SlideShare ist ein Scribd-Unternehmen logo

OpenShift 4 installation

Robert Bohne
Robert Bohne

OpenShift 4 installation deep dive

Software
1 von 41
Downloaden Sie, um offline zu lesen
Red Hat OpenShift 4 - Installation Robert Bohne SR. SPECIALIST SOLUTION ARCHITECT | OPENSHIFT Twitter: @RobertBohne 1
OPENSHIFT CONTAINER PLATFORM | Architectural Overview 2 EXISTING AUTOMATION TOOLSETS SCM (GIT) CI/CD WORKERMASTER Red Hat® OpenShift® services STORAGE Kubernetes services Monitoring | Logging | Tuned SDN | DNS | Kubelet Infrastructure services etcd NETWORKCOMPUTE Registry Prometheus | Grafana Alertmanager Kibana | Elasticsearch Router Developers Admins WORKER Monitoring | Logging | Tuned SDN | DNS | Kubelet Registry Prometheus | Grafana Alertmanager Kibana | Elasticsearch Router
3 The New Platform Boundary OpenShift 4 is aware of the entire infrastructure and brings the Operating System under management AUTOMATED OPERATIONS KUBERNETES RHEL or RHEL CoreOS OpenShift & Kubernetes certificates & security settings container runtime config allowed maintenance windows software defined networking kernel modules device drivers network interfaces security groups Nodes & Operating System
OPERATING SYSTEM OPERATING SYSTEM OPENSHIFT PLATFORM OPENSHIFT PLATFORM OPENSHIFT 4 (only)OPENSHIFT 3 & 4 INFRASTRUCTURE Full-stack automated install
Red Hat Enterprise Linux CoreOS 5 Immutable foundation for OpenShift clusters Ignition-based Metal and Cloud host configuration Over-the-air automated updates Decreased attack surface Optimized for running containers Minimal Linux distribution RED HAT OPENSHIFT 4
Immutable Operating System OPENSHIFT PLATFORM Red Hat Enterprise Linux CoreOS is versioned with OpenShift CoreOS is tested and shipped in conjunction with the platform. Red Hat runs thousands of tests against these configurations. Red Hat Enterprise Linux CoreOS is managed by the cluster The Operating system is operated as part of the cluster, with the config for components managed by Machine Config Operator: ● CRI-O config ● Kubelet config ● Authorized registries ● SSH config v4.1.6 v4.1.6 RHEL CoreOS admins are responsible for: Nothing. All is installed via Operators and Container Images! There are no RPM’s anymore!
OpenShift Architecture 7 A lightweight, OCI-compliant container runtime Minimal and Secure Architecture Optimized for Kubernetes Runs any OCI-compliant image (including docker)
BROAD ECOSYSTEM OF WORKLOADS CRI-O Support in OpenShift CRI-O 1.13 Kubernetes 1.13 OpenShift 4.1 CRI-O 1.14 Kubernetes 1.14 OpenShift 4.2 CRI-O 1.12 Kubernetes 1.12 OpenShift 4.0 CRI-O tracks and versions identical to Kubernetes, simplifying support permutations
● A Kubernetes thing ● Now part of CNCF! (April 8th) ● OCI daemon ● Implements Kubelet Container Runtime Interface (CRI) CRI-O Container Host Container Container Container Kubernetes READONLY SECURITY FEATURES Run securely in a production cluster No daemon Read-only containers Enable fewer capabilities User namespaces FIPS mode support 9 OCI AND CRI-O
● Built for interfacing with Docker registry ● CLI for images and image registries ● Rejected by upstream Docker ¯_(ツ)_/¯ ● Allows remote inspection of image meta-data - no downloading ● Can copy from one storage to another SKOPEO Image Repository Image Registry Host /var/lib/containers or /var/lib/docker SECURITY FEATURES Share securely No daemon Inspect remote images No pulling potentially malicious images Non-root copy. Bridge between registries. 10 IMAGE COPY WITH SKOPEO
● @ podman.io ● Client only tool, based on the Docker CLI. (same+) ● No daemon! ● Storage for ○ Images - containers/image ○ Containers - containers/storage ● Runtime - runc ● Shares state with CRI-O and with Buildah! PODMAN Images Image Registry Containers Kernel SECURITY FEATURES Run and develop securely No daemon Run without root Isolate with user namespaces Audit who runs what 11 The new container CLI
12 ● Now buildah.io ● Builds OCI compliant images ● No daemon - no “docker socket” ● Does not require a running container ● Can use the host’s user’s secrets. ● Single layer, from scratch images are made easy and it ensures limited manifest. ● If needed you can still maintain Dockerfile based workflow Base RHEL OS Update Layer Java Runtime Layer Application Layer Java runtime and dependencies, and Application From scratch, single layer From base, multi-layer SECURITY FEATURES Build securely No daemon Shrink the attack surface Fine-grained control of the layers Run builds isolated Better secret management Why use Buildah?
