .fab { font-size: 28px; opacity: 0.3; padding-top: 2px; padding-left: 20px; } + +.premonition > svg { opacity: 0.6; margin-top: 0.36rem; margin-left: 0.7rem; } + +.premonition.pn-note { border: 0; margin: 3px 0 0 14px; background-repeat: no-repeat; background-color: transparent; background-image: url("data:image/svg+xml,%3C%3Fxml version='1.0' encoding='UTF-8'%3F%3E%3Csvg width='165px' height='165px' viewBox='0 0 165 165' version='1.1' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Cg id='Page-1' stroke='none' stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cpath d='M40,0.5 C18.1847524,0.5 0.5,18.1847524 0.5,40 L0.5,125 C0.5,146.815248 18.1847524,164.5 40,164.5 L125,164.5 C146.815248,164.5 164.5,146.815248 164.5,125 L164.5,40 C164.5,18.1847524 146.815248,0.5 125,0.5 L40,0.5 Z M73.9421225,101.035652 C105.680247,64.0622419 122.973943,44.3076275 125.890221,41.6952841 C129.340278,37.6445263 135.770506,37.5263132 140.538208,40.8455453 C145.631474,44.3914319 146.755991,50.3287958 142.263833,56.0881327 C114.758351,89.0776641 89.30795,118.028061 81.5674939,125.633994 C76.464822,130.398827 70.5909248,130.398827 66.4355344,125.58961 C62.9024905,121.371642 58.9333122,116.710237 54.3854087,111.427565 C53.8350288,110.788264 53.2758998,110.139548 52.706934,109.480131 C49.8512069,106.170414 46.9143172,102.783286 43.1506474,98.4546038 C43.1657573,98.4719821 36.1709078,90.431646 34.3564576,88.341891 C27.8799723,80.882735 24.2336656,76.6160672 22.1013335,73.9633891 L22.095737,73.9562966 C15.4200148,65.3371074 30.5778334,52.1721209 38.5786063,60.512576 C48.9690719,71.5242952 60.7566779,85.0318321 73.9420929,101.035687 Z' id='Note' stroke='%23979797' fill='%235bc0de'%3E%3C/path%3E%3C/g%3E%3C/svg%3E"); background-size: 28px 28px; width: 28px; height: 28px; opacity: 0.3; } + +.premonition.pn-info { border: 0; margin: 3px 0 0 14px; background-repeat: no-repeat; background-color: transparent; background-image: url("data:image/svg+xml,%3C%3Fxml version='1.0' encoding='UTF-8'%3F%3E%3Csvg width='165px' height='165px' viewBox='0 0 165 165' version='1.1' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Cg id='Page-1' stroke='none' stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cpath d='M82.5,165 C36.9365081,165 0,128.063492 0,82.5 C0,36.9365081 36.9365081,0 82.5,0 C128.063492,0 165,36.9365081 165,82.5 C165,128.063492 128.063492,165 82.5,165 Z M71.3481445,44.7539062 C71.3481445,47.7402493 72.400136,50.2853899 74.5041504,52.3894043 C76.6081648,54.4934187 79.1533054,55.5454102 82.1396484,55.5454102 C85.0807439,55.5454102 87.603261,54.4934187 89.7072754,52.3894043 C91.8112898,50.2853899 92.8632812,47.7402493 92.8632812,44.7539062 C92.8632812,41.7675632 91.8112898,39.2224226 89.7072754,37.1184082 C87.603261,35.0143938 85.0807439,33.9624023 82.1396484,33.9624023 C79.1533054,33.9624023 76.6081648,35.0143938 74.5041504,37.1184082 C72.400136,39.2224226 71.3481445,41.7675632 71.3481445,44.7539062 Z M65.2397461,126.674316 L65.2397461,130 L98.3608398,130 L98.3608398,126.674316 C95.8722206,126.176593 94.1754603,125.497888 93.2705078,124.638184 C92.3655554,123.778479 91.9130859,121.83286 91.9130859,118.80127 L91.9130859,65.9975586 L65.2397461,65.9975586 L65.2397461,69.3911133 C68.0450987,69.8888371 69.9228468,70.6467234 70.8730469,71.6647949 C71.8232469,72.6828664 72.2983398,74.5945498 72.2983398,77.3999023 L72.2983398,118.258301 C72.2983398,121.425634 71.6196357,123.620111 70.262207,124.841797 C69.3572546,125.656254 67.6831177,126.267088 65.2397461,126.674316 Z' id='Info' fill='%2350af51'%3E%3C/path%3E%3C/g%3E%3C/svg%3E"); background-size: 28px 28px; width: 28px; height: 28px; opacity: 0.3; } + +.premonition.pn-warn { border: 0; margin: 3px 0 0 14px; background-repeat: no-repeat; background-color: transparent; background-image: url("data:image/svg+xml,%3C%3Fxml version='1.0' encoding='UTF-8'%3F%3E%3Csvg width='165px' height='165px' viewBox='0 0 165 165' version='1.1' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Cg id='Page-1' stroke='none' stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cpath d='M82.5,165 C36.9365081,165 0,128.063492 0,82.5 C0,36.9365081 36.9365081,0 82.5,0 C128.063492,0 165,36.9365081 165,82.5 C165,128.063492 128.063492,165 82.5,165 Z M70.0629883,121.226562 C70.0629883,124.484391 71.2054736,127.255767 73.4904785,129.540771 C75.7754834,131.825776 78.5468587,132.968262 81.8046875,132.968262 C85.0625163,132.968262 87.8338916,131.825776 90.1188965,129.540771 C92.4039014,127.255767 93.5463867,124.484391 93.5463867,121.226562 C93.5463867,117.968734 92.4039014,115.197358 90.1188965,112.912354 C87.8338916,110.627349 85.0625163,109.484863 81.8046875,109.484863 C78.5468587,109.484863 75.7754834,110.627349 73.4904785,112.912354 C71.2054736,115.197358 70.0629883,117.968734 70.0629883,121.226562 Z M70.0629883,49.1474609 C70.0629883,50.8668706 70.4475873,53.2423351 71.2167969,56.2739258 C71.7145207,58.2195735 72.8230708,62.1108107 74.5424805,67.9477539 C75.8999091,72.5177637 76.804848,76.0696488 77.2573242,78.6035156 C77.7098004,81.1373825 78.5921158,87.7886831 79.9042969,98.5576172 L83.9086914,98.5576172 C84.8588915,90.0058166 85.5489074,84.3160135 85.9787598,81.4880371 C86.4086122,78.6600607 87.2117454,75.1194874 88.3881836,70.8662109 C90.3338313,63.8075819 91.6799279,58.7286125 92.4265137,55.6291504 C93.1730994,52.5296883 93.5463867,50.2107824 93.5463867,48.6723633 C93.5463867,43.7856201 92.3586545,40.278982 89.9831543,38.1523438 C87.6076541,36.0257055 84.8815258,34.9624023 81.8046875,34.9624023 C78.637354,34.9624023 75.8886021,36.0370172 73.5583496,38.1862793 C71.2280971,40.3355413 70.0629883,43.989232 70.0629883,49.1474609 Z' id='Warning' fill='%23f0ad4e'%3E%3C/path%3E%3C/g%3E%3C/svg%3E"); background-size: 28px 28px; width: 28px; height: 28px; opacity: 0.3; } + +.premonition.pn-error { border: 0; margin: 3px 0 0 14px; background-repeat: no-repeat; background-color: transparent; background-image: url("data:image/svg+xml,%3C%3Fxml version='1.0' encoding='UTF-8'%3F%3E%3Csvg width='165px' height='165px' viewBox='0 0 165 165' version='1.1' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Cg id='Page-1' stroke='none' stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cpath d='M94.8695048,7.74207645 L163.217029,144.437125 C166.674878,151.352824 163.871738,159.762246 156.956039,163.220096 C155.012063,164.192084 152.86848,164.698115 150.695048,164.698115 L14,164.698115 C6.2680135,164.698115 -4.08562073e-14,158.430102 -4.26325641e-14,150.698115 C-4.26325641e-14,148.524684 0.506031285,146.381101 1.47801933,144.437125 L69.8255435,7.74207645 C73.283393,0.826377491 81.6928155,-1.97676336 88.6085145,1.48108612 C91.3178981,2.83577793 93.514813,5.03269282 94.8695048,7.74207645 Z M70.4105124,130.924678 C70.4105124,134.182506 71.5529978,136.953882 73.8380027,139.238887 C76.1230076,141.523892 78.8943829,142.666377 82.1522117,142.666377 C85.4100404,142.666377 88.1814157,141.523892 90.4664206,139.238887 C92.7514256,136.953882 93.8939109,134.182506 93.8939109,130.924678 C93.8939109,127.666849 92.7514256,124.895474 90.4664206,122.610469 C88.1814157,120.325464 85.4100404,119.182978 82.1522117,119.182978 C78.8943829,119.182978 76.1230076,120.325464 73.8380027,122.610469 C71.5529978,124.895474 70.4105124,127.666849 70.4105124,130.924678 Z M70.4105124,58.845576 C70.4105124,60.5649857 70.7951115,62.9404502 71.564321,65.9720409 C72.0620449,67.9176886 73.170595,71.8089258 74.8900046,77.645869 C76.2474333,82.2158788 77.1523722,85.7677639 77.6048484,88.3016307 C78.0573246,90.8354976 78.93964,97.4867982 80.251821,108.255732 L84.2562156,108.255732 C85.2064156,99.7039317 85.8964315,94.0141286 86.3262839,91.1861522 C86.7561363,88.3581758 87.5592696,84.8176025 88.7357078,80.564326 C90.6813555,73.505697 92.0274521,68.4267276 92.7740378,65.3272655 C93.5206236,62.2278034 93.8939109,59.9088975 93.8939109,58.3704784 C93.8939109,53.4837352 92.7061786,49.9770971 90.3306785,47.8504589 C87.9551783,45.7238206 85.22905,44.6605175 82.1522117,44.6605175 C78.9848781,44.6605175 76.2361263,45.7351324 73.9058738,47.8843944 C71.5756212,50.0336565 70.4105124,53.6873471 70.4105124,58.845576 Z' id='Error' fill='%23d9534f'%3E%3C/path%3E%3C/g%3E%3C/svg%3E"); background-size: 28px 28px; width: 28px; height: 28px; opacity: 0.3; } + +.premonition.pn-quote { border: 0; margin: 3px 0 0 14px; background-repeat: no-repeat; background-color: transparent; background-image: url("data:image/svg+xml,%3C%3Fxml version='1.0' encoding='UTF-8'%3F%3E%3Csvg width='165px' height='165px' viewBox='0 0 165 165' version='1.1' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Cg id='Page-1' stroke='none' stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cpath d='M104.546838,164.525333 C97.1871585,164.350607 90.6368822,160.915227 90.6512001,150.013018 C90.4479076,131.842639 90.4697154,98.303237 90.6512001,49.7828789 C91.9844555,2.36817118 138.064959,0.504907944 148.576644,0.0692731383 C152.479575,0.302510658 153.780675,2.21617827 154.578947,4.17356105 C155.831948,9.88458567 155.831948,17.6357453 154.578947,27.4270401 C153.93686,32.7057192 151.936092,35.3224781 148.576644,35.2773166 C143.472082,35.2236794 151.862467,35.2263624 140.927765,35.2773166 C128.559674,35.7091823 122.660334,39.3672244 122.615074,56.9085817 C122.635604,63.1213926 122.635604,71.5842998 122.615074,82.2973033 C138.48496,82.4101196 149.139584,82.4488979 154.578947,82.4136382 C159.435737,82.5353733 163.923774,84.3352392 164.565789,96.288498 C164.874062,119.857257 164.829662,136.387115 164.782895,150.013018 C164.664253,157.17723 161.233392,164.356416 151.753558,164.525333 C127.51005,164.615729 113.455097,164.525333 104.546838,164.525333 Z M14.0400451,164.45606 C6.68036548,164.281334 0.130089247,160.845954 0.144407166,149.943745 C-0.058885353,131.773366 -0.0370775896,98.2339638 0.144407166,49.7136058 C1.47766255,2.29889804 47.5581663,0.435634806 58.0698511,-9.9475983e-14 C61.9727821,0.233237519 63.2738816,2.14690514 64.0721544,4.10428791 C65.3251551,9.81531253 65.3251551,17.5664722 64.0721544,27.3577669 C63.4300669,32.6364461 61.4292991,35.2532049 58.0698511,35.2080434 C52.9652887,35.1544062 61.3556736,35.1570892 50.4209719,35.2080434 C38.0528815,35.6399092 32.153541,39.2979513 32.1082808,56.8393085 C32.1288111,63.0521194 32.1288111,71.5150266 32.1082808,82.2280302 C47.9781667,82.3408464 58.6327912,82.3796247 64.0721544,82.3443651 C68.9289443,82.4661002 73.4169814,84.265966 74.0589965,96.2192249 C74.367269,119.787984 74.3228688,136.317842 74.2761018,149.943745 C74.1574604,157.107957 70.7265987,164.287143 61.2467647,164.45606 C37.0032571,164.546456 22.9483044,164.45606 14.0400451,164.45606 Z' id='Quote' fill='%23495057'%3E%3C/path%3E%3C/g%3E%3C/svg%3E"); background-size: 28px 28px; width: 28px; height: 28px; opacity: 0.3; } + +.premonition.pn-square { border: 0; margin: 3px 0 0 14px; background-repeat: no-repeat; background-color: transparent; background-image: url("data:image/svg+xml,%3C%3Fxml version='1.0' encoding='UTF-8'%3F%3E%3Csvg width='165px' height='165px' viewBox='0 0 165 165' version='1.1' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Cg id='Page-1' stroke='none' stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cpath d='M82.5,165 C36.9365081,165 0,128.063492 0,82.5 C0,36.9365081 36.9365081,0 82.5,0 C128.063492,0 165,36.9365081 165,82.5 C165,128.063492 128.063492,165 82.5,165 Z M115.5,99 C124.612698,99 132,91.3888407 132,82 C132,72.6111593 124.612698,65 115.5,65 C106.387302,65 99,72.6111593 99,82 C99,91.3888407 106.387302,99 115.5,99 Z M49.5,99 C58.6126984,99 66,91.3888407 66,82 C66,72.6111593 58.6126984,65 49.5,65 C40.3873016,65 33,72.6111593 33,82 C33,91.3888407 40.3873016,99 49.5,99 Z M66,114 L66,129 L99,129 L99,114 L66,114 Z' id='Default' fill='%235bc0de'%3E%3C/path%3E%3C/g%3E%3C/svg%3E"); background-size: 28px 28px; width: 28px; height: 28px; opacity: 0.3; } + +/*----- Menu Outline -----*/ +.menu-wrap { box-shadow: 0px 1px 3px rgba(0, 0, 0, 0.2); background: #a7898f; } + +.menu { margin: 0px auto; } + +.menu li { margin: 0px; list-style: none; } + +.menu a { transition: all linear 0.15s; color: #919191; } + +.menu li:hover > a, .menu .current-item > a { text-decoration: none; color: #be5b70; } + +.menu .arrow { font-size: 11px; } + +/*----- Top Level -----*/ +.menu > ul > li { float: left; position: relative; } + +.menu > ul > li:hover > a, .menu > ul > .current-item > a { background: #ec9ca8; } + +/*----- Bottom Level -----*/ +.menu li:hover .sub-menu { z-index: 1; opacity: 1; } + +.sub-menu { width: 160%; padding: 0px 0px; position: absolute; top: 100%; left: 0px; z-index: -1; opacity: 0; transition: opacity linear 0.15s; box-shadow: 0px 2px 3px rgba(0, 0, 0, 0.2); background: #d1ddfc; } + +.sub-menu li { display: block; } + +.sub-menu li a { padding: 10px 10px; display: block; } + +/*# sourceMappingURL=style.css.map */ \ No newline at end of file diff --git a/assets/css/style.css.map b/assets/css/style.css.map new file mode 100644 index 0000000000..402a349b8f --- /dev/null +++ b/assets/css/style.css.map @@ -0,0 +1,22 @@ +{ + "version": 3, + "file": "style.css", + "sources": [ + "style.scss", + "_sass/jekyll-theme-minimal.scss", + "_sass/fonts.scss", + "_sass/rouge-github.scss", + "_sass/premonition.scss", + "_sass/menu.scss" + ], + "sourcesContent": [ + "@import \"jekyll-theme-minimal\";\n@import \"premonition\";\n@import \"menu\";\n", + "@import \"fonts\";\n@import \"rouge-github\";\n\nbody {\n background-color: #fff;\n padding:50px;\n font: 14px/1.5 \"Noto Sans\", \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n color:#727272;\n font-weight:400;\n}\n\nh1, h2, h3, h4, h5, h6 {\n color:#222;\n margin:0 0 20px;\n}\n\np, ul, ol, table, pre, dl {\n margin:0 0 20px;\n}\n\nh1, h2, h3 {\n line-height:1.1;\n}\n\nh1 {\n font-size:28px;\n}\n\nh2 {\n color:#393939;\n}\n\nh3, h4, h5, h6 {\n color:#494949;\n}\n\na {\n color:#267CB9;\n text-decoration:none;\n}\n\na:hover, a:focus {\n color:#069;\n font-weight: bold;\n}\n\na small {\n font-size:11px;\n color:#777;\n margin-top:-0.3em;\n display:block;\n}\n\na:hover small {\n color:#777;\n}\n\n.wrapper {\n width:860px;\n margin:0 auto;\n}\n\nblockquote {\n border-left:1px solid #e5e5e5;\n margin:0;\n padding:0 0 0 20px;\n font-style:italic;\n}\n\ncode, pre {\n font-family:Monaco, Bitstream Vera Sans Mono, Lucida Console, Terminal, Consolas, Liberation Mono, DejaVu Sans Mono, Courier New, monospace;\n color:#333;\n}\n\npre {\n padding:8px 15px;\n background: #f8f8f8;\n border-radius:5px;\n border:1px solid #e5e5e5;\n overflow-x: auto;\n}\n\ntable {\n width:100%;\n border-collapse:collapse;\n}\n\nth, td {\n text-align:left;\n padding:5px 10px;\n border-bottom:1px solid #e5e5e5;\n}\n\ndt {\n color:#444;\n font-weight:700;\n}\n\nth {\n color:#444;\n}\n\nimg {\n max-width:100%;\n}\n\nheader {\n width:270px;\n float:left;\n position:fixed;\n -webkit-font-smoothing:subpixel-antialiased;\n}\n\nul.downloads {\n list-style:none;\n height:40px;\n padding:0;\n background: #f4f4f4;\n border-radius:5px;\n border:1px solid #e0e0e0;\n width:270px;\n}\n\n.downloads li {\n width:89px;\n float:left;\n border-right:1px solid #e0e0e0;\n height:40px;\n}\n\n.downloads li:first-child a {\n border-radius:5px 0 0 5px;\n}\n\n.downloads li:last-child a {\n border-radius:0 5px 5px 0;\n}\n\n.downloads a {\n line-height:1;\n font-size:11px;\n color:#676767;\n display:block;\n text-align:center;\n padding-top:6px;\n height:34px;\n}\n\n.downloads a:hover, .downloads a:focus {\n color:#675C5C;\n font-weight:bold;\n}\n\n.downloads ul a:active {\n background-color:#f0f0f0;\n}\n\nstrong {\n color:#222;\n font-weight:700;\n}\n\n.downloads li + li + li {\n border-right:none;\n width:89px;\n}\n\n.downloads a strong {\n font-size:14px;\n display:block;\n color:#222;\n}\n\nsection {\n width:500px;\n float:right;\n padding-bottom:50px;\n}\n\nsmall {\n font-size:11px;\n}\n\nhr {\n border:0;\n background:#e5e5e5;\n height:1px;\n margin:0 0 20px;\n}\n\nfooter {\n width:270px;\n float:left;\n position:fixed;\n bottom:50px;\n -webkit-font-smoothing:subpixel-antialiased;\n}\n\n@media print, screen and (max-width: 960px) {\n\n div.wrapper {\n width:auto;\n margin:0;\n }\n\n header, section, footer {\n float:none;\n position:static;\n width:auto;\n }\n\n header {\n padding-right:320px;\n }\n\n section {\n border:1px solid #e5e5e5;\n border-width:1px 0;\n padding:20px 0;\n margin:0 0 20px;\n }\n\n header a small {\n display:inline;\n }\n\n header ul {\n position:absolute;\n right:50px;\n top:52px;\n }\n}\n\n@media print, screen and (max-width: 720px) {\n body {\n word-wrap:break-word;\n }\n\n header {\n padding:0;\n }\n\n header ul, header p.view {\n position:static;\n }\n\n pre, code {\n word-wrap:normal;\n }\n}\n\n@media print, screen and (max-width: 480px) {\n body {\n padding:15px;\n }\n\n .downloads {\n width:99%;\n }\n\n .downloads li, .downloads li + li + li {\n width:33%;\n }\n}\n\n@media print {\n body {\n padding:0.4in;\n font-size:12pt;\n color:#444;\n }\n}\n", + "@font-face {\n font-family: 'Noto Sans';\n font-weight: 400;\n font-style: normal;\n src: url('../fonts/Noto-Sans-regular/Noto-Sans-regular.eot');\n src: url('../fonts/Noto-Sans-regular/Noto-Sans-regular.eot?#iefix') format('embedded-opentype'),\n local('Noto Sans'),\n local('Noto-Sans-regular'),\n url('../fonts/Noto-Sans-regular/Noto-Sans-regular.woff2') format('woff2'),\n url('../fonts/Noto-Sans-regular/Noto-Sans-regular.woff') format('woff'),\n url('../fonts/Noto-Sans-regular/Noto-Sans-regular.ttf') format('truetype'),\n url('../fonts/Noto-Sans-regular/Noto-Sans-regular.svg#NotoSans') format('svg');\n}\n\n@font-face {\n font-family: 'Noto Sans';\n font-weight: 700;\n font-style: normal;\n src: url('../fonts/Noto-Sans-700/Noto-Sans-700.eot');\n src: url('../fonts/Noto-Sans-700/Noto-Sans-700.eot?#iefix') format('embedded-opentype'),\n local('Noto Sans Bold'),\n local('Noto-Sans-700'),\n url('../fonts/Noto-Sans-700/Noto-Sans-700.woff2') format('woff2'),\n url('../fonts/Noto-Sans-700/Noto-Sans-700.woff') format('woff'),\n url('../fonts/Noto-Sans-700/Noto-Sans-700.ttf') format('truetype'),\n url('../fonts/Noto-Sans-700/Noto-Sans-700.svg#NotoSans') format('svg');\n}\n\n@font-face {\n font-family: 'Noto Sans';\n font-weight: 400;\n font-style: italic;\n src: url('../fonts/Noto-Sans-italic/Noto-Sans-italic.eot');\n src: url('../fonts/Noto-Sans-italic/Noto-Sans-italic.eot?#iefix') format('embedded-opentype'),\n local('Noto Sans Italic'),\n local('Noto-Sans-italic'),\n url('../fonts/Noto-Sans-italic/Noto-Sans-italic.woff2') format('woff2'),\n url('../fonts/Noto-Sans-italic/Noto-Sans-italic.woff') format('woff'),\n url('../fonts/Noto-Sans-italic/Noto-Sans-italic.ttf') format('truetype'),\n url('../fonts/Noto-Sans-italic/Noto-Sans-italic.svg#NotoSans') format('svg');\n}\n\n@font-face {\n font-family: 'Noto Sans';\n font-weight: 700;\n font-style: italic;\n src: url('../fonts/Noto-Sans-700italic/Noto-Sans-700italic.eot');\n src: url('../fonts/Noto-Sans-700italic/Noto-Sans-700italic.eot?#iefix') format('embedded-opentype'),\n local('Noto Sans Bold Italic'),\n local('Noto-Sans-700italic'),\n url('../fonts/Noto-Sans-700italic/Noto-Sans-700italic.woff2') format('woff2'),\n url('../fonts/Noto-Sans-700italic/Noto-Sans-700italic.woff') format('woff'),\n url('../fonts/Noto-Sans-700italic/Noto-Sans-700italic.ttf') format('truetype'),\n url('../fonts/Noto-Sans-700italic/Noto-Sans-700italic.svg#NotoSans') format('svg');\n}\n", + ".highlight table td { padding: 5px; }\n.highlight table pre { margin: 0; }\n.highlight .cm {\n color: #999988;\n font-style: italic;\n}\n.highlight .cp {\n color: #999999;\n font-weight: bold;\n}\n.highlight .c1 {\n color: #999988;\n font-style: italic;\n}\n.highlight .cs {\n color: #999999;\n font-weight: bold;\n font-style: italic;\n}\n.highlight .c, .highlight .cd {\n color: #999988;\n font-style: italic;\n}\n.highlight .err {\n color: #a61717;\n background-color: #e3d2d2;\n}\n.highlight .gd {\n color: #000000;\n background-color: #ffdddd;\n}\n.highlight .ge {\n color: #000000;\n font-style: italic;\n}\n.highlight .gr {\n color: #aa0000;\n}\n.highlight .gh {\n color: #999999;\n}\n.highlight .gi {\n color: #000000;\n background-color: #ddffdd;\n}\n.highlight .go {\n color: #888888;\n}\n.highlight .gp {\n color: #555555;\n}\n.highlight .gs {\n font-weight: bold;\n}\n.highlight .gu {\n color: #aaaaaa;\n}\n.highlight .gt {\n color: #aa0000;\n}\n.highlight .kc {\n color: #000000;\n font-weight: bold;\n}\n.highlight .kd {\n color: #000000;\n font-weight: bold;\n}\n.highlight .kn {\n color: #000000;\n font-weight: bold;\n}\n.highlight .kp {\n color: #000000;\n font-weight: bold;\n}\n.highlight .kr {\n color: #000000;\n font-weight: bold;\n}\n.highlight .kt {\n color: #445588;\n font-weight: bold;\n}\n.highlight .k, .highlight .kv {\n color: #000000;\n font-weight: bold;\n}\n.highlight .mf {\n color: #009999;\n}\n.highlight .mh {\n color: #009999;\n}\n.highlight .il {\n color: #009999;\n}\n.highlight .mi {\n color: #009999;\n}\n.highlight .mo {\n color: #009999;\n}\n.highlight .m, .highlight .mb, .highlight .mx {\n color: #009999;\n}\n.highlight .sb {\n color: #d14;\n}\n.highlight .sc {\n color: #d14;\n}\n.highlight .sd {\n color: #d14;\n}\n.highlight .s2 {\n color: #d14;\n}\n.highlight .se {\n color: #d14;\n}\n.highlight .sh {\n color: #d14;\n}\n.highlight .si {\n color: #d14;\n}\n.highlight .sx {\n color: #d14;\n}\n.highlight .sr {\n color: #009926;\n}\n.highlight .s1 {\n color: #d14;\n}\n.highlight .ss {\n color: #990073;\n}\n.highlight .s {\n color: #d14;\n}\n.highlight .na {\n color: #008080;\n}\n.highlight .bp {\n color: #999999;\n}\n.highlight .nb {\n color: #0086B3;\n}\n.highlight .nc {\n color: #445588;\n font-weight: bold;\n}\n.highlight .no {\n color: #008080;\n}\n.highlight .nd {\n color: #3c5d5d;\n font-weight: bold;\n}\n.highlight .ni {\n color: #800080;\n}\n.highlight .ne {\n color: #990000;\n font-weight: bold;\n}\n.highlight .nf {\n color: #990000;\n font-weight: bold;\n}\n.highlight .nl {\n color: #990000;\n font-weight: bold;\n}\n.highlight .nn {\n color: #555555;\n}\n.highlight .nt {\n color: #000080;\n}\n.highlight .vc {\n color: #008080;\n}\n.highlight .vg {\n color: #008080;\n}\n.highlight .vi {\n color: #008080;\n}\n.highlight .nv {\n color: #008080;\n}\n.highlight .ow {\n color: #000000;\n font-weight: bold;\n}\n.highlight .o {\n color: #000000;\n font-weight: bold;\n}\n.highlight .w {\n color: #bbbbbb;\n}\n.highlight {\n background-color: #f8f8f8;\n}\n", + "$default-color: #5bc0de;\n$default-light-color: #e3edf2;\n$info-color: #50af51;\n$info-light-color: #f3f8f3;\n$warning-color: #f0ad4e;\n$warning-light-color: #fcf8f2;\n$error-color: #d9534f;\n$error-light-color: #fdf7f7;\n$content-color: rgba(0, 0, 0, 0.5);\n$citation-color: #495057;\n$citation-light-color: #f8f9fa;\n\n$svg-default-color: \"5bc0de\";\n$svg-info-color: \"50af51\";\n$svg-warning-color: \"f0ad4e\";\n$svg-error-color: \"d9534f\";\n$svg-citation-color: \"495057\";\n\n.premonition {\n display: grid;\n grid-template-columns: 43px auto;\n padding-top: 13px;\n padding-bottom: 13px;\n margin: 30px 0 30px 0;\n background-color: $default-light-color;\n border-left: 4px solid $default-color;\n color: $default-color;\n\n code {\n background-color: #fff;\n color: $default-color;\n }\n\n .header {\n font-weight: 500;\n font-size: 1.1rem;\n color: $default-color;\n padding-bottom: 6px;\n }\n\n .content {\n color: $content-color;\n padding-left: 20px;\n padding-right: 40px;\n }\n\n p {\n margin-top: 0;\n margin-bottom: 0;\n }\n\n @mixin box-type($c, $lc) {\n background-color: $lc;\n color: $c;\n border-color: $c;\n\n a {\n color: $c;\n text-decoration: underline;\n }\n code {\n color: $c;\n }\n .header {\n color: $c;\n }\n }\n\n &.info {\n @include box-type($info-color, $info-light-color);\n }\n &.warning {\n @include box-type($warning-color, $warning-light-color);\n }\n &.error {\n @include box-type($error-color, $error-light-color);\n }\n &.citation {\n @include box-type($citation-color, $citation-light-color);\n\n blockquote {\n border-left: 0;\n }\n }\n\n .fa,\n .fas,\n .far,\n .fal,\n .fab {\n font-size: 28px;\n opacity: 0.3;\n padding-top: 2px;\n padding-left: 20px;\n }\n\n & > svg {\n opacity: 0.6;\n margin-top: 0.36rem;\n margin-left: 0.7rem;\n }\n\n @mixin pn-icon($pre, $color, $post) {\n border: 0;\n margin: 3px 0 0 14px;\n background-repeat: no-repeat;\n background-color: transparent;\n background-image: url($pre + \"%23\" + $color + $post);\n background-size: 28px 28px;\n width: 28px;\n height: 28px;\n opacity: 0.3;\n }\n\n /* Autogenerated code */\n &.pn-note {\n @include pn-icon(\n \"data:image/svg+xml,%3C%3Fxml version='1.0' encoding='UTF-8'%3F%3E%3Csvg width='165px' height='165px' viewBox='0 0 165 165' version='1.1' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Cg id='Page-1' stroke='none' stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cpath d='M40,0.5 C18.1847524,0.5 0.5,18.1847524 0.5,40 L0.5,125 C0.5,146.815248 18.1847524,164.5 40,164.5 L125,164.5 C146.815248,164.5 164.5,146.815248 164.5,125 L164.5,40 C164.5,18.1847524 146.815248,0.5 125,0.5 L40,0.5 Z M73.9421225,101.035652 C105.680247,64.0622419 122.973943,44.3076275 125.890221,41.6952841 C129.340278,37.6445263 135.770506,37.5263132 140.538208,40.8455453 C145.631474,44.3914319 146.755991,50.3287958 142.263833,56.0881327 C114.758351,89.0776641 89.30795,118.028061 81.5674939,125.633994 C76.464822,130.398827 70.5909248,130.398827 66.4355344,125.58961 C62.9024905,121.371642 58.9333122,116.710237 54.3854087,111.427565 C53.8350288,110.788264 53.2758998,110.139548 52.706934,109.480131 C49.8512069,106.170414 46.9143172,102.783286 43.1506474,98.4546038 C43.1657573,98.4719821 36.1709078,90.431646 34.3564576,88.341891 C27.8799723,80.882735 24.2336656,76.6160672 22.1013335,73.9633891 L22.095737,73.9562966 C15.4200148,65.3371074 30.5778334,52.1721209 38.5786063,60.512576 C48.9690719,71.5242952 60.7566779,85.0318321 73.9420929,101.035687 Z' id='Note' stroke='%23979797' fill='\",\n $svg-default-color,\n \"'%3E%3C/path%3E%3C/g%3E%3C/svg%3E\"\n );\n }\n &.pn-info {\n @include pn-icon(\n \"data:image/svg+xml,%3C%3Fxml version='1.0' encoding='UTF-8'%3F%3E%3Csvg width='165px' height='165px' viewBox='0 0 165 165' version='1.1' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Cg id='Page-1' stroke='none' stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cpath d='M82.5,165 C36.9365081,165 0,128.063492 0,82.5 C0,36.9365081 36.9365081,0 82.5,0 C128.063492,0 165,36.9365081 165,82.5 C165,128.063492 128.063492,165 82.5,165 Z M71.3481445,44.7539062 C71.3481445,47.7402493 72.400136,50.2853899 74.5041504,52.3894043 C76.6081648,54.4934187 79.1533054,55.5454102 82.1396484,55.5454102 C85.0807439,55.5454102 87.603261,54.4934187 89.7072754,52.3894043 C91.8112898,50.2853899 92.8632812,47.7402493 92.8632812,44.7539062 C92.8632812,41.7675632 91.8112898,39.2224226 89.7072754,37.1184082 C87.603261,35.0143938 85.0807439,33.9624023 82.1396484,33.9624023 C79.1533054,33.9624023 76.6081648,35.0143938 74.5041504,37.1184082 C72.400136,39.2224226 71.3481445,41.7675632 71.3481445,44.7539062 Z M65.2397461,126.674316 L65.2397461,130 L98.3608398,130 L98.3608398,126.674316 C95.8722206,126.176593 94.1754603,125.497888 93.2705078,124.638184 C92.3655554,123.778479 91.9130859,121.83286 91.9130859,118.80127 L91.9130859,65.9975586 L65.2397461,65.9975586 L65.2397461,69.3911133 C68.0450987,69.8888371 69.9228468,70.6467234 70.8730469,71.6647949 C71.8232469,72.6828664 72.2983398,74.5945498 72.2983398,77.3999023 L72.2983398,118.258301 C72.2983398,121.425634 71.6196357,123.620111 70.262207,124.841797 C69.3572546,125.656254 67.6831177,126.267088 65.2397461,126.674316 Z' id='Info' fill='\",\n $svg-info-color,\n \"'%3E%3C/path%3E%3C/g%3E%3C/svg%3E\"\n );\n }\n &.pn-warn {\n @include pn-icon(\n \"data:image/svg+xml,%3C%3Fxml version='1.0' encoding='UTF-8'%3F%3E%3Csvg width='165px' height='165px' viewBox='0 0 165 165' version='1.1' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Cg id='Page-1' stroke='none' stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cpath d='M82.5,165 C36.9365081,165 0,128.063492 0,82.5 C0,36.9365081 36.9365081,0 82.5,0 C128.063492,0 165,36.9365081 165,82.5 C165,128.063492 128.063492,165 82.5,165 Z M70.0629883,121.226562 C70.0629883,124.484391 71.2054736,127.255767 73.4904785,129.540771 C75.7754834,131.825776 78.5468587,132.968262 81.8046875,132.968262 C85.0625163,132.968262 87.8338916,131.825776 90.1188965,129.540771 C92.4039014,127.255767 93.5463867,124.484391 93.5463867,121.226562 C93.5463867,117.968734 92.4039014,115.197358 90.1188965,112.912354 C87.8338916,110.627349 85.0625163,109.484863 81.8046875,109.484863 C78.5468587,109.484863 75.7754834,110.627349 73.4904785,112.912354 C71.2054736,115.197358 70.0629883,117.968734 70.0629883,121.226562 Z M70.0629883,49.1474609 C70.0629883,50.8668706 70.4475873,53.2423351 71.2167969,56.2739258 C71.7145207,58.2195735 72.8230708,62.1108107 74.5424805,67.9477539 C75.8999091,72.5177637 76.804848,76.0696488 77.2573242,78.6035156 C77.7098004,81.1373825 78.5921158,87.7886831 79.9042969,98.5576172 L83.9086914,98.5576172 C84.8588915,90.0058166 85.5489074,84.3160135 85.9787598,81.4880371 C86.4086122,78.6600607 87.2117454,75.1194874 88.3881836,70.8662109 C90.3338313,63.8075819 91.6799279,58.7286125 92.4265137,55.6291504 C93.1730994,52.5296883 93.5463867,50.2107824 93.5463867,48.6723633 C93.5463867,43.7856201 92.3586545,40.278982 89.9831543,38.1523438 C87.6076541,36.0257055 84.8815258,34.9624023 81.8046875,34.9624023 C78.637354,34.9624023 75.8886021,36.0370172 73.5583496,38.1862793 C71.2280971,40.3355413 70.0629883,43.989232 70.0629883,49.1474609 Z' id='Warning' fill='\",\n $svg-warning-color,\n \"'%3E%3C/path%3E%3C/g%3E%3C/svg%3E\"\n );\n }\n &.pn-error {\n @include pn-icon(\n \"data:image/svg+xml,%3C%3Fxml version='1.0' encoding='UTF-8'%3F%3E%3Csvg width='165px' height='165px' viewBox='0 0 165 165' version='1.1' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Cg id='Page-1' stroke='none' stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cpath d='M94.8695048,7.74207645 L163.217029,144.437125 C166.674878,151.352824 163.871738,159.762246 156.956039,163.220096 C155.012063,164.192084 152.86848,164.698115 150.695048,164.698115 L14,164.698115 C6.2680135,164.698115 -4.08562073e-14,158.430102 -4.26325641e-14,150.698115 C-4.26325641e-14,148.524684 0.506031285,146.381101 1.47801933,144.437125 L69.8255435,7.74207645 C73.283393,0.826377491 81.6928155,-1.97676336 88.6085145,1.48108612 C91.3178981,2.83577793 93.514813,5.03269282 94.8695048,7.74207645 Z M70.4105124,130.924678 C70.4105124,134.182506 71.5529978,136.953882 73.8380027,139.238887 C76.1230076,141.523892 78.8943829,142.666377 82.1522117,142.666377 C85.4100404,142.666377 88.1814157,141.523892 90.4664206,139.238887 C92.7514256,136.953882 93.8939109,134.182506 93.8939109,130.924678 C93.8939109,127.666849 92.7514256,124.895474 90.4664206,122.610469 C88.1814157,120.325464 85.4100404,119.182978 82.1522117,119.182978 C78.8943829,119.182978 76.1230076,120.325464 73.8380027,122.610469 C71.5529978,124.895474 70.4105124,127.666849 70.4105124,130.924678 Z M70.4105124,58.845576 C70.4105124,60.5649857 70.7951115,62.9404502 71.564321,65.9720409 C72.0620449,67.9176886 73.170595,71.8089258 74.8900046,77.645869 C76.2474333,82.2158788 77.1523722,85.7677639 77.6048484,88.3016307 C78.0573246,90.8354976 78.93964,97.4867982 80.251821,108.255732 L84.2562156,108.255732 C85.2064156,99.7039317 85.8964315,94.0141286 86.3262839,91.1861522 C86.7561363,88.3581758 87.5592696,84.8176025 88.7357078,80.564326 C90.6813555,73.505697 92.0274521,68.4267276 92.7740378,65.3272655 C93.5206236,62.2278034 93.8939109,59.9088975 93.8939109,58.3704784 C93.8939109,53.4837352 92.7061786,49.9770971 90.3306785,47.8504589 C87.9551783,45.7238206 85.22905,44.6605175 82.1522117,44.6605175 C78.9848781,44.6605175 76.2361263,45.7351324 73.9058738,47.8843944 C71.5756212,50.0336565 70.4105124,53.6873471 70.4105124,58.845576 Z' id='Error' fill='\",\n $svg-error-color,\n \"'%3E%3C/path%3E%3C/g%3E%3C/svg%3E\"\n );\n }\n &.pn-quote {\n @include pn-icon(\n \"data:image/svg+xml,%3C%3Fxml version='1.0' encoding='UTF-8'%3F%3E%3Csvg width='165px' height='165px' viewBox='0 0 165 165' version='1.1' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Cg id='Page-1' stroke='none' stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cpath d='M104.546838,164.525333 C97.1871585,164.350607 90.6368822,160.915227 90.6512001,150.013018 C90.4479076,131.842639 90.4697154,98.303237 90.6512001,49.7828789 C91.9844555,2.36817118 138.064959,0.504907944 148.576644,0.0692731383 C152.479575,0.302510658 153.780675,2.21617827 154.578947,4.17356105 C155.831948,9.88458567 155.831948,17.6357453 154.578947,27.4270401 C153.93686,32.7057192 151.936092,35.3224781 148.576644,35.2773166 C143.472082,35.2236794 151.862467,35.2263624 140.927765,35.2773166 C128.559674,35.7091823 122.660334,39.3672244 122.615074,56.9085817 C122.635604,63.1213926 122.635604,71.5842998 122.615074,82.2973033 C138.48496,82.4101196 149.139584,82.4488979 154.578947,82.4136382 C159.435737,82.5353733 163.923774,84.3352392 164.565789,96.288498 C164.874062,119.857257 164.829662,136.387115 164.782895,150.013018 C164.664253,157.17723 161.233392,164.356416 151.753558,164.525333 C127.51005,164.615729 113.455097,164.525333 104.546838,164.525333 Z M14.0400451,164.45606 C6.68036548,164.281334 0.130089247,160.845954 0.144407166,149.943745 C-0.058885353,131.773366 -0.0370775896,98.2339638 0.144407166,49.7136058 C1.47766255,2.29889804 47.5581663,0.435634806 58.0698511,-9.9475983e-14 C61.9727821,0.233237519 63.2738816,2.14690514 64.0721544,4.10428791 C65.3251551,9.81531253 65.3251551,17.5664722 64.0721544,27.3577669 C63.4300669,32.6364461 61.4292991,35.2532049 58.0698511,35.2080434 C52.9652887,35.1544062 61.3556736,35.1570892 50.4209719,35.2080434 C38.0528815,35.6399092 32.153541,39.2979513 32.1082808,56.8393085 C32.1288111,63.0521194 32.1288111,71.5150266 32.1082808,82.2280302 C47.9781667,82.3408464 58.6327912,82.3796247 64.0721544,82.3443651 C68.9289443,82.4661002 73.4169814,84.265966 74.0589965,96.2192249 C74.367269,119.787984 74.3228688,136.317842 74.2761018,149.943745 C74.1574604,157.107957 70.7265987,164.287143 61.2467647,164.45606 C37.0032571,164.546456 22.9483044,164.45606 14.0400451,164.45606 Z' id='Quote' fill='\",\n $svg-citation-color,\n \"'%3E%3C/path%3E%3C/g%3E%3C/svg%3E\"\n );\n }\n &.pn-square {\n @include pn-icon(\n \"data:image/svg+xml,%3C%3Fxml version='1.0' encoding='UTF-8'%3F%3E%3Csvg width='165px' height='165px' viewBox='0 0 165 165' version='1.1' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3Cg id='Page-1' stroke='none' stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cpath d='M82.5,165 C36.9365081,165 0,128.063492 0,82.5 C0,36.9365081 36.9365081,0 82.5,0 C128.063492,0 165,36.9365081 165,82.5 C165,128.063492 128.063492,165 82.5,165 Z M115.5,99 C124.612698,99 132,91.3888407 132,82 C132,72.6111593 124.612698,65 115.5,65 C106.387302,65 99,72.6111593 99,82 C99,91.3888407 106.387302,99 115.5,99 Z M49.5,99 C58.6126984,99 66,91.3888407 66,82 C66,72.6111593 58.6126984,65 49.5,65 C40.3873016,65 33,72.6111593 33,82 C33,91.3888407 40.3873016,99 49.5,99 Z M66,114 L66,129 L99,129 L99,114 L66,114 Z' id='Default' fill='\",\n $svg-default-color,\n \"'%3E%3C/path%3E%3C/g%3E%3C/svg%3E\"\n );\n }\n /* End of Autogenerated code */\n}\n", + "/*----- Menu Outline -----*/\n.menu-wrap {\n\n box-shadow: 0px 1px 3px rgba(0, 0, 0, 0.2);\n background: #a7898f;\n}\n\n.menu {\n\n margin: 0px auto;\n}\n\n.menu li {\n margin: 0px;\n list-style: none;\n}\n\n.menu a {\n transition: all linear 0.15s;\n color: #919191;\n}\n\n.menu li:hover>a,\n.menu .current-item>a {\n text-decoration: none;\n color: #be5b70;\n}\n\n.menu .arrow {\n font-size: 11px;\n}\n\n/*----- Top Level -----*/\n.menu>ul>li {\n float: left;\n position: relative;\n}\n\n.menu>ul>li>a {\n\n\n}\n\n.menu>ul>li:hover>a,\n.menu>ul>.current-item>a {\n background: #ec9ca8;\n}\n\n/*----- Bottom Level -----*/\n.menu li:hover .sub-menu {\n z-index: 1;\n opacity: 1;\n}\n\n.sub-menu {\n width: 160%;\n padding: 0px 0px;\n position: absolute;\n top: 100%;\n left: 0px;\n z-index: -1;\n opacity: 0;\n transition: opacity linear 0.15s;\n box-shadow: 0px 2px 3px rgba(0, 0, 0, 0.2);\n background: #d1ddfc;\n}\n\n.sub-menu li {\n display: block;\n}\n\n.sub-menu li a {\n padding: 10px 10px;\n display: block;\n}\n" + ], + "names": [], + "mappings": "AEAA,UAAU,GACR,WAAW,EAAE,WAAW,EACxB,WAAW,EAAE,GAAG,EAChB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,uDAAuD,EAC5D,GAAG,EAAE,8DAA8D,CAAC,2BAA2B,EAC1F,kBAAkB,EAClB,0BAA0B,EAC1B,yDAAyD,CAAC,eAAe,EACzE,wDAAwD,CAAC,cAAc,EACvE,uDAAuD,CAAC,kBAAkB,EAC1E,gEAAgE,CAAC,aAAa;;AAGrF,UAAU,GACR,WAAW,EAAE,WAAW,EACxB,WAAW,EAAE,GAAG,EAChB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,+CAA+C,EACpD,GAAG,EAAE,sDAAsD,CAAC,2BAA2B,EAClF,uBAAuB,EACvB,sBAAsB,EACtB,iDAAiD,CAAC,eAAe,EACjE,gDAAgD,CAAC,cAAc,EAC/D,+CAA+C,CAAC,kBAAkB,EAClE,wDAAwD,CAAC,aAAa;;AAG7E,UAAU,GACR,WAAW,EAAE,WAAW,EACxB,WAAW,EAAE,GAAG,EAChB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,qDAAqD,EAC1D,GAAG,EAAE,4DAA4D,CAAC,2BAA2B,EACxF,yBAAyB,EACzB,yBAAyB,EACzB,uDAAuD,CAAC,eAAe,EACvE,sDAAsD,CAAC,cAAc,EACrE,qDAAqD,CAAC,kBAAkB,EACxE,8DAA8D,CAAC,aAAa;;AAGnF,UAAU,GACR,WAAW,EAAE,WAAW,EACxB,WAAW,EAAE,GAAG,EAChB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,2DAA2D,EAChE,GAAG,EAAE,kEAAkE,CAAC,2BAA2B,EAC9F,8BAA8B,EAC9B,4BAA4B,EAC5B,6DAA6D,CAAC,eAAe,EAC7E,4DAA4D,CAAC,cAAc,EAC3E,2DAA2D,CAAC,kBAAkB,EAC9E,oEAAoE,CAAC,aAAa;;ACrDzF,AAAA,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAI;;AACtC,AAAA,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC,GAAI;;AACpC,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,UAAU,EAAE,MAAM,GACnB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,UAAU,EAAE,MAAM,GACnB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,EACjB,UAAU,EAAE,MAAM,GACnB;;AACD,AAAA,UAAU,CAAC,EAAE,EAAE,UAAU,CAAC,GAAG,CAAC,EAC5B,KAAK,EAAE,OAAO,EACd,UAAU,EAAE,MAAM,GACnB;;AACD,AAAA,UAAU,CAAC,IAAI,CAAC,EACd,KAAK,EAAE,OAAO,EACd,gBAAgB,EAAE,OAAO,GAC1B;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,gBAAgB,EAAE,OAAO,GAC1B;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,UAAU,EAAE,MAAM,GACnB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,gBAAgB,EAAE,OAAO,GAC1B;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,EAAE,EAAE,UAAU,CAAC,GAAG,CAAC,EAC5B,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,EAAE,EAAE,UAAU,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,EAC5C,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,IAAI,GACZ;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,IAAI,GACZ;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,IAAI,GACZ;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,IAAI,GACZ;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,IAAI,GACZ;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,IAAI,GACZ;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,IAAI,GACZ;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,IAAI,GACZ;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,IAAI,GACZ;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,EAAE,CAAC,EACZ,KAAK,EAAE,IAAI,GACZ;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,GAAG,CAAC,EACb,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,EAAE,CAAC,EACZ,KAAK,EAAE,OAAO,EACd,WAAW,EAAE,IAAI,GAClB;;AACD,AAAA,UAAU,CAAC,EAAE,CAAC,EACZ,KAAK,EAAE,OAAO,GACf;;AACD,AAAA,UAAU,CAAC,EACT,gBAAgB,EAAE,OAAO,GAC1B;;AF7MD,AAAA,IAAI,CAAC,EACH,gBAAgB,EAAE,IAAI,EACtB,OAAO,EAAC,IAAI,EACZ,IAAI,EAAE,oEAAoE,EAC1E,KAAK,EAAC,OAAO,EACb,WAAW,EAAC,GAAG,GAChB;;AAED,AAAA,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EACrB,KAAK,EAAC,IAAI,EACV,MAAM,EAAC,QAAQ,GAChB;;AAED,AAAA,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,EACxB,MAAM,EAAC,QAAQ,GAChB;;AAED,AAAA,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EACT,WAAW,EAAC,GAAG,GAChB;;AAED,AAAA,EAAE,CAAC,EACD,SAAS,EAAC,IAAI,GACf;;AAED,AAAA,EAAE,CAAC,EACD,KAAK,EAAC,OAAO,GACd;;AAED,AAAA,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,EACb,KAAK,EAAC,OAAO,GACd;;AAED,AAAA,CAAC,CAAC,EACA,KAAK,EAAC,OAAO,EACb,eAAe,EAAC,IAAI,GACrB;;AAED,AAAA,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,EACf,KAAK,EAAC,IAAI,EACV,WAAW,EAAE,IAAI,GAClB;;AAED,AAAA,CAAC,CAAC,KAAK,CAAC,EACN,SAAS,EAAC,IAAI,EACd,KAAK,EAAC,IAAI,EACV,UAAU,EAAC,MAAM,EACjB,OAAO,EAAC,KAAK,GACd;;AAED,AAAA,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,EACZ,KAAK,EAAC,IAAI,GACX;;AAED,AAAA,QAAQ,CAAC,EACP,KAAK,EAAC,KAAK,EACX,MAAM,EAAC,MAAM,GACd;;AAED,AAAA,UAAU,CAAC,EACT,WAAW,EAAC,iBAAiB,EAC7B,MAAM,EAAC,CAAC,EACR,OAAO,EAAC,UAAU,EAClB,UAAU,EAAC,MAAM,GAClB;;AAED,AAAA,IAAI,EAAE,GAAG,CAAC,EACR,WAAW,EAAC,+HAA+H,EAC3I,KAAK,EAAC,IAAI,GACX;;AAED,AAAA,GAAG,CAAC,EACF,OAAO,EAAC,QAAQ,EAChB,UAAU,EAAE,OAAO,EACnB,aAAa,EAAC,GAAG,EACjB,MAAM,EAAC,iBAAiB,EACxB,UAAU,EAAE,IAAI,GACjB;;AAED,AAAA,KAAK,CAAC,EACJ,KAAK,EAAC,IAAI,EACV,eAAe,EAAC,QAAQ,GACzB;;AAED,AAAA,EAAE,EAAE,EAAE,CAAC,EACL,UAAU,EAAC,IAAI,EACf,OAAO,EAAC,QAAQ,EAChB,aAAa,EAAC,iBAAiB,GAChC;;AAED,AAAA,EAAE,CAAC,EACD,KAAK,EAAC,IAAI,EACV,WAAW,EAAC,GAAG,GAChB;;AAED,AAAA,EAAE,CAAC,EACD,KAAK,EAAC,IAAI,GACX;;AAED,AAAA,GAAG,CAAC,EACF,SAAS,EAAC,IAAI,GACf;;AAED,AAAA,MAAM,CAAC,EACL,KAAK,EAAC,KAAK,EACX,KAAK,EAAC,IAAI,EACV,QAAQ,EAAC,KAAK,EACd,sBAAsB,EAAC,oBAAoB,GAC5C;;AAED,AAAA,EAAE,AAAA,UAAU,CAAC,EACX,UAAU,EAAC,IAAI,EACf,MAAM,EAAC,IAAI,EACX,OAAO,EAAC,CAAC,EACT,UAAU,EAAE,OAAO,EACnB,aAAa,EAAC,GAAG,EACjB,MAAM,EAAC,iBAAiB,EACxB,KAAK,EAAC,KAAK,GACZ;;AAED,AAAA,UAAU,CAAC,EAAE,CAAC,EACZ,KAAK,EAAC,IAAI,EACV,KAAK,EAAC,IAAI,EACV,YAAY,EAAC,iBAAiB,EAC9B,MAAM,EAAC,IAAI,GACZ;;AAED,AAAA,UAAU,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC,EAC1B,aAAa,EAAC,WAAW,GAC1B;;AAED,AAAA,UAAU,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,EACzB,aAAa,EAAC,WAAW,GAC1B;;AAED,AAAA,UAAU,CAAC,CAAC,CAAC,EACX,WAAW,EAAC,CAAC,EACb,SAAS,EAAC,IAAI,EACd,KAAK,EAAC,OAAO,EACb,OAAO,EAAC,KAAK,EACb,UAAU,EAAC,MAAM,EACjB,WAAW,EAAC,GAAG,EACf,MAAM,EAAC,IAAI,GACZ;;AAED,AAAA,UAAU,CAAC,CAAC,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,EACrC,KAAK,EAAC,OAAO,EACb,WAAW,EAAC,IAAI,GACjB;;AAED,AAAA,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,EACrB,gBAAgB,EAAC,OAAO,GACzB;;AAED,AAAA,MAAM,CAAC,EACL,KAAK,EAAC,IAAI,EACV,WAAW,EAAC,GAAG,GAChB;;AAED,AAAA,UAAU,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EACtB,YAAY,EAAC,IAAI,EACjB,KAAK,EAAC,IAAI,GACX;;AAED,AAAA,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,EAClB,SAAS,EAAC,IAAI,EACd,OAAO,EAAC,KAAK,EACb,KAAK,EAAC,IAAI,GACX;;AAED,AAAA,OAAO,CAAC,EACN,KAAK,EAAC,KAAK,EACX,KAAK,EAAC,KAAK,EACX,cAAc,EAAC,IAAI,GACpB;;AAED,AAAA,KAAK,CAAC,EACJ,SAAS,EAAC,IAAI,GACf;;AAED,AAAA,EAAE,CAAC,EACD,MAAM,EAAC,CAAC,EACR,UAAU,EAAC,OAAO,EAClB,MAAM,EAAC,GAAG,EACV,MAAM,EAAC,QAAQ,GAChB;;AAED,AAAA,MAAM,CAAC,EACL,KAAK,EAAC,KAAK,EACX,KAAK,EAAC,IAAI,EACV,QAAQ,EAAC,KAAK,EACd,MAAM,EAAC,IAAI,EACX,sBAAsB,EAAC,oBAAoB,GAC5C;;AAED,MAAM,qCAEJ,GAAA,AAAA,GAAG,AAAA,QAAQ,CAAC,EACV,KAAK,EAAC,IAAI,EACV,MAAM,EAAC,CAAC,GACT,CAED,AAAA,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,EACtB,KAAK,EAAC,IAAI,EACV,QAAQ,EAAC,MAAM,EACf,KAAK,EAAC,IAAI,GACX,CAED,AAAA,MAAM,CAAC,EACL,aAAa,EAAC,KAAK,GACpB,CAED,AAAA,OAAO,CAAC,EACN,MAAM,EAAC,iBAAiB,EACxB,YAAY,EAAC,KAAK,EAClB,OAAO,EAAC,MAAM,EACd,MAAM,EAAC,QAAQ,GAChB,CAED,AAAA,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,EACb,OAAO,EAAC,MAAM,GACf,CAED,AAAA,MAAM,CAAC,EAAE,CAAC,EACR,QAAQ,EAAC,QAAQ,EACjB,KAAK,EAAC,IAAI,EACV,GAAG,EAAC,IAAI,GACT,EA3BA;;AA8BH,MAAM,qCACJ,GAAA,AAAA,IAAI,CAAC,EACH,SAAS,EAAC,UAAU,GACrB,CAED,AAAA,MAAM,CAAC,EACL,OAAO,EAAC,CAAC,GACV,CAED,AAAA,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC,AAAA,KAAK,CAAC,EACvB,QAAQ,EAAC,MAAM,GAChB,CAED,AAAA,GAAG,EAAE,IAAI,CAAC,EACR,SAAS,EAAC,MAAM,GACjB,EAZA;;AAeH,MAAM,qCACJ,GAAA,AAAA,IAAI,CAAC,EACH,OAAO,EAAC,IAAI,GACb,CAED,AAAA,UAAU,CAAC,EACT,KAAK,EAAC,GAAG,GACV,CAED,AAAA,UAAU,CAAC,EAAE,EAAE,UAAU,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EACrC,KAAK,EAAC,GAAG,GACV,EARA;;AAWH,MAAM,MACJ,GAAA,AAAA,IAAI,CAAC,EACH,OAAO,EAAC,KAAK,EACb,SAAS,EAAC,IAAI,EACd,KAAK,EAAC,IAAI,GACX,EAAA;;AG5PH,AAAA,YAAY,CAAC,EACX,OAAO,EAAE,IAAI,EACb,qBAAqB,EAAE,SAAS,EAChC,WAAW,EAAE,IAAI,EACjB,cAAc,EAAE,IAAI,EACpB,MAAM,EAAE,aAAa,EACrB,gBAAgB,EAvBI,OAAO,EAwB3B,WAAW,EAAE,GAAG,CAAC,KAAK,CAzBR,OAAO,EA0BrB,KAAK,EA1BS,OAAO,EAkHrB,wBAAwB,CA2CxB,+BAA+B,EAChC;;AA5ID,AAUE,YAVU,CAUV,IAAI,CAAC,EACH,gBAAgB,EAAE,IAAI,EACtB,KAAK,EA9BO,OAAO,GA+BpB;;AAbH,AAeE,YAfU,CAeV,OAAO,CAAC,EACN,WAAW,EAAE,GAAG,EAChB,SAAS,EAAE,MAAM,EACjB,KAAK,EApCO,OAAO,EAqCnB,cAAc,EAAE,GAAG,GACpB;;AApBH,AAsBE,YAtBU,CAsBV,QAAQ,CAAC,EACP,KAAK,EAjCO,kBAAkB,EAkC9B,YAAY,EAAE,IAAI,EAClB,aAAa,EAAE,IAAI,GACpB;;AA1BH,AA4BE,YA5BU,CA4BV,CAAC,CAAC,EACA,UAAU,EAAE,CAAC,EACb,aAAa,EAAE,CAAC,GACjB;;AA/BH,AAkDE,YAlDU,AAkDT,KAAK,CAAC,EAhBL,gBAAgB,EAjDD,OAAO,EAkDtB,KAAK,EAnDI,OAAO,EAoDhB,YAAY,EApDH,OAAO,GAoEjB;;AApDH,AAsCI,YAtCQ,AAkDT,KAAK,CAZJ,CAAC,CAAC,EACA,KAAK,EAvDE,OAAO,EAwDd,eAAe,EAAE,SAAS,GAC3B;;AAzCL,AA0CI,YA1CQ,AAkDT,KAAK,CARJ,IAAI,CAAC,EACH,KAAK,EA3DE,OAAO,GA4Df;;AA5CL,AA6CI,YA7CQ,AAkDT,KAAK,CALJ,OAAO,CAAC,EACN,KAAK,EA9DE,OAAO,GA+Df;;AA/CL,AAqDE,YArDU,AAqDT,QAAQ,CAAC,EAnBR,gBAAgB,EA/CE,OAAO,EAgDzB,KAAK,EAjDO,OAAO,EAkDnB,YAAY,EAlDA,OAAO,GAqEpB;;AAvDH,AAsCI,YAtCQ,AAqDT,QAAQ,CAfP,CAAC,CAAC,EACA,KAAK,EArDK,OAAO,EAsDjB,eAAe,EAAE,SAAS,GAC3B;;AAzCL,AA0CI,YA1CQ,AAqDT,QAAQ,CAXP,IAAI,CAAC,EACH,KAAK,EAzDK,OAAO,GA0DlB;;AA5CL,AA6CI,YA7CQ,AAqDT,QAAQ,CARP,OAAO,CAAC,EACN,KAAK,EA5DK,OAAO,GA6DlB;;AA/CL,AAwDE,YAxDU,AAwDT,MAAM,CAAC,EAtBN,gBAAgB,EA7CA,OAAO,EA8CvB,KAAK,EA/CK,OAAO,EAgDjB,YAAY,EAhDF,OAAO,GAsElB;;AA1DH,AAsCI,YAtCQ,AAwDT,MAAM,CAlBL,CAAC,CAAC,EACA,KAAK,EAnDG,OAAO,EAoDf,eAAe,EAAE,SAAS,GAC3B;;AAzCL,AA0CI,YA1CQ,AAwDT,MAAM,CAdL,IAAI,CAAC,EACH,KAAK,EAvDG,OAAO,GAwDhB;;AA5CL,AA6CI,YA7CQ,AAwDT,MAAM,CAXL,OAAO,CAAC,EACN,KAAK,EA1DG,OAAO,GA2DhB;;AA/CL,AA2DE,YA3DU,AA2DT,SAAS,CAAC,EAzBT,gBAAgB,EA1CG,OAAO,EA2C1B,KAAK,EA5CQ,OAAO,EA6CpB,YAAY,EA7CC,OAAO,GA0ErB;;AAjEH,AAsCI,YAtCQ,AA2DT,SAAS,CArBR,CAAC,CAAC,EACA,KAAK,EAhDM,OAAO,EAiDlB,eAAe,EAAE,SAAS,GAC3B;;AAzCL,AA0CI,YA1CQ,AA2DT,SAAS,CAjBR,IAAI,CAAC,EACH,KAAK,EApDM,OAAO,GAqDnB;;AA5CL,AA6CI,YA7CQ,AA2DT,SAAS,CAdR,OAAO,CAAC,EACN,KAAK,EAvDM,OAAO,GAwDnB;;AA/CL,AA8DI,YA9DQ,AA2DT,SAAS,CAGR,UAAU,CAAC,EACT,WAAW,EAAE,CAAC,GACf;;AAhEL,AAmEE,YAnEU,CAmEV,GAAG,EAnEL,YAAY,CAoEV,IAAI,EApEN,YAAY,CAqEV,IAAI,EArEN,YAAY,CAsEV,IAAI,EAtEN,YAAY,CAuEV,IAAI,CAAC,EACH,SAAS,EAAE,IAAI,EACf,OAAO,EAAE,GAAG,EACZ,WAAW,EAAE,GAAG,EAChB,YAAY,EAAE,IAAI,GACnB;;AA5EH,AA8EE,YA9EU,GA8EN,GAAG,CAAC,EACN,OAAO,EAAE,GAAG,EACZ,UAAU,EAAE,OAAO,EACnB,WAAW,EAAE,MAAM,GACpB;;AAlFH,AAiGE,YAjGU,AAiGT,QAAQ,CAAC,EAZR,MAAM,EAAE,CAAC,EACT,MAAM,EAAE,YAAY,EACpB,iBAAiB,EAAE,SAAS,EAC5B,gBAAgB,EAAE,WAAW,EAC7B,gBAAgB,EAAE,26CAAkC,EACpD,eAAe,EAAE,SAAS,EAC1B,KAAK,EAAE,IAAI,EACX,MAAM,EAAE,IAAI,EACZ,OAAO,EAAE,GAAG,GAUb;;AAvGH,AAwGE,YAxGU,AAwGT,QAAQ,CAAC,EAnBR,MAAM,EAAE,CAAC,EACT,MAAM,EAAE,YAAY,EACpB,iBAAiB,EAAE,SAAS,EAC5B,gBAAgB,EAAE,WAAW,EAC7B,gBAAgB,EAAE,goDAAkC,EACpD,eAAe,EAAE,SAAS,EAC1B,KAAK,EAAE,IAAI,EACX,MAAM,EAAE,IAAI,EACZ,OAAO,EAAE,GAAG,GAiBb;;AA9GH,AA+GE,YA/GU,AA+GT,QAAQ,CAAC,EA1BR,MAAM,EAAE,CAAC,EACT,MAAM,EAAE,YAAY,EACpB,iBAAiB,EAAE,SAAS,EAC5B,gBAAgB,EAAE,WAAW,EAC7B,gBAAgB,EAAE,45DAAkC,EACpD,eAAe,EAAE,SAAS,EAC1B,KAAK,EAAE,IAAI,EACX,MAAM,EAAE,IAAI,EACZ,OAAO,EAAE,GAAG,GAwBb;;AArHH,AAsHE,YAtHU,AAsHT,SAAS,CAAC,EAjCT,MAAM,EAAE,CAAC,EACT,MAAM,EAAE,YAAY,EACpB,iBAAiB,EAAE,SAAS,EAC5B,gBAAgB,EAAE,WAAW,EAC7B,gBAAgB,EAAE,wuEAAkC,EACpD,eAAe,EAAE,SAAS,EAC1B,KAAK,EAAE,IAAI,EACX,MAAM,EAAE,IAAI,EACZ,OAAO,EAAE,GAAG,GA+Bb;;AA5HH,AA6HE,YA7HU,AA6HT,SAAS,CAAC,EAxCT,MAAM,EAAE,CAAC,EACT,MAAM,EAAE,YAAY,EACpB,iBAAiB,EAAE,SAAS,EAC5B,gBAAgB,EAAE,WAAW,EAC7B,gBAAgB,EAAE,owEAAkC,EACpD,eAAe,EAAE,SAAS,EAC1B,KAAK,EAAE,IAAI,EACX,MAAM,EAAE,IAAI,EACZ,OAAO,EAAE,GAAG,GAsCb;;AAnIH,AAoIE,YApIU,AAoIT,UAAU,CAAC,EA/CV,MAAM,EAAE,CAAC,EACT,MAAM,EAAE,YAAY,EACpB,iBAAiB,EAAE,SAAS,EAC5B,gBAAgB,EAAE,WAAW,EAC7B,gBAAgB,EAAE,i4BAAkC,EACpD,eAAe,EAAE,SAAS,EAC1B,KAAK,EAAE,IAAI,EACX,MAAM,EAAE,IAAI,EACZ,OAAO,EAAE,GAAG,GA6Cb;;AC5JH,4BAA4B;AAC5B,AAAA,UAAU,CAAC,EAET,UAAU,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAC1C,UAAU,EAAE,OAAO,GACpB;;AAED,AAAA,KAAK,CAAC,EAEJ,MAAM,EAAE,QAAQ,GACjB;;AAED,AAAA,KAAK,CAAC,EAAE,CAAC,EACP,MAAM,EAAE,GAAG,EACX,UAAU,EAAE,IAAI,GACjB;;AAED,AAAA,KAAK,CAAC,CAAC,CAAC,EACN,UAAU,EAAE,gBAAgB,EAC5B,KAAK,EAAE,OAAO,GACf;;AAED,AAAA,KAAK,CAAC,EAAE,CAAC,KAAK,GAAC,CAAC,EAChB,KAAK,CAAC,aAAa,GAAC,CAAC,CAAC,EACpB,eAAe,EAAE,IAAI,EACrB,KAAK,EAAE,OAAO,GACf;;AAED,AAAA,KAAK,CAAC,MAAM,CAAC,EACX,SAAS,EAAE,IAAI,GAChB;;AAED,yBAAyB;AACzB,AAAA,KAAK,GAAC,EAAE,GAAC,EAAE,CAAC,EACV,KAAK,EAAE,IAAI,EACX,QAAQ,EAAE,QAAQ,GACnB;;AAOD,AAAA,KAAK,GAAC,EAAE,GAAC,EAAE,CAAC,KAAK,GAAC,CAAC,EACnB,KAAK,GAAC,EAAE,GAAC,aAAa,GAAC,CAAC,CAAC,EACvB,UAAU,EAAE,OAAO,GACpB;;AAED,4BAA4B;AAC5B,AAAA,KAAK,CAAC,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,EACvB,OAAO,EAAE,CAAC,EACV,OAAO,EAAE,CAAC,GACX;;AAED,AAAA,SAAS,CAAC,EACR,KAAK,EAAE,IAAI,EACX,OAAO,EAAE,OAAO,EAChB,QAAQ,EAAE,QAAQ,EAClB,GAAG,EAAE,IAAI,EACT,IAAI,EAAE,GAAG,EACT,OAAO,EAAE,EAAE,EACX,OAAO,EAAE,CAAC,EACV,UAAU,EAAE,oBAAoB,EAChC,UAAU,EAAE,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAC1C,UAAU,EAAE,OAAO,GACpB;;AAED,AAAA,SAAS,CAAC,EAAE,CAAC,EACX,OAAO,EAAE,KAAK,GACf;;AAED,AAAA,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,EACb,OAAO,EAAE,SAAS,EAClB,OAAO,EAAE,KAAK,GACf" +} \ No newline at end of file diff --git a/assets/fonts/Noto-Sans-700/Noto-Sans-700.eot b/assets/fonts/Noto-Sans-700/Noto-Sans-700.eot new file mode 100755 index 0000000000..03bf93fec2 Binary files /dev/null and b/assets/fonts/Noto-Sans-700/Noto-Sans-700.eot differ diff --git a/assets/fonts/Noto-Sans-700/Noto-Sans-700.svg b/assets/fonts/Noto-Sans-700/Noto-Sans-700.svg new file mode 100644 index 0000000000..925fe47475 --- /dev/null +++ b/assets/fonts/Noto-Sans-700/Noto-Sans-700.svg @@ -0,0 +1,336 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/assets/fonts/Noto-Sans-700/Noto-Sans-700.ttf b/assets/fonts/Noto-Sans-700/Noto-Sans-700.ttf new file mode 100755 index 0000000000..4599e3ca9a Binary files /dev/null and b/assets/fonts/Noto-Sans-700/Noto-Sans-700.ttf differ diff --git a/assets/fonts/Noto-Sans-700/Noto-Sans-700.woff b/assets/fonts/Noto-Sans-700/Noto-Sans-700.woff new file mode 100755 index 0000000000..9d0b78df81 Binary files /dev/null and b/assets/fonts/Noto-Sans-700/Noto-Sans-700.woff differ diff --git a/assets/fonts/Noto-Sans-700/Noto-Sans-700.woff2 b/assets/fonts/Noto-Sans-700/Noto-Sans-700.woff2 new file mode 100755 index 0000000000..55fc44bcd1 Binary files /dev/null and b/assets/fonts/Noto-Sans-700/Noto-Sans-700.woff2 differ diff --git a/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.eot b/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.eot new file mode 100755 index 0000000000..cb97b2b4dd Binary files /dev/null and b/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.eot differ diff --git a/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.svg b/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.svg new file mode 100644 index 0000000000..abdafc0f53 --- /dev/null +++ b/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.svg @@ -0,0 +1,334 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.ttf b/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.ttf new file mode 100755 index 0000000000..6640dbeb33 Binary files /dev/null and b/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.ttf differ diff --git a/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.woff b/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.woff new file mode 100755 index 0000000000..209739eeb0 Binary files /dev/null and b/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.woff differ diff --git a/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.woff2 b/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.woff2 new file mode 100755 index 0000000000..f5525aa28b Binary files /dev/null and b/assets/fonts/Noto-Sans-700italic/Noto-Sans-700italic.woff2 differ diff --git a/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.eot b/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.eot new file mode 100755 index 0000000000..a997349935 Binary files /dev/null and b/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.eot differ diff --git a/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.svg b/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.svg new file mode 100644 index 0000000000..dcd8fc89dc --- /dev/null +++ b/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.svg @@ -0,0 +1,337 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.ttf b/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.ttf new file mode 100755 index 0000000000..7f75a2d909 Binary files /dev/null and b/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.ttf differ diff --git a/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.woff b/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.woff new file mode 100755 index 0000000000..6dce67cede Binary files /dev/null and b/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.woff differ diff --git a/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.woff2 b/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.woff2 new file mode 100755 index 0000000000..a9c14c4920 Binary files /dev/null and b/assets/fonts/Noto-Sans-italic/Noto-Sans-italic.woff2 differ diff --git a/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.eot b/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.eot new file mode 100755 index 0000000000..15fc8bfc91 Binary files /dev/null and b/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.eot differ diff --git a/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.svg b/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.svg new file mode 100644 index 0000000000..bd2894d6a2 --- /dev/null +++ b/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.svg @@ -0,0 +1,335 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.ttf b/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.ttf new file mode 100755 index 0000000000..a83bbf9fc8 Binary files /dev/null and b/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.ttf differ diff --git a/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.woff b/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.woff new file mode 100755 index 0000000000..17c85006d0 Binary files /dev/null and b/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.woff differ diff --git a/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.woff2 b/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.woff2 new file mode 100755 index 0000000000..a87d9cd7c6 Binary files /dev/null and b/assets/fonts/Noto-Sans-regular/Noto-Sans-regular.woff2 differ diff --git a/assets/img/logo.png b/assets/img/logo.png new file mode 100644 index 0000000000..93e608e4a4 Binary files /dev/null and b/assets/img/logo.png differ diff --git a/assets/js/scale.fix.js b/assets/js/scale.fix.js new file mode 100644 index 0000000000..2f4f8fd4d3 --- /dev/null +++ b/assets/js/scale.fix.js @@ -0,0 +1,30 @@ +(function (document) { + var metas = document.getElementsByTagName("meta"), + changeViewportContent = function (content) { + for (var i = 0; i < metas.length; i++) { + if (metas[i].name == "viewport") { + metas[i].content = content; + } + } + }, + initialize = function () { + changeViewportContent( + "width=device-width, minimum-scale=1.0, maximum-scale=1.0" + ); + }, + gestureStart = function () { + changeViewportContent( + "width=device-width, minimum-scale=0.25, maximum-scale=1.6" + ); + }, + gestureEnd = function () { + initialize(); + }; + + if (navigator.userAgent.match(/iPhone/i)) { + initialize(); + + document.addEventListener("touchstart", gestureStart, false); + document.addEventListener("touchend", gestureEnd, false); + } +})(document); diff --git a/feed.xml b/feed.xml new file mode 100644 index 0000000000..dba633c724 --- /dev/null +++ b/feed.xml @@ -0,0 +1 @@ +Jekyll2024-12-22T18:59:53-06:00https://openshift-kni.github.io/baremetal-deploy/feed.xmlOpenShift Cluster Managed Bare Metal DocumentationDocuments produced by Deployment Integration team \ No newline at end of file diff --git a/index.html b/index.html new file mode 100644 index 0000000000..69577ef3af --- /dev/null +++ b/index.html @@ -0,0 +1,456 @@ + + + + + + + + + + + Deploying Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal | OpenShift Cluster Managed Bare Metal Documentation + + + + + + + + + + + + + + +Deploying Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal | OpenShift Cluster Managed Bare Metal Documentation + + + + + + + + + + + + + + + + + + +
+
+

