📌 Table of Contents
1. Overview
This guide documents how to install Red Hat OpenShift Container Platform (RHOCP) 4.8.14 in the in-house TestBed KVM environment.
It assumes an internet-connected environment and targets a simple test setup of 1 Bastion / 3 Master / 2 Worker nodes.
• Bastion: DNS, HAProxy (LB), HTTP server
• Bootstrap: used for initial cluster formation
• Worker: data nodes on which Pods run
Refer to the official installation guide at the following links.
🔗 OpenShift 4.8 official documentation 🔗 Pull Secret issuance 🔗 OpenShift installation files
2. Infrastructure and Network Configuration
- Public network: 55.55.34.0/24
- OCP Management network: 55.55.35.0/24
The summarized VM configuration and the IP assigned to each role are as follows.
3. Bastion Server Setup
3.1 Package installation and settings
dnf install -y vim bash-completion tcpdump tar wget
hostnamectl set-hostname bastion.ocp-dc.hk.com
3.2 Disable SELinux and firewalld
vi /etc/selinux/config # set SELINUX=disabled
systemctl disable firewalld --now
3.3 Install and configure HAProxy
Install HAProxy and expose the OpenShift API / MCS (machine config server) / Ingress ports.
yum install -y haproxy
vi /etc/haproxy/haproxy.cfg
[root@bastion ~]#yum install -y haproxy
[root@bastion ~]#cat /etc/haproxy/haproxy.cfg
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
# utilize system-wide crypto-policies
ssl-default-bind-ciphers PROFILE=SYSTEM
ssl-default-server-ciphers PROFILE=SYSTEM
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
listen stats
bind :9000
mode http
stats enable
stats uri /
monitor-uri /bastion-test
stats refresh 5s
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
balance roundrobin
server static 127.0.0.1:4331 check
#---------------------------------------------------------------------
# RHOCP-API
#---------------------------------------------------------------------
frontend openshift-api-server
bind *:6443
default_backend openshift-api-server
mode tcp
option tcplog
backend openshift-api-server
balance source
mode tcp
server bootstrap 55.55.35.205:6443 check
server master1 55.55.35.211:6443 check
server master2 55.55.35.212:6443 check
server master3 55.55.35.213:6443 check
#---------------------------------------------------------------------
# RHOCP-machine-config-server
#---------------------------------------------------------------------
frontend machine-config-server
bind *:22623
default_backend machine-config-server
mode tcp
option tcplog
backend machine-config-server
balance source
mode tcp
server bootstrap 55.55.35.205:22623 check
server master1 55.55.35.211:22623 check
server master2 55.55.35.212:22623 check
server master3 55.55.35.213:22623 check
#---------------------------------------------------------------------
# RHOCP ingress-http (80)
#---------------------------------------------------------------------
frontend ingress-http
bind *:80
default_backend ingress-http
mode tcp
option tcplog
backend ingress-http
balance source
mode tcp
server worker1 55.55.35.216:80 check
server worker2 55.55.35.217:80 check
#---------------------------------------------------------------------
# RHOCP ingress-https (443)
#---------------------------------------------------------------------
frontend ingress-https
bind *:443
default_backend ingress-https
mode tcp
option tcplog
backend ingress-https
balance source
mode tcp
server worker1 55.55.35.216:443 check
server worker2 55.55.35.217:443 check
[root@bastion ~]#systemctl enable haproxy --now
3.4 Install the HTTP server (using port 8080)
[root@bastion haproxy]#dnf install -y httpd
[root@bastion ~]#cat /etc/httpd/conf/httpd.conf | grep Listen
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
#Listen 12.34.56.78:80
Listen 8080
[root@bastion conf]#systemctl enable httpd --now
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/lib/systemd/system/httpd.service.
3.5 Download and move the CoreOS images
[root@bastion ~]#wget https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.8/4.8.14/rhcos-4.8.14-x86_64-live-initramfs.x86_64.img
[root@bastion ~]#wget https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.8/4.8.14/rhcos-4.8.14-x86_64-live-kernel-x86_64
[root@bastion ~]#wget https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.8/4.8.14/rhcos-4.8.14-x86_64-metal.x86_64.raw.gz
[root@bastion ~]#wget https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.8/4.8.14/rhcos-4.8.14-x86_64-live-rootfs.x86_64.img
[root@bastion ~]#mv rhcos-4.8.14-x86_64-live-initramfs.x86_64.img /var/www/html/
[root@bastion ~]#mv rhcos-4.8.14-x86_64-live-rootfs.x86_64.img /var/www/html/
[root@bastion ~]#mv rhcos-4.8.14-x86_64-live-kernel-x86_64 /var/www/html/
[root@bastion ~]#mv rhcos-4.8.14-x86_64-metal.x86_64.raw.gz /var/www/html/
[root@bastion ~]#mv /var/www/html/rhcos-4.8.14-x86_64-metal.x86_64.raw.gz /var/www/html/rhcos.tar.gz
[root@bastion ~]#systemctl restart httpd
3.6 DNS configuration (using bind)
[root@bastion ~]#dnf install -y bind bind-utils
[root@bastion ~]#systemctl enable named --now
[root@bastion ~]#cat /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { none; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
# Edit the rfc1912 zones file
[root@bastion ~]#cat /etc/named.rfc1912.zones
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "hk.com" IN {
type master;
file "/var/named/ocp-dc.hk.com.zone";
allow-update { none; };
};
zone "35.55.55.in-addr.arpa" IN {
type master;
file "/var/named/35.55.55.in-addr.rev";
allow-update { none; };
};
# Zone file setup (forward DNS)
[root@bastion ~]#cat /var/named/ocp-dc.hk.com.zone
$TTL 1D
@ IN SOA @ ns.hk.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns.hk.com.
@ IN A 55.55.35.200 ;
; Ancillary services
lb.ocp-dc IN A 55.55.35.200
; Bastion or Jumphost
ns IN A 55.55.35.200 ;
; OCP Cluster
bootstrap.ocp-dc IN A 55.55.35.205
master1.ocp-dc IN A 55.55.35.211
master2.ocp-dc IN A 55.55.35.212
master3.ocp-dc IN A 55.55.35.213
api.ocp-dc IN A 55.55.35.200
api-int.ocp-dc IN A 55.55.35.200
*.apps.ocp-dc IN A 55.55.35.200
# Zone file setup (reverse DNS)
[root@bastion ~]#cat /var/named/35.55.55.in-addr.rev
$TTL 1D
@ IN SOA hk.com. ns.hk.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns.hk.com.
200 IN PTR ns.hk.com.
200 IN PTR bastion.ocp-dc.hk.com.
205 IN PTR bootstrap.ocp-dc.hk.com.
211 IN PTR master1.ocp-dc.hk.com.
212 IN PTR master2.ocp-dc.hk.com.
213 IN PTR master3.ocp-dc.hk.com.
200 IN PTR api.ocp-dc.hk.com.
200 IN PTR api-int.ocp-dc.hk.com.
# Set zone file permissions
[root@bastion named]#cd /var/named
[root@bastion named]#chown root:named 35.55.55.in-addr.rev
[root@bastion named]#chown root:named ocp-dc.hk.com.zone
[root@bastion named]#systemctl restart named
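A consistency check between the HAProxy backends (section 3.3) and the bind forward zone (section 3.6), added here as an example that is not part of the original post and not Red Hat tooling: every "server NAME IP:PORT" line that HAProxy forwards to should have an A record for NAME.ocp-dc carrying the same address, otherwise the load balancer and DNS disagree about where a node lives. The two files embedded below are shortened, constructed copies of the page's haproxy.cfg and ocp-dc.hk.com.zone; on the bastion you would pass /etc/haproxy/haproxy.cfg and /var/named/ocp-dc.hk.com.zone instead. The page's forward zone defines no records for worker1/worker2 even though HAProxy forwards ingress traffic to 55.55.35.216 and 55.55.35.217, which is exactly the kind of gap this check reports as MISSING.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check HAProxy backend
# servers against the bind forward zone. Inputs are constructed excerpts.

HAPROXY_CFG=$(mktemp)
ZONE_FILE=$(mktemp)
trap 'rm -f "$HAPROXY_CFG" "$ZONE_FILE"' EXIT

cat > "$HAPROXY_CFG" <<'EOF'
backend openshift-api-server
    balance source
    mode tcp
    server bootstrap 55.55.35.205:6443 check
    server master1 55.55.35.211:6443 check
backend machine-config-server
    balance source
    mode tcp
    server bootstrap 55.55.35.205:22623 check
    server master1 55.55.35.211:22623 check
backend ingress-http
    balance source
    mode tcp
    server worker1 55.55.35.216:80 check
EOF

cat > "$ZONE_FILE" <<'EOF'
$TTL 1D
@ IN SOA @ ns.hk.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns.hk.com.
ns IN A 55.55.35.200 ;
bootstrap.ocp-dc IN A 55.55.35.205
master1.ocp-dc IN A 55.55.35.211
EOF

# zone_ip NAME ZONEFILE: print the A record for a zone-relative NAME (or nothing).
zone_ip() {
    awk -v n="$1" '$1 == n && $2 == "IN" && $3 == "A" { print $4; exit }' "$2"
}

# check_backends HAPROXY_CFG ZONEFILE SUBDOMAIN: print OK / MISSING / MISMATCH
# for each distinct backend server; the return code is the number of problems.
check_backends() {
    awk -v sd="$3" '
        BEGIN { bad = 0 }
        FNR == NR { if ($2 == "IN" && $3 == "A") a[$1] = $4; next }   # zone file is read first
        $1 == "server" {
            split($3, hp, ":"); name = $2 "." sd
            if (seen[name ":" hp[1]]++) next                           # same server, other backend
            if (!(name in a))          { printf "MISSING  %s (HAProxy: %s)\n", name, hp[1]; bad++ }
            else if (a[name] != hp[1]) { printf "MISMATCH %s zone=%s haproxy=%s\n", name, a[name], hp[1]; bad++ }
            else                         printf "OK       %s %s\n", name, hp[1]
        }
        END { exit bad }' "$2" "$1"
}

rc=0
check_backends "$HAPROXY_CFG" "$ZONE_FILE" ocp-dc || rc=$?
echo "backend servers without a consistent A record: $rc"   # 1 (worker1 has no A record)
```

Run it after every change to either file and before restarting haproxy or named; a non-zero return is a cheap signal that a node was added to one place and not the other.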
4. RHOCP Installation Preparation
4.1 Download binaries and generate the SSH key
[root@bastion ~]#ssh-keygen -t rsa -b 4096 -N ''
[root@bastion ~]#wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.8.14/openshift-client-linux.tar.gz
[root@bastion ~]#wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/4.8.14/openshift-install-linux.tar.gz
[root@bastion ~]# tar xvf openshift-install-linux.tar.gz -C /usr/local/bin/
[root@bastion ~]# tar xvf openshift-client-linux.tar.gz -C /usr/local/bin/
4.2 Create install-config.yaml
[root@bastion ~]#mkdir -p /root/ocp/config
[root@bastion ~]#cd /root/ocp/config/
[root@bastion config]#cat install-config.yaml
apiVersion: v1
baseDomain: hk.com
compute:
- hyperthreading: Enabled
name: worker
replicas: 0
controlPlane:
hyperthreading: Enabled
name: master
replicas: 3
metadata:
name: ocp-dc #cluster name
networking:
clusterNetworks:
- cidr: 10.128.0.0/14
hostPrefix: 23
networkType: OpenShiftSDN
serviceNetwork:
- 172.30.0.0/16
platform:
none: {}
fips: false
pullSecret: '{pull secret 정보 필요}'
sshKey: 'ssh-rsa <public key removed> root@bastion.ocp-dc.hk.com'
# pull secret: https://console.redhat.com/openshift/create
# sshKey -> add the value of cat /root/.ssh/id_rsa.pub
[root@bastion config]#mkdir backup
[root@bastion config]#cp install-config.yaml ./backup/install-config.yaml
4.3 Create manifests and ignition files
## Create manifests
[root@bastion config]#openshift-install create manifests --dir=/root/ocp/config/
INFO Consuming Install Config from target directory
WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
INFO Manifests created in: /root/ocp/config/manifests and /root/ocp/config/openshift
[root@bastion config]#cd openshift/
[root@bastion openshift]#ls
99_kubeadmin-password-secret.yaml 99_openshift-machineconfig_99-master-ssh.yaml
99_openshift-cluster-api_master-user-data-secret.yaml 99_openshift-machineconfig_99-worker-ssh.yaml
99_openshift-cluster-api_worker-user-data-secret.yaml openshift-install-manifests.yaml
[root@bastion config]#openshift-install create ignition-configs --dir /root/ocp/config
INFO Consuming Master Machines from target directory
INFO Consuming Worker Machines from target directory
INFO Consuming Common Manifests from target directory
INFO Consuming Openshift Manifests from target directory
INFO Consuming OpenShift Install (Manifests) from target directory
INFO Ignition-Configs created in: /root/ocp/config and /root/ocp/config/auth
## Create ignition files
[root@bastion config]#ls /root/ocp/config/
auth backup bootstrap.ign master.ign metadata.json worker.ign
[root@bastion config]#mkdir /var/www/html/ign
[root@bastion config]#cp *.ign /var/www/html/ign/
[root@bastion config]#chmod 777 /var/www/html/ign/*.ign
[root@bastion config]#systemctl restart httpd
5. RHOCP Deployment
5.1 Install the bootstrap, master, and worker nodes
# Install the bootstrap node with the command below
sudo coreos-installer install /dev/vda --insecure-ignition -I http://55.55.35.200:8080/ign/bootstrap.ign -n
# Install the master nodes with the command below
sudo coreos-installer install /dev/vda --insecure-ignition -I http://55.55.35.200:8080/ign/master.ign -n
# Install the worker nodes with the command below
sudo coreos-installer install /dev/vda --insecure-ignition -I http://55.55.35.200:8080/ign/worker.ign -n
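The coreos-installer lines above pass --insecure-ignition because the Ignition configs are fetched over plain HTTP with no digest. The Ignition files carry the pull secret and the SSH public key, so it is worth pinning each one to its digest with coreos-installer's --ignition-hash option instead; the installer then rejects a modified or stale file on the HTTP server. The following is an added example, not from the original post: the .ign content is a constructed stand-in, the ign_digest and install_cmd helpers are this example's own, and the URL and device are the ones used above. The digest must be recomputed after every "openshift-install create ignition-configs", since that regenerates the files.

```shell
#!/bin/sh
# Added example, not from the original post: pin an Ignition config to its
# SHA-512 digest instead of using --insecure-ignition.

IGN_FILE=$(mktemp)
trap 'rm -f "$IGN_FILE"' EXIT
# Constructed stand-in for bootstrap.ign; on the bastion use /var/www/html/ign/*.ign.
printf '{"ignition":{"version":"3.2.0"}}\n' > "$IGN_FILE"

# ign_digest FILE: print "sha512-<hex>", the "type-value" form --ignition-hash expects.
ign_digest() {
    if command -v sha512sum >/dev/null 2>&1; then
        hex=$(sha512sum "$1" | awk '{ print $1 }')
    else
        hex=$(shasum -a 512 "$1" | awk '{ print $1 }')   # BSD / macOS fallback
    fi
    printf 'sha512-%s\n' "$hex"
}

# install_cmd FILE URL DEVICE: the page's coreos-installer line with
# --insecure-ignition replaced by a digest pin of FILE (the served copy
# must be byte-identical to FILE, otherwise the installer refuses it).
install_cmd() {
    printf 'sudo coreos-installer install %s -I %s --ignition-hash %s -n\n' \
        "$3" "$2" "$(ign_digest "$1")"
}

# Print the command to type on the bootstrap node (URL and device as on the page).
install_cmd "$IGN_FILE" http://55.55.35.200:8080/ign/bootstrap.ign /dev/vda
```

Generate one line per role (bootstrap.ign, master.ign, worker.ign) and paste it on the corresponding node; the digest ties the boot to the exact file you reviewed on the bastion rather than to whatever the HTTP server happens to serve at that moment.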
5.2 Confirm bootstrap completion
Install the three master nodes the same way the bootstrap node was installed.
Before installing the master nodes, the bootstrap installation may take some time (depending on node performance); once the log output below is seen, proceed with installing the master nodes.
openshift-install --dir=/root/ocp/config wait-for bootstrap-complete --log-level=info
5.3 Confirm cluster formation
Once all three master nodes have been installed, the log below appears; when the message "It is now safe to remove the bootstrap resources" is printed, the cluster has been formed correctly from the three masters, and the bootstrap node is no longer needed from this point on.
[root@bastion ~]#openshift-install --dir=/root/ocp/config/ wait-for bootstrap-complete --log-level=info
INFO Waiting up to 20m0s for the Kubernetes API at https://api.ocp-dc.hk.com:6443...
INFO API v1.21.1+a620f50 up
INFO Waiting up to 30m0s for bootstrapping to complete...
INFO It is now safe to remove the bootstrap resources
INFO Time elapsed: 0s
5.4 Remove the bootstrap node and update the HAProxy configuration
# Comment out the bootstrap servers in the HAProxy configuration
backend openshift-api-server
balance source
mode tcp
#server bootstrap 55.55.35.205:6443 check
backend machine-config-server
balance source
mode tcp
#server bootstrap 55.55.35.205:22623 check
[root@bastion ~]#systemctl restart haproxy
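The bootstrap removal above can be scripted so that it is repeatable and verified before HAProxy is restarted: comment out every live "server bootstrap" line, leave already-commented lines alone, and confirm that all three masters are still active in both backends. This is an added example, not from the original post; the config excerpt is a constructed copy of the page's two backends (on the bastion use /etc/haproxy/haproxy.cfg), and the active_servers, disable_bootstrap and verify_no_bootstrap helpers are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent bootstrap removal
# from haproxy.cfg with a verification step.

CFG=$(mktemp)
trap 'rm -f "$CFG" "$CFG.bak"' EXIT
# Constructed excerpt of the page's haproxy.cfg (API and MCS backends only).
cat > "$CFG" <<'EOF'
backend openshift-api-server
    balance source
    mode tcp
    server bootstrap 55.55.35.205:6443 check
    server master1 55.55.35.211:6443 check
    server master2 55.55.35.212:6443 check
    server master3 55.55.35.213:6443 check
backend machine-config-server
    balance source
    mode tcp
    server bootstrap 55.55.35.205:22623 check
    server master1 55.55.35.211:22623 check
    server master2 55.55.35.212:22623 check
    server master3 55.55.35.213:22623 check
EOF

# active_servers CFG NAME: number of uncommented "server NAME ..." lines.
active_servers() {
    awk -v n="$2" '$1 == "server" && $2 == n { c++ } END { print c + 0 }' "$1"
}

# disable_bootstrap CFG: prefix every live "server bootstrap" line with '#',
# keeping a .bak copy. Commented lines do not match, so re-running is harmless.
disable_bootstrap() {
    sed -i.bak 's/^\([[:space:]]*\)server bootstrap /\1#server bootstrap /' "$1"
}

# verify_no_bootstrap CFG: 0 if no bootstrap server remains and each of the
# three masters is still active in both backends, non-zero otherwise.
verify_no_bootstrap() {
    [ "$(active_servers "$1" bootstrap)" -eq 0 ] &&
    [ "$(active_servers "$1" master1)" -eq 2 ] &&
    [ "$(active_servers "$1" master2)" -eq 2 ] &&
    [ "$(active_servers "$1" master3)" -eq 2 ]
}

disable_bootstrap "$CFG"
disable_bootstrap "$CFG"   # second run must not produce "##server"
if verify_no_bootstrap "$CFG"; then
    echo "bootstrap removed from both backends; safe to systemctl restart haproxy"
else
    echo "unexpected backend state, not restarting haproxy" >&2
fi
```

On the bastion, let haproxy -c -f /etc/haproxy/haproxy.cfg parse the edited file before systemctl restart haproxy; the .bak copy left by sed is the rollback if the parse fails.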
6. Installation Verification and Wrap-up
6.1 Set the kubeconfig environment variable
vi ~/.bash_profile
export KUBECONFIG=/root/ocp/config/auth/kubeconfig
6.2 Check nodes and components
oc get node
NAME STATUS ROLES AGE VERSION
master1.ocp-dc.hk.com Ready master,worker 2d20h v1.21.1+a620f50
master2.ocp-dc.hk.com Ready master,worker 2d20h v1.21.1+a620f50
master3.ocp-dc.hk.com Ready master,worker 2d20h v1.21.1+a620f50
oc get co # Check Cluster Operator status
Every Cluster Operator should report True / False / False (AVAILABLE / PROGRESSING / DEGRADED) for the cluster to be healthy.
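A small check that turns the rule above into something scriptable, added here as an example and not part of the original post: it reads "oc get co" output, locates the AVAILABLE / PROGRESSING / DEGRADED columns by header name rather than by position, and lists every operator that is not True / False / False. The sample output below is constructed in the 4.8 column layout; the unhealthy_operators and cluster_operators_ok helpers are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: flag Cluster Operators that are
# not Available=True / Progressing=False / Degraded=False.

CO_SAMPLE=$(mktemp)
trap 'rm -f "$CO_SAMPLE"' EXIT
# Constructed sample of "oc get co" output; on the bastion pipe the real
# command in:  oc get co | unhealthy_operators -
cat > "$CO_SAMPLE" <<'EOF'
NAME                 VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
authentication       4.8.14    True        False         False      2d20h
console              4.8.14    True        True          False      4m12s
ingress              4.8.14    False       False         True       1m3s
kube-apiserver       4.8.14    True        False         False      2d20h
EOF

# unhealthy_operators FILE: one line per operator outside the healthy state
# ("-" reads stdin). Prints nothing when every operator is healthy.
unhealthy_operators() {
    awk '
        NR == 1 {
            for (i = 1; i <= NF; i++) col[$i] = i            # header name -> column index
            if (!("AVAILABLE" in col && "PROGRESSING" in col && "DEGRADED" in col)) {
                print "unexpected header: " $0 > "/dev/stderr"; exit 2
            }
            next
        }
        NF > 0 {
            av = $(col["AVAILABLE"]); pr = $(col["PROGRESSING"]); dg = $(col["DEGRADED"])
            if (!(av == "True" && pr == "False" && dg == "False"))
                printf "%s available=%s progressing=%s degraded=%s\n", $1, av, pr, dg
        }' "$1"
}

# cluster_operators_ok FILE: 0 when all operators are healthy, 1 otherwise.
cluster_operators_ok() {
    [ -z "$(unhealthy_operators "$1")" ]
}

if cluster_operators_ok "$CO_SAMPLE"; then
    echo "all cluster operators healthy"
else
    echo "operators needing attention:"
    unhealthy_operators "$CO_SAMPLE"   # console (progressing) and ingress (unavailable, degraded)
fi
```

A non-zero return from cluster_operators_ok is the condition under which "wait-for install-complete" in the next step will keep waiting, so running this first shows which operator is holding the installation up.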
6.3 Check the installation-complete message
openshift-install --dir=/root/ocp/config wait-for install-complete
INFO Waiting up to 40m0s for the cluster at https://api.ocp-dc.hk.com:6443 to initialize...
INFO Waiting up to 10m0s for the openshift-console route to be created...
INFO Install complete!
INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/root/ocp/config/auth/kubeconfig'
INFO Access the OpenShift web-console here: https://console-openshift-console.apps.ocp-dc.hk.com
INFO Login to the console with user: "kubeadmin", and password: "xxxxxxxxx"
INFO Time elapsed: 0s
## When working from a personal laptop, an external or corporate DNS server is configured, so the entries must be added directly to the hosts file
e.g.) 55.55.55
Web console access: https://console-openshift-console.apps.ocp-dc.hk.com
💡 Tip: Adding worker nodes
Additional nodes can be installed the same way using worker.ign; to separate the roles, the "master, worker" roles must be adjusted. (See the worker node install command in 5.1 above.)
[root@bastion ~]#oc get node
NAME STATUS ROLES AGE VERSION
master1.ocp-dc.hk.com Ready master,worker 2d20h v1.21.1+a620f50
master2.ocp-dc.hk.com Ready master,worker 2d20h v1.21.1+a620f50
master3.ocp-dc.hk.com Ready master,worker 2d20h v1.21.1+a620f50
worker1.ocp-dc.hk.com Ready worker 2d20h v1.21.1+a620f50
As of this writing, releases have reached version 4.18. Refer to the link below for the most recent installation guide.