13 ● Docker, Red Hat et al. June 2015 ● Two specifications ○ Image format ■ How to package an OCI Image with sufficient information to launch the application on the target platform ○ Runtime ■ How to launch a “filesystem bundle” that is unpacked on disk ● Version 1.0 of each released July 19th 2017 ● Distribution spec started in April, 2018.
14 { "ignition": { "config": {}, "timeouts": {}, "version": "2.1.0" }, "passwd": { "users": [ { "name": "core", "passwordHash": "$6$43y3tkl...", "sshAuthorizedKeys": [ "key1" ] } ] }, "storage": {}, "systemd": {} } Ignition applies a declarative node configuration early in the boot process. Unifies kickstart and cloud-init. ● Generated via openshift-install & MCO ● Configures storage, systemd units, users, & remote configs ● Executed in the initramfs One Touch provisioning via Ignition Machine generated; machine validated
15 ● RHCSA Step 1 ○ Boot into “early userspace” and change a file (/etc/shadow) ● Ignition works the same way ○ Boots into “early userspace” ○ Change disks, files based on JSON ○ Starts the machine ● Based on standard Linux startup process How Ignition works
Network configuration label linux menu label ^Install RHEL CoreOS kernel /images/vmlinuz append initrd=/images/initramfs.img nomodeset rd.neednet=1 coreos.inst=yes ip=192.168.122.9::192.168.122.1:255.255.255.0:core2.example.com:enp1s0:none nameserver=192.168.122.1 coreos.inst.install_dev=sda coreos.inst.image_url=http://192.168.122.1/rhcos.raw.gz coreos.inst.ignition_url=http://192.168.122.1/static.ign 16 ● Default: DHCP! ● Static IP via Kernel Arguments:
17 ● First-boot only ○ Provisioning tool not a CM tool ○ Pass .ign ■ to the firmware via HTTP! ■ or cloud metadata svc (i.e. AWS user-data) ● There’s a great deep dive on Ignition here Ignition Essentials If the first-boot cfg needs tweaks, re-provision the node from scratch!
Updating - Patching 18 Q: How to perform updating, patching? A: Red Hat Enterprise Linux CoreOS, or RHCOS, is intended to be consumed as an embedded version of RHEL that is purpose built-to run OpenShift v4. RHCOS isn't managed or updated outside of OpenShift. Updates are pushed to the platform and pick up OS security errata. If a customer is staying on top of OCP updates, then RHCOS will always be current. The management, and the fact that updates are not independent from the platform make RHCOS behave much closer to an appliance than a traditional OS.
Satellite 19 Q: Can we integrate with Satellite? A: RHEL CoreOS does not include subscription-manager and cannot be registered to Satellite like RHEL. Satellite can provide value in two major ways for RHEL CoreOS: ▸ Provisioning - Satellite is able to serve ignition configurations as well as serve the bits needed for a PXE install. ▸ Mirroring updates - Satellite’s registry can be used to serve the containerized content in disconnected environments.
Installation Experiences OPENSHIFT PLATFORM Full Stack Automated Simplified opinionated “Best Practices” for cluster provisioning Fully automated installation and updates including host container OS. Pre-existing Infrastructure Customer managed resources & infrastructure provisioning Plug into existing DNS and security boundaries OPENSHIFT CONTAINER PLATFORM Generally AvailableProduct Manager: Katherine Dubé HOSTED OPENSHIFT Azure Red Hat OpenShift Deploy directly from the Azure console. Jointly managed by Red Hat and Microsoft Azure engineers. OpenShift Dedicated Get a powerful cluster, fully Managed by Red Hat engineers and support.
What's new in OpenShift 4.3 4.3 Supported Providers Generally Available Full Stack Automation (IPI) Pre-existing Infrastructure (UPI) Bare Metal PMs: Katherine Dubé (AWS, Azure, GCP), Maria Bracho (BM UPI, VMware, Upgrades), Peter Lauterbach (RHV), Ramon Acedo Rodriguez (OSP, BM IPI), Mike Barrett (IBM Z & Power) * * Support planned for an upcoming 4.3 z-stream release OPENSHIFT PLATFORM *
What means OPENSHIFT PLATFORM Bare Metal ● Installation on physical hardware ;-) ● Installation on Virtual Machines WITHOUT any guest tool / cloud integration! Deploying OpenShift 4.x on non-tested platforms using the bare metal install method For example Hyper-V: Red Hat Enterprise Linux 8 Ecosystem
Full Stack Automated Deployments OPENSHIFT PLATFORM Generally AvailableProduct Manager: Katherine Dubé Day 1: openshift-install - Day 2: Operators openshift-install deployed Control Plane Worker Nodes User managed Operator managed Cloud Resources RH CoreOS OCP Cluster OCP Cluster Resources RH CoreOSRHEL CoreOS Cloud Resources RH CoreOSRH CoreOSRHEL CoreOS