OpenShift Cluster Managed Bare Metal Documentation

+ + + +

Documents produced by Deployment Integration team

+ + + + + + +
+
+ +

Installer Provisioned Infrastructure (IPI) of OpenShift on Baremetal Install Guides

+ +

Documentation

+ +

Below is the list of generated documentation versions

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DocumentAccess
Deployment + +
Troubleshooting + +
Ansible Playbook Install + +
Ansible Playbook Disconnected Install + +
+ +
+ +
+

These guides are created from the contents of the repository under documentation/ folder.

+ + + + +
+
+ +

Development Draft

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DocumentAccess
Deployment + +
Troubleshooting + +
+ +
+ +
+

Documents in this section are incomplete drafts and may contain inaccuracies

+ + + + +
+
+ + +
+ +
+ + + + diff --git a/latest/Ansible Playbook Disconnected Install.html b/latest/Ansible Playbook Disconnected Install.html new file mode 100644 index 0000000000..3da5c713c5 --- /dev/null +++ b/latest/Ansible Playbook Disconnected Install.html @@ -0,0 +1,1646 @@ + + + + + + + + + + +Fully Disconnected Deployment of IPI on BM using the Ansible Playbook + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+
+
+

1. Introduction

+
+
+

This write-up will guide you through the process of deploying a fully-disconnected[1] Baremetal IPI installation of OpenShift Container Platform 4 via the Ansible +playbook.

