    Installing Red Hat OpenShift Container Platform with Contrail Networking

    Perform the following steps to install Red Hat OpenShift Container Platform with Juniper Networks Contrail Networking.

    Installing Red Hat OpenShift Container Platform

    To install Red Hat OpenShift Container Platform:

    1. Install CentOS 7.3 minimal distribution on both master and slave nodes.
    2. Download the Contrail-Ansible package and the Contrail-Kubernetes-Docker-Images package from Juniper’s download site and copy them to the master node. You must create an account to download the packages.
    3. Install the Extra Packages for Enterprise Linux (EPEL) on the master and slave nodes.
      (all-nodes)# yum install git epel-release vim NetworkManager -y
      (all-nodes)# yum update -y
    4. Install all dependencies, set SELinux to “enforcing”, and reboot the nodes.
      (master)# yum install kernel-devel kernel-headers -y
      (master)# yum install ansible pyOpenSSL python-cryptography python-lxml -y 
      (slave)# yum install kernel-devel kernel-headers nfs-utils socat -y 
      (all-nodes)# vi /etc/sysconfig/selinux
      SELINUX=enforcing
      (all-nodes)# reboot
    5. Enable password-free SSH access to all nodes from the master node and verify that you can log in without a password.
      (master)# ssh-keygen -t rsa
      (master)# ssh-copy-id root@<master-node-ip>
      (master)# ssh-copy-id root@<slave-node-ip>
      
    6. Add hostnames of all nodes to the /etc/hosts file and verify that you can resolve the hostnames to IP addresses.
      (all-nodes)# cat /etc/hosts
      192.0.2.0 5b4s40.device.example.net 5b4s40 #master-node 
      192.0.2.1 5b4s41.device.example.net 5b4s41 #slave-node
      (master)# ping <slave-hostname>
      
    7. Clone the OpenShift Ansible project-repo.
      (master)# git clone https://github.com/openshift/openshift-ansible 
      (master)# cd openshift-ansible
    8. Populate the files ose-prerequisites and ose-install.
      (master)# vi /root/openshift-ansible/inventory/byo/ose-prerequisites.yml 
      (master)# vi /root/openshift-ansible/inventory/byo/ose-install

      For more information, see ose-prerequisites.yml and ose-install.

    9. Run the ansible-playbook which will install the prerequisites on the nodes and install the atomic-openshift packages that you downloaded.
      (master)# ansible-playbook -i inventory/byo/ose-install inventory/byo/ose-prerequisites.yml
    10. Run the ansible-playbook to install OpenShift.
      (master)# ansible-playbook -i inventory/byo/ose-install playbooks/byo/openshift_facts.yml 
      (master)# ansible-playbook -i inventory/byo/ose-install playbooks/byo/config.yml
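
    Before running the playbooks in steps 9 and 10, the SELinux and name-resolution prerequisites from steps 4 and 6 can be checked with a short script. This is an added example, not part of the original guide; the function names are hypothetical and the sample files are constructed from the values shown above.

```shell
#!/bin/sh
# Added example: preflight checks for steps 4 and 6 (not part of the original guide).
# Function names are hypothetical; file paths are arguments so the checks can be
# tried on copies before touching the nodes.

# selinux_enforcing FILE: succeed only if the last active SELINUX= line is "enforcing".
# Commented lines and SELINUXTYPE= do not match the pattern.
selinux_enforcing() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    [ "$mode" = "enforcing" ]
}

# hosts_missing FILE NAME...: print every NAME that has no entry in FILE.
hosts_missing() {
    hosts_file=$1; shift
    for name in "$@"; do
        awk -v n="$name" '
            { sub(/#.*/, "") }    # ignore comments such as "#master-node"
            { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
            END { exit !found }' "$hosts_file" || printf '%s\n' "$name"
    done
}

# Constructed sample input modelled on the files shown in steps 4 and 6.
sample_dir=$(mktemp -d)
cat > "$sample_dir/selinux" <<'EOF'
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat > "$sample_dir/hosts" <<'EOF'
192.0.2.0 5b4s40.device.example.net 5b4s40 #master-node
192.0.2.1 5b4s41.device.example.net 5b4s41 #slave-node
EOF

if selinux_enforcing "$sample_dir/selinux"; then echo "SELinux: enforcing"; fi
# "master-node" appears only inside a comment, so it is reported as missing.
echo "missing hosts: $(hosts_missing "$sample_dir/hosts" 5b4s40 5b4s41 master-node)"
```

    On a live node, pass /etc/sysconfig/selinux and /etc/hosts instead of the sample files; getenforce reports the running mode after the reboot in step 4.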

    Installing Contrail Networking for Red Hat OpenShift

    Use this procedure to install Contrail Networking for Red Hat OpenShift.

    1. Clone the contrail-ansible project repo.
      (master)# mkdir contrail-ansible && cd contrail-ansible 
      (master)# tar -xvzf contrail-ansible*.tar.gz 
      (master)# mkdir playbooks/container_images && cd playbooks/container_images
    2. Untar the contrail-kubernetes-docker-images package.
      (master)# tar -xvzf contrail-kubernetes-docker-images_4.0.0.0-20.tgz
    3. Populate the inventory/hosts file.
      (master)# vi /root/contrail-ansible/playbooks/inventory/my-inventory/hosts

      For more information, see hosts.

    4. Populate the YAML file with configuration parameters specific to your system.
      (master)# vi /root/contrail-ansible/playbooks/inventory/my-inventory/group_vars/all.yml

      For more information, see all.yml.

    5. Run the Ansible playbook to install Contrail Networking.
      (master)# ansible-playbook -i inventory/my-inventory site.yml

    Initializing Red Hat OpenShift Container and Contrail Networking

    Use this procedure to initialize Red Hat OpenShift Container and Contrail Networking.

    1. Create a new project and move into the project context.
      (master)# oc login -u system:admin 
      (master)# oc new-project juniper 
      (master)# oc project juniper
    2. Create a service account to access the APIs.
      (master)# oc create serviceaccount useroot
    3. Bind the service account to the role.
      (master)# oadm policy add-cluster-role-to-user cluster-reader \
      system:serviceaccount:juniper:useroot
    4. Add the user to a privileged security context constraint.
      (master)# oadm policy add-scc-to-user privileged system:serviceaccount:juniper:useroot
    5. Assign the cluster-admin role to the admin user.
      (master)# oadm policy add-cluster-role-to-user cluster-admin admin
    6. Assign a token to a service account.
      (master)# oc serviceaccounts get-token useroot
    7. Copy the service account token and log in to the contrail-kube-manager container.
      (master)# docker ps
      (master)# docker exec -it contrail-kube-manager bash
    8. Add the token to the contrail-kubernetes.conf file.
      (contrail-kube-manager)# vi /etc/contrail/contrail-kubernetes.conf
      [VNC]
      …
      token = serviceaccount-token

      For more information, see contrail-kubernetes.conf.

    9. Ensure that the cluster_project dict is empty.
      (contrail-kube-manager)# vi /etc/contrail/contrail-kubernetes.conf
      cluster_project = {}
    10. Restart the contrail-kube-manager service.
      (contrail-kube-manager)# supervisorctl -s unix:///var/run/supervisord_kubernetes.sock 
      supervisor> restart all 
      supervisor> status 
      supervisor> exit
    11. Log in to the slave node and move the OpenShift Container Network Interface (CNI) to a different location.
      (slave)# cd /etc/cni/net.d 
      (slave)# mv 80-openshift-sdn.conf /etc/
    12. Log in to the respective Web-UI dashboards.
      1. Create a password for the admin user to log in to the UI and assign permissions.
        (master)# htpasswd /etc/origin/master/htpasswd admin 
        (master)# oc login -u admin
      2. Log in to Contrail Web-UI.
        OpenShift Web-UI: https://<master-node-IP>:8443 
        Contrail Web-UI: https://<master-node-IP>:8143
      3. Enable Images to Run with USER in the Docker file and edit the restricted SCC.
        (master)# oc edit scc restricted
      4. Change the runAsUser.Type strategy to RunAsAny.
        runAsUser:
          type: RunAsAny
      5. Set up BGP peering with the gateway router.

        Configure > Infrastructure > BGP Routers

      6. Set up a network IPAM under the “default” project.

        Configure > Networking > IP Address Management > default-domain > default

      7. Create a public virtual network.

        Configure > Networking > Networks > default-domain > default
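
    Steps 8 and 9 of this procedure leave a service account token in contrail-kubernetes.conf, and the restart in step 10 only helps if both edits are in place. The following script checks them and also flags group or other read access to the file, since the token is a bearer credential. It is an added example, not part of the original guide: the helper names are hypothetical, the sample file is constructed, and placing cluster_project under a [KUBERNETES] section is an assumption (the lookup for that key ignores sections).

```shell
#!/bin/sh
# Added example: verify steps 8 and 9 on contrail-kubernetes.conf (not from the guide).
# conf_get and check_kube_manager_conf are hypothetical helper names.

# conf_get FILE KEY [SECTION]: print KEY's value, optionally only inside [SECTION].
conf_get() {
    awk -v key="$2" -v sec="$3" '
        /^[ \t]*\[/ { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur); next }
        /^[ \t]*[#;]/ || !/=/ { next }      # skip comments and lines without "="
        sec != "" && cur != sec { next }    # key is in a different section
        {
            eq = index($0, "=")
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# check_kube_manager_conf FILE: print one finding per line; status 0 means clean.
check_kube_manager_conf() {
    conf=$1; rc=0
    token=$(conf_get "$conf" token VNC)
    if [ -z "$token" ] || [ "$token" = "serviceaccount-token" ]; then
        echo "token: missing or still the placeholder in [VNC]"; rc=1
    fi
    if [ "$(conf_get "$conf" cluster_project)" != "{}" ]; then
        echo "cluster_project: expected {}"; rc=1
    fi
    # The file holds a bearer token, so report group/other read permission.
    if [ -n "$(find "$conf" \( -perm -040 -o -perm -004 \))" ]; then
        echo "mode: readable by group or other"; rc=1
    fi
    return $rc
}

# Constructed sample: token left as the placeholder, cluster_project not emptied.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[VNC]
token = serviceaccount-token
[KUBERNETES]
cluster_project = {'project': 'juniper'}
EOF
check_kube_manager_conf "$sample_conf" || echo "fix the findings above before step 10"
```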

    Modified: 2017-09-22