Full Stack Automated Deployments OPENSHIFT PLATFORM Generally AvailableProduct Manager: Katherine Dubé Simplified Cluster Creation Designed to easily provision a “best practices” OpenShift cluster ● New CLI-based installer with interactive guided workflow that allows for customization at each step ● Installer takes care of provisioning the underlying Infrastructure significantly reducing deployment complexity ● Leverages RHEL CoreOS for all node types enabling full stack automation of installation and updates of both platform and host OS content Faster Install The installer typically finishes within 30 minutes ● Only minimal user input needed with all non-essential install config options now handled by component operator CRD’s ● 4.x provides support for AWS deployments with additional provider support planned in future releases ● See the OpenShift documentation for more details $ ./openshift-install --dir ./demo create cluster ? SSH Public Key /Users/demo/.ssh/id_rsa.pub ? Platform aws ? Region us-west-2 ? Base Domain example.com ? Cluster Name demo ? Pull Secret [? for help] ************************************************************* INFO Creating cluster... INFO Waiting up to 30m0s for the Kubernetes API... INFO API v1.11.0+c69f926354 up INFO Waiting up to 30m0s for the bootstrap-complete event... INFO Destroying the bootstrap resources... INFO Waiting up to 10m0s for the openshift-console route to be created... INFO Install complete! INFO Run 'export KUBECONFIG=<your working directory>/auth/kubeconfig' to manage the cluster with 'oc', the OpenShift CLI. INFO The cluster is ready when 'oc login -u kubeadmin -p <provided>' succeeds (wait a few minutes). INFO Access the OpenShift web-console here: https://console-openshift-console.apps.demo.example.com INFO Login to the console with user: kubeadmin, password: <provided>
Deploying to Pre-existing Infrastructure OPENSHIFT PLATFORM Generally AvailableProduct Manager: Katherine Dubé Day 1: openshift-install - Day 2: Operators + Customer Managed Infra & Workers openshift-install deployed Cloud Resources RH CoreOS OCP Cluster OCP Cluster Resources Control Plane Cloud Resources Worker Nodes Customer deployed User managed Operator managed Note: Control plane nodes must run RHEL CoreOS! RH CoreOSRHEL CoreOS RHEL 7 RHEL CoreOS
Comparison between deployments methods OPENSHIFT PLATFORM Generally AvailableProduct Manager: Katherine Dubé Full Stack Automation Pre-existing Infrastructure Build Network Installer User Setup Load Balancers Installer User Configure DNS Installer User Hardware/VM Provisioning Installer User OS Installation Installer User Generate Ignition Configs Installer Installer OS Support Installer: RHEL CoreOS User: RHEL CoreOS + RHEL 7 Node Provisioning / Autoscaling Yes Only for providers with OpenShift Machine API support Customization & Provider Support Best Practices: AWS Yes: AWS, Bare Metal, & VMware
Provider Ignition stored in? Load balancer? Registry Storage? IPI AWS, GCP, Azure S3 Cloud Provider S3 IPI OpenStack Swift KeepaliveD Swift UPI Bare Metal Own Web Server Own Nothing! NFS?* UPI VMware Own Web Server Own Nothing! NFS?* Some dirty details:
DNS Nodes ● A records ● PTR records - at every reboot RH Core OS determination hostname via PTR record! Cluster / Load Balancer ● *.apps.<CN>.<BD>. 86400 IN A <IP of load balancer> ● api.<CN>.<BD>. 86400 IN A <IP of load balancer> ● api-int.<CN>.<BD>. 86400 IN A <IP of load balancer> Etcd Cluster ● SRV Records ○ # _service._proto.name. TTL class SRV priority weight port target. ○ _etcd-server-ssl._tcp.<CN>.<BD> 86400 IN SRV 0 10 2380 etcd-0.<CN>.<BD>. ○ _etcd-server-ssl._tcp.<CN>.<BD> 86400 IN SRV 0 10 2380 etcd-1.<CN>.<BD>. ○ _etcd-server-ssl._tcp.<CN>.<BD> 86400 IN SRV 0 10 2380 etcd-2.<CN>.<BD>. ● Additional A records to the Node/Host-names ○ etcd-0.<CN>.<BD>. 86400 IN A <IP of controleplan/master node 0> ○ etcd-1.<CN>.<BD>. 86400 IN A <IP of controleplan/master node 1> ○ etcd-2.<CN>.<BD>. 86400 IN A <IP of controleplan/master node 2> Do NOT create PTR’s! <CN> = Cluster Name <BD> = Base Domain
Load Balancer & DNS overview
Load balancer & DHCP 30 Bildquelle: Timo Klostermeier / pixelio.de