+
+
+
+
+

2. Prerequisites

+
+
+
    +
  • +

    Best Practice Minimum Setup: 6 Physical servers (1 provision node, 3 master and 2 worker nodes)

    +
  • +
  • +

    Best Practice Minimum Setup for disconnected environments: 7 Physical servers (1 provision node, 1 registry node[2], 3 master and 2 worker nodes)

    +
  • +
  • +

    Minimum Setup: 4 Physical servers (1 provision node, 3 master nodes)

    +
  • +
  • +

    Minimum Setup for disconnected environments: 5 Physical servers (1 provision node, 1 registry node[2], 3 master nodes)

    +
  • +
  • +

    Each server needs 2 NICs pre-configured. NIC1 for the private network and NIC2 for the baremetal network. NIC interface names must be identical across all nodes[3]

    +
  • +
  • +

    It is recommended each server have a RAID-1 configured and initialized (though not enforced)

    +
  • +
  • +

    Each server must have IPMI configured

    +
  • +
  • +

    Each server must have DHCP setup for the baremetal NICs

    +
  • +
  • +

    Each server must have DNS setup for the API, wildcard applications

    +
  • +
  • +

    A DNS VIP is IP on the baremetal network is required for reservation. Reservation is done via our DHCP server (though not required).

    +
  • +
  • +

    Optional - Include DNS entries for the hostnames for each of the servers

    +
  • +
  • +

    Download a copy of your Pull Secret

    +
  • +
+
+
+

Due to the complexities of properly configuring an environment, it is +recommended to review the following steps prior to running the Ansible +playbook as without proper setup, the Ansible playbook won’t work.

+
+
+

The section to review and ensure proper configuration are as follows:

+
+
+ +
+
+

Once the above is complete, install Red Hat Enterprise Linux (RHEL) 8.x on your provision node and create a user (i.e. kni) to deploy as non-root and provide that user sudo privileges.

+
+
+

For simplicity, the steps to create the user named kni is as follows:

+
+
+
    +
  1. +

    Login into the provision node via ssh

    +
  2. +
  3. +

    Create a user (i.e kni) to deploy as non-root and provide that user sudo privileges

    +
    +
    +
    useradd kni
    +passwd kni
    +echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    +chmod 0440 /etc/sudoers.d/kni
    +
    +
    +
  4. +
  5. +

    Enable a dnf local repository on the provision host

    +
  6. +
+
+
+
+
+

3. Using an Existing Registry

+
+
+ + + + + +
+ + +If no existing registry is already existing for your fully disconnected +environment, visit Creating a New Disconnected Registry section. +
+
+
+

When using an existing registry, two variables labeled +disconnected_registry_auths_file and the disconnected_registry_mirrors_file +must be set. These variables are located within your inventory/hosts file and +the inventory/hosts.sample file can be used as reference.

+
+
+

The disconnected_registry_auths_file variable should point to a file +containing json data regarding your registry information. This will be appended +to the auths section of the pull secret by the Ansible playbook itself.

+
+
+

An example of the contents of the disconnected_registry_auths_file is shown +below.

+
+
+
+
cat /path/to/registry-auths.json
+{"registry.example.com:5000": {"auth": "ZHVtbXk6ZHsFVtbXk=", "email": "user@example.com" } }
+
+
+
+ + + + + +
+ + +
+

The auth password given base64 encoding of the http credentials used to +create the htpasswd file.

+
+
+

Example:

+
+
+

[user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 ) + 
+[user@registry ~]$ echo $b64auth

+
+
+
+
+

The disconnected_registry_mirrors_file variable should point to a file +containing the additionalTrustBundle and imageContentSources (OpenShift +4.13 and below) or imageDigestSources (OpenShift 4.14 and above) for +the disconnected registry. The certificate that goes within the additional +trust bundle is the disconnected registry node’s certificate. The +imageContentSources adds the mirrored information of the registry. The below +content from the install-config-appends.yml file gets automatically appended +by the Ansible playbook.

+
+
+
+
cat /path/to/install-config-appends.yml
+additionalTrustBundle: |
+  -----BEGIN CERTIFICATE-----
+  MIIGPDCCBCSgAwIBAgIUWr1DxDq53hrsk6XVLRXUjfF9m+swDQYJKoZIhvcNAQEL
+  BQAwgZAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNeVN0YXRlMQ8wDQYDVQQHDAZN
+  eUNpdHkxEjAQBgNVBAoMCU15Q29tcGFueTEVMBMGA1UECwwMTXlEZXBhcnRtZW50
+  .
+  . [ABBREVIATED CERTIFICATE FOR BREVITY]
+  .
+  MTMwMQYDVQQDDCpyZWdpc3RyeS5rbmk3LmNsb3VkLmxhYi5lbmcuYm9zLnJlZGhh
+  dC5jb20wHhcNMjAwNDA3MjM1MzI2WhcNMzAwNDA1MjM1MzI2WjCBkDELMAkGA1UE
+  -----END CERTIFICATE-----
+
+<image-config>: (1)
+- mirrors:
+  - registry.example.com:5000/ocp4/openshift4
+  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
+- mirrors:
+  - registry.example.com:5000/ocp4/openshift4
+  source: registry.svc.ci.openshift.org/ocp/release
+- mirrors:
+  - registry.example.com:5000/ocp4/openshift4
+  source: quay.io/openshift-release-dev/ocp-release
+
+
+
+

Where:

+
+
+

+ +<1> <image-config> is either imageContentSources for OpenShift 4.13 and below, or imageDigestSources for Openshift 4.14 and above.

+
+
+ + + + + +
+ + +Indentation is important in the yml file. Ensure your copy of the install-config-appends.yml is properly indented as in the example above. +
+
+
+
+
+

4. Contents of the Webserver

+
+
+

When following the details on how to create a webserver, if one not already in place, there is still additional content required for +a fully disconnected environment to be successfully deployed with the Ansible playbook.

+
+
+

The Ansible playbook requires the end user to additionally include the following +to there already existing webserver.

+
+
+

The example provided below showcases how a user adds the required prerequisites +to the webserver in order install the latest +OpenShift Container Platform version 4.9.

+
+
+
Automatic Procedure
+
    +
  1. +

    Change to the webserver directory that is to store your OpenShift related binaries

    +
    +
    +
    [user@webserver ~]$ cd /path/to/webserver/dir
    +
    +
    +
  2. +
  3. +

    Create a local copy of environment variables script and make the script executable.

    +
    +
    +
    [user@webserver ~]$ chmod +x /path/to/webserver/dir/env_vars.sh
    +
    +
    +
  4. +
  5. +

    Create a local copy of helper script that downloads all the prerequisites to the webserver

    +
    +
    +
    [user@webserver ~]$ chmod +x /path/to/webserver/dir/helper_script.sh
    +
    +
    +
  6. +
  7. +

    Open the the env_vars.sh script and fill out the appopriate environment variable values

    +
  8. +
  9. +

    Run the helper_script.sh script

    +
    +
    +
    [user@webserver ~]$ /path/to/webserver/dir/helper_script.sh
    +
    +
    +
    + + + + + +
    + + +
    +

    Using the helper_script.sh has some caveats. Extracting the +openshift-baremetal-install binary does not pull from a local registry when +given a local registry, BZ#1823143 +Due to this, in order to properly extract the installer, the OpenShift disconnected +mirrored registry that is to be used must be available and have access to quay.io +temporary to properly extract the binary.

    +
    +
    +
    +
  10. +
+
+
+ + + + + +
+ + +The following manual procedure can be skipped if used the helper script. +
+
+
+
Manual Procedure
+
    +
  1. +

    Download the OpenShift Container Platform version 4.9 latest release.txt file

    +
    +
    +
    [user@webserver ~]$ cd /path/to/webserver/dir
    +[user@webserver ~]$ wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest-4.9/release.txt
    +
    +
    +
    + + + + + +
    + + +
    +

    When working with a development version of OpenShift Container Platform, use the following link for the +development version of the +release.txt

    +
    +
    +
    +
  2. +
  3. +

    Create a directory with the explict release version of the captured release.txt file

    +
    +
    +
    export OCP_RELEASE=`cat release.txt | grep Name | awk {'print $2'}`
    +[user@webserver ~]$ mkdir $OCP_RELEASE
    +
    +
    +
  4. +
  5. +

    Move the release.txt file to the newly created release version directory

    +
    +
    +
    [user@webserver ~]$ mv release.txt $OCP_RELEASE/
    +
    +
    +
  6. +
  7. +

    Download the oc client and untar its contents

    +
    +
    +
    [user@webserver ~]$ wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$OCP_RELEASE/openshift-client-linux-$OCP_RELEASE.tar.gz | tar zxvf - oc
    +
    +
    +
  8. +
  9. +

    Extract the Installer

    +
    + + + + + +
    + + +
    +

    Extracting the installer currently has some caveats. Extracting the +openshift-baremetal-install binary does not pull from a local registry when +given a local registry, BZ#1823143 +Due to this, in order to properly extract the installer, the OpenShift disconnected +mirrored registry that is to be used must be available and have access to quay.io +temporary to properly extract the binary. The following step assumes this.

    +
    +
    +
    +
    +
    +
    [user@webserver ~]$ export LOCAL_REPOSITORY='ocp4'
    +[user@webserver ~]$ export LOCAL_REGISTRY='registry.example.com:5000'
    +[user@webserver ~]$ export cmd=openshift-baremetal-install
    +[user@webserver ~]$ export pullsecret_file=~/pull-secret.txt
    +[user@webserver ~]$ export extract_dir=$(pwd)
    +[user@webserver ~]$ oc adm release extract --registry-config "${pullsecret_file}" --command="${cmd}" --to `pwd` ${LOCAL_REGISTRY}/${LOCAL_REPOSITORY}:${OCP_RELEASE}
    +
    +
    +
  10. +
  11. +

    Ensure the openshift-baremetal-install binary points to the appopriate release image (i.e. registry.example.com )

    +
    +
    +
    [user@webserver ~]$ ./openshift-baremetal-install version
    +openshift-baremetal-install 4.4.3
    +built from commit 78b817ceb7657f81176bbe182cc6efc73004c841
    +release image registry.example.com:5000/ocp4/openshift4@sha256:e805d6a36762e22ecf66fd3f3642e609a00ed25ab44f89f064b5138cf3f0f554
    +
    +
    +
  12. +
  13. +

    The rhcos.json file is required for the disconnected installs as it contains +the appropriate image name and SHA hash

    +
    + + + + + +
    + + +This assumes the openshift-baremetal-install has been extracted +
    +
    +
    +
    +
    [user@webserver ~]$ export COMMIT_ID=$(./openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
    +[user@webserver ~]$ curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json > rhcos.json
    +
    +
    +
  14. +
  15. +

    Clean up the oc and kubelet binary extraction as no longer required

    +
    +
    +
    [user@webserver ~]$ rm -f /path/to/$OCP_RELEASE/oc /path/to/$OCP_RELEASE/kubelet
    +
    +
    +
  16. +
  17. +

    Confirm all four files have been captured within your $OCP_RELEASE directory

    +
    +
    +
    [user@webserver ~]$ ls -latr /path/to/$OCP_RELEASE
    +openshift-baremetal-install openshift-client-linux-$OCP_RELEASE.tar.gz rhcos.json release.txt
    +
    +
    +
  18. +
+
+
+
+
+

5. Fully Disconnected Prerequiste Checklist

+
+
+

5.1. Validation checklist for nodes

+
+
When using the provisioning network
+
    +
  • +

    DHCP reservations use infinite leases to deploy the cluster with static IP addresses. (optional)

    +
  • +
  • +

    NIC1 VLAN is configured for the provisioning network.

    +
  • +
  • +

    NIC2 VLAN is configured for the baremetal network.

    +
  • +
  • +

    NIC1 is PXE-enabled on the provisioner, Control Plane (master), and worker nodes.

    +
  • +
  • +

    PXE has been disabled on all other NICs.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    DHCP reservations use infinite leases to deploy the cluster with static IP addresses. (optional)

    +
  • +
  • +

    NICx VLAN is configured for the baremetal network.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
Summary
+

After an environment has been prepared according to the documented prerequisites, the installation process is the same as other installer-provisioned platforms.

+
+
+
+

5.2. Validation checklist for Ansible playbook installation

+
+
    +
  • +

    Create a local repository using a RHEL 8 Installation DVD to install packages

    +
  • +
  • +

    Suppress Unable to read consumer identity messages when using subscription-manager via /etc/yum.conf

    +
  • +
  • +

    Ensure release.txt file exists within the webserver path/to/webserver/<ocp_release_version>

    +
  • +
  • +

    Ensure rhcos.json file exists within the webserver path/to/webserver/<ocp_release_version>

    +
  • +
  • +

    Ensure openshift-baremetal-install binary exists within the webserver path/to/webserver/<ocp_release_version>

    +
  • +
  • +

    Ensure the openshift-baremetal-install binary points to the appopriate release image registry (i.e. registry.example.com )

    +
  • +
  • +

    Ensure release.txt file exists within the webserver path/to/webserver/<ocp_release_version>

    +
  • +
  • +

    Ensure openshift-client-linux-<ocp_release_version>.tar.gz tar.gz exists within the webserver path/to/webserver/<ocp_release_version>

    +
  • +
  • +

    Create registry-auths.json

    +
  • +
  • +

    Create install-config-appends.json

    +
  • +
+
+
+
+
+
+

6. Running the playbook.yml

+
+
+

The following are the steps to successfully run the Ansible playbook.

+
+
+

6.1. git clone the Ansible playbook

+
+

The first step to using the Ansible playbook is to clone the +baremetal-deploy repository.

+
+
+ + + + + +
+ + +This should be done on a system that can access the provision host +
+
+
+
    +
  1. +

    Clone the git repository

    +
    +
    +
    [user@laptop ~]$ git clone https://github.com/openshift-kni/baremetal-deploy.git
    +
    +
    +
  2. +
  3. +

    Change to the ansible-ipi-install directory

    +
    +
    +
    [user@laptop ~]$ cd /path/to/git/repo/baremetal-deploy/ansible-ipi-install
    +
    +
    +
  4. +
+
+
+
+

6.2. The ansible.cfg file

+
+

While the ansible.cfg may vary upon your environment +a sample is provided in the repository.

+
+
+
+
[defaults]
+inventory=./inventory
+remote_user=kni
+callback_whitelist = profile_tasks
+
+[privilege_escalation]
+become_method=sudo
+
+
+
+ + + + + +
+ + +
+

Ensure to change the remote_user as deemed appropriate for +your environment. The remote_user is the user previously +created on the provision node.

+
+
+
+
+
+

6.3. Ansible version

+
+

Ensure that your environment is using Ansible 2.9 or +greater. The following command can be used to verify.

+
+
+
+
ansible --version
+ansible 2.9.1
+  config file = /path/to/baremetal-deploy/ansible-ipi-install/ansible.cfg
+  configured module search path = ['/path/to/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
+  ansible python module location = /usr/lib/python3.7/site-packages/ansible
+  executable location = /usr/bin/ansible
+  python version = 3.7.2 (default, Jan 16 2019, 19:49:22) [GCC 8.2.1 20181215 (Red Hat 8.2.1-6)]
+
+
+
+ + + + + +
+ + +The config file section should point to the path of your ansible.cfg +
+
+
+
+

6.4. Copy local SSH key to provision node

+
+

With the ansible.cfg file in place, the next step is +to ensure to copy your public ssh key to your provision + node using ssh-copy-id.

+
+
+

From the system that is to run the playbook,

+
+
+
+
$ ssh-copy-id <user>@provisioner.example.com
+
+
+
+ + + + + +
+ + +<user> should be the user previously created on the provision node (i.e. kni) +
+
+
+
+

6.5. Modifying the inventory/hosts file for Fully Disconnected Deployments

+
+

While there are many options +that may be set when deploying IPI on baremetal using the Ansible +playbook. This portion will strictly focus on what are the +requirements for including your existing webserver and registry node +for a successful deployment.

+
+
+

A sample of the required variables with regards to the existing +webserver and registry node are shown below

+
+
+
+
# Provide the webserver URL as shown below if using fully disconnected
+webserver_url=http://example.com:8080'
+
+[registry_host]
+registry.example.com
+
+[registry_host:vars]
+disconnected_registry_auths_file=/path/to/registry-auths.json
+disconnected_registry_mirrors_file=/path/to/install-config-appends.json
+
+
+
+
+

6.6. The Ansible playbook.yml

+
+

The Ansible playbook connects to your provision host and +runs through the redhatci.ocp.node_prep role and the +redhatci.ocp.installer role. +No modification is necessary. All modifications of variables +may be done within the inventory/hosts file. A sample file +is located in this repository under inventory/hosts.sample. +From the system that is to run the playbook,

+
+
+
Sample playbook.yml
+
+
---
+- name: IPI on Baremetal Installation Playbook
+  hosts: provisioner
+  collections:
+    - redhatci.ocp
+  roles:
+    - node_prep
+    - installer
+
+
+
+

With the playbook.yml set and in-place, run the playbook.yml

+
+
+
+
$ ansible-playbook -i inventory/hosts playbook.yml
+
+
+
+
+
+
+

Appendix A: Setup a local RHEL8 repository using an ISO

+
+
+
    +
  1. +

    On the provision host, mount your RHEL8 ISO

    +
    +
    +
    [user@provisioner ~]$ sudo mount -o loop rhel-8.0-x86_64-dvd.iso /mnt/
    +
    +
    +
  2. +
  3. +

    Copy media.repo file from mounted directory to /etc/yum.repos.d/

    +
    +
    +
    [user@provisioner ~]$ sudo cp /mnt/media.repo /etc/yum.repos.d/rhel8.repo
    +
    +
    +
  4. +
  5. +

    Set permissions of the newly created rhel8.repo file

    +
    +
    +
    [user@provisioner ~]$ sudo chmod 644 /etc/yum.repos.d/rhel8.repo
    +
    +
    +
  6. +
  7. +

    Edit the rhel8.repo file to match the following

    +
    +
    +
    [InstallMedia-BaseOS]
    +name=Red Hat Enterprise Linux 8 - BaseOS
    +metadata_expire=-1
    +gpgcheck=1
    +enabled=1
    +baseurl=file:///mnt/BaseOS/
    +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    +
    +[InstallMedia-AppStream]
    +name=Red Hat Enterprise Linux 8 - AppStream
    +metadata_expire=-1
    +gpgcheck=1
    +enabled=1
    +baseurl=file:///mnt/AppStream/
    +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    +
    +
    +
  8. +
  9. +

    Clear the subscription-manager cache

    +
    +
    +
    [user@provisioner ~]$ sudo dnf clean all
    +
    +
    +
  10. +
  11. +

    Modify the /etc/yum.conf file and set plugins to zero

    +
    +
    +
    [user@provisioner ~]$ sudo echo "plugins=0" >> /etc/yum.conf
    +
    +
    +
    + + + + + +
    + + +
    +

    This is required as certain plugins won’t properly load when +not directly subscripted with subscription-manager and may +give the error of Unable to read consumer identity

    +
    +
    +
    +
  12. +
  13. +

    Verify the BaseOS and AppStream repos are available

    +
    +
    +
    [user@provisioner ~]$ sudo dnf repolist
    +$ sudo dnf repolist
    +Last metadata expiration check: 0:29:59 ago on Tue 12 May 2020 08:15:46 PM UTC.
    +repo id                    repo name                                           status
    +InstallMedia-AppStream     Red Hat Enterprise Linux 8 - AppStream              4,820
    +InstallMedia-BaseOS        Red Hat Enterprise Linux 8 - BaseOS                 1,661
    +
    +
    +
  14. +
+
+
+
+
+

Appendix B: Environment Variable Script

+
+
+
+
#!/bin/bash
+
+#Enter 'dev' for development or 'ga' for Generally Available version of OCP
+export release=''
+
+#Provide build version, i.e. 4.3.18, 4.4.4, nightly build: 4.3.0-0.nightly-2019-10-29-073252
+export build_version='<desired-build-version>'
+
+export LOCAL_REPOSITORY='ocp4'
+export LOCAL_REGISTRY='registry.example.com'
+export REGISTRY_PORT='5000'
+export OCP_RELEASE='4.4.3'
+export LOCAL_PULL_SECRET='<Path-to-your-pull-secret.txt'
+export cmd=openshift-baremetal-install
+
+
+
+
+
+

Appendix C: Helper Script

+
+
+
+
#!/bin/bash
+
+echo "***This script downloads the files needed for Ansible Automation****"
+echo "***Downloads
+      1. Release.txt
+      2. `openshift-client-linux-$build_version.tar.gz`
+      3. openshift-baremetal-install binary
+      4. rhcos.json****"
+
+. ./source_env_vars.sh
+
+code=$(curl -sL -w "%{http_code}\\n" "https://mirror.openshift.com/pub/" -o /dev/null)
+if [[ $code != 200 ]]; then
+    echo "Did not receive a successful 200 code, exiting..."
+    exit
+fi
+
+if [ $release == 'dev' ]
+then
+  export release_version='ocp-dev-preview'
+elif [ $release == 'ga' ]
+then
+   export release_version='ocp'
+else
+   echo Provide either dev or ga as a value for release.
+fi
+
+rm -f release.txt rhcos.json oc kubelet openshift-client-linux-$build_version.tar.gz
+
+echo "****Below are the values that has been set****"
+echo Local Repo = $LOCAL_REPOSITORY
+echo Local Registry = $LOCAL_REGISTRY
+echo Registry Port = $REGISTRY_PORT
+echo Release = $OCP_RELEASE
+echo Pull-Secret File = $LOCAL_PULL_SECRET
+echo Build Version = $build_version
+
+GREEN='\033[0;32m'
+NC='\033[0m'
+echo -e "**** Download the release.txt for ${GREEN}$build_version${NC}*******"
+wget https://mirror.openshift.com/pub/openshift-v4/clients/$release_version/$build_version/release.txt
+
+echo "****Download the openshift-client-linux-$build_version.tar.gz for the $build_version*********"
+wget https://mirror.openshift.com/pub/openshift-v4/clients/$release_version/$build_version/openshift-client-linux-$build_version.tar.gz
+tar -xvzf openshift-client-linux-$build_version.tar.gz
+
+echo "******Download the 'openshift-baremetal-install' binary for the $build_version and extract it*******"
+
+web_url=$(curl -sL -w "%{http_code}\\n" "http://${LOCAL_REGISTRY}/${RHCOS_QEMU_URI}" -o /dev/null)
+if [[ $web_url != 200 ]]; then
+    echo "Did not receive a successful 200 code, exiting..."
+    echo "****Extracting the installer currently has some caveats. Extracting the openshift-baremetal-install binary does not pull from a local registry when given a local registry, BZ#1823143 Due to this, in order to properly extract the installer, the OpenShift disconnected mirrored registry that is to be used must be available and have access to quay.io temporary to properly extract the binary. The following step assumes this.*****"
+    exit    # other actions
+fi
+
+oc adm release extract --registry-config "${LOCAL_PULL_SECRET}" --command="${cmd}" --to `pwd` ${LOCAL_REGISTRY}:${REGISTRY_PORT}/${LOCAL_REPOSITORY}:${OCP_RELEASE}
+
+
+echo "******Download the rhcos.json file for the $build_version*******"
+export COMMIT_ID=$(./openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
+curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json > rhcos.json
+
+ls -ltr release.txt rhcos.json openshift-baremetal-install openshift-client-linux-$build_version.tar.gz
+
+echo "****Confirm the version*****"
+
+./openshift-baremetal-install version
+
+
+
+
+
+
+
+
+1. Fully disconnected infers that no system in the OpenShift Container Platform has deployment access to the internet. +
+
+2. If creating the mirrored registry, this system will require online access. The registry node may be a virtual machine in order to reduce physical server footprint. +
+
+3. https://github.com/openshift/installer/issues/2762 +
+
+ + + \ No newline at end of file diff --git a/latest/Ansible Playbook Disconnected Install.pdf b/latest/Ansible Playbook Disconnected Install.pdf new file mode 100644 index 0000000000..03528bffae Binary files /dev/null and b/latest/Ansible Playbook Disconnected Install.pdf differ diff --git a/latest/Ansible Playbook Install.html b/latest/Ansible Playbook Install.html new file mode 100644 index 0000000000..e0fc9606f2 --- /dev/null +++ b/latest/Ansible Playbook Install.html @@ -0,0 +1,2398 @@ + + + + + + + + + + +Deployment of IPI on BM using the Ansible Playbook + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+
+
+

1. Introduction

+
+
+

This write-up will guide you through the process of using the Ansible +playbooks to deploy a Baremetal Installer Provisioned Infrastructure +(IPI) of Red Hat OpenShift 4.

+
+
+

For the manual details, visit our +Deployment Guide

+
+
+
+
+

2. Prerequisites

+
+
+
    +
  • +

    Best Practice Minimum Setup: 6 Physical servers (1 provision node, 3 master and 2 worker nodes)

    +
  • +
  • +

    Best Practice Minimum Setup for disconnected environments: 7 Physical servers (1 provision node, 1 registry node[1], 3 master and 2 worker nodes)

    +
  • +
  • +

    Minimum Setup: 4 Physical servers (1 provision node, 3 master nodes)

    +
  • +
  • +

    Minimum Setup for disconnected environments: 5 Physical servers (1 provision node, 1 registry node[1], 3 master nodes)

    +
  • +
  • +

    Each server needs 2 NICs pre-configured. NIC1 for the private network and NIC2 for the baremetal network. NIC interface names must be identical across all nodes[2]

    +
  • +
  • +

    It is recommended each server have a RAID-1 configured and initialized (though not enforced)

    +
  • +
  • +

    Each server must have IPMI configured

    +
  • +
  • +

    Each server must have DHCP setup for the baremetal NICs

    +
  • +
  • +

    Each server must have DNS setup for the API, wildcard applications

    +
  • +
  • +

    A DNS VIP is IP on the baremetal network is required for reservation. Reservation is done via our DHCP server (though not required).

    +
  • +
  • +

    Optional - Include DNS entries for the hostnames for each of the servers

    +
  • +
  • +

    Download a copy of your Pull Secret

    +
  • +
+
+
+

Due to the complexities of properly configuring an environment, it is +recommended to review the following steps prior to running the Ansible +playbook as without proper setup, the Ansible playbook won’t work.

+
+
+

The section to review and ensure proper configuration are as follows:

+
+
+ +
+
+

Once the above is complete, install Red Hat Enterprise Linux (RHEL) 8.x on your provision node and create a user (i.e. kni) to deploy as non-root and provide that user sudo privileges.

+
+
+

For simplicity, the steps to create the user named kni is as follows:

+
+
+
    +
  1. +

    Login into the provision node via ssh

    +
  2. +
  3. +

    Create a user (i.e kni) to deploy as non-root and provide that user sudo privileges

    +
    +
    +
    useradd kni
    +passwd kni
    +echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    +chmod 0440 /etc/sudoers.d/kni
    +
    +
    +
  4. +
  5. +

    Enable a dnf local repository on the provision host

    +
  6. +
+
+
+
+
+

3. Tour of the Ansible Playbook

+
+
+
    +
  • +

    inventory - contains the file hosts.sample that:

    +
    +
      +
    • +

      contains all the modifiable variables, their default values, and their definition. Some variables are empty ensuring users give an explicit value.

      +
    • +
    • +

      the setting up of your provision node, master nodes, and worker nodes. Each section will require additional details (i.e. Management credentials).

      +
    • +
    +
    +
  • +
  • +

    requirements - contains the list of collections required by the playbook.

    +
    +
      +
    • +

      The collections include two roles: redhatci.ocp.node_prep and redhatci.ocp.installer. redhatci.ocp.node_prep handles all the prerequisites that the provisioner node requires prior to running the installer. The redhatci.ocp.installer role handles extracting the installer, setting up the manifests, and running the Red Hat OpenShift installation.

      +
    • +
    +
    +
  • +
+
+
+

The tree structure is shown below:

+
+
+
+
├── ansible.cfg
+├── inventory
+│   └── hosts.sample
+├── playbook.yml
+└── requirements.yml
+
+
+
+
+
+

4. Running the Ansible Playbook

+
+
+

The following are the steps to successfully run the Ansible playbook.

+
+
+

4.1. git clone the Ansible playbook

+
+

The first step to using the Ansible playbook is to clone the +baremetal-deploy repository.

+
+
+ + + + + +
+ + +This should be done on a system that can access the provision host +
+
+
+
    +
  1. +

    Clone the git repository

    +
    +
    +
    [user@laptop ~]$ git clone https://github.com/openshift-kni/baremetal-deploy.git
    +
    +
    +
  2. +
  3. +

    Change to the ansible-ipi-install directory

    +
    +
    +
    [user@laptop ~]$ cd /path/to/git/repo/baremetal-deploy/ansible-ipi-install
    +
    +
    +
  4. +
+
+
+
+

4.2. Install the required Ansible collections

+
+

The Ansible playbook makes use of different collections defined in the requirements.yml file. Two of the main roles come from the redhatci.ocp collection.

+
+
+
    +
  1. +

    Install required collections

    +
  2. +
+
+
+
+
[user@laptop ~]$ ansible-galaxy collection install -r requirements.yml
+
+
+
+
+

4.3. The ansible.cfg file

+
+

While the ansible.cfg may vary upon your environment +a sample is provided in the repository.

+
+
+
+
[defaults]
+inventory=./inventory
+remote_user=kni
+callback_whitelist = profile_tasks
+
+[privilege_escalation]
+become_method=sudo
+
+
+
+ + + + + +
+ + +
+

Ensure to change the remote_user as deemed appropriate for +your environment. The remote_user is the user previously +created on the provision node.

+
+
+
+
+
+

4.4. Ansible version

+
+

Ensure that your environment is using Ansible 2.9 or +greater. The following command can be used to verify.

+
+
+
+
ansible --version
+ansible 2.9.1
+  config file = /path/to/baremetal-deploy/ansible-ipi-install/ansible.cfg
+  configured module search path = ['/path/to/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
+  ansible python module location = /usr/lib/python3.7/site-packages/ansible
+  executable location = /usr/bin/ansible
+  python version = 3.7.2 (default, Jan 16 2019, 19:49:22) [GCC 8.2.1 20181215 (Red Hat 8.2.1-6)]
+
+
+
+ + + + + +
+ + +The config file section should point to the path of your ansible.cfg +
+
+
+
+

4.5. Copy local SSH key to provision node

+
+

With the ansible.cfg file in place, the next step is +to ensure to copy your public ssh key to your provision + node using ssh-copy-id.

+
+
+

From the system that is to run the playbook,

+
+
+
+
$ ssh-copy-id <user>@provisioner.example.com
+
+
+
+ + + + + +
+ + +<user> should be the user previously created on the provision node (i.e. kni) +
+
+
+
+

4.6. Modifying the inventory/hosts

+
+

The hosts file provides all the definable variables and provides a +description of each variable. Some of the variables are explicitly left + empty and require user input for the playbook to run.

+
+
+

The hosts file ensures all your nodes that will be used to deploy +IPI on baremetal are setup. There are 4 groups: masters, workers, +provisioner, and registry_host (optional). The masters and +workers group collects information about the host such as its name, +role, user management (i.e. iDRAC) user, user management (i.e. iDRAC) +password, ipmi_address, ipmi_port to access the server and the +provision mac address (NIC1) that resides on the provisioning network.

+
+
+

Below is a sample of the inventory/hosts file

+
+
+
+
[all:vars]
+
+###############################################################################
+# Required configuration variables for IPI on Baremetal Installations         #
+###############################################################################
+
+# The provisioning NIC (NIC1) used on all baremetal nodes
+prov_nic=eno1
+
+# The public NIC (NIC2) used on all baremetal nodes
+pub_nic=eno2
+
+# (Optional) Set the provisioning bridge name. Default value is 'provisioning'.
+#provisioning_bridge=provisioning
+
+# (Optional) Set the baremetal bridge name. Default value is 'baremetal'.
+#baremetal_bridge=baremetal
+
+# (Optional) Activation-key for proper setup of subscription-manager, empty value skips registration
+#activation_key=""
+
+# (Optional) Activation-key org_id for proper setup of subscription-manager, empty value skips registration
+#org_id=""
+
+# The directory used to store the cluster configuration files (install-config.yaml, pull-secret.txt, metal3-config.yaml)
+dir="{{ ansible_user_dir }}/clusterconfigs"
+
+# The version of the openshift-installer, undefined or empty results in the playbook failing with error message.
+# Values accepted: 'latest-4.3', 'latest-4.4', explicit version i.e. 4.3.0-0.nightly-2019-12-09-035405
+version=""
+
+# Enter whether the build should use 'dev' (nightly builds) or 'ga' for Generally Available version of OpenShift
+# Empty value results in playbook failing with error message.
+build=""
+
+# (Optional) Provisioning IP Network and dhcp range (default value)
+# If defined, make sure to update 'prov_ip' with a valid IP outside of your 'prov_dhcp_range' and update all other places like 'no_proxy_list'
+# prov_network=172.22.0.0/21
+# prov_dhcp_range="172.22.0.10,172.22.0.100"
+
+# Provisioning IP address (default value)
+prov_ip=172.22.0.3
+
+# (Optional) Enable playbook to pre-download RHCOS images prior to cluster deployment and use them as a local
+# cache.  Default is false.
+#cache_enabled=True
+
+# (Optional) Enable IPv6 addressing instead of IPv4 addressing
+#ipv6_enabled=True
+
+# (Optional) When ipv6_enabled is set to True, but want IPv4 addressing on provisioning network
+# Default is false.
+#ipv4_provisioning=True
+
+# (Optional) When ipv6_enabled is set to True, but want IPv4 addressing on baremetal network
+#ipv4_baremetal=True
+
+# (Optional) A list of clock servers to be used in chrony by the masters and workers
+#clock_servers=["pool.ntp.org","clock.redhat.com"]
+
+# (Optional) Provide HTTP proxy settings
+#http_proxy=http://USERNAME:PASSWORD@proxy.example.com:8080
+
+# (Optional) Provide HTTPS proxy settings
+#https_proxy=https://USERNAME:PASSWORD@proxy.example.com:8080
+
+# (Optional) comma-separated list of hosts, IP Addresses, or IP ranges in CIDR format
+# excluded from proxying
+# NOTE: OpenShift does not accept '*' as a wildcard attached to a domain suffix
+# i.e. *.example.com
+# Use '.' as the wildcard for a domain suffix as shown in the example below.
+# i.e. .example.com
+#no_proxy_list="172.22.0.0/24,.example.com"
+
+# The default installer timeouts for the bootstrap and install processes may be too short for some baremetal
+# deployments. The variables below can be used to extend those timeouts.
+
+# (Optional) Increase bootstrap process timeout by N iterations.
+#increase_bootstrap_timeout=2
+
+# (Optional) Increase install process timeout by N iterations.
+#increase_install_timeout=2
+
+# (Optional) Disable RedFish inspection to intelligently choose between IPMI or RedFish protocol.
+# By default this feature is enabled and set to true. Uncomment below to disable and use IPMI.
+#redfish_inspection=false
+
+# (Optional) Modify files on the node filesystems, you can augment the "fake" roots for the
+# control plane and worker nodes.
+# If defined, playbook will look for files in control plane and worker subdirectories.
+# Otherwise, it will look in {{ role_path }}/files/customize_filesystem (default)
+# For more information on modifying node filesystems visit: https://bit.ly/36tD30f
+#customize_node_filesystems="/path/to/customized/filesystems"
+
+# (Optional) Modify the path to add external manifests to the deployed nodes.
+# There are two folders manifests/ and openshift/
+# If defined, the playbook will copy manifests from the user provided directory.
+# Otherwise, files will be copied from the default location 'roles/installer/files/manifests/*'
+#customize_extramanifests_path="/path/to/extra/manifests"
+#customize_extramanifestsopenshift_path="/path/to/extra/ogpenshift"
+
+######################################
+# Vars regarding install-config.yaml #
+######################################
+
+# Base domain, i.e. example.com
+domain=""
+# Name of the cluster, i.e. openshift
+cluster=""
+# The public CIDR address, i.e. 10.1.1.0/21
+extcidrnet=""
+# An IP reserved on the baremetal network.
+dnsvip=""
+# An IP reserved on the baremetal network for the API endpoint.
+# (Optional) If not set, a DNS lookup verifies that api.<clustername>.<domain> provides an IP
+#apivip=""
+# An IP reserved on the baremetal network for the Ingress endpoint.
+# (Optional) If not set, a DNS lookup verifies that *.apps.<clustername>.<domain> provides an IP
+#ingressvip=""
+# The master hosts provisioning nic
+# (Optional) If not set, the prov_nic will be used
+#masters_prov_nic=""
+# Network Type (OpenShiftSDN or OVNKubernetes). Playbook defaults to OVNKubernetes.
+# Uncomment below for OpenShiftSDN
+#network_type="OpenShiftSDN"
+# (Optional) A URL to override the default operating system image for the bootstrap node.
+# The URL must contain a sha256 hash of the image.
+# See https://github.com/openshift/installer/blob/master/docs/user/metal/customization_ipi.md
+#   Example https://mirror.example.com/images/qemu.qcow2.gz?sha256=a07bd...
+#bootstraposimage=""
+# (Optional) A URL to override the default operating system image for the cluster nodes.
+# The URL must contain a sha256 hash of the image.
+# See https://github.com/openshift/installer/blob/master/docs/user/metal/customization_ipi.md
+# Example https://mirror.example.com/images/metal.qcow2.gz?sha256=3b5a8...
+#clusterosimage=""
+# A copy of your pullsecret from https://cloud.redhat.com/openshift/install/metal/user-provisioned
+pullsecret=""
+
+# (Optional) Disable BMC Certification Validation. When using self-signed certificates for your BMC, ensure to set to True.
+# Default value is False.
+#disable_bmc_certificate_verification=True
+
+# (Optional) Enable RedFish VirtualMedia/iDRAC VirtualMedia
+#enable_virtualmedia=True
+
+# (Required when enable_virtualmedia is set to True) Set an available IP address from the baremetal net for these two variables
+#provisioningHostIP=<baremetal_net_IP1>
+#bootstrapProvisioningIP=<baremetal_net_IP2>
+
+# (Optional) A MAC address to use for the external NIC on the bootstrap VM. This is optional and if blank is generated by libvirt.
+#externalMACAddress="52:54:00:XX:XX:XX"
+
+# Master nodes
+# The hardware_profile is used by the baremetal operator to match the hardware discovered on the host
+# See https://github.com/metal3-io/baremetal-operator/blob/master/docs/api.md#baremetalhost-status
+# ipmi_port is optional for each host. 623 is the common default used if omitted
+# poweroff is optional. True or ommited (by default) indicates the playbook will power off the node before deploying OCP
+#  otherwise set it to false
+# (Optional) OpenShift 4.6+, Set Root Device Hints to choose the proper device to install operating system on OpenShift nodes.
+# root device hint options include: ['deviceName','hctl','model','vendor','serialNumber','minSizeGigabytes','wwn','rotational']
+# Root Device Hint values are case sensitive.
+# root_device_hint="deviceName"
+# root_device_hint_value="/dev/sda"
+
+[masters]
+master-0 name=master-0 role=master ipmi_user=admin ipmi_password=password ipmi_address=192.168.1.1 ipmi_port=623 provision_mac=ec:f4:bb:da:0c:58 hardware_profile=default poweroff=true
+master-1 name=master-1 role=master ipmi_user=admin ipmi_password=password ipmi_address=192.168.1.2 ipmi_port=623 provision_mac=ec:f4:bb:da:32:88 hardware_profile=default poweroff=true
+master-2 name=master-2 role=master ipmi_user=admin ipmi_password=password ipmi_address=192.168.1.3 ipmi_port=623 provision_mac=ec:f4:bb:da:0d:98 hardware_profile=default poweroff=true
+
+# Worker nodes
+[workers]
+worker-0 name=worker-0 role=worker ipmi_user=admin ipmi_password=password ipmi_address=192.168.1.4 ipmi_port=623 provision_mac=ec:f4:bb:da:0c:18 hardware_profile=unknown poweroff=true
+worker-1 name=worker-1 role=worker ipmi_user=admin ipmi_password=password ipmi_address=192.168.1.5 ipmi_port=623 provision_mac=ec:f4:bb:da:32:28 hardware_profile=unknown poweroff=true
+
+# Provision Host
+[provisioner]
+provisioner.example.com
+
+# Registry Host
+#   Define a host here to create or use a local copy of the installation registry
+#   Used for disconnected installation
+# [registry_host]
+# registry.example.com
+
+# [registry_host:vars]
+# The following cert_* variables are needed to create the certificates
+#   when creating a disconnected registry. They are not needed to use
+#   an existing disconnected registry.
+# cert_country=US #it must be two letters country
+# cert_state=MyState
+# cert_locality=MyCity
+# cert_organization=MyCompany
+# cert_organizational_unit=MyDepartment
+
+# The port exposed on the disconnected registry host can be changed from
+# the default 5000 to something else by changing the following variable.
+# registry_port=5000
+
+# The directory the mirrored registry files are written to can be modified from teh default /opt/registry by changing the following variable.
+# registry_dir="/opt/registry"
+
+# The following two variables must be set to use an existing disconnected registry.
+#
+# Specify a file that contains extra auth tokens to include in the
+#   pull-secret if they are not already there.
+# disconnected_registry_auths_file=/path/to/registry-auths.json
+
+# Specify a file that contains the addition trust bundle and image
+#   content sources for the local registry. The contents of this file
+#   will be appended to the install-config.yml file.
+# disconnected_registry_mirrors_file=/path/to/install-config-appends.json
+
+
+
+ + + + + +
+ + +
+

The ipmi_address can take a fully qualified name assuming it is +resolvable.