Deploy to pre-existing infrastructure for AWS, Bare Metal, GCP, & VMware! OPENSHIFT PLATFORM Generally AvailableProduct Manager: Katherine Dubé Customized OpenShift Deployments Enables OpenShift to be deployed to user managed resources and pre-existing infrastructure. ● Customers are responsible for provisioning all infrastructure objects including networks, load balancers, DNS, hardware/VMs and performing host OS installation ● Deployments can be performed both on-premise and to the public cloud ● OpenShift installer handles generating cluster assets (such as node ignition configs and kubeconfig) and aids with cluster bring-up by monitoring for bootstrap-complete and cluster-ready events ● Example native provider templates (AWS CloudFormation and Google Deployment Manager) included to help with user provisioning tasks for creating infrastructure objects ● While RHEL CoreOS is mandatory for the control plane, either RHEL CoreOS or RHEL 7 can be used for the worker/infra nodes $ cat ./demo/install-config.yaml apiVersion: v1 baseDomain: example.com compute: - name: worker replicas: 0 controlPlane: name: master ... $ ./openshift-install --dir ./demo create ignition-config INFO Consuming "Install Config" from target directory $ ./openshift-install --dir ./demo wait-for bootstrap-complete INFO Waiting up to 30m0s for the Kubernetes API at https://api.demo.example.com:6443... INFO API v1.11.0+c69f926354 up INFO Waiting up to 30m0s for the bootstrap-complete event... $ ./openshift-install --dir ./demo wait-for cluster-ready INFO Waiting up to 30m0s for the cluster at https://api.demo.example.com:6443 to initialize... INFO Install complete! Pitfall ● Generates certificates that are only valid for 24 hours! ● To restart: delete the config dir “./demo” !!
Booting all machines Bootstrap Master NMaster NMaster N Master NMaster NWorker Web Server "ignition": { "config": { "append": [ { "source": "https://api-int.demo.openshift.pub:22623/config/(master|worker)", "verification": {} [...snipped...] "security": { "tls": { "certificateAuthorities": [ { "source": "data:text/plain;charset=utf-8;base64,LS0t..==", "verification": {} } [...snipped...] The Ignition is quite huge! It contains everything you need to install OpenShift 4, except the images.
Boot the cluster Bootstrap Master NMaster NMaster N Master NMaster NWorker Bootstrapping process step by step: 1. Bootstrap machine boots and starts hosting the remote resources required for master machines to boot. 2. Master machines fetch the remote resources from the bootstrap machine and finish booting. 3. Master machines use the bootstrap node to form an etcd cluster. 4. Bootstrap node starts a temporary Kubernetes control plane using the newly-created etcd cluster. 5. Temporary control plane schedules the production control plane to the master machines. 6. Temporary control plane shuts down, yielding to the production control plane. 7. Bootstrap node injects OpenShift-specific components into the newly formed control plane. 8. Installer then tears down the bootstrap node or if user-provisioned, this needs to be performed by the administrator.
label linux menu label ^Install RHEL CoreOS kernel /images/vmlinuz append initrd=/images/initramfs.img nomodeset rd.neednet=1 coreos.inst=yes ip=192.168.122.9::192.168.122.1:255.255.255.0:core2.example.com:enp1s0:none nameserver=192.168.122.1 coreos.inst.install_dev=sda coreos.inst.image_url=http://192.168.122.1/rhcos.raw.gz coreos.inst.ignition_url=http://192.168.122.1/static.ign Add a node BareMetal Machine Set
1. Boot a node with minimal ignition config: a. certificateAuthorities b. Point to MCO: https://api-int.demo.openshift.pub:22623/config/(master|worker) 2. Two CSR’s are created (sequential, approve the first then the second) 3. Someone approved CSR a. UPI: Administrator 👨🏻‍💻 - during installation auto-approve! b. IPI: Machine Operator 4. Node join the cluster 5. Node starts all pods they need to be a perfect member! (sdn, registry ca,....) Add a node
36 subscription-manager register --username=<user_name> --password=<password> subscription-manager repos --enable="rhel-7-server-rpms" --enable="rhel-7-server-extras-rpms" --enable="rhel-7-server-ose-4.2-rpms" # vi inventory/hosts ---- [all:vars] ansible_user=root #ansible_become=True openshift_kubeconfig_path="~/.kube/config" [new_workers] mycluster-worker-0.example.com mycluster-worker-1.example.com ---- ansible-playbook -i /<path>/inventory/hosts playbooks/scaleup.yml Add a node RHEL Node WIHTOUT Over the Air (OTA) Updates!
● OpenShift retrieves the list of available updates ● Admin selects the target version ● OpenShift is updated over the air ● Auto-update support Over the Air (OTA) Updates Only with Red Hat CoreOS - it doesn’t matter how (IPI vs UPI) you install the cluster!