+
+
+

The ipmi_port examples above show how a user can specify a different +ipmi_port for each host within their inventory file. If the +ipmi_port variable is omitted from the inventory file, the default +of 623 will be used.

+
+
+

A detailed description of the vars under the section +Vars regarding install-config.yaml may be reviewed within +Configuration Files if unsure how to populate.

+
+
+
+
+

4.6.1. Enabling dual-stack based deployments (optional).

+
+

Users now can deploy dual-stack based deployments using ansible-playbook by including below variables under inventory/hosts.sample file.

+
+
+
+
ipv6_enabled=True
+dualstack_baremetal=True
+extcidrnet="<ipv4-subnet-for-your-cluster>"   #Ex: 10.0.0.1/24
+extcidrnet6="<ipv6-subnet-for-your-cluster>"  #Ex: fe80:12:0:4567::/64
+
+
+
+ + + + + +
+ + +Only applicable for OCP versions greater than 4.6. +
+
+
+
+
+

4.7. The Ansible playbook.yml

+
+

The Ansible playbook connects to your provision host and +runs through the redhatci.ocp.node_prep role and the +redhatci.ocp.installer role. +No modification is necessary. All modifications of variables +may be done within the inventory/hosts file. A sample file +is located in this repository under inventory/hosts.sample. +From the system that is to run the playbook,

+
+
+
Sample playbook.yml
+
+
---
+- name: IPI on Baremetal Installation Playbook
+  hosts: provisioner
+  collections:
+    - redhatci.ocp
+  roles:
+    - node_prep
+    - installer
+
+
+
+
+

4.8. Customizing the Node Filesystems

+
+

If you need to modify files on the node filesystems, you can augment +the "fake" roots for the masters and workers under the +roles/installer/files/customize_filesystem/{master,worker} +directories. Any files added here will be included in the ignition +config files for each of the machine types, leading to permanent +changes to the node filesystem.

+
+
+ + + + + +
+ + +
+

Do not place any files directly in the "fake" root — only in +subdirectories. Files in the root will cause the ignition process to +fail. (There is a task in the playbook to cleanup the .gitkeep file +in the root, if it is left in place.)

+
+
+
+
+

This will utilize the Ignition +filetranspiler tool, +which you can read about for more information on how to use the "fake" +root directories.

+
+
+

An example of using this customization is to disable a network +interface that you need to not receive a DHCP assignment that is +outside of the cluster configuration. To do this for the eno1 +interface on the master nodes, create the appropriate +etc/sysconfig/network-scripts/ifcfg-eno1 file in the "fake" root:

+
+
+
+
IFCFG_DIR="roles/installer/files/customize_filesystem/master/etc/sysconfig/network-scripts"
+IFNAME="eno1"
+mkdir -p $IFCFG_DIR
+cat << EOF > $IFCFG_DIR/ifcfg-${IFNAME}
+DEVICE=${IFNAME}
+BOOTPROTO=none
+ONBOOT=no
+EOF
+
+
+
+ + + + + +
+ + +
+

By default these directories are empty, and the worker subdirectory +is a symbolic link to the master subdirectory so that changes are +universal.

+
+
+
+
+
+

4.9. Adding Extra Configurations to the OpenShift Installer

+
+

Prior to the installation of Red Hat OpenShift, you may want to include +additional configuration files to be included during the installation. +The installer role handles this.

+
+
+

In order to include the extraconfigs, ensure to place your yaml +files within the roles/installer/files/manifests directory. All the +files provided here will be included when the OpenShift manifests are +created.

+
+
+ + + + + +
+ + +By default this directory is empty. +
+
+
+
+

4.10. Pre-caching RHCOS Images

+
+

If you wish to set up a local cache of RHCOS images on your +provisioning host, set the cache_enabled variable to True in your +hosts file. When requested, the playbook will pre-download RHCOS +images prior to actual cluster deployment.

+
+
+

It places these images in an Apache web server container on the +provisioning host and modifies install-config.yaml to +instruct the bootstrap VM to download the images from that web server +during deployment.

+
+
+ + + + + +
+ + +
+

If you set the clusterosimage and bootstraposimage variables, +then cache_enabled will automatically be set to False. Setting +these variables leaves the responsibility to the end user in ensuring +the RHCOS images are readily available and accessible to the provision +host.

+
+
+
+
+
+

4.11. Disconnected Registry

+
+

A disconnected registry can be used to deploy the cluster. This +registry can exist or can be created.

+
+
+

To use a disconnected registry, set the registries host name in the +[registry_host] group in the inventory file.

+
+
+

4.11.1. Creating a new disconnected registry

+
+

To create a new disconnected registry, the +disconnected_registry_auths_file and +disconnected_registry_mirrors_file variables must not be set.

+
+
+

The certificate information used to generate the host certificate must +be defined. These variables must be defined as variables to the +registry_host group in the inventory file.

+
+
+
+
[registry_host:vars]
+cert_country=US
+cert_state=MyState
+cert_locality=MyCity
+cert_organization=MyCompany
+cert_organizational_unit=MyDepartment
+
+
+
+ + + + + +
+ + +cert_country must be only two letters, i.e. US +
+
+
+
+

4.11.2. Using an Existing Registry

+
+ + + + + +
+ + +If no existing registry is already existing for your fully disconnected +environment, visit Creating a New Disconnected Registry section. +
+
+
+

When using an existing registry, two variables labeled +disconnected_registry_auths_file and the disconnected_registry_mirrors_file +must be set. These variables are located within your inventory/hosts file and +the inventory/hosts.sample file can be used as reference.

+
+
+

The disconnected_registry_auths_file variable should point to a file +containing json data regarding your registry information. This will be appended +to the auths section of the pull secret by the Ansible playbook itself.

+
+
+

An example of the contents of the disconnected_registry_auths_file is shown +below.

+
+
+
+
cat /path/to/registry-auths.json
+{"registry.example.com:5000": {"auth": "ZHVtbXk6ZHsFVtbXk=", "email": "user@example.com" } }
+
+
+
+ + + + + +
+ + +
+

The auth password given base64 encoding of the http credentials used to +create the htpasswd file.

+
+
+

Example:

+
+
+

[user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 ) + 
+[user@registry ~]$ echo $b64auth

+
+
+
+
+

The disconnected_registry_mirrors_file variable should point to a file +containing the additionalTrustBundle and imageContentSources (OpenShift +4.13 and below) or imageDigestSources (OpenShift 4.14 and above) for +the disconnected registry. The certificate that goes within the additional +trust bundle is the disconnected registry node’s certificate. The +imageContentSources adds the mirrored information of the registry. The below +content from the install-config-appends.yml file gets automatically appended +by the Ansible playbook.

+
+
+
+
cat /path/to/install-config-appends.yml
+additionalTrustBundle: |
+  -----BEGIN CERTIFICATE-----
+  MIIGPDCCBCSgAwIBAgIUWr1DxDq53hrsk6XVLRXUjfF9m+swDQYJKoZIhvcNAQEL
+  BQAwgZAxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNeVN0YXRlMQ8wDQYDVQQHDAZN
+  eUNpdHkxEjAQBgNVBAoMCU15Q29tcGFueTEVMBMGA1UECwwMTXlEZXBhcnRtZW50
+  .
+  . [ABBREVIATED CERTIFICATE FOR BREVITY]
+  .
+  MTMwMQYDVQQDDCpyZWdpc3RyeS5rbmk3LmNsb3VkLmxhYi5lbmcuYm9zLnJlZGhh
+  dC5jb20wHhcNMjAwNDA3MjM1MzI2WhcNMzAwNDA1MjM1MzI2WjCBkDELMAkGA1UE
+  -----END CERTIFICATE-----
+
+<image-config>: (1)
+- mirrors:
+  - registry.example.com:5000/ocp4/openshift4
+  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
+- mirrors:
+  - registry.example.com:5000/ocp4/openshift4
+  source: registry.svc.ci.openshift.org/ocp/release
+- mirrors:
+  - registry.example.com:5000/ocp4/openshift4
+  source: quay.io/openshift-release-dev/ocp-release
+
+
+
+

Where:

+
+
+

+ +<1> <image-config> is either imageContentSources for OpenShift 4.13 and below, or imageDigestSources for Openshift 4.14 and above.

+
+
+ + + + + +
+ + +Indentation is important in the yml file. Ensure your copy of the install-config-appends.yml is properly indented as in the example above. +
+
+
+
+
+

4.12. Running the playbook.yml

+
+

With the playbook.yml set and in-place, run the playbook.yml

+
+
+
+
$ export ANSIBLE_CONFIG=./ansible.cfg
+$ ansible-playbook -i inventory/hosts playbook.yml
+
+
+
+
+
+
+

5. Verifying Installation

+
+
+

Once the playbook has successfully completed, verify that your +environment is up and running.

+
+
+
    +
  1. +

    Log into the provision node

    +
    +
    +
    ssh kni@provisioner.example.com
    +
    +
    +
    + + + + + +
    + + +kni user is my privileged user. +
    +
    +
  2. +
  3. +

    Export the kubeconfig file located in the ~/clusterconfigs/auth directory

    +
    +
    +
    export KUBECONFIG=~/clusterconfigs/auth/kubeconfig
    +
    +
    +
  4. +
  5. +

    Verify the nodes in the OpenShift cluster

    +
    +
    +
    [kni@worker-0 ~]$ oc get nodes
    +NAME                                         STATUS   ROLES           AGE   VERSION
    +master-0.openshift.example.com               Ready    master          19h   v1.16.2
    +master-1.openshift.example.com               Ready    master          19h   v1.16.2
    +master-2.openshift.example.com               Ready    master          19h   v1.16.2
    +worker-0.openshift.example.com               Ready    worker          19h   v1.16.2
    +worker-1.openshift.example.com               Ready    worker          19h   v1.16.2
    +
    +
    +
  6. +
+
+
+
+
+

6. Troubleshooting

+
+
+

The following section troubleshoots common errors that +may arise when running the Ansible playbook.

+
+
+

6.1. Unreachable Host

+
+

One of the most common errors is not being able to reach the +provisioner host and seeing an error similar to

+
+
+
+
$ ansible-playbook -i inventory/hosts playbook.yml
+
+PLAY [IPI on Baremetal Installation Playbook] **********************************
+
+TASK [Gathering Facts] *********************************************************
+fatal: [provisioner.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: Could not resolve hostname provisioner.example.com: Name or service not known", "unreachable": true}
+
+PLAY RECAP *********************************************************************
+provisioner.example.com    : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+
+
+
+

In order to solve this issue, ensure your provisioner hostname is +pingable.

+
+
+
    +
  1. +

    The system you are currently on can ping the provisioner.example.com

    +
    +
    +
    ping provisioner.example.com
    +
    +
    +
  2. +
  3. +

    Once pingable, ensure that you have copied your public SSH key from your local system to the privileged user via the ssh-copy-id command.

    +
    +
    +
    ssh-copy-id kni@provisioner.example.com
    +
    +
    +
    + + + + + +
    + + +When prompted, enter the password of your privileged user (i.e. kni). +
    +
    +
  4. +
  5. +

    Verify connectivity using the ping module in Ansible

    +
    +
    +
    ansible -i inventory/hosts provisioner -m ping
    +provisioner.example.com | SUCCESS => {
    +    "ansible_facts": {
    +        "discovered_interpreter_python": "/usr/libexec/platform-python"
    +    },
    +    "changed": false,
    +    "ping": "pong"
    +}
    +
    +
    +
  6. +
  7. +

    Re-run the Ansible playbook

    +
    +
    +
    $ ansible-playbook -i inventory/hosts playbook.yml
    +
    +
    +
  8. +
+
+
+
+

6.2. Permission Denied Trying To Connect To Host

+
+

Another very common error is getting a permission denied error similar +to:

+
+
+
+
$ ansible-playbook -i inventory/hosts playbook.yml
+
+PLAY [IPI on Baremetal Installation Playbook] *****************************************************************************************************
+
+TASK [Gathering Facts] ****************************************************************************************************************************
+fatal: [provisioner.example.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: rlopez@provisioner.example.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).", "unreachable": true}
+
+PLAY RECAP ****************************************************************************************************************************************
+provisioner.example.com : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
+
+
+
+

The above issue is typically related to a problem with your +ansible.cfg file. Either it does not exist, has errors inside it, or +you have not copied your SSH public key onto the +provisioner.example.com system. If you notice closely, the Ansible +playbook attempted to use my rlopez user instead of my kni user +since my local ansible.cfg did not exist AND I had not yet set +the remote_user parameter to kni (my privileged user).

+
+
+
    +
  1. +

    When working with the Ansible playbook ensure you have an ansible.cfg located in the same directory as your playbook.yml file. The contents of the ansible.cfg should look similar to the below with the exception of changing your inventory path (location of inventory directory) and potentially your privileged user if not using kni.

    +
    +
    +
    $ cat ansible.cfg
    +[defaults]
    +inventory=/path/to/baremetal-deploy/ansible-ipi-install/inventory
    +remote_user=kni
    +
    +[privilege_escalation]
    +become=true
    +become_method=sudo
    +
    +
    +
  2. +
  3. +

    Next, ensure that you have copied your public SSH key from your local system to the privileged user via the ssh-copy-id command.

    +
    +
    +
    ssh-copy-id kni@provisioner.example.com
    +
    +
    +
    + + + + + +
    + + +When prompted, enter the password of your privileged user (i.e. kni). +
    +
    +
  4. +
  5. +

    Verify connectivity using the ping module in Ansible

    +
    +
    +
    ansible -i inventory/hosts provisioner -m ping
    +provisioner.example.com | SUCCESS => {
    +    "ansible_facts": {
    +        "discovered_interpreter_python": "/usr/libexec/platform-python"
    +    },
    +    "changed": false,
    +    "ping": "pong"
    +}
    +
    +
    +
  6. +
  7. +

    Re-run the Ansible playbook

    +
    +
    +
    $ ansible-playbook -i inventory/hosts playbook.yml
    +
    +
    +
  8. +
+
+
+
+

6.3. Dig lookup requires the python ‘dnspython’ library and it is not installed

+
+

One of the tasks in the node_prep role captures your API VIP and the +Ingress VIP of your environment using a lookup via dig. It does +this DNS query using the dnspython library. +This error is a little deceiving because the dnspython package +does not need to be installed on the remote server +(i.e. provisioner.example.com) but the package must be installed on +your local host that is running the Ansible playbook.

+
+
+
+
TASK [node_prep : fail] ************************************************************************************************************
+skipping: [provisioner.example.com]
+
+TASK [node_prep : Verify DNS records for API VIP, Wildcard (Ingress) VIP] **********************************************************
+fatal: [provisioner.example.com]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'dig'. Error was a <class 'ansible.errors.AnsibleError'>, original message: The dig lookup requires the python 'dnspython' library and it is not installed"}
+
+PLAY RECAP *************************************************************************************************************************
+provisioner.example.com : ok=2    changed=0    unreachable=0    failed=1    skipped=3    rescued=0    ignored=0
+
+
+
+

The above issue can be fixed by simply installing python3-dns on +your local system (assuming your using an OS such as Fedora, Red Hat)

+
+
+

On a local host running Red Hat 8.x, run:

+
+
+
+
# sudo dnf install python3-dns
+
+
+
+

On a local host running Red Hat 7.x, run:

+
+
+
+
# sudo yum install python2-dns
+
+
+
+

On a local host running Fedora, run:

+
+
+
+
# sudo dnf install python3-dns
+
+
+
+

Re-run the Ansible playbook

+
+
+
+
$ ansible-playbook -i inventory/hosts playbook.yml
+
+
+
+
+

6.4. Missing python netaddr library

+
+

The Ansible playbook takes advantage of certain filters such as the +ipaddr +filter. In order to use this filter, your localhost running the +Ansible playbook requires the python netaddr library.

+
+
+

The error when running the playbook looks like the following:

+
+
+
+
TASK [node_prep : Fail if Python modules are missing] ******************************************************************************
+Tuesday 05 May 2020  19:30:19 +0000 (0:00:00.512)       0:00:13.829 ***********
+fatal: [localhost]: FAILED! => {"changed": false, "msg": "Missing python module(s) ['netaddr'] on localhost\n"}
+
+
+
+

The above issue can be fixed by simply installing python3-netaddr on +your local system (assuming your using an OS such as Fedora, Red Hat)

+
+
+

On a local host running Red Hat 8.x, run:

+
+
+
+
# sudo dnf install python3-netaddr
+
+
+
+

On a local host running Red Hat 7.x, run:

+
+
+
+
# sudo yum install python2-netaddr
+
+
+
+

On a local host running Fedora, run:

+
+
+
+
# sudo dnf install python3-netaddr
+
+
+
+

Re-run the Ansible playbook

+
+
+
+
$ ansible-playbook -i inventory/hosts playbook.yml
+
+
+
+
+

6.5. Shared connection closed on provision host when installing packages

+
+

When deploying in an environment where subscription manager is not +being used and a local repository is being setup on the provision host +due to the nature that the provision host is offline, you may see the +following error.

+
+
+
+
TASK [node_prep : Install required packages] ************************************************************************************************
+Thursday 07 May 2020  17:04:21 +0000 (0:00:00.152)       0:00:11.854 **********
+fatal: [provisioner.example.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to provisioner.example.com closed.\r\n", "module_stdout": "[Errno 101] Network is unreachable\r\n\r\n{\"msg\": \"Nothing to do\", \"changed\": false, \"results\": [], \"rc\": 0, \"invocation\": {\"module_args\": {\"name\": [\"firewalld\", \"tar\", \"libvirt\", \"qemu-kvm\", \"python3-devel\", \"jq\", \"ipmitool\", \"python3-libvirt\", \"python3-lxml\", \"python3-yaml\", \"NetworkManager-libnm\", \"nm-connection-editor\", \"libsemanage-python3\", \"policycoreutils-python3\", \"podman\"], \"state\": \"present\", \"update_cache\": true, \"allow_downgrade\": false, \"autoremove\": false, \"bugfix\": false, \"disable_gpg_check\": false, \"disable_plugin\": [], \"disablerepo\": [], \"download_only\": false, \"enable_plugin\": [], \"enablerepo\": [], \"exclude\": [], \"installroot\": \"/\", \"install_repoquery\": true, \"install_weak_deps\": true, \"security\": false, \"skip_broken\": false, \"update_only\": false, \"validate_certs\": true, \"lock_timeout\": 30, \"conf_file\": null, \"disable_excludes\": null, \"download_dir\": null, \"list\": null, \"releasever\": null}}}\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 0}
+
+
+
+

The error basically means that dnf was not able to load particular +plugins, specifically the product-id and the subscription-manager +plugins. However,since this is a local repository with offline access, +we will want to disable these plugins when this error occurs.

+
+
+

On the provision host, if you run the following command:

+
+
+
+
[kni@provisioner ~]$ sudo dnf info dnf
+Updating Subscription Management repositories.
+Unable to read consumer identity
+[Errno 101] Network is unreachable
+Last metadata expiration check: 0:08:49 ago on Thu 07 May 2020 08:11:19 PM UTC.
+Installed Packages
+Name         : dnf
+Version      : 4.2.7
+Release      : 7.el8_1
+Architecture : noarch
+Size         : 1.7 M
+Source       : dnf-4.2.7-7.el8_1.src.rpm
+Repository   : @System
+From repo    : rhel-8-for-x86_64-baseos-rpms
+Summary      : Package manager
+URL          : https://github.com/rpm-software-management/dnf
+License      : GPLv2+ and GPLv2 and GPL
+Description  : Utility that allows users to manage packages on their systems.
+             : It supports RPMs, modules and comps groups & environments.
+
+
+
+

To ensure the issue is plugin related, we can attempt to run the same command +with plugins disabled as such:

+
+
+
+
[kni@provisioner ~]$ sudo dnf info dnf --disableplugin=product-id,subscription-manager
+Last metadata expiration check: 0:11:17 ago on Thu 07 May 2020 08:11:19 PM UTC.
+Installed Packages
+Name         : dnf
+Version      : 4.2.7
+Release      : 7.el8_1
+Architecture : noarch
+Size         : 1.7 M
+Source       : dnf-4.2.7-7.el8_1.src.rpm
+Repository   : @System
+From repo    : rhel-8-for-x86_64-baseos-rpms
+Summary      : Package manager
+URL          : https://github.com/rpm-software-management/dnf
+License      : GPLv2+ and GPLv2 and GPL
+Description  : Utility that allows users to manage packages on their systems.
+             : It supports RPMs, modules and comps groups & environments.
+
+
+
+

If you notice, the portion that says

+
+
+
+
Unable to read consumer identity
+[Errno 101] Network is unreachable
+
+
+
+

is no longer stated.

+
+
+

For this fix to be permanent, modify the /etc/yum.conf file and include +the plugins=0 into the [main] section of the configuration file.

+
+
+
+
[kni@provisioner ~]$ cat /etc/yum.conf
+
+[main]
+gpgcheck=1
+installonly_limit=3
+clean_requirements_on_remove=True
+best=True
+plugins=0
+
+
+
+
+
+
+

7. Gotchas

+
+
+

7.1. Using become: yes within ansible.cfg or inside playbook.yml

+
+

This Ansible playbook takes advantage of the ansible_user_dir +variable. As such, it is important to note that if within your +ansible.cfg or within the playbook.yml file the privilege +escalation of become: yes is used, this will modify the home +directory to that of the root user (i.e. /root) instead of using the +home directory of your privileged user, kni with a home directory of +/home/kni

+
+
+
+

7.2. Failed to connect to bus: No such file or directory

+
+

The Ansible playbook creates two containers (when enabled) to +store a mirored registry and a caching webserver. +When these containers are created, the playbook also creates a +systemd unit file to ensure these containers are restarted upon +the reboot of the host serving them.

+
+
+

Since these are systemd user services, when logging into a +system to attempt a command such as +systemctl --user status container-cache.service for the +webserver or systemctl --user status container-registry.service +for the mirrored registry, you may get an error such as:

+
+
+
+
[kni@provisioner ~]$ systemctl --user status container-cache
+Failed to connect to bus: No such file or directory
+
+
+
+

What the following error is trying to address is that the +parameter, DBUS_SESSIONBUS_ADDRESS, is not set.

+
+
+

In order to set this variable, we can export as follows:

+
+
+
+
export DBUS_SESSIONBUS_ADDRESS="unix:path/run/user/$id/bus"
+
+
+
+

Once that has been set, if you re-attempt the systemctl command, you should +see output as follows:

+
+
+
+
[kni@provisioner ~]$ systemctl --user status container-cache.service
+● container-cache.service - Podman container-cache.service
+   Loaded: loaded (/home/kni/.config/systemd/user/container-cache.service; enabled; vendor preset: enabled)
+   Active: active (running) since Mon 2020-06-01 19:52:04 UTC; 49min ago
+  Process: 36380 ExecStart=/usr/bin/podman start rhcos_image_cache (code=exited, status=0/SUCCESS)
+ Main PID: 36410 (conmon)
+
+
+
+
+
+
+

Appendix A: Using Ansible Tags with the playbook.yml

+
+
+

As this playbook continues to grow, there may be times when it is +useful to run specific portions of the playbook rather than running +everything the Ansible playbook offers.

+
+
+

For example, a user may only want to run the networking piece of the +playbook or create just the pull-secret.txt file, or just clean up the +environment — just to name a few.

+
+
+

As such the existing playbook has many tags that can be used for such +purposes. By running the following command you can see what options +are available.

+
+
+
+
$ ansible-playbook -i inventory/hosts playbook.yml --list-tasks --list-tags
+
+playbook: playbook.yml
+
+  play #1 (provisioner): IPI on Baremetal Installation Playbook	TAGS: []
+    tasks:
+      include_tasks	TAGS: [validation]
+      include_tasks	TAGS: [subscription]
+      include_tasks	TAGS: [packages]
+      include_tasks	TAGS: [network]
+      include_tasks	TAGS: [network_facts]
+      include_tasks	TAGS: [user]
+      include_tasks	TAGS: [services]
+      include_tasks	TAGS: [firewall]
+      include_tasks	TAGS: [storagepool]
+      include_tasks	TAGS: [clusterconfigs]
+      include_tasks	TAGS: [powerservers]
+      include_tasks	TAGS: [cleanup, getoc]
+      include_tasks	TAGS: [extract, pullsecret]
+      include_tasks	TAGS: [rhcospath]
+      include_tasks	TAGS: [cache]
+      include_tasks	TAGS: [installconfig]
+      include_tasks	TAGS: [metal3config]
+      include_tasks	TAGS: [customfs]
+      include_tasks	TAGS: [manifests]
+      include_tasks	TAGS: [extramanifests]
+      include_tasks	TAGS: [cleanup]
+      include_tasks	TAGS: [install]
+      TASK TAGS: [cache, cleanup, clusterconfigs, customfs, extract, extramanifests, firewall, getoc, install, installconfig, manifests, metal3config, network, network_facts, packages, powerservers, pullsecret, rhcospath, services, storagepool, subscription, user, validation]
+
+
+
+

To break this down further, the following is a description of each tag.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1. Table Playbook Tag Description
tagdescription

validation

It is always required. It verifies that everything in your environment is set and ready for OpenShift deployment and sets some required internal variables

subscription

subscribe via Red Hat subscription manager

packages

install required package for OpenShift

network

setup the provisioning and baremetal network bridges and bridge slaves

network_facts

regather networking facts of environment

user

add remote user to libvirt group and generate SSH keys

services

enable appropriate services for OpenShift

firewall

set firewall rules for OpenShift

storagepool

define, create, auto start the default storage pool

clusterconfigs

directory that stores all configuration files for OpenShift

powerservers

power off all servers that will be part of the OpenShift cluster

getoc

get the appropriate oc binary, extract it and place within /usr/local/bin

extract

extract the OpenShift installer

pullsecret

copy the pullsecret to the pull-secret.txt file under the remote user home directory

rhcospath

set the RHCOS path

cache

tasks related to enabling RHCOS image caching

installconfig

generates the install-config.YAML

metal3config

generates the metal3-config.YAML

customfs

deals with customizing the filesystem via ignition files

manifests

create the manifests directory

extramanifests

include any extra manifests files

install

Deploy OpenShift

cleanup

clean up the environment within the provisioning node. Does not remove networking

+
+

A.1. How to use the Ansible tags

+
+

The following is an example on how to use the --tags option. In this example, we will just install the packages to the provision node.

+
+
+
Example 1
+
+
ansible-playbook -i inventory/hosts playbook.yml --tags "validation,packages"
+
+
+
+

The example above calls for the setup of the networking and +installation of the packages from the Ansible playbook. Only the tasks +with these specific tags will run.

+
+
+ + + + + +
+ + +Due to the dependencies in the playbook, the validation tag is always required. +
+
+
+
+

A.2. Skipping particular tasks using Ansible tags

+
+

In the event that you want to always skip certain tasks of the +playbook this can be done via the --skip-tag option.

+
+
+

We will use similar example as above where we want to skip the network +setup and the package installation.

+
+
+
Example 1
+
+
ansible-playbook -i inventory/hosts playbook.yml --skip-tags "network,packages"
+
+
+
+
+
+
+

Appendix B: Using a proxy with your Ansible playbook

+
+
+

When running behind a proxy, it is important to properly set the environment +to handle such scenario such that you can run the Ansible playbook. In order +to use a proxy for the ansible playbook set the appropriate variables within +your inventory/hosts file. These values will also be included within your +generated install-config.yaml file.

+
+
+
+
# (Optional) Provide HTTP proxy settings
+#http_proxy=http://USERNAME:PASSWORD@proxy.example.com:8080
+
+# (Optional) Provide HTTPS proxy settings
+#https_proxy=https://USERNAME:PASSWORD@proxy.example.com:8080
+
+# (Optional) comma-separated list of hosts, IP Addresses, or IP ranges in CIDR format
+# excluded from proxying
+# NOTE: OpenShift does not accept '*' as a wildcard attached to a domain suffix
+# i.e. *.example.com
+# Use '.' as the wildcard for a domain suffix as shown in the example below.
+# i.e. .example.com
+#no_proxy_list="172.22.0.0/24,.example.com"
+
+
+
+
+
+
+
+
+1. If creating the mirrored registry, this system will require online access. The registry node may be a virtual machine in order to reduce physical server footprint. +
+
+2. https://github.com/openshift/installer/issues/2762 +
+
+ + + \ No newline at end of file diff --git a/latest/Ansible Playbook Install.pdf b/latest/Ansible Playbook Install.pdf new file mode 100644 index 0000000000..b1ba5ee9da Binary files /dev/null and b/latest/Ansible Playbook Install.pdf differ diff --git a/latest/Deployment.html b/latest/Deployment.html new file mode 100644 index 0000000000..e7062c4aa5 --- /dev/null +++ b/latest/Deployment.html @@ -0,0 +1,6433 @@ + + + + + + + + + + +Deploying Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal - 4.9 + + + + + + + + + + + + + + + + +
+
+
+
+ + + + + +
+ + +
Draft documentation
+
+

This document is considered a DRAFT:

+
+
+
    +
  1. +

    It might not be complete

    +
  2. +
  3. +

    It might be not accurate

    +
  4. +
  5. +

    It might break your environment

    +
  6. +
+
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+
+
+

1. Overview

+
+
+ + + + + +
+ + +
+

The Bare Metal IPI images and code described in this document are for Developer Preview purposes and are not supported by Red Hat at this time.

+
+
+
+
+

Installer-provisioned installation provides support for installing OpenShift Container Platform on bare metal nodes. This guide provides a methodology to achieving a successful installation.

+
+
+

During installer-provisioned installation on bare metal, the installer on the bare metal node labeled as provisioner creates a bootstrap virtual machine (VM). The role of the bootstrap VM is to assist in the process of deploying an OpenShift Container Platform cluster. The bootstrap VM connects to the baremetal network and to the provisioning network, if present, via the network bridges.

+
+
+
+Deployment phase one +
+
+
+

When the installation of OpenShift control plane nodes is complete and fully operational, the installer destroys the bootstrap VM automatically and moves the virtual IP addresses (VIPs) to +the control plane nodes.

+
+
+
+Deployment phase two +
+
+
+
+
+

2. Prerequisites

+
+ +
+

Installer-provisioned installation of OpenShift Container Platform requires:

+
+
+
    +
  1. +

    One provisioner node with Red Hat Enterprise Linux (RHEL) 8.x installed.

    +
  2. +
  3. +

    Three control plane nodes.

    +
  4. +
  5. +

    Baseboard Management Controller (BMC) access to each node.

    +
  6. +
  7. +

    At least one network:

    +
    +
      +
    1. +

      One required routable network

      +
    2. +
    3. +

      One optional network for provisioning nodes; and,

      +
    4. +
    5. +

      One optional management network.

      +
    6. +
    +
    +
  8. +
+
+
+

Before starting an installer-provisioned installation of OpenShift Container Platform, ensure the hardware environment meets the following requirements.

+
+
+

2.1. Node requirements

+
+

Installer-provisioned installation involves a number of hardware node requirements:

+
+
+
    +
  • +

    CPU architecture: All nodes must use x86_64 CPU architecture.

    +
  • +
  • +

    Similar nodes: Red Hat recommends nodes have an identical configuration per role. That is, Red Hat recommends nodes be the same brand and model with the same CPU, memory and storage configuration.

    +
  • +
  • +

    Baseboard Management Controller: The provisioner node must be able to access the baseboard management controller (BMC) of each OpenShift Container Platform cluster node. You may use IPMI, Redfish, or a proprietary protocol.

    +
  • +
  • +

    Latest generation: Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, RHEL 8 ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support RHEL 8 for the provisioner node and RHCOS 8 for the control plane and worker nodes.

    +
  • +
  • +

    Registry node: (Optional) If setting up a disconnected mirrored registry, it is recommended the registry reside in its own node.

    +
  • +
  • +

    Provisioner node: Installer-provisioned installation requires one provisioner node.

    +
  • +
  • +

    Control plane: Installer-provisioned installation requires three control plane nodes for high availability.

    +
  • +
  • +

    Worker nodes: While not required, a typical production cluster has one or more worker nodes. Smaller clusters are more resource efficient for administrators and developers during development, production, and testing.

    +
  • +
  • +

    Network interfaces: Each node must have at least one 10GB network interface for the routable baremetal network. Each node must have one 10GB network interface for a provisioning network when using the provisioning network for deployment. Using the provisioning network is the default configuration. Network interface names must follow the same naming convention across all nodes. For example, the first NIC name on a node, such as eth0 or eno1, must be the same name on all of the other nodes. The same principle applies to the remaining NICs on each node.

    +
  • +
  • +

    Unified Extensible Firmware Interface (UEFI): Installer-provisioned installation requires UEFI boot on all OpenShift Container Platform nodes when using IPv6 addressing on the provisioning network. In addition, UEFI Device PXE Settings must be set to use the IPv6 protocol on the provisioning network NIC, but omitting the provisioning network removes this requirement.

    +
  • +
  • +

    Secure Boot: Many production scenarios require nodes with Secure Boot enabled to verify the node only boots with trusted software, such as UEFI firmware drivers, EFI applications and the operating system. You may deploy with secure boot manually or managed.

    +
    +
      +
    1. +

      Manually: To deploy a OpenShift Container Platform cluster with Secure Boot manually, you must enable UEFI boot mode and Secure Boot on each control plane node and each worker node. Red Hat supports Secure Boot with manually enabled UEFI and Secure Boot only when installer-provisioned installation uses Redfish virtual media.

      +
    2. +
    3. +

      Managed: To deploy a OpenShift Container Platform cluster with managed Secure Boot, you must set the bootMode value to UEFISecureBoot in the install-config.yaml file. Red Hat only supports installer-provisioned installation with managed Secure Boot on 10th generation HPE hardware and 13th generation Dell hardware running firmware version 2.75.75.75 or greater. Deploying with managed Secure Boot does not require Redfish virtual media.

      +
      + + + + + +
      + + +
      +

      Red Hat does not support Secure Boot with self-generated keys.

      +
      +
      +
      +
    4. +
    +
    +
  • +
+
+
+
+

2.2. Firmware requirements for installing with virtual media

+
+

The installer for installer-provisioned OpenShift Container Platform clusters validates the hardware and firmware compatibility with Redfish virtual media. The following table lists supported firmware for installer-provisioned OpenShift Container Platform clusters deployed with Redfish virtual media.

+
+ + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1. Firmware compatibility for Redfish virtual media
HardwareModelManagementFirmware Versions

HP

10th Generation

iLO5

N/A

9th Generation

iLO4

N/A

Dell

14th Generation

iDRAC 9

v4.20.20.20 - 04.40.00.00

13th Generation

iDRAC 8

v2.75.75.75+

+
+ + + + + +
+ + +
+

Refer to the hardware documentation for the nodes or contact the hardware vendor for information on updating the firmware.

+
+
+

There are no known firmware limitations for HP servers.

+
+
+

For Dell servers, ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach . With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+
+
+ + + + + +
+ + +
+

The installer will not initiate installation on a node if the node firmware is below the foregoing versions when installing with virtual media.

+
+
+
+
+
+

2.3. Network requirements

+
+

Installer-provisioned installation of OpenShift Container Platform involves several network requirements by default. First, installer-provisioned installation involves a non-routable provisioning network for provisioning the operating system on each bare metal node and a routable baremetal network. Since installer-provisioned installation deploys ironic-dnsmasq, the networks should have no other DHCP servers running on the same broadcast domain. Network administrators must reserve IP addresses for each node in the OpenShift Container Platform cluster.

+
+
+

OpenShift Container Platform 4.8 and later releases include functionality that uses cluster membership information to generate A/AAAA records. This resolves the node names to their IP addresses. Once the nodes are registered with the API, the cluster can disperse node information without using CoreDNS-mDNS. This eliminates the network traffic associated with multicast DNS.

+
+
+
Network Time Protocol (NTP)
+

Each OpenShift Container Platform node in the cluster must have access to an NTP server. OpenShift Container Platform nodes use NTP to synchronize their clocks. For example, cluster nodes use SSL certificates that require validation, which might fail if the date and time between the nodes are not in sync.

+
+
+ + + + + +
+ + +
+

Define a consistent clock date and time format in each cluster node’s BIOS settings, or installation might fail.

+
+
+
+
+

In OpenShift Container Platform 4.8 and later releases, you may reconfigure the control plane nodes to act as NTP servers on disconnected clusters, and reconfigure worker nodes to retrieve time from the control plane nodes.