OPENSHIFT PLATFORM Disconnected “Air-gapped” Installation & Upgrading Generally AvailableProduct Manager: Katherine Dubé Installation Procedure ● Mirror OpenShift content to local container registry in the disconnected environment ● Generate install-config.yaml: $ ./openshift-install create install-config --dir <dir> ○ Edit and add pull secret (PullSecret), CA certificate (additionalTrustBundle), and image content sources (ImageContentSources) to install-config.yaml ● Set the OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE environment variable during the creation of the ignition configs ● Generate the ignition configuration: $ ./openshift-install create ignition-configs --dir <dir> ● Use the resulting ignition files to bootstrap the cluster deployment Overview ● 4.2 introduces support for installing and updating OpenShift clusters in disconnected environments ● Requires local Docker 2.2 spec compliant container registry to host OpenShift content ● Designed to work with the user provisioned infrastructure deployment method ○ Note: Will not work with Installer provisioned infrastructure deployments Admin Local Container Registry Quay.io Container Registry # mirror update image: $ oc adm -a <secret_json> release mirror --from=quay.io/<repo>/<release:version> --to=<local registry>/<repo> --to-release-image=<local registry>/<repo:version> # provide cluster with update image to update to: $ oc adm upgrade --to-mirror=<local repo:version> Local Copy of Update Image Disconnected OpenShift Cluster Red Hat sourced Update Image Mirrored to local registry Cluster updated locally Customer Cluster
What's new in OpenShift 4.3 Simplified Mirroring of OperatorHub BROAD ECOSYSTEM OF WORKLOADS crunchy/postgres-server:9.5 strimzi/kafka-image:latest kubevirt/virt-api:1.0.1 ... Operator Catalog on quay.io 1. Mirror Operator Catalog into container image & push to disconnected registry 2. Parse referenced Operator and app images & push to disconnected registry oc adm catalog build... oc adm catalog mirror... 3. Enable mirror catalog in disconnected cluster oc apply -f ./manifests Red Hat Operators Supported in Disconnected Mode
OPENSHIFT PLATFORM Cluster-wide Egress Proxy Generally AvailableProduct Manager: Marc Curry & Katherine Dubé Overview ● 4.2 introduces support for installing and updating OpenShift clusters through a corporate proxy server ● Leverages new proxy controller within the cluster-network-operator, which is responsible for: ○ Reconciling a proxy object and writing spec > status upon successful validation. ○ Reconciling user-provided trust bundles referenced by trustedCA, validating the trust bundle certificates, merging the certificates with the system trust bundle and publishing the merged bundle to the openshift-config-managed/trusted-ca-bundle configmap. Installation Procedure ● Installer will use PROXY* environment variables from the shell it’s invoked from ● Generate install-config.yaml: $ ./openshift-install create install-config --dir <dir> ○ Edit proxy information (httpProxy, httpsProxy, & noProxy) and CA certificate (‘additionalTrustBundle’) to install-config.yaml ● Installer validates the provided install-config.yaml parameters, renders the necessary assets to create the cluster, and initiates the installation process based on the install method used: $ ./openshift-install create cluster --dir <dir> Corporate Proxy Server Proxy Connected OpenShift Cluster Customer Cluster Internet Quay.io Container Registry Backend Services $ oc get proxy/cluster -o yaml apiVersion: config.openshift.io/v1 kind: Proxy metadata: creationTimestamp: "2019-08-21T22:36:49Z" generation: 2 name: cluster resourceVersion: "24913" selfLink: /apis/config.openshift.io/v1/proxies/cluster uid: 2a344b01-d267-11f9-a4f3-025de4b59c38 spec: httpProxy: http://<username>:<pswd>@<ip>:<port> httpsProxy: https://<username>:<pswd>@<ip>:<port> noProxy: example.com readinessEndpoints: - http://www.google.com - https://www.google.com trustedCA: name: user-ca-bundle status: httpProxy: http://<username>:<pswd>@<ip>:<port> httpsProxy: https://<username>:<pswd>@<ip>:<port> noProxy: 10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30 .0.0/16,api-int.demo.example.com,api.demo.example.openshif t.com,etcd-0.demo.example.com,etcd-1.demo.example.com,etcd -2.demo.example.com,example.com,localhost An admin with privileges can interact with the proxy object using ‘oc’ commands (use the ‘oc edit’ command to modify the proxy information.) Here is an example proxy config:
CONFIDENTIAL Designator Robert Bohne Twitter: @RobertBohne Thanks