+
+
+
Configuring NICs
+

OpenShift Container Platform deploys with two networks:

+
+
+
    +
  • +

    provisioning: The provisioning network is an optional non-routable network used for provisioning the underlying operating system on each node that is a part of the OpenShift Container Platform cluster. The network interface for the provisioning network on each cluster node must have the BIOS or UEFI configured to PXE boot. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the first NIC on each node, such as eth0 or eno1, must interface with the provisioning network. In OpenShift Container Platform 4.4 and later releases, you can specify the provisioning network NIC with the provisioningNetworkInterface configuration setting.

    +
  • +
  • +

    baremetal: The baremetal network is a routable network. In OpenShift Container Platform 4.3, when deploying using the provisioning network, the second NIC on each node, such as eth1 or eno2, must interface with the baremetal network. In OpenShift Container Platform 4.4 and later releases, you can use any NIC order to interface with the baremetal network, provided it is the same NIC order across worker and control plane nodes and not the NIC specified in the provisioningNetworkInterface configuration setting for the provisioning network.

    +
  • +
+
+
+ + + + + +
+ + +
+

Use a compatible approach such that cluster nodes use the same NIC ordering on all cluster nodes. NICs must have heterogeneous hardware with the same NIC naming convention such as eth0 or eno1.

+
+
+
+
+ + + + + +
+ + +
+

When using a VLAN, each NIC must be on a separate VLAN corresponding to the appropriate network.

+
+
+
+
+
Configuring the DNS server
+

Clients access the OpenShift Container Platform cluster nodes over the baremetal network. A network administrator must configure a subdomain or subzone where the canonical name extension is the cluster name.

+
+
+
+
<cluster-name>.<domain-name>
+
+
+
+

For example:

+
+
+
+
test-cluster.example.com
+
+
+
+

You must also specify an api.<cluster-name>.<domain> record in the DNS. In subsequent configuration steps, when you configure network components to run exclusively on the control plane, the internal DNS resolution no longer works. This is an expected outcome.

+
+
+ + + + + +
+ + +
+

Failure to create a DNS record for the API precludes worker nodes from joining the cluster.

+
+
+
+
+

For assistance in configuring the DNS server, check Appendix section for:

+
+ +
+
Reserving IP addresses for nodes with the DHCP server
+

For the baremetal network, a network administrator must reserve a number of IP addresses, including:

+
+
+
    +
  1. +

    Two virtual IP addresses.

    +
    +
      +
    • +

      One IP address for the API endpoint

      +
    • +
    • +

      One IP address for the wildcard ingress endpoint

      +
    • +
    +
    +
  2. +
  3. +

    One IP address for the provisioner node.

    +
  4. +
  5. +

    One IP address for each control plane (master) node.

    +
  6. +
  7. +

    One IP address for each worker node, if applicable.

    +
  8. +
+
+
+ + + + + +
+ + +
Reserving IP addresses so they become static IP addresses
+
+

Some administrators prefer to use static IP addresses so that each node’s IP address remains constant in the absence of a DHCP server. To use static IP addresses in the OpenShift Container Platform cluster, reserve the IP addresses with an infinite lease. During deployment, the installer will reconfigure the NICs from DHCP assigned addresses to static IP addresses. NICs with DHCP leases that are not infinite will remain configured to use DHCP.

+
+
+
+
+ + + + + +
+ + +
Networking between external load balancers and control plane nodes
+
+

External load balancing services and the control plane nodes must run on the same L2 network, and on the same VLAN when using VLANs to route traffic between the load balancing services and the control plane nodes.

+
+
+
+
+

The following table provides an exemplary embodiment of fully qualified domain names. The API and Nameserver addresses begin with canonical name extensions. The host names of the control plane and worker nodes are exemplary, so you can use any host naming convention you prefer.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
UsageHost NameIP

API

api.<cluster-name>.<domain>

<ip>

Ingress LB (apps)

*.apps.<cluster-name>.<domain>

<ip>

Provisioner node

provisioner.<cluster-name>.<domain>

<ip>

Master-0

openshift-master-0.<cluster-name>.<domain>

<ip>

Master-1

openshift-master-1.<cluster-name>-.<domain>

<ip>

Master-2

openshift-master-2.<cluster-name>.<domain>

<ip>

Worker-0

openshift-worker-0.<cluster-name>.<domain>

<ip>

Worker-1

openshift-worker-1.<cluster-name>.<domain>

<ip>

Worker-n

openshift-worker-n.<cluster-name>.<domain>

<ip>

+
+

For assistance in configuring the DHCP server, check Appendix section for:

+
+ +
+
State-driven network configuration requirements (Technology Preview)
+

OpenShift Container Platform supports additional post-installation state-driven network configuration on the secondary network interfaces of cluster nodes using kubernetes-nmstate. For example, system administrators might configure a secondary network interface on cluster nodes after installation for a storage network.

+
+
+ + + + + +
+ + +
+

Configuration must occur before scheduling pods.

+
+
+
+
+

State-driven network configuration requires installing kubernetes-nmstate, and also requires Network Manager running on the cluster nodes. See OpenShift Virtualization > Kubernetes NMState (Tech Preview) for additional details.

+
+

IPv6 considerations

+
+
SLAAC Addressing
+

If you do not plan to use SLAAC [1] addresses on your OpenShift Container Platform node, then it should be disabled for baremetal networks, that means that if your network equipment is configured to send SLAAC addresses when replying to Route Advertisements that behavior should be changed, so it only sends the route and not the SLAAC address.

+
+
+

Install ndptool on your system in order to check what your RAs look like:

+
+
+
+
# Turn down/up baremetal iface on a master Node
+$ sudo nmcli con down "Wired connection 5" && sudo nmcli con up "Wired connection 5"
+Connection 'Wired connection 5' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1983)
+Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2044)
+
+# ndptool monitor on Helper node
+$ sudo ndptool monitor -t ra
+NDP payload len 80, from addr: fe80::c0a4:6464:bcb3:d657, iface: baremetal.153
+  Type: RA
+  Hop limit: 64
+  Managed address configuration: yes
+  Other configuration: no
+  Default router preference: medium
+  Router lifetime: 0s
+  Reachable time: unspecified
+  Retransmit time: unspecified
+  Source linkaddr: 1c:40:24:1b:0c:34
+  Prefix: 2620:52:0:1303::/64, valid_time: 86400s, preferred_time: 14400s, on_link: yes, autonomous_addr_conf: no, router_addr: no
+  Route: ::/0, lifetime: 0s, preference: low
+
+
+
+

The ndptool monitor should report Managed address configuration: yes.

+
+
+
Network Ranges and Configurations
+

Different baremetal and provisioning networks are required for each environment; each environment will have a different IPv6 range for each one of those networks.

+
+
+

In our configuration we used subinterfaces attached to two different physical interfaces, VLAN tagging was done at O.S. level (this required switch ports configured with trunk mode).

+
+
+

Our different IPv6 networks were all routable but usually, the only routable networks are the baremetal ones.

+
+
+

Keep in mind that provisioning networks cannot be in the same broadcast domain, since services such as DHCP are running.

+
+
+ + + + + +
+ + +
Route Advertisement
+
+

Route Advertisement must be enabled for both networks baremetal and provisioning.

+
+
+
+
+
Route Advertisements
+

As mentioned previously, both the baremetal and the provisioning networks must have Route Advertisement enabled. For the baremetal network, the radvd daemon was used, while the provisioning network has RA enabled in the Metal³ dnsmasq, so no configuration is needed.

+
+
+
+

2.4. Configuring nodes

+
+
Configuring nodes when using the provisioning network
+

Each node in the cluster requires the following configuration for proper installation.

+
+
+ + + + + +
+ + +
+

A mismatch between nodes will cause an installation failure.

+
+
+
+
+

While the cluster nodes can contain more than two NICs, the installation process only focuses on the first two NICs:

+
+ +++++ + + + + + + + + + + + + + + + + + +

NIC

Network

VLAN

NIC1

provisioning

<provisioning-vlan>

NIC2

baremetal

<baremetal-vlan>

+
+

NIC1 is a non-routable network (provisioning) that is only used for the installation of the OpenShift Container Platform cluster.

+
+
+

The Red Hat Enterprise Linux (RHEL) 8.x installation process on the provisioner node might vary. To install Red Hat Enterprise Linux (RHEL) 8.x using a local Satellite server or a PXE server, PXE-enable NIC2.

+
+ ++++ + + + + + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled provisioning network

1

NIC2 baremetal network. PXE-enabled is optional.

2

+
+ + + + + +
+ + +
+

Ensure PXE is disabled on all other NICs.

+
+
+
+
+

Configure the control plane and worker nodes as follows:

+
+ ++++ + + + + + + + + + + +

PXE

Boot order

NIC1 PXE-enabled (provisioning network)

1

+
+
Configuring nodes without the provisioning network
+

The installation process requires one NIC:

+
+ +++++ + + + + + + + + + + + + +

NIC

Network

VLAN

NICx

baremetal

<baremetal-vlan>

+
+

NICx is a routable network (baremetal) that is used for the installation of the OpenShift Container Platform cluster, and routable to the internet.

+
+
+
Configuring nodes for Secure Boot manually
+

Secure Boot prevents a node from booting unless it verifies the node is using only trusted software, such as UEFI firmware drivers, EFI applications and the operating system.

+
+
+ + + + + +
+ + +
+

Red Hat only supports manually configured Secure Boot when deploying with Redfish virtual media.

+
+
+
+
+

To enable Secure Boot manually, refer to the hardware guide for the node and execute the following:

+
+
+
    +
  1. +

    Boot the node and enter the BIOS menu.

    +
  2. +
  3. +

    Set the node’s boot mode to UEFI Enabled.

    +
  4. +
  5. +

    Enable Secure Boot.

    +
  6. +
+
+
+ + + + + +
+ + +
+

Red Hat does not support Secure Boot with self-generated keys.

+
+
+
+
+
+

2.5. Out-of-band management

+
+

Nodes will typically have an additional NIC used by the Baseboard Management Controllers (BMCs). These BMCs must be accessible from the provisioner node.

+
+
+

Each node must be accessible via out-of-band management. When using an out-of-band management network, the provisioner node requires access to the out-of-band management network for a successful OpenShift Container Platform 4 installation.

+
+
+

The out-of-band management setup is out of scope for this document. We recommend setting up a separate management network for out-of-band management. However, using the provisioning network or the baremetal network are valid options.

+
+
+
+

2.6. Required data for installation

+
+

Prior to the installation of the OpenShift Container Platform cluster, gather the following information from all cluster nodes:

+
+
+
    +
  • +

    Out-of-band management IP

    +
    +
      +
    • +

      Examples

      +
      +
        +
      • +

        Dell (iDRAC) IP

        +
      • +
      • +

        HP (iLO) IP

        +
      • +
      +
      +
    • +
    +
    +
  • +
+
+
+
When using the provisioning network
+
    +
  • +

    NIC1 (provisioning) MAC address

    +
  • +
  • +

    NIC2 (baremetal) MAC address

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    NICx (baremetal) MAC address

    +
  • +
+
+
+
+

2.7. Validation checklist for nodes

+
+
When using the provisioning network
+
    +
  • +

    DHCP reservations use infinite leases to deploy the cluster with static IP addresses. (optional)

    +
  • +
  • +

    NIC1 VLAN is configured for the provisioning network.

    +
  • +
  • +

    NIC2 VLAN is configured for the baremetal network.

    +
  • +
  • +

    NIC1 is PXE-enabled on the provisioner, Control Plane (master), and worker nodes.

    +
  • +
  • +

    PXE has been disabled on all other NICs.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
When omitting the provisioning network
+
    +
  • +

    DHCP reservations use infinite leases to deploy the cluster with static IP addresses. (optional)

    +
  • +
  • +

    NICx VLAN is configured for the baremetal network.

    +
  • +
  • +

    Control plane and worker nodes are configured.

    +
  • +
  • +

    All nodes accessible via out-of-band management.

    +
  • +
  • +

    A separate management network has been created. (optional)

    +
  • +
  • +

    Required data for installation.

    +
  • +
+
+
+
Summary
+

After an environment has been prepared according to the documented prerequisites, the installation process is the same as other installer-provisioned platforms.

+
+
+
+
+
+

3. Setting up the environment for an OpenShift installation

+
+ +
+

3.1. Installing RHEL on the provisioner node

+
+

With the networking configuration complete, the next step is to install RHEL 8.X on the provisioner node. The installer uses the provisioner node as the orchestrator while installing the OpenShift Container Platform cluster. For the purposes of this document, installing RHEL on the provisioner node is out of scope. However, options include but are not limited to using a RHEL Satellite server, PXE, or installation media.

+
+
+
+

3.2. Preparing the provisioner node for OpenShift Container Platform installation

+
+

Perform the following steps to prepare the environment.

+
+
+
Procedure
+
    +
  1. +

    Log in to the provisioner node via ssh.

    +
  2. +
  3. +

    Create a non-root user (kni) and provide that user with sudo privileges.

    +
    +
    +
    [root@provisioner ~]# useradd kni
    +[root@provisioner ~]# passwd kni
    +[root@provisioner ~]# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
    +[root@provisioner ~]# chmod 0440 /etc/sudoers.d/kni
    +
    +
    +
  4. +
  5. +

    Create an ssh key for the new user.

    +
    +
    +
    [root@provisioner ~]# su - kni -c "ssh-keygen -t rsa -f /home/kni/.ssh/id_rsa -N ''"
    +
    +
    +
  6. +
  7. +

    Log in as the new user on the provisioner node.

    +
    +
    +
    [root@provisioner ~]# su - kni
    +[kni@provisioner ~]$
    +
    +
    +
  8. +
  9. +

    Use Red Hat Subscription Manager to register the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ sudo subscription-manager register --username=<user> --password=<pass> --auto-attach
    +[kni@provisioner ~]$ sudo subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms --enable=rhel-8-for-x86_64-baseos-rpms
    +
    +
    +
    + + + + + +
    + + +
    +

    For more information about Red Hat Subscription Manager, see Using and Configuring Red Hat Subscription Manager.

    +
    +
    +
    +
  10. +
  11. +

    Install the following packages.

    +
    +
    +
    [kni@provisioner ~]$ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitool
    +
    +
    +
  12. +
  13. +

    Modify the user to add the libvirt group to the newly created user.

    +
    +
    +
    [kni@provisioner ~]$ sudo usermod --append --groups libvirt <user>
    +
    +
    +
  14. +
  15. +

    Restart firewalld and enable the http service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start firewalld
    +[kni@provisioner ~]$ sudo firewall-cmd --zone=public --add-service=http --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[kni@provisioner ~]$ sudo firewall-cmd --reload
    +
    +
    +
  16. +
  17. +

    Start and enable the libvirtd service.

    +
    +
    +
    [kni@provisioner ~]$ sudo systemctl start libvirtd
    +[kni@provisioner ~]$ sudo systemctl enable libvirtd --now
    +
    +
    +
  18. +
  19. +

    Create the default storage pool and start it.

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images
    +[kni@provisioner ~]$ sudo virsh pool-start default
    +[kni@provisioner ~]$ sudo virsh pool-autostart default
    +
    +
    +
  20. +
  21. +

    Configure networking.

    +
    + + + + + +
    + + +
    +

    This step can also be run from the web console.

    +
    +
    +
    +
    +
    Provisioning Network (IPv4 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv4.addresses 172.22.0.1/24 ipv4.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv4 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    +
    Provisioning Network (IPv6 address)
    +
    +
    [kni@provisioner ~]$ sudo nohup bash -c """
    +    nmcli con down "$PROV_CONN"
    +    nmcli con delete "$PROV_CONN"
    +    # RHEL 8.1 appends the word "System" in front of the connection, delete in case it exists
    +    nmcli con down "System $PROV_CONN"
    +    nmcli con delete "System $PROV_CONN"
    +    nmcli connection add ifname provisioning type bridge con-name provisioning
    +    nmcli con add type bridge-slave ifname "$PROV_CONN" master provisioning
    +    nmcli connection modify provisioning ipv6.addresses fd00:1101::1/64 ipv6.method manual
    +    nmcli con down provisioning
    +    nmcli con up provisioning"""
    +
    +
    +
    + + + + + +
    + + +
    +

    The ssh connection might disconnect after executing this step.

    +
    +
    +

    The IPv6 address may be any address as long as it is not routable via the baremetal network.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    Ensure that UEFI is enabled and UEFI PXE settings are set to the IPv6 protocol when using IPv6 addressing.

    +
    +
    +
    +
  22. +
  23. +

    ssh back into the provisioner node (if required).

    +
    +
    +
    # ssh kni@provisioner.<cluster-name>.<domain>
    +
    +
    +
  24. +
  25. +

    Verify the connection bridges have been properly created.

    +
    +
    +
    [kni@provisioner ~]$ nmcli con show
    +
    +
    +
    +
    +
    NAME               UUID                                  TYPE      DEVICE
    +baremetal          4d5133a5-8351-4bb9-bfd4-3af264801530  bridge    baremetal
    +provisioning       43942805-017f-4d7d-a2c2-7cb3324482ed  bridge    provisioning
    +virbr0             d9bca40f-eee1-410b-8879-a2d4bb0465e7  bridge    virbr0
    +bridge-slave-eno1  76a8ed50-c7e5-4999-b4f6-6d9014dd0812  ethernet  eno1
    +bridge-slave-eno2  f31c3353-54b7-48de-893a-02d2b34c4736  ethernet  eno2
    +
    +
    +
  26. +
  27. +

    Create a pull-secret.txt file.

    +
    +
    +
    [kni@provisioner ~]$ vim pull-secret.txt
    +
    +
    +
    +

    In a web browser, navigate to Install on Bare Metal with user-provisioned infrastructure, and scroll down to the Downloads section. Click Copy pull secret. Paste the contents into the pull-secret.txt file and save the contents in the kni user’s home directory.

    +
    +
  28. +
+
+
+
+

3.3. Retrieving the OpenShift Container Platform installer (GA Release)

+
+

Use the latest-4.x version of the installer to deploy the latest generally +available version of OpenShift Container Platform:

+
+
+
+
[kni@provisioner ~]$ export VERSION=latest-4.9
+export RELEASE_IMAGE=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')
+
+
+
+
+

3.4. Extracting the OpenShift Container Platform installer (GA Release)

+
+

After retrieving the installer, the next step is to extract it.

+
+
+
Procedure
+
    +
  1. +

    Set the environment variables:

    +
    +
    +
    [kni@provisioner ~]$ export cmd=openshift-baremetal-install
    +[kni@provisioner ~]$ export pullsecret_file=~/pull-secret.txt
    +[kni@provisioner ~]$ export extract_dir=$(pwd)
    +
    +
    +
  2. +
  3. +

    Get the oc binary:

    +
    +
    +
    [kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux.tar.gz | tar zxvf - oc
    +
    +
    +
  4. +
  5. +

    Extract the installer:

    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +[kni@provisioner ~]$ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${RELEASE_IMAGE}
    +[kni@provisioner ~]$ sudo cp openshift-baremetal-install /usr/local/bin
    +
    +
    +
  6. +
+
+
+
+

3.5. Creating an RHCOS images cache (optional)

+
+

To employ image caching, you must download two images: the Red Hat Enterprise Linux CoreOS (RHCOS) image used by the bootstrap VM and the RHCOS image used by the installer to provision the different nodes. Image caching is optional, but especially useful when running the installer on a network with limited bandwidth.

+
+
+

If you are running the installer on a network with limited bandwidth and the RHCOS images download takes more than 15 to 20 minutes, the installer will timeout. Caching images on a web server will help in such scenarios.

+
+
+

Use the following steps to install a container that contains the images.

+
+
+
    +
  1. +

    Install podman.

    +
    +
    +
    $ sudo dnf install -y podman
    +
    +
    +
  2. +
  3. +

    Open firewall port 8080 to be used for RHCOS image caching.

    +
    +
    +
    $ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent
    +$ sudo firewall-cmd --reload
    +
    +
    +
  4. +
  5. +

    Create a directory to store the bootstraposimage and clusterosimage.

    +
    +
    +
    $ mkdir /home/kni/rhcos_image_cache
    +
    +
    +
  6. +
  7. +

    Set the appropriate SELinux context for the newly created directory.

    +
    +
    +
    $ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"
    +$ sudo restorecon -Rv rhcos_image_cache/
    +
    +
    +
  8. +
  9. +

    Get the commit ID from the installer. The ID determines which images the installer needs to download.

    +
    +
    +
    $ export COMMIT_ID=$(/usr/local/bin/openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')
    +
    +
    +
  10. +
  11. +

    Get the URI for the RHCOS image that the installer will deploy on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.openstack.path | sed 's/"//g')
    +
    +
    +
  12. +
  13. +

    Get the URI for the RHCOS image that the installer will deploy on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.qemu.path | sed 's/"//g')
    +
    +
    +
  14. +
  15. +

    Get the path where the images are published.

    +
    +
    +
    $ export RHCOS_PATH=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .baseURI | sed 's/"//g')
    +
    +
    +
  16. +
  17. +

    Get the SHA hash for the RHCOS image that will be deployed on the bootstrap VM.

    +
    +
    +
    $ export RHCOS_QEMU_SHA_UNCOMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.qemu["uncompressed-sha256"]')
    +
    +
    +
  18. +
  19. +

    Get the SHA hash for the RHCOS image that will be deployed on the nodes.

    +
    +
    +
    $ export RHCOS_OPENSTACK_SHA_COMPRESSED=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.openstack.sha256')
    +
    +
    +
  20. +
  21. +

    Download the images and place them in the /home/kni/rhcos_image_cache directory.

    +
    +
    +
    $ curl -L ${RHCOS_PATH}${RHCOS_QEMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI}
    +$ curl -L ${RHCOS_PATH}${RHCOS_OPENSTACK_URI} -o /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI}
    +
    +
    +
  22. +
  23. +

    Confirm SELinux type is of httpd_sys_content_t for the newly created files.

    +
    +
    +
    $ ls -Z /home/kni/rhcos_image_cache
    +
    +
    +
  24. +
  25. +

    Create the pod.

    +
    +
    +
    $ podman run -d --name rhcos_image_cache \
    +-v /home/kni/rhcos_image_cache:/var/www/html \
    +-p 8080:8080/tcp \
    +quay.io/centos7/httpd-24-centos7:latest
    +
    +
    +
  26. +
  27. +

    Generate the bootstrapOSImage and clusterOSImage configuration.

    +
    +
    +
    $ export BAREMETAL_IP=$(ip addr show dev baremetal | awk '/inet /{print $2}' | cut -d"/" -f1)
    +$ export RHCOS_OPENSTACK_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_OPENSTACK_URI} | sha256sum | awk '{print $1}')
    +$ export RHCOS_QEMU_SHA256=$(zcat /home/kni/rhcos_image_cache/${RHCOS_QEMU_URI} | sha256sum | awk '{print $1}')
    +$ export CLUSTER_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_OPENSTACK_URI}?sha256=${RHCOS_OPENSTACK_SHA256}"
    +$ export BOOTSTRAP_OS_IMAGE="http://${BAREMETAL_IP}:8080/${RHCOS_QEMU_URI}?sha256=${RHCOS_QEMU_SHA256}"
    +$ echo "${RHCOS_OPENSTACK_SHA256}  ${RHCOS_OPENSTACK_URI}" > /home/kni/rhcos_image_cache/rhcos-ootpa-latest.qcow2.md5sum
    +$ echo "    bootstrapOSImage=${BOOTSTRAP_OS_IMAGE}"
    +$ echo "    clusterOSImage=${CLUSTER_OS_IMAGE}"
    +
    +
    +
  28. +
  29. +

    Add the required configuration to the install-config.yaml file under platform.baremetal.

    +
    +
    +
    platform:
    +  baremetal:
    +    bootstrapOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_QEMU_URI>?sha256=<RHCOS_QEMU_SHA256>
    +    clusterOSImage: http://<BAREMETAL_IP>:8080/<RHCOS_OPENSTACK_URI>?sha256=<RHCOS_OPENSTACK_SHA256>
    +
    +
    +
    +

    See the Configuring the install-config.yaml file section for additional details.

    +
    +
  30. +
+
+
+
+

3.6. Configuration files

+
+

3.6.1. Configuring the install-config.yaml file

+
+

The install-config.yaml file requires some additional details. +Most of the information is teaching the installer and the resulting cluster enough about the available hardware so that it is able to fully manage it.

+
+
+
    +
  1. +

    Configure install-config.yaml. Change the appropriate variables to match the environment, including pullSecret and sshKey.

    +
    +
    +
    apiVersion: v1
    +basedomain: <domain>
    +metadata:
    +  name: <cluster-name>
    +networking:
    +  machineCIDR: <public-cidr>
    +  networkType: OVNKubernetes
    +compute:
    +- name: worker
    +  replicas: 2 (1)
    +controlPlane:
    +  name: master
    +  replicas: 3
    +  platform:
    +    baremetal: {}
    +platform:
    +  baremetal:
    +    apiVIP: <api-ip>
    +    ingressVIP: <wildcard-ip>
    +    provisioningNetworkInterface: <NIC1>
    +    provisioningNetworkCIDR: <CIDR>
    +    hosts:
    +      - name: openshift-master-0
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip> (2)
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-1
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-master-2
    +        role: master
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: default
    +      - name: openshift-worker-0
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +      - name: openshift-worker-1
    +        role: worker
    +        bmc:
    +          address: ipmi://<out-of-band-ip>
    +          username: <user>
    +          password: <password>
    +        bootMACAddress: <NIC1-mac-address>
    +        hardwareProfile: unknown
    +pullSecret: '<pull_secret>'
    +sshKey: '<ssh_pub_key>'
    +
    +
    +
    + + + + + + + + + +
    1Scale the worker machines based on the number of worker nodes that are part of the OpenShift Container Platform cluster.
    2Refer to the BMC addressing for more options
    +
    +
  2. +
  3. +

    Create a directory to store cluster configs.

    +
    +
    +
    [kni@provisioner ~]$ mkdir ~/clusterconfigs
    +[kni@provisioner ~]$ cp install-config.yaml ~/clusterconfigs
    +
    +
    +
  4. +
  5. +

    Ensure all bare metal nodes are powered off prior to installing the OpenShift Container Platform cluster.

    +
    +
    +
    [kni@provisioner ~]$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  6. +
  7. +

    Remove old bootstrap resources if any are left over from a previous deployment attempt.

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool $i;
    +  sudo virsh vol-delete $i.ign --pool $i;
    +  sudo virsh pool-destroy $i;
    +  sudo virsh pool-undefine $i;
    +done
    +
    +
    +
  8. +
+
+
+
+

3.6.2. Setting proxy settings within the install-config.yaml file (optional)

+
+

To deploy an OpenShift Container Platform cluster using a proxy, make the following changes to the install-config.yaml file.

+
+
+
+
apiVersion: v1
+baseDomain: <domain>
+proxy:
+  httpProxy: http://USERNAME:PASSWORD@proxy.example.com:PORT
+  httpsProxy: https://USERNAME:PASSWORD@proxy.example.com:PORT
+  noProxy: <WILDCARD_OF_DOMAIN>,<PROVISIONING_NETWORK/CIDR>,<BMC_ADDRESS_RANGE/CIDR>
+
+
+
+

See below for an example of noProxy with values.

+
+
+
+
noProxy: .example.com,172.22.0.0/24,10.10.0.0/24
+
+
+
+

With a proxy enabled, set the appropriate values of the proxy in the corresponding key/value pair.

+
+
+

Key considerations:

+
+
+
    +
  • +

    If the proxy does not have an HTTPS proxy, change the value of httpsProxy from https:// to http://.

    +
  • +
  • +

    If using a provisioning network, include it in the noProxy setting, otherwise the installer will fail.

    +
  • +
  • +

    Set all of the proxy settings as environment variables within the provisioner node. For example, HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.

    +
  • +
+
+
+
+

3.6.3. Modifying the install-config.yaml file for no provisioning network (optional)

+
+

To deploy an OpenShift Container Platform cluster without a provisioning network, make the following changes to the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    apiVIP: <apiVIP>
+    ingressVIP: <ingress/wildcard VIP>
+    provisioningNetwork: "Disabled"
+
+
+
+
+

3.6.4. Modifying the install-config.yaml file for dual-stack network (optional)

+
+

To deploy an OpenShift Container Platform cluster with dual-stack networking, make the following changes to the install-config.yaml file.

+
+
+
+
machineNetwork:
+- cidr: {{ extcidrnet }}
+- cidr: {{ extcidrnet6 }}
+clusterNetwork:
+- cidr: 10.128.0.0/14
+  hostPrefix: 23
+- cidr: fd02::/48
+  hostPrefix: 64
+serviceNetwork:
+- 172.30.0.0/16
+- fd03::/112
+
+
+
+ + + + + +
+ + +In the above snippet, the network settings must match the settings for the cluster’s network environment. The machineNetwork, clusterNetwork, and serviceNetwork configuration settings must have two CIDR entries each. The first CIDR entry is the IPv4 setting and the second CIDR entry is the IPv6 setting. +
+
+
+ + + + + +
+ + +
+

The IPv4 entries must go before the IPv6 entries.

+
+
+
+
+
+

3.6.5. Configuring managed Secure Boot in the install-config.yaml file (optional)

+
+

To enable managed Secure Boot, add the bootMode configuration setting to each node.

+
+
+
Example
+
+
hosts:
+  - name: openshift-master-0
+    role: master
+    bmc:
+      address: ipmi://<out-of-band-ip>
+      username: <user>
+      password: <password>
+    bootMACAddress: <NIC1-mac-address>
+    hardwareProfile: default
+    bootMode: UEFISecureBoot (1)
+
+
+
+ + + + + +
1The bootMode setting is legacy by default. Change it to UEFISecureBoot to enable managed Secure Boot.
+
+
+ + + + + +
+ + +
+

See Node requirements to ensure the nodes can support managed Secure Boot. If not, you can enable Secure Boot manually, which requires Redfish virtual media.

+
+
+
+
+
+

3.6.6. Additional install-config parameters

+
+

See the following tables for the required parameters, the hosts parameter, +and the bmc parameter for the install-config.yaml file.

+
+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2. Required parameters
ParametersDefaultDescription

baseDomain

The domain name for the cluster. For example, example.com.

bootMode

legacy

The boot mode for a node. Options are legacy, UEFI and UEFISecureBoot.

sshKey

The sshKey configuration setting contains the key in the ~/.ssh/id_rsa.pub file required to access the control plane nodes and worker nodes. Typically, this key is from the provisioner node.

pullSecret

The pullSecret configuration setting contains a copy of the pull secret downloaded from the Install OpenShift on Bare Metal page when preparing the provisioner node.

+
+
metadata:
+    name:
+
+

The name to be given to the OpenShift Container Platform cluster. For example, openshift.

+
+
networking:
+    machineCIDR:
+
+

The public CIDR (Classless Inter-Domain Routing) of the external network. For example, 10.0.0.0/24 +or 2620:52:0:1302::/64 +.

+
+
compute:
+  - name: worker
+
+

The OpenShift Container Platform cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes.

+
+
compute:
+    replicas: 2
+
+

Replicas sets the number of worker (or compute) nodes in the OpenShift Container Platform cluster.

+
+
controlPlane:
+    name: master
+
+

The OpenShift Container Platform cluster requires a name for control plane (master) nodes.

+
+
controlPlane:
+    replicas: 3
+
+

Replicas sets the number of control plane (master) nodes included as part of the OpenShift Container Platform cluster.

+

provisioningNetworkInterface

+

The name of the network interface on control plane nodes connected to the +provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

apiVIP

api.<clustername.clusterdomain>

The VIP to use for internal API communication.

+

This setting must either be provided or pre-configured in the DNS so that the +default name resolves correctly.

disableCertificateVerification

False

redfish and redfish-virtualmedia need this parameter to manage BMC addresses. The value should be True when using a self-signed certificate for BMC addresses.

ingressVIP

test.apps.<clustername.clusterdomain>

The VIP to use for ingress traffic.

+ + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 3. Optional Parameters
ParametersDefaultDescription

provisioningDHCPRange

172.22.0.10,172.22.0.100

Defines the IP range for nodes on the provisioning network.

+

provisioningNetworkCIDR

+

172.22.0.0/24

The CIDR for the network to use for provisioning. This option is required when not using the default address range on the provisioning network.

clusterProvisioningIP

The third IP address of the provisioningNetworkCIDR.

The IP address within the cluster where the provisioning services run. Defaults to the third IP address of the provisioning subnet. For example, 172.22.0.3.

bootstrapProvisioningIP

The second IP address of the provisioningNetworkCIDR.

The IP address on the bootstrap VM where the provisioning services run while the installer is deploying the control plane (master) nodes. Defaults to the second IP address of the provisioning subnet. For example, 172.22.0.2 +or 2620:52:0:1307::2 +.

externalBridge

baremetal

The name of the baremetal bridge of the hypervisor attached to the baremetal network.

provisioningBridge

provisioning

The name of the provisioning bridge on the provisioner host attached to the provisioning network.

defaultMachinePlatform

The default configuration used for machine pools without a platform configuration.

bootstrapOSImage

A URL to override the default operating system image for the bootstrap node. The URL must contain a SHA-256 hash of the image. For example: +https://mirror.openshift.com/rhcos-<version>-qemu.qcow2.gz?sha256=<uncompressed_sha256>; + or http://[2620:52:0:1307::1]/rhcos-<version>-qemu.x86_64.qcow2.gz?sha256=<uncompressed_sha256> +.

clusterOSImage

A URL to override the default operating system for cluster nodes. The URL must include a SHA-256 hash of the image. For example, https://mirror.openshift.com/images/rhcos-<version>-openstack.qcow2.gz?sha256=<compressed_sha256>;.

provisioningNetwork

Set this parameter to Disabled to disable the requirement for a provisioning network. User may only do virtual media based provisioning, or bring up the cluster using assisted installation. If using power management, BMC’s must be accessible from the machine networks. User must provide two IP addresses on the external network that are used for the provisioning services. +Set this parameter to Managed, which is the default, to fully manage the provisioning network, including DHCP, TFTP, and so on.

+

Set this parameter to Unmanaged to still enable the provisioning network but take care of manual configuration of DHCP. Virtual media provisioning is recommended but PXE is still available if required.

httpProxy

Set this parameter to the appropriate HTTP proxy used within your environment.

httpsProxy

Set this parameter to the appropriate HTTPS proxy used within your environment.

noProxy

Set this parameter to the appropriate list of exclusions for proxy usage within your environment.

+
+
Hosts
+

The hosts parameter is a list of separate bare metal assets used to build the cluster.

+
+ +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Name

Default

Description

name

The name of the BareMetalHost resource to associate with the details. For example, openshift-master-0.

role

The role of the bare metal node. Either master or worker.

bmc

Connection details for the baseboard management controller. See the BMC addressing section for additional details.

bootMACAddress

The MAC address of the NIC the host will use to boot on the provisioning network.

+
+
+

3.6.7. BMC addressing

+
+

Most vendors support BMC addressing with the Intelligent Platform Management Interface or IPMI. IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center or SDDC. Redfish is human readable and machine capable, and leverages common Internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.

+
+
+
IPMI
+

Hosts using IPMI use the ipmi://<out-of-band-ip>:<port> address format, which defaults to port 623 if not specified. The following example demonstrates an IPMI configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: ipmi://<out-of-band-ip>
+          username: <user>
+          password: <password>
+
+
+
+
Redfish network boot
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
BMC addressing for Dell iDRAC
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For Dell hardware, Red Hat supports integrated Dell Remote Access Controller (iDRAC) virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 4. BMC address formats for Dell iDRAC
ProtocolAddress Format

iDRAC virtual media

idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1

IPMI

ipmi://<out-of-band-ip>

+
+ + + + + +
+ + +
+

Use idrac-virtualmedia as the protocol for Redfish virtual media. redfish-virtualmedia will not work on Dell hardware. Dell’s idrac-virtualmedia uses the Redfish standard with Dell’s OEM extensions.

+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for Dell iDRAC
+

For Redfish virtual media on Dell servers, use idrac-virtualmedia:// in the address setting. Using redfish-virtualmedia:// will not work.

+
+
+

The following example demonstrates using iDRAC virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

Use idrac-virtualmedia:// as the protocol for Redfish virtual media. Using redfish-virtualmedia:// will not work on Dell hardware, because the idrac-virtualmedia:// protocol corresponds to the idrac hardware type and the Redfish protocol in Ironic. Dell’s idrac-virtualmedia:// protocol uses the Redfish standard with Dell’s OEM extensions. Ironic also supports the idrac type with the WSMAN protocol. Therefore, you must specify idrac-virtualmedia:// to avoid unexpected behavior when electing to use Redfish with virtual media on Dell hardware.

+
+
+
+
+
Redfish network boot for iDRAC
+

To enable Redfish, use redfish:// or redfish+http:// to disable transport layer security (TLS). The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.Embedded.1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Currently, Redfish is only supported on Dell hardware with iDRAC firmware versions 4.20.20.20 through 04.40.00.00 for installer-provisioned installations on bare metal deployments. There is a known issue with version 04.40.00.00. With iDRAC 9 firmware version 04.40.00.00, the Virtual Console plug-in defaults to eHTML5, which causes problems with the InsertVirtualMedia workflow. Set the plug-in to HTML5 to avoid this issue. The menu path is: ConfigurationVirtual consolePlug-in TypeHTML5 .

+
+
+

Ensure the OpenShift Container Platform cluster nodes have AutoAttach Enabled through the iDRAC console. The menu path is: ConfigurationVirtual MediaAttach ModeAutoAttach .

+
+
+

The redfish:// URL protocol corresponds to the redfish hardware type in Ironic.

+
+
+
+
+
+
BMC addressing for HPE iLO
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For HPE integrated Lights Out (iLO), Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + +
Table 5. BMC address formats for HPE iLO
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1

Redfish network boot

redfish://<out-of-band-ip>/redfish/v1/Systems/1

IPMI

ipmi://<out-of-band-ip>

+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for HPE iLO
+

To enable Redfish virtual media for HPE servers, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+ + + + + +
+ + +
+

Redfish virtual media is not supported on 9th generation systems running iLO4, because Ironic does not support iLO4 with virtual media.

+
+
+
+
+
Redfish network boot for HPE iLO
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the host name or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
BMC addressing for Fujitsu iRMC
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For Fujitsu hardware, Red Hat supports integrated Remote Management Controller (iRMC) and IPMI.

+
+ + ++++ + + + + + + + + + + + + + + + + +
Table 6. BMC address formats for Fujitsu iRMC
ProtocolAddress Format

iRMC

irmc://<out-of-band-ip>

IPMI

ipmi://<out-of-band-ip>

+
+
iRMC
+

Fujitsu nodes can use irmc://<out-of-band-ip> and defaults to port 623. The following example demonstrates an iRMC configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: irmc://<out-of-band-ip>
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
+ + +
+

Currently Fujitsu supports iRMC S5 firmware version 3.05P and above for installer-provisioned installation on bare metal.