Empfohlen

Red Hat OpenShift Container Platform Overview
Red Hat OpenShift Container Platform OverviewRed Hat OpenShift Container Platform Overview
Red Hat OpenShift Container Platform Overview
James Falkner
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep dive
Winton Winton
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platform
Kangaroot
 
OpenShift Introduction
OpenShift IntroductionOpenShift Introduction
OpenShift Introduction
Red Hat Developers
 
Containers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red HatContainers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red Hat
Amazon Web Services
 
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftKubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
DevOps.com
 
OpenShift Overview
OpenShift OverviewOpenShift Overview
OpenShift Overview
roundman
 
Openshift Container Platform
Openshift Container PlatformOpenshift Container Platform
Openshift Container Platform
DLT Solutions
 

Empfohlen

Red Hat OpenShift Container Platform Overview
Red Hat OpenShift Container Platform OverviewRed Hat OpenShift Container Platform Overview
Red Hat OpenShift Container Platform Overview
James Falkner
 
Open shift 4 infra deep dive
Open shift 4 infra deep diveOpen shift 4 infra deep dive
Open shift 4 infra deep dive
Winton Winton
 
OpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platformOpenShift 4, the smarter Kubernetes platform
OpenShift 4, the smarter Kubernetes platform
Kangaroot
 
OpenShift Introduction
OpenShift IntroductionOpenShift Introduction
OpenShift Introduction
Red Hat Developers
 
Containers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red HatContainers Anywhere with OpenShift by Red Hat
Containers Anywhere with OpenShift by Red Hat
Amazon Web Services
 
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShiftKubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
Kubernetes 101 - an Introduction to Containers, Kubernetes, and OpenShift
DevOps.com
 
OpenShift Overview
OpenShift OverviewOpenShift Overview
OpenShift Overview
roundman
 
Openshift Container Platform
Openshift Container PlatformOpenshift Container Platform
Openshift Container Platform
DLT Solutions
 
OpenShift-Technical-Overview.pdf
OpenShift-Technical-Overview.pdfOpenShift-Technical-Overview.pdf
OpenShift-Technical-Overview.pdf
JuanSalinas593459
 
Introduction to Red Hat OpenShift 4
Introduction to Red Hat OpenShift 4Introduction to Red Hat OpenShift 4
Introduction to Red Hat OpenShift 4
HngNguyn748044
 
Introduction to openshift
Introduction to openshiftIntroduction to openshift
Introduction to openshift
MamathaBusi
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
Eueung Mulyana
 
Deploy Application on Kubernetes
Deploy Application on KubernetesDeploy Application on Kubernetes
Deploy Application on Kubernetes
Opsta
 
Red Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized StorageRed Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized Storage
Greg Hoelzer
 
Introduction to Helm
Introduction to HelmIntroduction to Helm
Introduction to Helm
Harshal Shah
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
Bob Killen
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Peng Xiao
 
Red Hat OpenShift Operators - Operators ABC
Red Hat OpenShift Operators - Operators ABCRed Hat OpenShift Operators - Operators ABC
Red Hat OpenShift Operators - Operators ABC
Robert Bohne
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes way
sparkfabrik
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
Crevise Technologies
 
Free GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsFree GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOps
Weaveworks
 
Kubernetes architecture
Kubernetes architectureKubernetes architecture
Kubernetes architecture
Janakiram MSV
 
OpenShift Enterprise
OpenShift EnterpriseOpenShift Enterprise
OpenShift Enterprise
Ali Sadeghi Ardestani
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Edureka!
 