+
+
+
+
+
+
BMC addressing for KVM with sushy-tools Redfish emulator
+
+

The address field for each bmc entry is a URL for connecting to the OpenShift Container Platform cluster nodes, including the type of controller in the URL scheme and its location on the network.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: <host name>
+        role: <master | worker>
+        bmc:
+          address: <address> (1)
+          username: <user>
+          password: <password>
+
+
+
+ + + + + +
1The address configuration setting specifies the protocol.
+
+
+

For KVM working with sushy-tools Redfish emulator, Red Hat supports Redfish virtual media and Redfish network boot.

+
+ + ++++ + + + + + + + + + + + + + + + + +
Table 7. BMC address formats for KVM with sushy-tools Redfish emulator
ProtocolAddress Format

Redfish virtual media

redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

Redfish network boot

redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>

+
+ + + + + +
+ + +
+

The sushy-tools Redfish emulator runs from the KVM hypervisor and a single instance acts as the virtual BMC for all the guest machines. This means both the out of band IP address and port, will be same and each individual machine must be identified by its System ID.

+
+
+

You may retrieve the System ID of your guest machines with the following command:

+
+
+
+
---
+$ virsh list --all --name --uuid
+d8ac6bf8-3062-4954-84c3-e097faa17025 compute-0
+84971a71-3935-4a92-8d90-a9f8440dac09 compute-1
+92430f42-8805-4412-959a-2a7252c7c540 compute-2
+0fea5296-db95-41d7-9295-f57cfa50255f control-plane-0
+4986e405-fd3a-483d-9210-8cb120b98f80 control-plane-1
+26bf228c-44fd-4c49-9e6f-44f4b5968b34 control-plane-2
+---
+
+
+
+
+
+

See the following sections for additional details.

+
+
+
Redfish virtual media for KVM with sushy-tools Redfish emulator
+

To enable Redfish virtual media for KVM environments running the sushy-tools Redfish emulator, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish-virtualmedia://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
Redfish network boot for KVM with sushy-tools Redfish emulator
+

To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires the host name or the IP address, the Redfish emulator listening port and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+
+
+
+

While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.

+
+
+
+
platform:
+  baremetal:
+    hosts:
+      - name: openshift-master-0
+        role: master
+        bmc:
+          address: redfish://<out-of-band-ip>:<sushy-tools-port>/redfish/v1/Systems/<system-id>
+          username: <user>
+          password: <password>
+          disableCertificateVerification: True
+
+
+
+
+
+

3.6.8. Root device hints

+
+

The rootDeviceHints parameter enables the installer to provision the Red Hat Enterprise Linux CoreOS (RHCOS) image to a particular device. The installer examines the devices in the order it discovers them, and compares the discovered values with the hint values. The installer uses the first discovered device that matches the hint value. The configuration can combine multiple hints, but a device must match all hints for the installer to select it.

+
+ + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 8. Subfields
SubfieldDescription

deviceName

A string containing a Linux device name like /dev/vda. The hint must match the actual value exactly.

hctl

A string containing a SCSI bus address like 0:0:0:0. The hint must match the actual value exactly.

model

A string containing a vendor-specific device identifier. The hint can be a substring of the actual value.

vendor

A string containing the name of the vendor or manufacturer of the device. The hint can be a sub-string of the actual value.

serialNumber

A string containing the device serial number. The hint must match the actual value exactly.

minSizeGigabytes

An integer representing the minimum size of the device in gigabytes.

wwn

A string containing the unique storage identifier. The hint must match the actual value exactly.

wwnWithExtension

A string containing the unique storage identifier with the vendor extension appended. The hint must match the actual value exactly.

wwnVendorExtension

A string containing the unique vendor storage identifier. The hint must match the actual value exactly.

rotational

A Boolean indicating whether the device should be a rotating disk (true) or not (false).

+
+
Example usage
+
+
     - name: master-0
+       role: master
+       bmc:
+         address: ipmi://10.10.0.3:6203
+         username: admin
+         password: redhat
+       bootMACAddress: de:ad:be:ef:00:40
+       rootDeviceHints:
+         deviceName: "/dev/sda"
+
+
+
+
+

3.6.9. Creating the OpenShift Container Platform manifests

+
+
    +
  1. +

    Create the OpenShift Container Platform manifests.

    +
    +
    +
    [kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs create manifests
    +
    +
    +
    +
    +
    INFO Consuming Install Config from target directory
    +WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
    +WARNING Discarding the Openshift Manifest that was provided in the target directory because its dependencies are dirty and it needs to be regenerated
    +
    +
    +
  2. +
+
+
+
+

3.6.10. Configuring NTP for disconnected clusters (optional)

+
+

OpenShift Container Platform installs the chrony Network Time Protocol (NTP) service on the cluster nodes. +Use the following procedure to configure NTP servers on the control plane nodes and configure worker nodes as NTP clients of the control plane nodes before deployment.

+
+
+
+Configuring NTP for disconnected clusters +
+
+
+

OpenShift Container Platform nodes must agree on a date and time to run properly. When worker nodes retrieve the date and time from the NTP servers on the control plane nodes, it enables the installation and operation of clusters that are not connected to a routable network and thereby do not have access to a higher stratum NTP server.

+
+
+
Procedure
+
    +
  1. +

    Create a ~/control-plane-chrony.conf configuration file for the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # Use public servers from the pool.ntp.org project.
    +# Please consider joining the pool (https://www.pool.ntp.org/join.html).
    +
    +# This file is managed by the machine config operator
    +server openshift-master-0.<cluster-name>.<domain> iburst (1)
    +server openshift-master-1.<cluster-name>.<domain> iburst
    +server openshift-master-2.<cluster-name>.<domain> iburst
    +
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +
    +# Configure the control plane nodes to serve as local NTP servers
    +# for all worker nodes, even if they are not in sync with an
    +# upstream NTP server.
    +
    +# Allow NTP client access from the local network.
    +allow all
    +# Serve time even if not synchronized to a time source.
    +local stratum 3 orphan
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
    +
    +
  2. +
  3. +

    Create a ~/worker-chrony.conf configuration file for the worker nodes such that worker nodes reference the NTP servers on the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # This file is managed by the machine config operator
    +server openshift-master-0.<cluster-name>.<domain> iburst (1)
    +server openshift-master-1.<cluster-name>.<domain> iburst
    +server openshift-master-2.<cluster-name>.<domain> iburst
    +
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
    +
    +
  4. +
  5. +

    Create a ~/ntp-server.yaml configuration file for telling the Machine Configuration Operator to apply the ~/control-plane-chrony.conf settings to the NTP servers on the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # This example MachineConfig replaces ~/control-plane-chrony.conf
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf-override-to-server
    +spec:
    +  config:
    +    ignition:
    +      version: 2.2.0
    +    storage:
    +      files:
    +        - contents:
    +            source: data:text/plain;charset=utf-8;base64,BASE64ENCODEDCONFIGFILE(1)
    +          filesystem: root
    +          mode: 0644
    +          path: /etc/control-plane-chrony.conf
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace the BASE64ENCODEDCONFIGFILE string with the base64-encoded string of the ~/control-plane-chrony.conf file in the subsequent step.
    +
    +
  6. +
  7. +

    Generate a base64 string of the ~/control-plane-chrony.conf file.

    +
    +
    +
    $ base64 ~/control-plane-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    IyBVc2UgcHVibGljIHNlcnZlcnMgZnJvbSB0aGUgcG9vbC5udHAub3JnIHByb2plY3QuCiMgUGxl
    +YXNlIGNvbnNpZGVyIGpvaW5pbmcgdGhlIHBvb2wgKGh0dHBzOi8vd3d3LnBvb2wubnRwLm9yZy9q
    +b2luLmh0bWwpLgoKIyBUaGlzIGZpbGUgaXMgbWFuYWdlZCBieSB0aGUgbWFjaGluZSBjb25maWcg
    +b3BlcmF0b3IKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMC48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMS48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMi48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKCnN0cmF0dW13ZWlnaHQgMApkcmlmdGZpbGUgL3Zhci9saWIvY2hyb255L2RyaWZ0
    +CnJ0Y3N5bmMKbWFrZXN0ZXAgMTAgMwpiaW5kY21kYWRkcmVzcyAxMjcuMC4wLjEKYmluZGNtZGFk
    +ZHJlc3MgOjoxCmtleWZpbGUgL2V0Yy9jaHJvbnkua2V5cwpjb21tYW5ka2V5IDEKZ2VuZXJhdGVj
    +b21tYW5ka2V5Cm5vY2xpZW50bG9nCmxvZ2NoYW5nZSAwLjUKbG9nZGlyIC92YXIvbG9nL2Nocm9u
    +eQoKIyBDb25maWd1cmUgdGhlIGNvbnRyb2wgcGxhbmUgbm9kZXMgdG8gc2VydmUgYXMgbG9jYWwg
    +TlRQIHNlcnZlcnMKIyBmb3IgYWxsIHdvcmtlciBub2RlcywgZXZlbiBpZiB0aGV5IGFyZSBub3Qg
    +aW4gc3luYyB3aXRoIGFuCiMgdXBzdHJlYW0gTlRQIHNlcnZlci4KCiMgQWxsb3cgTlRQIGNsaWVu
    +dCBhY2Nlc3MgZnJvbSB0aGUgbG9jYWwgbmV0d29yay4KYWxsb3cgYWxsCiMgU2VydmUgdGltZSBl
    +dmVuIGlmIG5vdCBzeW5jaHJvbml6ZWQgdG8gYSB0aW1lIHNvdXJjZS4KbG9jYWwgc3RyYXR1bSAz
    +IG9ycGhhbgo=
    +
    +
    +
    +

    Replace the BASE64ENCODEDCONFIGFILE string in the ~/ntp-server.yaml with the base64-encoded string.

    +
    +
  8. +
  9. +

    Create a ~/ntp-client.yaml configuration file for telling the Machine Configuration Operator to apply the ~/worker-chrony.conf settings to the NTP clients on the worker nodes.

    +
    +
    Configuration file example
    +
    +
    # This example MachineConfig replaces ~/worker-chrony.conf
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  labels:
    +    machineconfiguration.openshift.io/role: worker
    +  name: 99-master-etc-chrony-conf-override-for-worker
    +spec:
    +  config:
    +    ignition:
    +      version: 2.2.0
    +    storage:
    +      files:
    +        - contents:
    +            source: data:text/plain;charset=utf-8;base64,BASE64ENCODEDCONFIGFILE(1)
    +          filesystem: root
    +          mode: 0644
    +          path: /etc/worker-chrony.conf
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace the BASE64ENCODEDCONFIGFILE string with the base64-encoded string of the ~/worker-chrony.conf file in the subsequent step.
    +
    +
  10. +
  11. +

    Generate a base64-encoded string of the ~/worker-chrony.conf file.

    +
    +
    +
    $ base64 ~/worker-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    IyBUaGlzIGZpbGUgaXMgbWFuYWdlZCBieSB0aGUgbWFjaGluZSBjb25maWcgb3BlcmF0b3IKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMC48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMS48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMi48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKCnN0
    +cmF0dW13ZWlnaHQgMApkcmlmdGZpbGUgL3Zhci9saWIvY2hyb255L2RyaWZ0CnJ0Y3N5bmMKbWFr
    +ZXN0ZXAgMTAgMwpiaW5kY21kYWRkcmVzcyAxMjcuMC4wLjEKYmluZGNtZGFkZHJlc3MgOjoxCmtl
    +eWZpbGUgL2V0Yy9jaHJvbnkua2V5cwpjb21tYW5ka2V5IDEKZ2VuZXJhdGVjb21tYW5ka2V5Cm5v
    +Y2xpZW50bG9nCmxvZ2NoYW5nZSAwLjUKbG9nZGlyIC92YXIvbG9nL2Nocm9ueQo=
    +
    +
    +
    +

    Replace the BASE64ENCODEDCONFIGFILE string in the ~/ntp-client.yaml file with the base64-encoded string.

    +
    +
  12. +
  13. +

    Copy the ~/ntp-server.yaml file to the ~/clusterconfigs/manifests directory.

    +
    +
    +
    $ cp ~/ntp-server.yaml ~/clusterconfigs/manifests
    +
    +
    +
  14. +
  15. +

    Copy the ~/ntp-client.yaml file to the ~/clusterconfigs/manifests directory.

    +
    +
    +
    $ cp ~/ntp-client.yaml ~/clusterconfigs/manifests
    +
    +
    +
  16. +
+
+
+
+

3.6.11. Configure network components to run on the control plane

+
+

Configure networking components to run exclusively on the control plane nodes. By default, OpenShift Container Platform allows any node in the machine config pool to host the apiVIP and ingressVIP virtual IP addresses. However, many environments deploy worker nodes in separate subnets from the control plane nodes. Consequently, you must place the apiVIP and ingressVIP virtual IP addresses exclusively with the control plane nodes.

+
+
+
Procedure
+
    +
  1. +

    Change to the directory storing the install-config.yaml file.

    +
    +
    +
    $ cd ~/clusterconfigs
    +
    +
    +
  2. +
  3. +

    Switch to the manifests subdirectory.

    +
    +
    +
    $ cd manifests
    +
    +
    +
  4. +
  5. +

    Create a file named cluster-network-avoid-workers-99-config.yaml.

    +
    +
    +
    $ touch cluster-network-avoid-workers-99-config.yaml
    +
    +
    +
  6. +
  7. +

    Open the cluster-network-avoid-workers-99-config.yaml file in an editor and enter a custom resource (CR) that describes the Operator configuration:

    +
    +
    +
    apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  name: 50-worker-fix-ipi-rwn
    +  labels:
    +    machineconfiguration.openshift.io/role: worker
    +spec:
    +  config:
    +    ignition:
    +      version: 3.1.0
    +    systemd:
    +      units:
    +      - name: nodeip-configuration.service
    +        enabled: true
    +        contents: |
    +          [Unit]
    +          Description=Writes IP address configuration so that kubelet and crio services select a valid node IP
    +          Wants=network-online.target
    +          After=network-online.target ignition-firstboot-complete.service
    +          Before=kubelet.service crio.service
    +          [Service]
    +          Type=oneshot
    +          ExecStart=/bin/bash -c "exit 0 "
    +          [Install]
    +          WantedBy=multi-user.target
    +    storage:
    +      files:
    +        - contents:
    +            source: data:,
    +            verification: {}
    +          filesystem: root
    +          mode: 420
    +          path: /etc/kubernetes/manifests/keepalived.yaml
    +        - contents:
    +            source: data:,
    +            verification: {}
    +          filesystem: root
    +          mode: 420
    +          path: /etc/kubernetes/manifests/mdns-publisher.yaml
    +        - contents:
    +            source: data:,
    +            verification: {}
    +          filesystem: root
    +          mode: 420
    +          path: /etc/kubernetes/manifests/coredns.yaml
    +
    +
    +
    +

    This manifest places the apiVIP and ingressVIP virtual IP addresses on the control plane nodes. Additionally, this manifest deploys the following processes on the control plane nodes only:

    +
    +
    +
      +
    • +

      openshift-ingress-operator

      +
    • +
    • +

      keepalived

      +
    • +
    +
    +
  8. +
  9. +

    Save the cluster-network-avoid-workers-99-config.yaml file.

    +
  10. +
  11. +

    Create a manifests/cluster-ingress-default-ingresscontroller.yaml file.

    +
    +
    +
    apiVersion: operator.openshift.io/v1
    +kind: IngressController
    +metadata:
    +  name: default
    +  namespace: openshift-ingress-operator
    +spec:
    +  nodePlacement:
    +    nodeSelector:
    +      matchLabels:
    +        node-role.kubernetes.io/master: ""
    +
    +
    +
  12. +
  13. +

    Consider backing up the manifests directory. The installer deletes the manifests/ directory when creating the cluster.

    +
  14. +
  15. +

    Modify the cluster-scheduler-02-config.yml manifest to make the control plane nodes schedulable by setting the mastersSchedulable field to true. Control plane nodes are not schedulable by default. For example:

    +
    +
    +
    $ sed -i "s;mastersSchedulable: false;mastersSchedulable: true;g" clusterconfigs/manifests/cluster-scheduler-02-config.yml
    +
    +
    +
    + + + + + +
    + + +
    +

    If control plane nodes are not schedulable, deploying the cluster will fail.

    +
    +
    +
    +
  16. +
  17. +

    Before deploying the cluster, ensure that the api.<cluster-name>.<domain> domain name is resolvable in the DNS. When you configure network components to run exclusively on the control plane, the internal DNS resolution no longer works for worker nodes, which is an expected outcome.

    +
    + + + + + +
    + + +
    +

    Failure to create a DNS record for the API precludes worker nodes from joining the cluster.

    +
    +
    +
    +
  18. +
+
+
+
+
+

3.7. Creating a disconnected registry (optional)

+
+

In some cases, you might want to install an OpenShift Container Platform cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.

+
+
+

A local, or mirrored, copy of the registry requires the following:

+
+
+
    +
  • +

    A certificate for the registry node. This can be a self-signed certificate.

    +
  • +
  • +

    A web server that a container on a system will serve.

    +
  • +
  • +

    An updated pull secret that contains the certificate and local repository information.

    +
  • +
+
+
+ + + + + +
+ + +
+

Creating a disconnected registry on a registry node is optional. The subsequent sections indicate that they are optional since they are steps you need to execute only when creating a disconnected registry on a registry node. You should execute all of the subsequent sub-sections labeled "(optional)" when creating a disconnected registry on a registry node.

+
+
+
+
+

3.7.1. Preparing the registry node to host the mirrored registry (optional)

+
+

Make the following changes to the registry node.

+
+
+
Procedure
+
    +
  1. +

    Open the firewall port on the registry node.

    +
    +
    +
    [user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
    +[user@registry ~]$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
    +[user@registry ~]$ sudo firewall-cmd --reload
    +
    +
    +
  2. +
  3. +

    Install the required packages for the registry node.

    +
    +
    +
    [user@registry ~]$ sudo yum -y install python3 podman httpd httpd-tools jq
    +
    +
    +
  4. +
  5. +

    Create the directory structure where the repository information will be held.

    +
    +
    +
    [user@registry ~]$ sudo mkdir -p /opt/registry/{auth,certs,data}
    +
    +
    +
  6. +
+
+
+
+

3.7.2. Generating the self-signed certificate (optional)

+
+

Generate a self-signed certificate for the registry node and put it in the /opt/registry/certs directory.

+
+
+
Procedure
+
    +
  1. +

    Adjust the certificate information as appropriate.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +[user@registry ~]$ cert_c="<Country Name>"   # Country Name (C, 2 letter code)
    +[user@registry ~]$ cert_s="<State>"          # Certificate State (S)
    +[user@registry ~]$ cert_l="<Locality>"       # Certificate Locality (L)
    +[user@registry ~]$ cert_o="<Organization>"   # Certificate Organization (O)
    +[user@registry ~]$ cert_ou="<Org Unit>"      # Certificate Organizational Unit (OU)
    +[user@registry ~]$ cert_cn="${host_fqdn}"    # Certificate Common Name (CN)
    +
    +[user@registry ~]$ openssl req \
    +    -newkey rsa:4096 \
    +    -nodes \
    +    -sha256 \
    +    -keyout /opt/registry/certs/domain.key \
    +    -x509 \
    +    -days 365 \
    +    -out /opt/registry/certs/domain.crt \
    +    -addext "subjectAltName = DNS:${host_fqdn}" \
    +    -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
    +
    +
    +
    + + + + + +
    + + +When replacing <Country Name>, ensure that it only contains two letters. For example, US. +
    +
    +
  2. +
  3. +

    Update the registry node’s ca-trust with the new certificate.

    +
    +
    +
    [user@registry ~]$ sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
    +[user@registry ~]$ sudo update-ca-trust extract
    +
    +
    +
  4. +
+
+
+
+

3.7.3. Creating the registry podman container (optional)

+
+

The registry container uses the /opt/registry directory for certificates, authentication files, and to store its data files.

+
+
+

The registry container uses httpd and needs an htpasswd file for authentication.

+
+
+
Procedure
+
    +
  1. +

    Create an htpasswd file in /opt/registry/auth for the container to use.

    +
    +
    +
    [user@registry ~]$ htpasswd -bBc /opt/registry/auth/htpasswd <user> <passwd>
    +
    +
    +
    +

    Replace <user> with the user name and <passwd> with the password.

    +
    +
  2. +
  3. +

    Create and start the registry container.

    +
    +
    +
    [user@registry ~]$ podman create \
    +  --name ocpdiscon-registry \
    +  -p 5000:5000 \
    +  -e "REGISTRY_AUTH=htpasswd" \
    +  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry" \
    +  -e "REGISTRY_HTTP_SECRET=ALongRandomSecretForRegistry" \
    +  -e "REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
    +  -e "REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt" \
    +  -e "REGISTRY_HTTP_TLS_KEY=/certs/domain.key" \
    +  -e "REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED=true" \
    +  -v /opt/registry/data:/var/lib/registry:z \
    +  -v /opt/registry/auth:/auth:z \
    +  -v /opt/registry/certs:/certs:z \
    +  docker.io/library/registry:2
    +
    +
    +
    +
    +
    [user@registry ~]$ podman start ocpdiscon-registry
    +
    +
    +
  4. +
+
+
+
+

3.7.4. Copy and update the pull-secret (optional)

+
+

Copy the pull secret file from the provisioner node to the registry node and modify it to include the authentication information for the new registry node.

+
+
+
Procedure
+
    +
  1. +

    Copy the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ scp kni@provisioner:/home/kni/pull-secret.txt pull-secret.txt
    +
    +
    +
  2. +
  3. +

    Update the host_fqdn environment variable with the fully qualified domain name of the registry node.

    +
    +
    +
    [user@registry ~]$ host_fqdn=$( hostname --long )
    +
    +
    +
  4. +
  5. +

    Update the b64auth environment variable with the base64 encoding of the http credentials used to create the htpasswd file.

    +
    +
    +
    [user@registry ~]$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 )
    +
    +
    +
    +

    Replace <username> with the user name and <passwd> with the password.

    +
    +
  6. +
  7. +

    Set the AUTHSTRING environment variable to use the base64 authorization string. The $USER variable is an environment variable containing the name of the current user.

    +
    +
    +
    [user@registry ~]$ AUTHSTRING="{\"$host_fqdn:5000\": {\"auth\": \"$b64auth\",\"email\": \"$USER@redhat.com\"}}"
    +
    +
    +
  8. +
  9. +

    Update the pull-secret.txt file.

    +
    +
    +
    [user@registry ~]$ jq ".auths += $AUTHSTRING" < pull-secret.txt > pull-secret-update.txt
    +
    +
    +
  10. +
+
+
+
+

3.7.5. Mirroring the repository (optional)

+
+
Procedure
+
    +
  1. +

    Copy the oc binary from the provisioner node to the registry node.

    +
    +
    +
    [user@registry ~]$ sudo scp kni@provisioner:/usr/local/bin/oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Get the release image and mirror the remote install images to the local repository.

    +
    +
    +
    [user@registry ~]$ export VERSION=latest-4.9
    +[user@registry ~]$ UPSTREAM_REPO=$(curl -s https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/$VERSION/release.txt | awk  '/Pull From/ {print $3}')
    +[user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.txt
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
  4. +
+
+
+
+

3.7.6. Modify the install-config.yaml file to use the disconnected registry (optional)

+
+

On the provisioner node, the install-config.yaml file should use the newly created pull-secret from the pull-secret-update.txt file. The install-config.yaml file must also contain the disconnected registry node’s certificate and registry information.

+
+
+
Procedure
+
    +
  1. +

    Add the disconnected registry node’s certificate to the install-config.yaml file. The certificate should follow the "additionalTrustBundle: |" line and be properly indented, usually by two spaces.

    +
    +
    +
    $ echo "additionalTrustBundle: |" >> install-config.yaml
    +$ sed -e 's/^/  /' /opt/registry/certs/domain.crt >> install-config.yaml
    +
    +
    +
  2. +
  3. +

    Add the mirror information for the registry to the install-config.yaml file.

    +
    +
    +
    $ cat <<EOF >> install-config.yaml
    +<image-config>: (1)
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: registry.svc.ci.openshift.org/ocp/release
    +- mirrors:
    +  - registry.example.com:5000/ocp4/openshift4
    +  source: quay.io/openshift-release-dev/ocp-release
    +EOF
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <image-config> with imageContentSources for OpenShift 4.13 and below, or imageDigestSources for Openshift 4.14 and above. +
    + + + + + +
    + + +Replace registry.example.com with the registry’s fully qualified domain name. +
    +
    +
    +
  4. +
+
+
+
+
+

3.8. Deploying routers on worker nodes

+
+

During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If the initial cluster has only one worker node, or if a deployed cluster requires additional routers to handle external traffic loads destined for services within the OpenShift Container Platform cluster, you can create a yaml file to set an appropriate number of router replicas.

+
+
+ + + + + +
+ + +
+

By default, the installer deploys two routers. +If the cluster has at least two worker nodes, you can skip this section. +For more information on the Ingress Operator see: Ingress Operator in OpenShift Container Platform.

+
+
+
+
+ + + + + +
+ + +
+

If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default. If the cluster has no worker nodes, you can skip this section.

+
+
+
+
+
Procedure
+
    +
  1. +

    Create a router-replicas.yaml file.

    +
    +
    +
    apiVersion: operator.openshift.io/v1
    +kind: IngressController
    +metadata:
    +  name: default
    +  namespace: openshift-ingress-operator
    +spec:
    +  replicas: <num-of-router-pods>
    +  endpointPublishingStrategy:
    +    type: HostNetwork
    +  nodePlacement:
    +    nodeSelector:
    +      matchLabels:
    +        node-role.kubernetes.io/worker: ""
    +
    +
    +
    + + + + + +
    + + +
    +

    Replace <num-of-router-pods> with an appropriate value. If working with just one worker node, set replicas: to 1. If working with more than 3 worker nodes, you can increase replicas: from the default value 2 as appropriate.

    +
    +
    +
    +
  2. +
  3. +

    Save and copy the router-replicas.yaml file to the clusterconfigs/openshift directory.

    +
    +
    +
    cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yaml
    +
    +
    +
  4. +
+
+
+
+

3.9. Validation checklist for installation

+
+
    +
  • +

    OpenShift Container Platform installer has been retrieved.

    +
  • +
  • +

    OpenShift Container Platform installer has been extracted.

    +
  • +
  • +

    Required parameters for the install-config.yaml have been configured.

    +
  • +
  • +

    The hosts parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    The bmc parameter for the install-config.yaml has been configured.

    +
  • +
  • +

    Conventions for the values configured in the bmc address field have been applied.

    +
  • +
  • +

    Created a disconnected registry (optional).

    +
  • +
  • +

    Validate disconnected registry settings if in use. (optional)

    +
  • +
  • +

    Deployed routers on worker nodes. (optional)

    +
  • +
+
+
+
+

3.10. Deploying the cluster via the OpenShift Container Platform installer

+
+

Run the OpenShift Container Platform installer:

+
+
+
+
[kni@provisioner ~]$ ./openshift-baremetal-install --dir ~/clusterconfigs --log-level debug create cluster
+
+
+
+
+

3.11. Following the installation

+
+

During the deployment process, you can check the installation’s overall status by issuing the tail command to the .openshift_install.log log file in the install directory folder.

+
+
+
+
[kni@provisioner ~]$ tail -f /path/to/install-dir/.openshift_install.log
+
+
+
+
+

3.12. Verifying static IP address configuration

+
+

If the DHCP reservation for a cluster node specifies an infinite leases, after the installer successfully provisions the node, the dispatcher script will check the node’s network configuration. If the script determines that the network configuration contains an infinite DHCP lease, it creates a new connection using the IP address of the DHCP lease as a static IP address.

+
+
+ + + + + +
+ + +
+

The dispatcher script may run on successfully provisioned nodes while the provisioning of other nodes in the cluster is ongoing.

+
+
+
+
+

To verify the network configuration is working properly, you can:

+
+
+
    +
  • +

    Check the network interface configuration on the node.

    +
  • +
  • +

    Turn off the DHCP server and reboot the OpenShift Container Platform node and and ensure that the network configuration works properly.

    +
  • +
+
+
+
+
+
+

4. Installer-provisioned post-installation configuration

+
+
+

After successfully deploying an installer-provisioned cluster, consider the following post-installation procedures.

+
+
+

4.1. Configuring NTP for disconnected clusters (optional)

+
+

OpenShift Container Platform installs the chrony Network Time Protocol (NTP) service on the cluster nodes. +Use the following procedure to configure NTP servers on the control plane nodes and configure worker nodes as NTP clients of the control plane nodes after a successful deployment.

+
+
+
+Configuring NTP for disconnected clusters +
+
+
+

OpenShift Container Platform nodes must agree on a date and time to run properly. When worker nodes retrieve the date and time from the NTP servers on the control plane nodes, it enables the installation and operation of clusters that are not connected to a routable network and thereby do not have access to a higher stratum NTP server.

+
+
+
Procedure
+
    +
  1. +

    Create a ~/control-plane-chrony.conf configuration file for the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # Use public servers from the pool.ntp.org project.
    +# Please consider joining the pool (https://www.pool.ntp.org/join.html).
    +
    +# This file is managed by the machine config operator
    +server openshift-master-0.<cluster-name>.<domain> iburst (1)
    +server openshift-master-1.<cluster-name>.<domain> iburst
    +server openshift-master-2.<cluster-name>.<domain> iburst
    +
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +
    +# Configure the control plane nodes to serve as local NTP servers
    +# for all worker nodes, even if they are not in sync with an
    +# upstream NTP server.
    +
    +# Allow NTP client access from the local network.
    +allow all
    +# Serve time even if not synchronized to a time source.
    +local stratum 3 orphan
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
    +
    +
  2. +
  3. +

    Create a ~/worker-chrony.conf configuration file for the worker nodes such that worker nodes reference the NTP servers on the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # This file is managed by the machine config operator
    +server openshift-master-0.<cluster-name>.<domain> iburst (1)
    +server openshift-master-1.<cluster-name>.<domain> iburst
    +server openshift-master-2.<cluster-name>.<domain> iburst
    +
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace <cluster-name> with the name of the cluster and replace <domain> with the fully qualified domain name.
    +
    +
  4. +
  5. +

    Create a ~/ntp-server.yaml configuration file for telling the Machine Configuration Operator to apply the ~/control-plane-chrony.conf settings to the NTP servers on the control plane nodes.

    +
    +
    Configuration file example
    +
    +
    # This example MachineConfig replaces ~/control-plane-chrony.conf
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf-override-to-server
    +spec:
    +  config:
    +    ignition:
    +      version: 2.2.0
    +    storage:
    +      files:
    +        - contents:
    +            source: data:text/plain;charset=utf-8;base64,BASE64ENCODEDCONFIGFILE(1)
    +          filesystem: root
    +          mode: 0644
    +          path: /etc/control-plane-chrony.conf
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace the BASE64ENCODEDCONFIGFILE string with the base64-encoded string of the ~/control-plane-chrony.conf file in the subsequent step.
    +
    +
  6. +
  7. +

    Generate a base64 string of the ~/control-plane-chrony.conf file.

    +
    +
    +
    $ base64 ~/control-plane-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    IyBVc2UgcHVibGljIHNlcnZlcnMgZnJvbSB0aGUgcG9vbC5udHAub3JnIHByb2plY3QuCiMgUGxl
    +YXNlIGNvbnNpZGVyIGpvaW5pbmcgdGhlIHBvb2wgKGh0dHBzOi8vd3d3LnBvb2wubnRwLm9yZy9q
    +b2luLmh0bWwpLgoKIyBUaGlzIGZpbGUgaXMgbWFuYWdlZCBieSB0aGUgbWFjaGluZSBjb25maWcg
    +b3BlcmF0b3IKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMC48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMS48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKc2VydmVyIG9wZW5zaGlmdC1tYXN0ZXItMi48Y2x1c3Rlci1uYW1lPi48ZG9tYWlu
    +PiBpYnVyc3QKCnN0cmF0dW13ZWlnaHQgMApkcmlmdGZpbGUgL3Zhci9saWIvY2hyb255L2RyaWZ0
    +CnJ0Y3N5bmMKbWFrZXN0ZXAgMTAgMwpiaW5kY21kYWRkcmVzcyAxMjcuMC4wLjEKYmluZGNtZGFk
    +ZHJlc3MgOjoxCmtleWZpbGUgL2V0Yy9jaHJvbnkua2V5cwpjb21tYW5ka2V5IDEKZ2VuZXJhdGVj
    +b21tYW5ka2V5Cm5vY2xpZW50bG9nCmxvZ2NoYW5nZSAwLjUKbG9nZGlyIC92YXIvbG9nL2Nocm9u
    +eQoKIyBDb25maWd1cmUgdGhlIGNvbnRyb2wgcGxhbmUgbm9kZXMgdG8gc2VydmUgYXMgbG9jYWwg
    +TlRQIHNlcnZlcnMKIyBmb3IgYWxsIHdvcmtlciBub2RlcywgZXZlbiBpZiB0aGV5IGFyZSBub3Qg
    +aW4gc3luYyB3aXRoIGFuCiMgdXBzdHJlYW0gTlRQIHNlcnZlci4KCiMgQWxsb3cgTlRQIGNsaWVu
    +dCBhY2Nlc3MgZnJvbSB0aGUgbG9jYWwgbmV0d29yay4KYWxsb3cgYWxsCiMgU2VydmUgdGltZSBl
    +dmVuIGlmIG5vdCBzeW5jaHJvbml6ZWQgdG8gYSB0aW1lIHNvdXJjZS4KbG9jYWwgc3RyYXR1bSAz
    +IG9ycGhhbgo=
    +
    +
    +
    +

    Replace the BASE64ENCODEDCONFIGFILE string in the ~/ntp-server.yaml with the base64-encoded string.

    +
    +
  8. +
  9. +

    Create a ~/ntp-client.yaml configuration file for telling the Machine Configuration Operator to apply the ~/worker-chrony.conf settings to the NTP clients on the worker nodes.

    +
    +
    Configuration file example
    +
    +
    # This example MachineConfig replaces ~/worker-chrony.conf
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  labels:
    +    machineconfiguration.openshift.io/role: worker
    +  name: 99-master-etc-chrony-conf-override-for-worker
    +spec:
    +  config:
    +    ignition:
    +      version: 2.2.0
    +    storage:
    +      files:
    +        - contents:
    +            source: data:text/plain;charset=utf-8;base64,BASE64ENCODEDCONFIGFILE(1)
    +          filesystem: root
    +          mode: 0644
    +          path: /etc/worker-chrony.conf
    +
    +
    +
    +

    Where:

    +
    +
    + + + + + +
    1You must replace the BASE64ENCODEDCONFIGFILE string with the base64-encoded string of the ~/worker-chrony.conf file in the subsequent step.
    +
    +
  10. +
  11. +

    Generate a base64-encoded string of the ~/worker-chrony.conf file.

    +
    +
    +
    $ base64 ~/worker-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    IyBUaGlzIGZpbGUgaXMgbWFuYWdlZCBieSB0aGUgbWFjaGluZSBjb25maWcgb3BlcmF0b3IKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMC48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMS48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKc2Vy
    +dmVyIG9wZW5zaGlmdC1tYXN0ZXItMi48Y2x1c3Rlci1uYW1lPi48ZG9tYWluPiBpYnVyc3QKCnN0
    +cmF0dW13ZWlnaHQgMApkcmlmdGZpbGUgL3Zhci9saWIvY2hyb255L2RyaWZ0CnJ0Y3N5bmMKbWFr
    +ZXN0ZXAgMTAgMwpiaW5kY21kYWRkcmVzcyAxMjcuMC4wLjEKYmluZGNtZGFkZHJlc3MgOjoxCmtl
    +eWZpbGUgL2V0Yy9jaHJvbnkua2V5cwpjb21tYW5ka2V5IDEKZ2VuZXJhdGVjb21tYW5ka2V5Cm5v
    +Y2xpZW50bG9nCmxvZ2NoYW5nZSAwLjUKbG9nZGlyIC92YXIvbG9nL2Nocm9ueQo=
    +
    +
    +
    +

    Replace the BASE64ENCODEDCONFIGFILE string in the ~/ntp-client.yaml file with the base64-encoded string.

    +
    +
  12. +
  13. +

    Apply the ntp-server.yaml policy to the control plane nodes.

    +
    +
    +
    $ oc apply -f ~/ntp-server.yaml
    +
    +
    +
    +
    Example output
    +
    +
    machineconfig.machineconfiguration.openshift.io/99-master-etc-chrony-conf-override-for-server created
    +
    +
    +
  14. +
  15. +

    Apply the ~/ntp-client.yaml policy to the worker nodes.

    +
    +
    +
    $ oc apply -f ~/worker-chrony.conf
    +
    +
    +
    +
    Example output
    +
    +
    machineconfig.machineconfiguration.openshift.io/99-master-etc-chrony-conf-override-for-worker created
    +
    +
    +
  16. +
  17. +

    Check the status of the applied NTP settings.

    +
    +
    +
    $ oc describe machineconfigpool
    +
    +
    +
  18. +
+
+
+
+

4.2. Configuring an external load balancer

+
+

You can configure an OpenShift Container Platform cluster +to use an external load balancer in place of the default load balancer.

+
+
+
Prerequisites
+
    +
  • +

    On your load balancer, TCP over ports 6443, 443, and 80 must be available to any users of your system.

    +
  • +
  • +

    Load balance the API port, 6443, between each of the control plane nodes.

    +
  • +
  • +

    Load balance the application ports, 443 and 80, between all of the compute nodes.

    +
  • +
  • +

    On your load balancer, port 22623, which is used to serve ignition start-up configurations to nodes, is not exposed outside of the cluster.

    +
  • +
  • +

    Your load balancer must be able to access every machine in your cluster. Methods to allow this access include:

    +
    +
      +
    • +

      Attaching the load balancer to the cluster’s machine subnet.

      +
    • +
    • +

      Attaching floating IP addresses to machines that use the load balancer.

      +
    • +
    +
    +
  • +
+
+
+ + + + + +
+ + +
+

External load balancing services and the control plane nodes must run on the same L2 network, and on the same VLAN when using VLANs to route traffic between the load balancing services and the control plane nodes.

+
+
+
+
+
Procedure
+
    +
  1. +

    Enable access to the cluster from your load balancer on ports 6443, 443, and 80.