Red Hat multi-cluster management & what's new in OpenShift
Red Hat multi-cluster management & what's new in OpenShiftRed Hat multi-cluster management & what's new in OpenShift
Red Hat multi-cluster management & what's new in OpenShift
Kangaroot
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
EastBanc Tachnologies
 
GitOps with ArgoCD
GitOps with ArgoCDGitOps with ArgoCD
GitOps with ArgoCD
CloudOps2005
 
Red Hat Container Strategy
Red Hat Container StrategyRed Hat Container Strategy
Red Hat Container Strategy
Red Hat Events
 
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdfOpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
ssuser9e06a61
 
OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4
OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4
OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4
Robert Bohne
 

Weitere ähnliche Inhalte

Was ist angesagt?

Free GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsFree GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOps
Weaveworks
 

Was ist angesagt? (20)

OpenShift-Technical-Overview.pdf
OpenShift-Technical-Overview.pdfOpenShift-Technical-Overview.pdf
OpenShift-Technical-Overview.pdf
 
Introduction to Red Hat OpenShift 4
Introduction to Red Hat OpenShift 4Introduction to Red Hat OpenShift 4
Introduction to Red Hat OpenShift 4
 
Introduction to openshift
Introduction to openshiftIntroduction to openshift
Introduction to openshift
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
 
Deploy Application on Kubernetes
Deploy Application on KubernetesDeploy Application on Kubernetes
Deploy Application on Kubernetes
 
Red Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized StorageRed Hat OpenShift on Bare Metal and Containerized Storage
Red Hat OpenShift on Bare Metal and Containerized Storage
 
Introduction to Helm
Introduction to HelmIntroduction to Helm
Introduction to Helm
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
Red Hat OpenShift Operators - Operators ABC
Red Hat OpenShift Operators - Operators ABCRed Hat OpenShift Operators - Operators ABC
Red Hat OpenShift Operators - Operators ABC
 
Gitops: the kubernetes way
Gitops: the kubernetes wayGitops: the kubernetes way
Gitops: the kubernetes way
 
Kubernetes 101
Kubernetes 101Kubernetes 101
Kubernetes 101
 
Free GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOpsFree GitOps Workshop + Intro to Kubernetes & GitOps
Free GitOps Workshop + Intro to Kubernetes & GitOps
 
Kubernetes architecture
Kubernetes architectureKubernetes architecture
Kubernetes architecture
 
OpenShift Enterprise
OpenShift EnterpriseOpenShift Enterprise
OpenShift Enterprise
 
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
Kubernetes Architecture | Understanding Kubernetes Components | Kubernetes Tu...
 
Red Hat multi-cluster management & what's new in OpenShift
Red Hat multi-cluster management & what's new in OpenShiftRed Hat multi-cluster management & what's new in OpenShift
Red Hat multi-cluster management & what's new in OpenShift
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
 
GitOps with ArgoCD
GitOps with ArgoCDGitOps with ArgoCD
GitOps with ArgoCD
 
Red Hat Container Strategy
Red Hat Container StrategyRed Hat Container Strategy
Red Hat Container Strategy
 

Ähnlich wie OpenShift 4 installation

What_s_New_in_OpenShift_Container_Platform_4.6.pdf
What_s_New_in_OpenShift_Container_Platform_4.6.pdfWhat_s_New_in_OpenShift_Container_Platform_4.6.pdf
What_s_New_in_OpenShift_Container_Platform_4.6.pdf
chalermpany
 

Ähnlich wie OpenShift 4 installation (20)

OpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdfOpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
OpenShift_Installation_Deep_Dive_Robert_Bohne.pdf
 
OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4
OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4
OpenShift Meetup 8th july 2019 at ConSol - OpenShift v4
 
What_s_New_in_OpenShift_Container_Platform_4.6.pdf
What_s_New_in_OpenShift_Container_Platform_4.6.pdfWhat_s_New_in_OpenShift_Container_Platform_4.6.pdf
What_s_New_in_OpenShift_Container_Platform_4.6.pdf
 
AWS Summit Singapore 2019 | Latest Trends for Cloud-Native Application Develo...
AWS Summit Singapore 2019 | Latest Trends for Cloud-Native Application Develo...AWS Summit Singapore 2019 | Latest Trends for Cloud-Native Application Develo...
AWS Summit Singapore 2019 | Latest Trends for Cloud-Native Application Develo...
 