    +
    +

    As an example, note this HAProxy configuration:

    +
    +
    +
    A section of a sample HAProxy configuration
    +
    +
    ...
    +listen my-cluster-api-6443
    +    bind 0.0.0.0:6443
    +    mode tcp
    +    balance roundrobin
    +    server my-cluster-master-2 192.0.2.2:6443 check
    +    server my-cluster-master-0 192.0.2.3:6443 check
    +    server my-cluster-master-1 192.0.2.1:6443 check
    +listenmy-cluster-apps-443
    +        bind 0.0.0.0:443
    +        mode tcp
    +        balance roundrobin
    +        server my-cluster-worker-0 192.0.2.6:443 check
    +        server my-cluster-worker-1 192.0.2.5:443 check
    +        server my-cluster-worker-2 192.0.2.4:443 check
    +listenmy-cluster-apps-80
    +        bind 0.0.0.0:80
    +        mode tcp
    +        balance roundrobin
    +        server my-cluster-worker-0 192.0.2.7:80 check
    +        server my-cluster-worker-1 192.0.2.9:80 check
    +        server my-cluster-worker-2 192.0.2.8:80 check
    +
    +
    +
  2. +
  3. +

    Add records to your DNS server for the cluster API and apps over the load balancer. For example:

    +
    +
    +
    <load_balancer_ip_address> api.<cluster_name>.<base_domain>
    +<load_balancer_ip_address> apps.<cluster_name>.<base_domain>
    +
    +
    +
  4. +
  5. +

    From a command line, use curl to verify that the external load balancer and DNS configuration are operational.

    +
    +
      +
    1. +

      Verify that the cluster API is accessible:

      +
      +
      +
      $ curl https://<loadbalancer_ip_address>:6443/version --insecure
      +
      +
      +
      +

      If the configuration is correct, you receive a JSON object in response:

      +
      +
      +
      +
      {
      +  "major": "1",
      +  "minor": "11+",
      +  "gitVersion": "v1.11.0+ad103ed",
      +  "gitCommit": "ad103ed",
      +  "gitTreeState": "clean",
      +  "buildDate": "2019-01-09T06:44:10Z",
      +  "goVersion": "go1.10.3",
      +  "compiler": "gc",
      +  "platform": "linux/amd64"
      +}
      +
      +
      +
    2. +
    3. +

      Verify that cluster applications are accessible:

      +
      + + + + + +
      + + +
      +

      You can also verify application accessibility by opening the OpenShift Container Platform console in a web browser.

      +
      +
      +
      +
      +
      +
      $ curl http://console-openshift-console.apps.<cluster_name>.<base_domain> -I -L --insecure
      +
      +
      +
      +

      If the configuration is correct, you receive an HTTP response:

      +
      +
      +
      +
      HTTP/1.1 302 Found
      +content-length: 0
      +location: https://console-openshift-console.apps.<cluster-name>.<base domain>/
      +cache-control: no-cacheHTTP/1.1 200 OK
      +referrer-policy: strict-origin-when-cross-origin
      +set-cookie: csrf-token=39HoZgztDnzjJkq/JuLJMeoKNXlfiVv2YgZc09c3TBOBU4NI6kDXaJH1LdicNhN1UsQWzon4Dor9GWGfopaTEQ==; Path=/; Secure
      +x-content-type-options: nosniff
      +x-dns-prefetch-control: off
      +x-frame-options: DENY
      +x-xss-protection: 1; mode=block
      +date: Tue, 17 Nov 2020 08:42:10 GMT
      +content-type: text/html; charset=utf-8
      +set-cookie: 1e2670d92730b515ce3a1bb65da45062=9b714eb87e93cf34853e87a92d6894be; path=/; HttpOnly; Secure; SameSite=None
      +cache-control: private
      +
      +
      +
    4. +
    +
    +
  6. +
+
+
+
+

4.3. Enabling a provisioning network after installation

+
+

The assisted installer and installer-provisioned installation for bare metal clusters provide the ability to deploy a cluster without a provisioning network. This capability is for scenarios such as proof-of-concept clusters or deploying exclusively with Redfish virtual media when each node’s baseboard management controller is routable via the baremetal network.

+
+
+

In OpenShift Container Platform 4.8 and later, you can enable a provisioning network after installation using the Cluster Baremetal Operator (CBO).

+
+
+
Prerequisites
+
    +
  • +

    A dedicated physical network must exist, connected to all worker and control plane nodes.

    +
  • +
  • +

    You must isolate the native, untagged physical network.

    +
  • +
  • +

    The network cannot have a DHCP server when the provisioningNetwork configuration setting is set to Managed.

    +
  • +
  • +

    You must connect the control plane nodes to the network with the same network interface, such as eth0 or eno1.

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Identify the provisioning interface name for the cluster nodes. For example, eth0 or eno1.

    +
  2. +
  3. +

    Enable the Preboot eXecution Environment (PXE) on the provisioning network interface of the cluster nodes.

    +
  4. +
  5. +

    Retrieve the current state of the provisioning network and save it to a provisioning configuration resource file:

    +
    +
    +
    $ oc get provisioning -o yaml > enable-provisioning-nw.yaml
    +
    +
    +
  6. +
  7. +

    Modify the provisioning configuration resource file:

    +
    +
    +
    $ vim ~/enable-provisioning-nw.yaml
    +
    +
    +
    +

    Scroll down to the provisioningNetwork configuration setting and change it from Disabled to Managed. Then, add the provisioningOSDownloadURL, provisioningIP, provisioningNetworkCIDR, provisioningDHCPRange, provisioningInterface, and watchAllNameSpaces configuration settings after the provisioningNetwork setting. Provide appropriate values for each setting.

    +
    +
    +
    +
    apiVersion: v1
    +items:
    +- apiVersion: metal3.io/v1alpha1
    +  kind: Provisioning
    +  metadata:
    +    name: provisioning-configuration
    +  spec:
    +    provisioningNetwork: (1)
    +    provisioningOSDownloadURL: (2)
    +    provisioningIP: (3)
    +    provisioningNetworkCIDR: (4)
    +    provisioningDHCPRange: (5)
    +    provisioningInterface: (6)
    +    watchAllNameSpaces: (7)
    +
    +
    +
    +

    where:

    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    1The provisioningNetwork is one of Managed, Unmanaged, or Disabled. When set to Managed, Metal3 manages the provisioning network and the CBO deploys the Metal3 pod with a configured DHCP server. When set to Unmanaged, the system administrator configures the DHCP server manually.
    2The provisioningOSDownloadURL is a valid HTTPS URL with a valid sha256 checksum that enables the Metal3 pod to download a qcow2 operating system image ending in .qcow2.gz or .qcow2.xz. This field is required whether the provisioning network is Managed, Unmanaged, or Disabled. For example: http://192.168.0.1/images/rhcos-<version>.x86_64.qcow2.gz?sha256=<sha>.
    3The provisioningIP is the static IP address that the DHCP server and ironic use to provision the network. This static IP address must be within the provisioning subnet, and outside of the DHCP range. If you configure this setting, it must have a valid IP address even if the provisioning network is Disabled. The static IP address is bound to the metal3 pod. If the metal3 pod fails and moves to another server, the static IP address also moves to the new server.
    4The Classless Inter-Domain Routing (CIDR) address. If you configure this setting, it must have a valid CIDR address even if the provisioning network is Disabled. For example: 192.168.0.1/24.
    5The DHCP range. This setting is only applicable to a Managed provisioning network. Omit this configuration setting if the provisioning network is Disabled. For example: 192.168.0.64, 192.168.0.253.
    6The NIC name for the provisioning interface on cluster nodes. This setting is only applicable to Managed and Unamanged provisioning networks. Omit this configuration setting if the provisioning network is Disabled.
    7Set this setting to true if you want metal3 to watch namespaces other than the default openshift-machine-api namespace. The default value is false.
    +
    +
  8. +
  9. +

    Save the changes to the provisioning configuration resource file.

    +
  10. +
  11. +

    Apply the provisioning configuration resource file to the cluster:

    +
    +
    +
    $ oc apply -f enable-provisioning-nw.yaml
    +
    +
    +
  12. +
+
+
+
+
+
+

5. Day 2 operations

+
+
+

The following sections are optional, but may be of interest after the initial deployment has been completed.

+
+
+

5.1. Accessing the web console

+
+

The web console runs as a pod on the master. The static assets required to run +the web console are served by the pod. Once OpenShift Container Platform is successfully +installed, find the URL for the web console and login credentials for your +installed cluster in the CLI output of the installation program. For example:

+
+
+
Example output
+
+
INFO Install complete!
+INFO Run 'export KUBECONFIG=<your working directory>/auth/kubeconfig' to manage the cluster with 'oc', the OpenShift CLI.
+INFO The cluster is ready when 'oc login -u kubeadmin -p <provided>' succeeds (wait a few minutes).
+INFO Access the OpenShift web-console here: https://console-openshift-console.apps.demo1.openshift4-beta-abcorp.com
+INFO Login to the console with user: kubeadmin, password: <provided>
+
+
+
+

Use those details to log in and access the web console.

+
+
+

Additionally, you can execute:

+
+
+
+
oc whoami --show-console
+
+
+
+

To obtain the url for the console.

+
+
+
+

5.2. Backing up the cluster configuration

+
+

At this point you have a working OpenShift 4 cluster on baremetal. +In order to take advantage of the baremetal hardware that was the provision node, +you can repurpose the provisioning node as a worker. +Prior to reprovisioning the node, it is recommended to backup some existing files.

+
+
+
Procedure
+
    +
  1. +

    Tar the clusterconfig folder and download it to your local machine.

    +
    +
    +
    tar cvfz clusterconfig.tar.gz ~/clusterconfig
    +
    +
    +
  2. +
  3. +

    Copy the Private part for the SSH Key configured on the install-config.yaml file to your local machine.

    +
    +
    +
    tar cvfz clusterconfigsh.tar.gz ~/.ssh/id_rsa*
    +
    +
    +
  4. +
  5. +

    Copy the install-config.yaml and metal3-config.yaml files.

    +
    +
    +
    tar cvfz yamlconfigs.tar.gz install-config.yaml metal3-config.yaml
    +
    +
    +
  6. +
+
+
+
+

5.3. Expanding the cluster

+
+

After deploying an installer-provisioned OpenShift Container Platform cluster, you can use the following procedures to expand the number of worker nodes. Ensure that each prospective worker node meets the prerequisites.

+
+
+ + + + + +
+ + +
+

Expanding the cluster using RedFish Virtual Media involves meeting minimum firmware requirements. See Firmware requirements for installing with virtual media in the Prerequisites section for additional details when expanding the cluster using RedFish Virtual Media.

+
+
+
+
+

5.3.1. Preparing the bare metal node

+
+

Expanding the cluster requires a DHCP server. Each node must have a DHCP reservation.

+
+
+ + + + + +
+ + +
Reserving IP addresses so they become static IP addresses
+
+

Some administrators prefer to use static IP addresses so that each node’s IP address remains constant in the absence of a DHCP server. To use static IP addresses in the OpenShift Container Platform cluster, reserve the IP addresses in the DHCP server with an infinite lease. After the installer provisions the node successfully, the dispatcher script will check the node’s network configuration. If the dispatcher script finds that the network configuration contains a DHCP infinite lease, it will recreate the connection as a static IP connection using the IP address from the DHCP infinite lease. NICs without DHCP infinite leases will remain unmodified.

+
+
+
+
+

Preparing the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Get the oc binary, if needed. It should already exist on the provisioner node.

    +
    +
    +
    [kni@provisioner ~]$ export VERSION=latest-4.9
    +[kni@provisioner ~]$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VERSION/openshift-client-linux-$VERSION.tar.gz | tar zxvf - oc
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ sudo cp oc /usr/local/bin
    +
    +
    +
  2. +
  3. +

    Power off the bare metal node via the baseboard management controller and ensure it is off.

    +
  4. +
  5. +

    Retrieve the user name and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the user name and password. In the following example, the user name is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  6. +
  7. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: <protocol>://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of the bare metal node in the two name fields and the credentialsName field. Replace <base64-of-uid> with the base64 string of the user name. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC.

    +
    +
    +

    Refer to the BMC addressing section for additional BMC configuration options. Replace <protocol> with the BMC protocol, such as IPMI, RedFish, or others. +Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
    + + + + + +
    + + +
    +

    If the MAC address of an existing bare metal node matches the MAC address of a bare metal host that you are attempting to provision, then the Ironic installation will fail. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the metal3-baremetal-operator will continuously retry. See Diagnosing a host duplicate MAC address for more information.

    +
    +
    +
    +
  8. +
  9. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  10. +
  11. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
+
+
+
+

5.3.2. Preparing to deploy with Virtual Media on the baremetal network

+
+

If the provisioning network is enabled, and you want to expand the cluster using Virtual Media on the baremetal network, execute the following procedure.

+
+
+
Procedure
+
    +
  1. +

    Edit the provisioning configuration resource (CR) to enable deploying with Virtual Media on the baremetal network.

    +
    +
    +
    oc edit provisioning
    +
    +
    +
    +
    +
      apiVersion: metal3.io/v1alpha1
    +  kind: Provisioning
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:50Z"
    +    finalizers:
    +    - provisioning.metal3.io
    +    generation: 8
    +    name: provisioning-configuration
    +    resourceVersion: "551591"
    +    uid: f76e956f-24c6-4361-aa5b-feaf72c5b526
    +  spec:
    +    preProvisioningOSDownloadURLs: {}
    +    provisioningDHCPRange: 172.22.0.10,172.22.0.254
    +    provisioningIP: 172.22.0.3
    +    provisioningInterface: enp1s0
    +    provisioningNetwork: Managed
    +    provisioningNetworkCIDR: 172.22.0.0/24
    +    provisioningOSDownloadURL: http://192.168.111.1/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.gz?sha256=c7dde5f96826c33c97b5a4ad34110212281916128ae11100956f400db3d5299e
    +    virtualMediaViaExternalNetwork: true (1)
    +  status:
    +    generations:
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 7
    +      name: metal3
    +      namespace: openshift-machine-api
    +      resource: deployments
    +    - group: apps
    +      hash: ""
    +      lastGeneration: 1
    +      name: metal3-image-cache
    +      namespace: openshift-machine-api
    +      resource: daemonsets
    +    observedGeneration: 8
    +    readyReplicas: 0
    +
    +
    +
    + + + + + +
    1Add virtualMediaViaExternalNetwork: true to the provisioning CR.
    +
    +
  2. +
  3. +

    Edit the machine set to use the API VIP address.

    +
    +
    +
    oc edit machineset
    +
    +
    +
    +
    +
      apiVersion: machine.openshift.io/v1beta1
    +  kind: MachineSet
    +  metadata:
    +    creationTimestamp: "2021-08-05T18:51:52Z"
    +    generation: 11
    +    labels:
    +      machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +      machine.openshift.io/cluster-api-machine-role: worker
    +      machine.openshift.io/cluster-api-machine-type: worker
    +    name: ostest-hwmdt-worker-0
    +    namespace: openshift-machine-api
    +    resourceVersion: "551513"
    +    uid: fad1c6e0-b9da-4d4a-8d73-286f78788931
    +  spec:
    +    replicas: 2
    +    selector:
    +      matchLabels:
    +        machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +        machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +    template:
    +      metadata:
    +        labels:
    +          machine.openshift.io/cluster-api-cluster: ostest-hwmdt
    +          machine.openshift.io/cluster-api-machine-role: worker
    +          machine.openshift.io/cluster-api-machine-type: worker
    +          machine.openshift.io/cluster-api-machineset: ostest-hwmdt-worker-0
    +      spec:
    +        metadata: {}
    +        providerSpec:
    +          value:
    +            apiVersion: baremetal.cluster.k8s.io/v1alpha1
    +            hostSelector: {}
    +            image:
    +              checksum: http:/172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2.md5sum (1)
    +              url: http://172.22.0.3:6181/images/rhcos-49.84.202107010027-0-openstack.x86_64.qcow2/cached-rhcos-49.84.202107010027-0-openstack.x86_64.qcow2 (2)
    +            kind: BareMetalMachineProviderSpec
    +            metadata:
    +              creationTimestamp: null
    +            userData:
    +              name: worker-user-data
    +  status:
    +    availableReplicas: 2
    +    fullyLabeledReplicas: 2
    +    observedGeneration: 11
    +    readyReplicas: 2
    +    replicas: 2
    +
    +
    +
    + + + + + + + + + +
    1Edit the checksum URL to use the API VIP address.
    2Edit the url URL to use the API VIP address.
    +
    +
  4. +
+
+
+
Diagnosing a duplicate MAC address when provisioning a new host in the cluster
+
+

If the MAC address of an existing bare-metal node in the cluster matches the MAC address of a bare-metal host you are attempting to add to the cluster, the Bare Metal Operator associates the host with the existing node. If the host enrollment, inspection, cleaning, or other Ironic steps fail, the Bare Metal Operator retries the installation continuously. A registration error is displayed for the failed bare-metal host.

+
+
+

You can diagnose a duplicate MAC address by examining the bare-metal hosts that are running in the openshift-machine-api namespace.

+
+
+
Prerequisites
+
    +
  • +

    Install an OpenShift Container Platform cluster on bare metal.

    +
  • +
  • +

    Install the OpenShift Container Platform CLI oc.

    +
  • +
  • +

    Log in as a user with cluster-admin privileges.

    +
  • +
+
+
+
Procedure
+

To determine whether a bare-metal host that fails provisioning has the same MAC address as an existing node, do the following:

+
+
+
    +
  1. +

    Get the bare-metal hosts running in the openshift-machine-api namespace:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    Example output
    +
    +
    NAME                 STATUS   PROVISIONING STATUS      CONSUMER
    +openshift-master-0   OK       externally provisioned   openshift-zpwpq-master-0
    +openshift-master-1   OK       externally provisioned   openshift-zpwpq-master-1
    +openshift-master-2   OK       externally provisioned   openshift-zpwpq-master-2
    +openshift-worker-0   OK       provisioned              openshift-zpwpq-worker-0-lv84n
    +openshift-worker-1   OK       provisioned              openshift-zpwpq-worker-0-zd8lm
    +openshift-worker-2   error    registering
    +
    +
    +
  2. +
  3. +

    To see more detailed information about the status of the failing host, run the following command replacing <bare_metal_host_name> with the name of the host:

    +
    +
    +
    $ oc get -n openshift-machine-api bmh <bare_metal_host_name> -o yaml
    +
    +
    +
    +
    Example output
    +
    +
    ...
    +status:
    +  errorCount: 12
    +  errorMessage: MAC address b4:96:91:1d:7c:20 conflicts with existing node openshift-worker-1
    +  errorType: registration error
    +...
    +
    +
    +
  4. +
+
+
+
+
+

5.3.3. Provisioning the bare metal node

+
+

Provisioning the bare metal node requires executing the following procedure from the provisioner node.

+
+
+
Procedure
+
    +
  1. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  2. +
  3. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-3.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-1.openshift.example.com            Ready    master          30h     v1.16.2
    +
    +
    +
  4. +
  5. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +...
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +
    +
    +
  6. +
  7. +

    Increase the number of worker nodes by one.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  8. +
  9. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This can take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  10. +
  11. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                          STATUS   ROLES   AGE     VERSION
    +provisioner.openshift.example.com             Ready    master  30h     v1.16.2
    +openshift-master-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-2.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-master-3.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-0.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-1.openshift.example.com      Ready    master  30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com  Ready    worker  3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  12. +
+
+
+
+

5.3.4. Preparing the provisioner node to be deployed as a worker node

+
+
Procedure
+

Perform the following steps prior to converting the provisioner node to a worker node.

+
+
+
    +
  1. +

    ssh to a system (for example, a laptop) that can access the out of band management network of the current provisioner node.

    +
  2. +
  3. +

    Copy the backups clusterconfig.tar.gz, clusterconfigsh.tar.gz, and amlconfigs.tar.gz to the new system.

    +
  4. +
  5. +

    Copy the oc binary from the existing provisioning node to the new system.

    +
  6. +
  7. +

    Make a note of the mac addresses, the baremetal network IP used for the provisioner node, and the IP address of +the Out of band Management Network.

    +
  8. +
  9. +

    Reboot the system and ensure that PXE is enabled on the provisioning network and PXE is disabled for all other NICs.

    +
  10. +
  11. +

    If installation was performed using a Satellite server, remove the Host entry for the existing provisioning node.

    +
  12. +
  13. +

    Install the ipmitool on the new system in order to power off the provisioner node.

    +
  14. +
+
+
+
+

5.3.5. Adding a worker node to an existing cluster

+
+
Procedure
+
    +
  1. +

    Retrieve the username and password of the bare metal node’s baseboard management controller. Then, create base64 strings from the username and password. In the following example, the username is root and the password is calvin.

    +
    +
    +
    [kni@provisioner ~]$ echo -ne "root" | base64
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ echo -ne "calvin" | base64
    +
    +
    +
  2. +
  3. +

    Create a configuration file for the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ vim bmh.yaml
    +
    +
    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-<num>-bmc-secret
    +type: Opaque
    +data:
    +  username: <base64-of-uid>
    +  password: <base64-of-pwd>
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-<num>
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<bmc-ip>
    +    credentialsName: openshift-worker-<num>-bmc-secret
    +
    +
    +
    +

    Replace <num> for the worker number of bare metal node in two name fields and credentialsName field. Replace <base64-of-uid> with the base64 string of the username. Replace <base64-of-pwd> with the base64 string of the password. Replace <NIC1-mac-address> with the MAC address of the bare metal node’s first NIC. Replace <bmc-ip> with the IP address of the bare metal node’s baseboard management controller.

    +
    +
  4. +
+
+
+ + + + + +
+ + +
+

When using redfish or redfish-virtualmedia, add the +appropriate addressing as described in the BMC addressing section. See BMC addressing for details.

+
+
+
+
+
    +
  1. +

    Create the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api create -f bmh.yaml
    +
    +
    +
    +
    +
    secret/openshift-worker-<num>-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-<num> created
    +
    +
    +
    +

    Where <num> will be the worker number.

    +
    +
  2. +
  3. +

    Power up and inspect the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  4. +
  5. +

    Ensure the PROVISIONING STATUS is ready before provisioning the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$  oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  6. +
  7. +

    Get a count of the number of worker nodes.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
  8. +
  9. +

    Get the machine set.

    +
    +
    +
    [kni@provisioner ~]$ oc get machinesets -n openshift-machine-api
    +
    +
    +
    +
    +
    NAME                                DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-0.example.com      1         1         1       1           55m
    +openshift-worker-1.example.com      1         1         1       1           55m
    +openshift-worker-2.example.com      1         1         1       1           55m
    +
    +
    +
  10. +
  11. +

    Increase the number of worker nodes by 1.

    +
    +
    +
    [kni@provisioner ~]$ oc scale --replicas=<num> machineset <machineset> -n openshift-machine-api
    +
    +
    +
    +

    Replace <num> with the new number of worker nodes. Replace <machineset> with the name of the machine set from the previous step.

    +
    +
  12. +
  13. +

    Check the status of the bare metal node.

    +
    +
    +
    [kni@provisioner ~]$ oc -n openshift-machine-api get bmh openshift-worker-<num>
    +
    +
    +
    +

    Where <num> is the worker node number. The status changes from ready to provisioning.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioning          openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
    +

    The provisioning status remains until the OpenShift Container Platform cluster provisions the node. This may take 30 minutes or more. Once complete, the status will change to provisioned.

    +
    +
    +
    +
    NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-<num>   OK       provisioned           openshift-worker-<num>-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  14. +
  15. +

    Once provisioned, ensure the bare metal node is ready.

    +
    +
    +
    [kni@provisioner ~]$ oc get nodes
    +
    +
    +
    +
    +
    NAME                                                STATUS   ROLES           AGE     VERSION
    +provisioner.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com            Ready    master          30h     v1.16.2
    +openshift-worker-<num>.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
    +

    You can also check the kubelet.

    +
    +
    +
    +
    [kni@provisioner ~]$ ssh openshift-worker-<num>
    +
    +
    +
    +
    +
    [kni@openshift-worker-<num>]$ journalctl -fu kubelet
    +
    +
    +
  16. +
+
+
+
Appending DNS records
+
+
Configuring Bind (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +<OUTPUT_OMITTED>
    +openshift-worker-1      A       <ip-of-worker-1>
    +openshift-worker-2      A       <ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  6. +
  7. +

    Increase the SERIAL value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the SERIAL value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+

Append the following DNS record to the /etc/hosts file on the server hosting the dnsmasq service.

+
+
+
+
<OUTPUT_OMITTED>
+<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
+<NIC2-IP> openshift-worker-2.openshift.example.com openshift-worker-2
+
+
+
+ + + + + +
+ + +
+

Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

+
+
+
+
+
+
+
Appending DHCP reservations
+
+
Configuring dhcpd (Option 1)
+
+
Procedure
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host openshift-worker-2 {
    +     option host-name "worker-2";
    +     hardware ethernet <NIC2-mac-address>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner as it is replaced by openshift-worker-2.

    +
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+
Configuring dnsmasq (Option 2)
+
+
Procedure
+
    +
  1. +

    Append the following DHCP reservation to the /etc/dnsmasq.d/example.dns file on the server hosting the dnsmasq service.

    +
    +
    +
    <OUTPUT_OMITTED>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-worker-1>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-2.openshift.example.com,<ip-of-worker-2>
    +
    +
    +
    + + + + + +
    + + +
    +

    Remove the provisioner.openshift.example.com entry as it is replaced by worker-2

    +
    +
    +
    +
  2. +
  3. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  4. +
+
+
+
+
+
Deploying the provisioner node as a worker node using Metal3
+
+

After you have completed the prerequisites, perform the deployment process.

+
+
+
Procedure
+
    +
  1. +

    Power off the node using ipmitool and confirm the provisioning node is powered off.

    +
    +
    +
    ssh <server-with-access-to-management-net>
    +# Use the user, password and Management net IP adddress to shutdown the system
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +# Confirm the server is powered down
    +ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power status
    +Chassis Power is off
    +
    +
    +
  2. +
  3. +

    Get base64 strings for the Out of band Management credentials. In this example, the user is root and the password is calvin.

    +
    +
    +
    # Use echo -ne, otherwise you will get your secrets with \n which will cause issues
    +# Get root username in base64
    +echo -ne "root" | base64
    +# Get root password in base64
    +echo -ne "calvin" | base64
    +
    +
    +
  4. +
  5. +

    Configure the BaremetalHost bmh.yaml file.

    +
    +
    +
    ---
    +apiVersion: v1
    +kind: Secret
    +metadata:
    +  name: openshift-worker-2-bmc-secret
    +type: Opaque
    +data:
    +  username: ca2vdAo=
    +  password: MWAwTWdtdC0K
    +---
    +apiVersion: metal3.io/v1alpha1
    +kind: BareMetalHost
    +metadata:
    +  name: openshift-worker-2
    +spec:
    +  online: true
    +  bootMACAddress: <NIC1-mac-address>
    +  bmc:
    +    address: ipmi://<out-of-band-ip>
    +    credentialsName: openshift-worker-2-bmc-secret
    +
    +
    +
  6. +
  7. +

    Create the BaremetalHost.

    +
    +
    +
    ./oc -n openshift-machine-api create -f bmh.yaml
    +secret/openshift-worker-2-bmc-secret created
    +baremetalhost.metal3.io/openshift-worker-2 created
    +
    +
    +
  8. +
  9. +

    Power up and inspect the node.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       inspecting                       ipmi://<out-of-band-ip>                      true
    +
    +
    +
  10. +
  11. +

    After finishing the inspection, the node is ready to be provisioned.

    +
    +
    +
    ./oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER   BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       ready                            ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  12. +
  13. +

    Scale the workers machineset. Previously, there were two replicas during original installation.

    +
    +
    +
    ./oc get machineset -n openshift-machine-api
    +NAME            DESIRED   CURRENT   READY   AVAILABLE   AGE
    +openshift-worker-2   0         0                             21h
    +
    +./oc -n openshift-machine-api scale machineset openshift-worker-2 --replicas=3
    +
    +
    +
  14. +
  15. +

    The baremetal host moves to provisioning status. This can take as long as 30 minutes. You can follow the status +from the node console.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioning          openshift-worker-0-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  16. +
  17. +

    When the node is provisioned it moves to provisioned status.

    +
    +
    +
    oc -n openshift-machine-api get bmh openshift-worker-2
    +
    +NAME                 STATUS   PROVISIONING STATUS   CONSUMER                  BMC                 HARDWARE PROFILE   ONLINE   ERROR
    +openshift-worker-2   OK       provisioned           openshift-worker-2-65tjz   ipmi://<out-of-band-ip>   unknown            true
    +
    +
    +
  18. +
  19. +

    When the kubelet finishes initialization the node is ready for use. +You can connect to the node and run journalctl -fu kubelet to check the process.

    +
    +
    +
    oc get node
    +NAME                                            STATUS   ROLES           AGE     VERSION
    +openshift-master-0.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-1.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-master-2.openshift.example.com        Ready    master          30h     v1.16.2
    +openshift-worker-0.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-1.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +openshift-worker-2.openshift.example.com        Ready    worker          3m27s   v1.16.2
    +
    +
    +
  20. +
+
+
+
+
+
+
+
+

6. Appendix

+
+
+

In this section of the document, extra information is provided that is outside of the regular workflow.

+
+
+

6.1. Troubleshooting

+
+

Troubleshooting the installation is out of scope of the Deployment Guide. For more details on troubleshooting deployment, refer to our Troubleshooting guide.

+
+
+
+

6.2. Creating DNS Records

+
+

Two options are documented for configuring DNS records:

+
+ +
+

6.2.1. Configuring Bind (Option 1)

+
+

Use Option 1 if access to the appropriate DNS server for the baremetal network is accessible or a request +to your network admin to create the DNS records is an option. +If this is not an option, skip this section and go to section Create DNS records using dnsmasq (Option 2).

+
+
+

Create a subzone with the name of the cluster that is going to be used on your domain. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Login to the DNS server using ssh.

    +
  2. +
  3. +

    Suspend updates to all dynamic zones: rndc freeze.

    +
  4. +
  5. +

    Edit /var/named/dynamic/example.com.

    +
    +
    +
    $ORIGIN openshift.example.com.
    +$TTL 300        ; 5 minutes
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +api                     A       <api-ip>
    +ns1                     A       <dns-vip-ip>
    +$ORIGIN apps.openshift.example.com.
    +*                       A       <wildcard-ingress-lb-ip>
    +$ORIGIN openshift.example.com.
    +provisioner             A       <NIC2-ip-of-provision>
    +openshift-master-0      A       <NIC2-ip-of-openshift-master-0>
    +openshift-master-1      A       <NIC2-ip-of-openshift-master-1>
    +openshift-master-2      A       <NIC2-ip-of-openshift-master-2>
    +openshift-worker-0      A       <NIC2-ip-of-openshift-worker-0>
    +openshift-worker-1      A       <NIC2-ip-of-openshift-worker-1>
    +
    +
    +
  6. +
  7. +

    Increase the serial value by 1.

    +
  8. +
  9. +

    Edit /var/named/dynamic/1.0.10.in-addr.arpa.

    +
    +
    +
    $ORIGIN 1.0.10.in-addr.arpa.
    +$TTL 300
    +@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
    +       2001062501  ; serial
    +       21600       ; refresh after 6 hours
    +       3600        ; retry after 1 hour
    +       604800      ; expire after 1 week
    +       86400 )     ; minimum TTL of 1 day
    +;
    +126 IN      PTR      provisioner.openshift.example.com.
    +127	IN        	PTR    	openshift-master-0.openshift.example.com.
    +128	IN        	PTR    	openshift-master-1.openshift.example.com.
    +129	IN 	        PTR   	openshift-master-2.openshift.example.com.
    +130	IN 	        PTR   	openshift-worker-0.openshift.example.com.
    +131	IN        	PTR    	openshift-worker-1.openshift.example.com.
    +132 IN      PTR     api.openshift.example.com.
    +133 IN      PTR     ns1.openshift.example.com.
    +
    +
    +
    + + + + + +
    + + +
    +

    In this example, the IP addresses 10.0.1.126-133 are pointed to the corresponding fully qualified domain name.

    +
    +
    +
    +
    + + + + + +
    + + +
    +

    The filename 1.0.10.in-addr.arpa is the reverse of the public CIDR example 10.0.1.0/24.

    +
    +
    +
    +
  10. +
  11. +

    Increase the serial value by 1.

    +
  12. +
  13. +

    Enable updates to all dynamic zones and reload them: rndc thaw.

    +
  14. +
+
+
+
+

6.2.2. Configuring dnsmasq (Option 2)

+
+

To create DNS records, open the /etc/hosts file and add the NIC2 (baremetal net) IP followed by the hostname. +In our example, the domain used is example.com and the cluster name used is openshift. +Make sure to change these according to your environment specifics.

+
+
+
Procedure
+
    +
  1. +

    Edit /etc/hosts and add the NIC2 (baremetal net) IP followed by the hostname.

    +
    +
    +
    cat /etc/hosts
    +127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    +::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    +<NIC2-IP> provisioner.openshift.example.com provisioner
    +<NIC2-IP> openshift-master-0.openshift.example.com openshift-master-0
    +<NIC2-IP> openshift-master-1.openshift.example.com openshift-master-1
    +<NIC2-IP> openshift-master-2.openshift.example.com openshift-master-2
    +<NIC2-IP> openshift-worker-0.openshift.example.com openshift-worker-0
    +<NIC2-IP> openshift-worker-1.openshift.example.com openshift-worker-1
    +<API-IP>  api.openshift.example.com api
    +<DNS-VIP-IP> ns1.openshift.example.com ns1
    +
    +
    +
  2. +
  3. +

    Open the appropriate firewalld DNS service and reload the rules.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dns --permanent
    +firewall-cmd --reload
    +
    +
    +
  4. +
+
+
+
+
+

6.3. Creating DHCP reservations

+
+

Two options are documented for configuring DHCP:

+
+ +
+

6.3.1. Configuring dhcpd (Option 1)

+
+

Use Option 1 if access to the appropriate DHCP server for the baremetal network is accessible or a request +to your network admin to create the DHCP reservations is an option. +If this is not an option, skip this section and go to section Create DHCP records using dnsmasq (Option 2).

+
+
+
    +
  1. +

    Login to the DHCP server using ssh.

    +
  2. +
  3. +

    Edit /etc/dhcp/dhcpd.hosts.

    +
    +
    +
    host provisioner {
    +     option host-name "provisioner";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-master-0 {
    +     option host-name "openshift-master-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-1 {
    +     option host-name "openshift-master-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +host openshift-master-2 {
    +     option host-name "openshift-master-2";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-0 {
    +     option host-name "openshift-worker-0";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +host openshift-worker-1 {
    +     option host-name "openshift-worker-1";
    +     hardware ethernet <mac-address-of-NIC2>;
    +     option domain-search "openshift.example.com";
    +     fixed-address <ip-address-of-NIC2>;
    +  }
    +
    +
    +
  4. +
  5. +

    Restart the dhcpd service.

    +
    +
    +
    systemctl restart dhcpd
    +
    +
    +
  6. +
+
+
+
+

6.3.2. Configuring dnsmasq (Option 2)

+
+

Set up dnsmasq on a server that can access the baremetal network.

+
+
+
Procedure
+
    +
  1. +

    Install dnsmasq.

    +
    +
    +
    dnf install -y dnsmasq
    +
    +
    +
  2. +
  3. +

    Change to the /etc/dnsmasq.d directory.

    +
    +
    +
    cd /etc/dnsmasq.d
    +
    +
    +
  4. +
  5. +

    Create a file that reflects your OpenShift cluster appended by .dns.

    +
    +
    +
    touch <filename>.dns
    +
    +
    +
  6. +
  7. +

    Open the appropriate firewalld DHCP service.

    +
    +
    +
    systemctl restart firewalld
    +firewall-cmd --add-service=dhcp --permanent
    +firewall-cmd --reload
    +
    +
    +
  8. +
  9. +

    Define DNS configuration file

    +
    IPv4
    +
    +

    Here is an example of the .dns file for IPv4.

    +
    +
    +
    +
    domain-needed
    +bind-dynamic
    +bogus-priv
    +domain=openshift.example.com
    +dhcp-range=<baremetal-net-starting-ip,baremetal-net-ending-ip>
    +#dhcp-range=10.0.1.4,10.0.14
    +dhcp-option=3,<baremetal-net-gateway-ip>
    +#dhcp-option=3,10.0.1.254
    +resolv-file=/etc/resolv.conf.upstream
    +interface=<nic-with-access-to-baremetal-net>
    +#interface=em2
    +server=<ip-of-existing-server-on-baremetal-net>
    +
    +
    +#Wildcard for apps -- make changes to cluster-name (openshift) and domain (example.com)
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +
    +#Static IPs for Masters
    +dhcp-host=<NIC2-mac-address>,provisioner.openshift.example.com,<ip-of-provisioner>
    +dhcp-host=<NIC2-mac-address>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<NIC2-mac-address>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<NIC2-mac-address>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-0.openshift.example.com,<ip-of-openshift-worker-0>
    +dhcp-host=<NIC2-mac-address>,openshift-worker-1.openshift.example.com,<ip-of-openshift-worker-1>
    +
    +
    +
    IPv6
    +
    +

    Here is an example of the .dns file for IPv6.

    +
    +
    +
    +
    strict-order
    +bind-dynamic
    +bogus-priv
    +dhcp-authoritative
    +dhcp-range=baremetal,<baremetal-IPv6-dhcp-range-start>,<baremetal-IPv6-dhcp-range-end>,<range-prefix>
    +dhcp-option=baremetal,option6:dns-server,[<IPv6-DNS-Server>]
    +
    +resolv-file=/etc/resolv.conf.upstream
    +except-interface=lo
    +dhcp-lease-max=81
    +log-dhcp
    +
    +domain=openshift.example.com,<baremetal-IPv6-cidr>,local
    +
    +# static host-records
    +address=/.apps.openshift.example.com/<wildcard-ingress-lb-ip>
    +host-record=api.openshift.example.com,<api-ip>
    +host-record=ns1.openshift.example.com,<dns-ip>
    +host-record=openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +host-record=openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +host-record=openshift-master-2.openshift.example.com,<ip-of-openshift-master-1>
    +# Registry
    +host-record=registry.openshift.example.com,<ip-of-registry-server>
    +
    +#Static IPs for Masters
    +dhcp-host=<baremetal-nic-duid>,openshift-master-0.openshift.example.com,<ip-of-openshift-master-0>
    +dhcp-host=<baremetal-nic-duid>,openshift-master-1.openshift.example.com,<ip-of-openshift-master-1>
    +dhcp-host=<baremetal-nic-duid>,openshift-master-2.openshift.example.com,<ip-of-openshift-master-2>
    +
    +
    +
  10. +
  11. +

    Create the resolv.conf.upstream file to provide DNS fowarding to an existing DNS server for resolution +to the outside world.

    +
    +
    +
    search <domain.com>
    +nameserver <ip-of-my-existing-dns-nameserver>
    +
    +
    +
  12. +
  13. +

    Restart the dnsmasq service.

    +
    +
    +
    systemctl restart dnsmasq
    +
    +
    +
  14. +
  15. +

    Verify the dnsmasq service is running.

    +
    +
    +
    systemctl status dnsmasq
    +
    +
    +
  16. +
+
+
+
+
+
+
+
+
+
+1. Stateless Address AutoConfiguration +
+
+ + + \ No newline at end of file diff --git a/latest/Deployment.pdf b/latest/Deployment.pdf new file mode 100644 index 0000000000..49f091beb6 Binary files /dev/null and b/latest/Deployment.pdf differ diff --git a/latest/Troubleshooting.html b/latest/Troubleshooting.html new file mode 100644 index 0000000000..b7fdca8630 --- /dev/null +++ b/latest/Troubleshooting.html @@ -0,0 +1,2020 @@ + + + + + + + + + + +Troubleshooting Guide for IPI Installation + + + + + + + + + + + + + + + + +
+
+
+ +
+ + + + + +
+ + +
Draft documentation
+
+

This document is considered a DRAFT:

+
+
+
    +
  1. +

    It might not be complete

    +
  2. +
  3. +

    It might be not accurate

    +
  4. +
  5. +

    It might break your environment

    +
  6. +
+
+
+
+
+ + + + + +
+ + +
+

Download the PDF version of this document or visit https://openshift-kni.github.io/baremetal-deploy/

+
+
+
+
+

While attempting to deploy Installer Provisioned Infrastructure (IPI) of OpenShift on Bare Metal (BM), you may run into a situation where you need to troubleshoot your environment. This document provides troubleshooting guidance and tips in solving common issues that may arise.

+
+
+
+
+

1. Troubleshooting the installer workflow

+
+
+

Prior to troubleshooting the installation environment, it is critical to understand the overall flow of the IPI installation on bare metal. The diagrams below provide a troubleshooting flow with a step-by-step breakdown for the environment.

+
+
+

Flow-Diagram-1

+
+
+

Workflow 1 of 4 illustrates a troubleshooting workflow when the install-config.yaml file has errors or the Red Hat Enterprise Linux CoreOS (RHCOS) images are inaccessible. Troubleshooting suggestions can be found at

+
+ +
+

Flow-Diagram-2

+
+
+

Workflow 2 of 4 illustrates a troubleshooting workflow for bootstrap VM issues, bootstrap VMs that cannot boot up the cluster nodes, and inspecting logs.

+
+
+

Flow-Diagram-3

+
+
+

Workflow 3 of 4 illustrates a troubleshooting workflow for cluster nodes that will not PXE boot.

+
+
+

Flow-Diagram-4

+
+
+

Workflow 4 of 4 illustrates a troubleshooting workflow from + a non-accessible API to a validated installation.

+
+
+
+
+

2. Troubleshooting install-config.yaml

+
+
+

The install-config.yaml configuration file represents all of the nodes that are part of the OpenShift Container Platform cluster. The file contains the necessary options consisting of but not limited to apiVersion, baseDomain, imageContentSources (OpenShift 4.13 and below) or imageDigestSources (OpenShirt 4.14 and above), and virtual IP addresses. If errors occur early in the deployment of the OpenShift Container Platform cluster, the errors are likely in the install-config.yaml configuration file.

+
+
+
Procedure
+
    +
  1. +

    Use the guidelines in YAML-tips.

    +
  2. +
  3. +

    Verify the YAML syntax is correct using syntax-check.

    +
  4. +
  5. +

    Verify the Red Hat Enterprise Linux CoreOS (RHCOS) QEMU images are properly defined and accessible via the URL provided in the install-config.yaml. For example:

    +
    +
    +
    $ curl -s -o /dev/null -I -w "%{http_code}\n" http://webserver.example.com:8080/rhcos-44.81.202004250133-0-qemu.x86_64.qcow2.gz?sha256=7d884b46ee54fe87bbc3893bf2aa99af3b2d31f2e19ab5529c60636fbd0f1ce7
    +
    +
    +
    +

    If the output is 200, there is a valid response from the webserver storing the bootstrap VM image.

    +
    +
  6. +
+
+
+
+
+

3. Bootstrap VM issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    $ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
    + + + + + +
    + + +
    +

    The name of the bootstrap VM is always the cluster name followed by a random set of characters and ending in the word "bootstrap."

    +
    +
    +
    +
    +

    If the bootstrap VM is not running after 10-15 minutes, troubleshoot why it is not running. Possible issues include:

    +
    +
  2. +
  3. +

    Verify libvirtd is running on the system:

    +
    +
    +
    $ systemctl status libvirtd
    +
    +
    +
    +
    +
    ● libvirtd.service - Virtualization daemon
    +   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
    +   Active: active (running) since Tue 2020-03-03 21:21:07 UTC; 3 weeks 5 days ago
    +     Docs: man:libvirtd(8)
    +           https://libvirt.org
    + Main PID: 9850 (libvirtd)
    +    Tasks: 20 (limit: 32768)
    +   Memory: 74.8M
    +   CGroup: /system.slice/libvirtd.service
    +           ├─ 9850 /usr/sbin/libvirtd
    +
    +
    +
    +

    If the bootstrap VM is operational, log into it.

    +
    +
  4. +
  5. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    $ sudo virsh console example.com
    +
    +
    +
    +
    +
    Connected to domain example.com
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
    + + + + + +
    + + +
    +

    When deploying a OpenShift Container Platform cluster without the provisioning network, you must use a public IP address and not a private IP address like 172.22.0.2.

    +
    +
    +
    +
  6. +
  7. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, you can use the IPv6 IP address provided by ens3 or the IPv4 IP provided by ens4.

    +
    +
    +
    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  8. +
+
+
+

If you are not successful logging in to the bootstrap VM, you have likely encountered one of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the 172.22.0.0/24 network. Verify network connectivity on the provisioner host specifically around the provisioning network bridge. This will not be the issue if you are not using the provisioning network.

    +
  • +
  • +

    You cannot reach the bootstrap VM via the public network. When attempting +to SSH via baremetal network, verify connectivity on the +provisioner host specifically around the baremetal network bridge.

    +
  • +
  • +

    You encountered Permission denied (publickey,password,keyboard-interactive). When +attempting to access the bootstrap VM, a Permission denied error +might occur. Verify that the SSH key for the user attempting to log +into the VM is set within the install-config.yaml file.

    +
  • +
+
+
+

3.1. Bootstrap VM cannot boot up the cluster nodes

+
+

During the deployment, it is possible for the bootstrap VM to fail to boot the cluster nodes, which prevents the VM from provisioning the nodes with the RHCOS image. This scenario can arise due to:

+
+
+
    +
  • +

    A problem with the install-config.yaml file.

    +
  • +
  • +

    Issues with out-of-band network access via the baremetal network.

    +
  • +
+
+
+

To verify the issue, there are three containers related to ironic:

+
+
+
    +
  • +

    ironic-api

    +
  • +
  • +

    ironic-conductor

    +
  • +
  • +

    ironic-inspector

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    To check the container logs, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs -f <container-name>
    +
    +
    +
    +

    Replace <container-name> with one of ironic-api, ironic-conductor, or ironic-inspector. If you encounter an issue where the control plane nodes are not booting up via PXE, check the ironic-conductor pod. The ironic-conductor pod contains the most detail about the attempt to boot the cluster nodes, because it attempts to log in to the node over IPMI.

    +
    +
  4. +
+
+
+
Potential reason
+

The cluster nodes might be in the ON state when deployment started.

+
+
+
Solution
+

Power off the OpenShift Container Platform cluster nodes before you begin the +installation over IPMI:

+
+
+
+
$ ipmitool -I lanplus -U root -P <password> -H <out-of-band-ip> power off
+
+
+
+
+

3.2. Inspecting logs

+
+

When experiencing issues downloading or accessing the RHCOS images, first verify that the URL is correct in the install-config.yaml configuration file.

+
+
+
Example of internal webserver hosting RHCOS images
+
+
bootstrapOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-qemu.x86_64.qcow2.gz?sha256=9d999f55ff1d44f7ed7c106508e5deecd04dc3c06095d34d36bf1cd127837e0c
+clusterOSImage: http://<ip:port>/rhcos-43.81.202001142154.0-openstack.x86_64.qcow2.gz?sha256=a1bda656fa0892f7b936fdc6b6a6086bddaed5dafacedcd7a1e811abb78fe3b0
+
+
+
+

The ipa-downloader and coreos-downloader containers download resources from a webserver or the external quay.io registry, whichever the install-config.yaml configuration file specifies. Verify the following two containers are up and running and inspect their logs as needed:

+
+
+
    +
  • +

    ipa-downloader

    +
  • +
  • +

    coreos-downloader

    +
  • +
+
+
+
Procedure
+
    +
  1. +

    Log in to the bootstrap VM:

    +
    +
    +
    $ ssh core@172.22.0.2
    +
    +
    +
  2. +
  3. +

    Check the status of the ipa-downloader and coreos-downloader containers within the bootstrap VM:

    +
    +
    +
    [core@localhost ~]$ podman logs -f ipa-downloader
    +
    +
    +
    +
    +
    [core@localhost ~]$ podman logs -f coreos-downloader
    +
    +
    +
    +

    If the bootstrap VM cannot access the URL to the images, use the curl command to verify that the VM can access the images.

    +
    +
  4. +
  5. +

    To inspect the bootkube logs that indicate if all the containers launched during the deployment phase, execute the following:

    +
    +
    +
    [core@localhost ~]$ journalctl -xe
    +
    +
    +
    +
    +
    [core@localhost ~]$ journalctl -b -f -u bootkube.service
    +
    +
    +
  6. +
  7. +

    Verify all the pods, including dnsmasq, mariadb, httpd, and ironic, are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps
    +
    +
    +
  8. +
  9. +

    If there are issues with the pods, check the logs of the containers with issues. To check the log of the ironic-api, execute the following:

    +
    +
    +
    [core@localhost ~]$ sudo podman logs <ironic-api>
    +
    +
    +
  10. +
+
+
+
+
+
+

4. Ironic Bootstrap issues

+
+
+

The OpenShift Container Platform installer spawns a bootstrap node virtual machine, which handles provisioning the OpenShift Container Platform cluster nodes. The cluster nodes are powered on, introspected and finally provisioned using Ironic.

+
+
+

Sometimes you might need to connect to the Ironic service running on the bootstrap node virtual machine to troubleshoot issues related to Ironic.

+
+
+
Procedure
+
    +
  1. +

    About 10 to 15 minutes after triggering the installer, check to ensure the bootstrap VM is operational using the virsh command:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh list
    +
    +
    +
    +
    +
     Id    Name                           State
    + --------------------------------------------
    + 12    openshift-xf6fq-bootstrap      running
    +
    +
    +
  2. +
  3. +

    Use the virsh console command to find the IP address of the bootstrap VM:

    +
    +
    +
    [kni@provisioner ~]$ sudo virsh console openshift-xf6fq-bootstrap
    +
    +
    +
    +
    +
    Connected to domain openshift-xf6fq-bootstrap
    +Escape character is ^]
    +
    +Red Hat Enterprise Linux CoreOS 43.81.202001142154.0 (Ootpa) 4.3
    +SSH host key: SHA256:BRWJktXZgQQRY5zjuAV0IKZ4WM7i4TiUyMVanqu9Pqg (ED25519)
    +SSH host key: SHA256:7+iKGA7VtG5szmk2jB5gl/5EZ+SNcJ3a2g23o0lnIio (ECDSA)
    +SSH host key: SHA256:DH5VWhvhvagOTaLsYiVNse9ca+ZSW/30OOMed8rIGOc (RSA)
    +ens3:  fd35:919d:4042:2:c7ed:9a9f:a9ec:7
    +ens4: 172.22.0.2 fe80::1d05:e52e:be5d:263f
    +localhost login:
    +
    +
    +
  4. +
  5. +

    Once you obtain the IP address, log in to the bootstrap VM using the ssh command:

    +
    + + + + + +
    + + +
    +

    In the console output of the previous step, the IPv6 IP provided by ens3 or the IPv4 IP provided by ens4 can be used.

    +
    +
    +
    +
    +
    +
    [kni@provisioner ~]$ ssh core@172.22.0.2
    +
    +
    +
  6. +
  7. +

    Make sure Ironic containers are running:

    +
    +
    +
    [core@localhost ~]$ sudo podman ps | grep ironic
    +90251a35d1e2  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-api
    +168e712c9996  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c6af62509b3d66effe8e16c81e42e75e124ccb5770f82efb010ecc3ebadc48b8                        2 minutes ago  Up 2 minutes ago         ironic-inspector
    +025f8247bfb0  quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:a5603d959546a8293deaee66332da4fa3cb96bcd04c26967070c247085ca7203                        2 minutes ago  Up 2 minutes ago         ironic-conductor
    +
    +
    +
  8. +
  9. +

    Get the value for the bootstrapProvisioningIp property from your install-config.yaml.

    +
  10. +
  11. +

    Create a clouds.yaml file:

    +
    +
    +
    clouds:
    +  metal3-bootstrap:
    +    auth_type: none
    +    baremetal_endpoint_override: http://<bootstrapProvisioningIp>:6385
    +    baremetal_introspection_endpoint_override: http://<bootstrapProvisioningIp>:5050
    +
    +
    +
    + + + + + +
    + + +
    +

    Make sure in the file above you change <bootstrapProvisioningIp> with the value from your install-config.yaml file.

    +
    +
    +
    +
  12. +
  13. +

    Run the ironic-client on the bootstrap VM using podman:

    +
    +
    +
    [core@localhost ~]$ podman run -ti --rm --entrypoint /bin/bash -v /path/to/clouds.yaml:/clouds.yaml -e OS_CLOUD=metal3-bootstrap quay.io/metal3-io/ironic-client
    +
    +
    +
  14. +
  15. +

    Once you’re in the container, run the following command to see the status of the nodes on Ironic:

    +
    +
    +
    [root@1facad6bccff /]# baremetal node list
    +
    +
    +
    +

    The expected states for the nodes are clean-waitavailabledeployingwait call-backactive.

    +
    +
    +
      +
    • +

      clean-wait: The IPA (Ironic Python Agent) will clean the node main disk and write RHCOS to it. After that will report the node status back to Ironic.

      +
    • +
    • +

      available: The node has been introspected and it’s ready to be provisioned.

      +
    • +
    • +

      deploying: The node is being provisioned with RHCOS + the required Ignition configs.

      +
    • +
    • +

      wait call-back: The node is deployed and Ironic is waiting for the node to finish everything before marking the node as active.

      +
    • +
    • +

      active: The node is fully provisioned from an Ironic perspective.

      +
    • +
    +
    +
  16. +
+
+
+

If you are not getting any output, you have likely encountered of the following scenarios:

+
+
+
    +
  • +

    You cannot reach the bootstrapProvisioningIp from the bootstrap VM.

    +
  • +
  • +

    The Ironic conductor was not able to power on and configure the nodes to boot with the IPA image.

    +
  • +
  • +

    The machine running the openshift-install binary cannot access the bootstrapProvisioningIp on port 6385.

    +
  • +
+
+
+
+
+

5. Cluster nodes will not PXE boot

+
+
+

When OpenShift Container Platform cluster nodes will not PXE boot, execute the following checks on the cluster nodes that will not PXE boot. This procedure does not apply when installing a OpenShift Container Platform cluster without the provisioning network.

+
+
+
Procedure
+
    +
  1. +

    Check the network connectivity to the provisioning network.

    +
  2. +
  3. +

    Ensure PXE is enabled on the NIC for the provisioning network and PXE is disabled for all other NICs.

    +
  4. +
  5. +

    Verify that the install-config.yaml configuration file has the proper hardware profile and boot MAC address for the NIC connected to the provisioning network. For example:

    +
    +
    Master node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: default          #master node settings
    +
    +
    +
    +
    Worker node settings
    +
    +
    bootMACAddress: 24:6E:96:1B:96:90 # MAC of bootable provisioning NIC
    +hardwareProfile: unknown          #worker node settings
    +
    +
    +
  6. +
+
+
+
+
+

6. The API is not accessible

+
+
+

When the cluster is running and clients cannot access the API, domain name resolution issues might impede access to the API.

+
+
+
Procedure
+
    +
  1. +

    Hostname Resolution: Check the cluster nodes to ensure they have a fully qualified domain name, and not just localhost.localdomain. For example:

    +
    +
    +
    $ hostname
    +
    +
    +
    +

    If a hostname is not set, set the correct hostname. For example:

    +
    +
    +
    +
    $ hostnamectl set-hostname <hostname>
    +
    +
    +
  2. +
  3. +

    Incorrect Name Resolution: Ensure that each node has the correct name resolution in the DNS server using dig and nslookup. For example:

    +
    +
    +
    $ dig api.<cluster-name>.example.com
    +
    +
    +
    +
    +
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> api.<cluster-name>.example.com
    +;; global options: +cmd
    +;; Got answer:
    +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37551
    +;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    +
    +;; OPT PSEUDOSECTION:
    +; EDNS: version: 0, flags:; udp: 4096
    +; COOKIE: 866929d2f8e8563582af23f05ec44203d313e50948d43f60 (good)
    +;; QUESTION SECTION:
    +;api.<cluster-name>.example.com. IN A
    +
    +;; ANSWER SECTION:
    +api.<cluster-name>.example.com. 10800 IN	A 10.19.13.86
    +
    +;; AUTHORITY SECTION:
    +<cluster-name>.example.com. 10800 IN NS	<cluster-name>.example.com.
    +
    +;; ADDITIONAL SECTION:
    +<cluster-name>.example.com. 10800 IN A	10.19.14.247
    +
    +;; Query time: 0 msec
    +;; SERVER: 10.19.14.247#53(10.19.14.247)
    +;; WHEN: Tue May 19 20:30:59 UTC 2020
    +;; MSG SIZE  rcvd: 140
    +
    +
    +
    +

    The output in the foregoing example indicates that the appropriate IP address for the api.<cluster-name>.example.com VIP is 10.19.13.86. This IP address should reside on the baremetal network.

    +
    +
  4. +
+
+
+
+
+

7. Cleaning up previous installations

+
+
+

In the event of a previous failed deployment, remove the artifacts from the failed attempt before attempting to deploy OpenShift Container Platform again.

+
+
+
Procedure
+
    +
  1. +

    Power off all bare metal nodes prior to installing the OpenShift Container Platform cluster:

    +
    +
    +
    $ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power off
    +
    +
    +
  2. +
  3. +

    Remove all old bootstrap resources if any are left over from a previous deployment attempt:

    +
    +
    +
    for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
    +do
    +  sudo virsh destroy $i;
    +  sudo virsh undefine $i;
    +  sudo virsh vol-delete $i --pool $i;
    +  sudo virsh vol-delete $i.ign --pool $i;
    +  sudo virsh pool-destroy $i;
    +  sudo virsh pool-undefine $i;
    +done
    +
    +
    +
  4. +
  5. +

    Remove the following from the clusterconfigs directory to prevent Terraform from failing:

    +
    +
    +
    $ rm -rf ~/clusterconfigs/auth ~/clusterconfigs/terraform* ~/clusterconfigs/tls ~/clusterconfigs/metadata.json
    +
    +
    +
  6. +
+
+
+
+
+

8. Issues with creating the registry

+
+
+

When creating a disconnected registry, you might encounter a "User Not Authorized" error when attempting to mirror the registry. This error might occur if you fail to append the new authentication to the existing pull-secret.txt file.

+
+
+
Procedure
+
    +
  1. +

    Check to ensure authentication is successful:

    +
    +
    +
    [user@registry ~]$ /usr/local/bin/oc adm release mirror \
    +  -a pull-secret-update.json
    +  --from=$UPSTREAM_REPO \
    +  --to-release-image=$LOCAL_REG/$LOCAL_REPO:${VERSION} \
    +  --to=$LOCAL_REG/$LOCAL_REPO
    +
    +
    +
    + + + + + +
    + + +
    +

    Example output of the variables used to mirror the install images:

    +
    +
    +
    +
    UPSTREAM_REPO=${RELEASE_IMAGE}
    +LOCAL_REG=<registry_FQDN>:<registry_port>
    +LOCAL_REPO='ocp4/openshift4'
    +
    +
    +
    +

    The values of RELEASE_IMAGE and VERSION were set during the Retrieving OpenShift Installer step of the Setting up the environment for an OpenShift installation section.

    +
    +
    +
    +
  2. +
  3. +

    After mirroring the registry, confirm that you can access it in your +disconnected environment:

    +
    +
    +
    $ curl -k -u <user>:<password> https://registry.example.com:<registry-port>/v2/_catalog
    +{"repositories":["<Repo-Name>"]}
    +
    +
    +
  4. +
+
+
+
+
+

9. Miscellaneous issues

+
+
+

9.1. Addressing the runtime network not ready error

+
+

After the deployment of a cluster you might receive the following error:

+
+
+
+
`runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:Network plugin returns error: Missing CNI default network`
+
+
+
+

The Cluster Network Operator is responsible for deploying the networking components in response to a special object created by the installer. It runs very early in the installation process, after the control plane (master) nodes have come up, but before the bootstrap control plane has been torn down. It can be indicative of more subtle installer issues, such as long delays in bringing up control plane (master) nodes or issues with apiserver communication.

+
+
+
Procedure
+
    +
  1. +

    Inspect the pods in the openshift-network-operator namespace:

    +
    +
    +
    $ oc get all -n openshift-network-operator
    +
    +
    +
    +
    +
    NAME                                    READY STATUS            RESTARTS   AGE
    +pod/network-operator-69dfd7b577-bg89v   0/1   ContainerCreating 0          149m
    +
    +
    +
  2. +
  3. +

    On the provisioner node, determine that the network configuration exists:

    +
    +
    +
    $ kubectl get network.config.openshift.io cluster -oyaml
    +
    +
    +
    +
    +
    apiVersion: config.openshift.io/v1
    +kind: Network
    +metadata:
    +  name: cluster
    +spec:
    +  serviceNetwork:
    +  - 172.30.0.0/16
    +  clusterNetwork:
    +  - cidr: 10.128.0.0/14
    +    hostPrefix: 23
    +  networkType: OpenShiftSDN
    +
    +
    +
    +

    If it does not exist, the installer did not create it. To determine why the installer did not create it, execute the following:

    +
    +
    +
    +
    $ openshift-install create manifests
    +
    +
    +
  4. +
  5. +

    Check that the network-operator is running:

    +
    +
    +
    $ kubectl -n openshift-network-operator get pods
    +
    +
    +
  6. +
  7. +

    Retrieve the logs:

    +
    +
    +
    $ kubectl -n openshift-network-operator logs -l "name=network-operator"
    +
    +
    +
    +

    On high availability clusters with three or more control plane (master) nodes, the Operator will perform leader election and all other Operators will sleep. For additional details, see Troubleshooting.

    +
    +
  8. +
+
+
+
+

9.2. Cluster nodes not getting the correct IPv6 address over DHCP

+
+

If the cluster nodes are not getting the correct IPv6 address over DHCP, check the following:

+
+
+
    +
  1. +

    Ensure the reserved IPv6 addresses reside outside the DHCP range.

    +
  2. +
  3. +

    In the IP address reservation on the DHCP server, ensure the reservation specifies the correct DHCP Unique Identifier (DUID). For example:

    +
    +
    +
    # This is a dnsmasq dhcp reservation, 'id:00:03:00:01' is the client id and '18:db:f2:8c:d5:9f' is the MAC Address for the NIC
    +id:00:03:00:01:18:db:f2:8c:d5:9f,openshift-master-1,[2620:52:0:1302::6]
    +
    +
    +
  4. +
  5. +

    Ensure that route announcements are working.

    +
  6. +
  7. +

    Ensure that the DHCP server is listening on the required interfaces serving the IP address ranges.

    +
  8. +
+
+
+
+

9.3. Cluster nodes not getting the correct hostname over DHCP

+
+

During IPv6 deployment, cluster nodes must get their hostname over DHCP. Sometimes the NetworkManager does not assign the hostname immediately. A control plane (master) node might report an error such as:

+
+
+
+
Failed Units: 2
+  NetworkManager-wait-online.service
+  nodeip-configuration.service
+
+
+
+

This error indicates that the cluster node likely booted without first receiving a hostname from the DHCP server, which causes kubelet to boot +with a localhost.localdomain hostname. To address the error, force the node to renew the hostname.

+
+
+
Procedure
+
    +
  1. +

    Retrieve the hostname:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
    +

    If the hostname is localhost, proceed with the following steps.

    +
    +
    + + + + + +
    + + +
    +

    Where X is the master node number.

    +
    +
    +
    +
  2. +
  3. +

    Force the cluster node to renew the DHCP lease:

    +
    +
    +
    [core@master-X ~]$ sudo nmcli con up "<bare-metal-nic>"
    +
    +
    +
    +

    Replace <bare-metal-nic> with the wired connection corresponding to the baremetal network.

    +
    +
  4. +
  5. +

    Check hostname again:

    +
    +
    +
    [core@master-X ~]$ hostname
    +
    +
    +
  6. +
  7. +

    If the hostname is still localhost.localdomain, restart NetworkManager:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart NetworkManager
    +
    +
    +
  8. +
  9. +

    If the hostname is still localhost.localdomain, wait a few minutes and check again. If the hostname remains localhost.localdomain, repeat the previous steps.

    +
  10. +
  11. +

    Restart the nodeip-configuration service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart nodeip-configuration.service
    +
    +
    +
    +

    This service will reconfigure the kubelet service with the correct hostname references.

    +
    +
  12. +
  13. +

    Reload the unit files definition since the kubelet changed in the previous step:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl daemon-reload
    +
    +
    +
  14. +
  15. +

    Restart the kubelet service:

    +
    +
    +
    [core@master-X ~]$ sudo systemctl restart kubelet.service
    +
    +
    +
  16. +
  17. +

    Ensure kubelet booted with the correct hostname:

    +
    +
    +
    [core@master-X ~]$ sudo journalctl -fu kubelet.service
    +
    +
    +
  18. +
+
+
+

If the cluster node is not getting the correct hostname over DHCP after the cluster is up and running, such as during a reboot, the cluster will have a pending csr. Do not approve a csr, or other issues might arise.

+
+
+
Addressing a csr
+
    +
  1. +

    Get CSRs on the cluster:

    +
    +
    +
    $ oc get csr
    +
    +
    +
  2. +
  3. +

    Verify if a pending csr contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc get csr <pending_csr> -o jsonpath='{.spec.request}' | base64 -d | openssl req -noout -text
    +
    +
    +
  4. +
  5. +

    Remove any csr that contains Subject Name: localhost.localdomain:

    +
    +
    +
    $ oc delete csr <wrong_csr>
    +
    +
    +
  6. +
+
+
+
+

9.4. Routes do not reach endpoints

+
+

During the installation process, it is possible to encounter a Virtual Router Redundancy Protocol (VRRP) conflict. This conflict might occur if a previously used OpenShift Container Platform node that was once part of a cluster deployment using a specific cluster name is still running but not part of the current OpenShift Container Platform cluster deployment using that same cluster name. For example, a cluster was deployed using the cluster name openshift, deploying three control plane (master) nodes and three worker nodes. Later, a separate install uses the same cluster name openshift, but this redeployment only installed three control plane (master) nodes, leaving the three worker nodes from a previous deployment in an ON state. This might cause a Virtual Router Identifier (VRID) conflict and a VRRP conflict.

+
+
+
    +
  1. +

    Get the route:

    +
    +
    +
    $ oc get route oauth-openshift
    +
    +
    +
  2. +
  3. +

    Check the service endpoint:

    +
    +
    +
    $ oc get svc oauth-openshift
    +
    +
    +
    +
    +
    NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)   AGE
    +oauth-openshift   ClusterIP   172.30.19.162   <none>        443/TCP   59m
    +
    +
    +
  4. +
  5. +

    Attempt to reach the service from a control plane (master) node:

    +
    +
    +
    [core@master0 ~]$ curl -k https://172.30.19.162
    +
    +
    +
    +
    +
    {
    +  "kind": "Status",
    +  "apiVersion": "v1",
    +  "metadata": {
    +  },
    +  "status": "Failure",
    +  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
    +  "reason": "Forbidden",
    +  "details": {
    +  },
    +  "code": 403
    +
    +
    +
  6. +
  7. +

    Identify the authentication-operator errors from the provisioner node:

    +
    +
    +
    $ oc logs deployment/authentication-operator -n openshift-authentication-operator
    +
    +
    +
    +
    +
    Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-authentication-operator", Name:"authentication-operator", UID:"225c5bd5-b368-439b-9155-5fd3c0459d98", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'OperatorStatusChanged' Status for clusteroperator/authentication changed: Degraded message changed from "IngressStateEndpointsDegraded: All 2 endpoints for oauth-server are reporting"
    +
    +
    +
  8. +
+
+
+
Solution
+
    +
  1. +

    Ensure that the cluster name for every deployment is unique, ensuring no conflict.

    +
  2. +
  3. +

    Turn off all the rogue nodes which are not part of the cluster deployment that are using the same cluster name. Otherwise, the authentication pod of the OpenShift Container Platform cluster might never start successfully.

    +
  4. +
+
+
+
+

9.5. Failed Ignition during Firstboot

+
+

During the Firstboot, the Ignition configuration may fail.

+
+
+
Procedure
+
    +
  1. +

    Connect to the node where the Ignition configuration failed:

    +
    +
    +
    Failed Units: 1
    +  machine-config-daemon-firstboot.service
    +
    +
    +
  2. +
  3. +

    Restart the machine-config-daemon-firstboot service:

    +
    +
    +
    [core@worker-X ~]$ sudo systemctl restart machine-config-daemon-firstboot.service
    +
    +
    +
  4. +
+
+
+
+

9.6. NTP out of sync

+
+

The deployment of OpenShift Container Platform clusters depends on NTP synchronized clocks among the cluster nodes. Without synchronized clocks, the deployment may fail due to clock drift if the time difference is greater than two seconds.

+
+
+
Procedure
+
    +
  1. +

    Check for differences in the AGE of the cluster nodes. For example:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                         STATUS   ROLES    AGE   VERSION
    +master-0.cloud.example.com   Ready    master   145m   v1.16.2
    +master-1.cloud.example.com   Ready    master   135m   v1.16.2
    +master-2.cloud.example.com   Ready    master   145m   v1.16.2
    +worker-2.cloud.example.com   Ready    worker   100m   v1.16.2
    +
    +
    +
  2. +
  3. +

    Check for inconsistent timing delays due to clock drift. For example:

    +
    +
    +
    $ oc get bmh -n openshift-machine-api
    +
    +
    +
    +
    +
    master-1   error registering master-1  ipmi://<out-of-band-ip>
    +
    +
    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 18:20:02 UTC
    +           Universal time: Tue 2020-03-10 18:20:02 UTC
    +                 RTC time: Tue 2020-03-10 18:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: no
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
  4. +
+
+
+
Addressing clock drift in existing clusters
+
    +
  1. +

    Create a chrony.conf file and encode it as base64 string. For example:

    +
    +
    +
    $ cat << EOF | base 64
    +server <NTP-server> iburst(1)
    +stratumweight 0
    +driftfile /var/lib/chrony/drift
    +rtcsync
    +makestep 10 3
    +bindcmdaddress 127.0.0.1
    +bindcmdaddress ::1
    +keyfile /etc/chrony.keys
    +commandkey 1
    +generatecommandkey
    +noclientlog
    +logchange 0.5
    +logdir /var/log/chrony
    +EOF
    +
    +
    +
    + + + + + +
    1Replace <NTP-server> with the IP address of the NTP server. Copy the output. +
    +
    +
    [text-in-base-64]
    +
    +
    +
    +
  2. +
  3. +

    Create a MachineConfig object, replacing the base64 string with +the [text-in-base-64] string generated in the output of the previous step. The following example adds the file to the control plane (master) nodes. You can modify the file for worker nodes or make an additional machine config for the worker role.

    +
    +
    +
    $ cat << EOF > ./99_masters-chrony-configuration.yaml
    +apiVersion: machineconfiguration.openshift.io/v1
    +kind: MachineConfig
    +metadata:
    +  creationTimestamp: null
    +  labels:
    +    machineconfiguration.openshift.io/role: master
    +  name: 99-master-etc-chrony-conf
    +spec:
    +  config:
    +    ignition:
    +      config: {}
    +      security:
    +        tls: {}
    +      timeouts: {}
    +      version: 3.1.0
    +    networkd: {}
    +    passwd: {}
    +    storage:
    +      files:
    +      - contents:
    +          source: data:text/plain;charset=utf-8;base64,[text-in-base-64](1)
    +        group:
    +          name: root
    +        mode: 420
    +        overwrite: true
    +        path: /etc/chrony.conf
    +        user:
    +          name: root
    +  osImageURL: ""
    +
    +
    +
    + + + + + +
    1Replace [text-in-base-64] with the base64 string.
    +
    +
  4. +
  5. +

    Make a backup copy of the configuration file. For example:

    +
    +
    +
    $ cp 99_masters-chrony-configuration.yaml 99_masters-chrony-configuration.yaml.backup
    +
    +
    +
  6. +
  7. +

    Apply the configuration file:

    +
    +
    +
    $ oc apply -f ./masters-chrony-configuration.yaml
    +
    +
    +
  8. +
  9. +

    Ensure the System clock synchronized value is yes:

    +
    +
    +
    $ sudo timedatectl
    +
    +
    +
    +
    +
                   Local time: Tue 2020-03-10 19:10:02 UTC
    +           Universal time: Tue 2020-03-10 19:10:02 UTC
    +                 RTC time: Tue 2020-03-10 19:36:53
    +                Time zone: UTC (UTC, +0000)
    +System clock synchronized: yes
    +              NTP service: active
    +          RTC in local TZ: no
    +
    +
    +
    +

    To setup clock synchronization prior to deployment, generate the manifest files and add this file to the openshift directory. For example:

    +
    +
    +
    +
    $ cp chrony-masters.yaml ~/clusterconfigs/openshift/99_masters-chrony-configuration.yaml
    +
    +
    +
    +

    Then, continue to create the cluster.

    +
    +
  10. +
+
+
+
+
+
+

10. Reviewing the installation

+
+
+

After installation, ensure the installer deployed the nodes and pods successfully.

+
+
+
Procedure
+
    +
  1. +

    When the OpenShift Container Platform cluster nodes are installed appropriately, the following Ready state is seen within the STATUS column:

    +
    +
    +
    $ oc get nodes
    +
    +
    +
    +
    +
    NAME                   STATUS   ROLES           AGE  VERSION
    +master-0.example.com   Ready    master,worker   4h   v1.16.2
    +master-1.example.com   Ready    master,worker   4h   v1.16.2
    +master-2.example.com   Ready    master,worker   4h   v1.16.2
    +
    +
    +
  2. +
  3. +

    Confirm the installer deployed all pods successfully. The following command +removes any pods that are still running or have completed as part of the output.

    +
    +
    +
    $ oc get pods --all-namespaces | grep -iv running | grep -iv complete
    +
    +
    +
  4. +
+
+
+
+
+ + + \ No newline at end of file diff --git a/latest/Troubleshooting.pdf b/latest/Troubleshooting.pdf new file mode 100644 index 0000000000..0d6401007b Binary files /dev/null and b/latest/Troubleshooting.pdf differ diff --git a/redirects.json b/redirects.json new file mode 100644 index 0000000000..9e26dfeeb6 --- /dev/null +++ b/redirects.json @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/robots.txt b/robots.txt new file mode 100644 index 0000000000..04590bb901 --- /dev/null +++ b/robots.txt @@ -0,0 +1 @@ +Sitemap: https://openshift-kni.github.io/baremetal-deploy/sitemap.xml diff --git a/sitemap.xml b/sitemap.xml new file mode 100644 index 0000000000..70b12cb0ad --- /dev/null +++ b/sitemap.xml @@ -0,0 +1,166 @@ + + + +https://openshift-kni.github.io/baremetal-deploy/ + + +https://openshift-kni.github.io/baremetal-deploy/4.3/Deployment.html +2024-12-22T18:59:26-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.3/Deployment.pdf +2024-12-22T18:59:31-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.3/Troubleshooting.html +2024-12-22T18:59:32-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.3/Troubleshooting.pdf +2024-12-22T18:59:34-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.4/Deployment.html +2024-12-22T18:59:17-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.4/Deployment.pdf +2024-12-22T18:59:22-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.4/Troubleshooting.html +2024-12-22T18:59:23-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.4/Troubleshooting.pdf +2024-12-22T18:59:25-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.5/Deployment.html +2024-12-22T18:59:08-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.5/Deployment.pdf +2024-12-22T18:59:13-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.5/Troubleshooting.html +2024-12-22T18:59:14-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.5/Troubleshooting.pdf +2024-12-22T18:59:16-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.6/Deployment.html +2024-12-22T18:58:58-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.6/Deployment.pdf +2024-12-22T18:59:04-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.6/Troubleshooting.html +2024-12-22T18:59:05-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.6/Troubleshooting.pdf +2024-12-22T18:59:07-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.7/Deployment.html +2024-12-22T18:58:49-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.7/Deployment.pdf +2024-12-22T18:58:55-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.7/Troubleshooting.html +2024-12-22T18:58:55-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.7/Troubleshooting.pdf +2024-12-22T18:58:58-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.8/Deployment.html +2024-12-22T18:58:38-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.8/Deployment.pdf +2024-12-22T18:58:45-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.8/Troubleshooting.html +2024-12-22T18:58:46-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.8/Troubleshooting.pdf +2024-12-22T18:58:48-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.9/Ansible%20Playbook%20Disconnected%20Install.html +2024-12-22T18:59:38-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.9/Ansible%20Playbook%20Disconnected%20Install.pdf +2024-12-22T18:59:41-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.9/Ansible%20Playbook%20Install.html +2024-12-22T18:59:35-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.9/Ansible%20Playbook%20Install.pdf +2024-12-22T18:59:38-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.9/Deployment.html +2024-12-22T18:59:41-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.9/Deployment.pdf +2024-12-22T18:59:49-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.9/Troubleshooting.html +2024-12-22T18:59:49-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/4.9/Troubleshooting.pdf +2024-12-22T18:59:52-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/latest/Ansible%20Playbook%20Disconnected%20Install.html +2024-12-22T18:59:38-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/latest/Ansible%20Playbook%20Disconnected%20Install.pdf +2024-12-22T18:59:41-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/latest/Ansible%20Playbook%20Install.html +2024-12-22T18:59:35-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/latest/Ansible%20Playbook%20Install.pdf +2024-12-22T18:59:38-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/latest/Deployment.html +2024-12-22T18:59:41-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/latest/Deployment.pdf +2024-12-22T18:59:49-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/latest/Troubleshooting.html +2024-12-22T18:59:49-06:00 + + +https://openshift-kni.github.io/baremetal-deploy/latest/Troubleshooting.pdf +2024-12-22T18:59:52-06:00 + +