Open shift 4-update
Open shift 4-updateOpen shift 4-update
Open shift 4-update
 
Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015
 
Red Hat Forum Benelux 2015
Red Hat Forum Benelux 2015Red Hat Forum Benelux 2015
Red Hat Forum Benelux 2015
 
Building stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with RookBuilding stateful applications on Kubernetes with Rook
Building stateful applications on Kubernetes with Rook
 
Meetup Openshift Geneva 03/10
Meetup Openshift Geneva 03/10Meetup Openshift Geneva 03/10
Meetup Openshift Geneva 03/10
 
Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment
 
Red Hat and kubernetes: awesome stuff coming your way
Red Hat and kubernetes: awesome stuff coming your wayRed Hat and kubernetes: awesome stuff coming your way
Red Hat and kubernetes: awesome stuff coming your way
 
HPC on OpenStack
HPC on OpenStackHPC on OpenStack
HPC on OpenStack
 
OpenShift Container Platform 4.12 Release Notes
OpenShift Container Platform 4.12 Release NotesOpenShift Container Platform 4.12 Release Notes
OpenShift Container Platform 4.12 Release Notes
 
Openshift 3.10 & Container solutions for Blockchain, IoT and Data Science
Openshift 3.10 & Container solutions for Blockchain, IoT and Data ScienceOpenshift 3.10 & Container solutions for Blockchain, IoT and Data Science
Openshift 3.10 & Container solutions for Blockchain, IoT and Data Science
 
DR_PRESENT 1
DR_PRESENT 1DR_PRESENT 1
DR_PRESENT 1
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Learn OpenStack from trystack.cn
Learn OpenStack from trystack.cnLearn OpenStack from trystack.cn
Learn OpenStack from trystack.cn
 
Introduction to Docker
Introduction to DockerIntroduction to Docker
Introduction to Docker
 
Coscup2018 itri android-in-cloud
Coscup2018 itri android-in-cloudCoscup2018 itri android-in-cloud
Coscup2018 itri android-in-cloud
 
Build Your Own PaaS, Just like Red Hat's OpenShift from LinuxCon 2013 New Orl...
Build Your Own PaaS, Just like Red Hat's OpenShift from LinuxCon 2013 New Orl...Build Your Own PaaS, Just like Red Hat's OpenShift from LinuxCon 2013 New Orl...
Build Your Own PaaS, Just like Red Hat's OpenShift from LinuxCon 2013 New Orl...
 

Kürzlich hochgeladen

TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
mohitmore19
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Nitya salvi
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
VictorSzoltysek
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 

Kürzlich hochgeladen (20)

Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
Chinsurah Escorts ☎️8617697112 Starting From 5K to 15K High Profile Escorts ...
 
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM TechniquesAI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 

OpenShift 4 installation

  • 1. Red Hat OpenShift 4 - Installation Robert Bohne SR. SPECIALIST SOLUTION ARCHITECT | OPENSHIFT Twitter: @RobertBohne 1
  • 2. OPENSHIFT CONTAINER PLATFORM | Architectural Overview 2 EXISTING AUTOMATION TOOLSETS SCM (GIT) CI/CD WORKERMASTER Red Hat® OpenShift® services STORAGE Kubernetes services Monitoring | Logging | Tuned SDN | DNS | Kubelet Infrastructure services etcd NETWORKCOMPUTE Registry Prometheus | Grafana Alertmanager Kibana | Elasticsearch Router Developers Admins WORKER Monitoring | Logging | Tuned SDN | DNS | Kubelet Registry Prometheus | Grafana Alertmanager Kibana | Elasticsearch Router
  • 3. 3 The New Platform Boundary OpenShift 4 is aware of the entire infrastructure and brings the Operating System under management AUTOMATED OPERATIONS KUBERNETES RHEL or RHEL CoreOS OpenShift & Kubernetes certificates & security settings container runtime config allowed maintenance windows software defined networking kernel modules device drivers network interfaces security groups Nodes & Operating System
  • 4. OPERATING SYSTEM OPERATING SYSTEM OPENSHIFT PLATFORM OPENSHIFT PLATFORM OPENSHIFT 4 (only)OPENSHIFT 3 & 4 INFRASTRUCTURE Full-stack automated install
  • 5. Red Hat Enterprise Linux CoreOS 5 Immutable foundation for OpenShift clusters Ignition-based Metal and Cloud host configuration Over-the-air automated updates Decreased attack surface Optimized for running containers Minimal Linux distribution RED HAT OPENSHIFT 4
  • 6. Immutable Operating System OPENSHIFT PLATFORM Red Hat Enterprise Linux CoreOS is versioned with OpenShift CoreOS is tested and shipped in conjunction with the platform. Red Hat runs thousands of tests against these configurations. Red Hat Enterprise Linux CoreOS is managed by the cluster The Operating system is operated as part of the cluster, with the config for components managed by Machine Config Operator: ● CRI-O config ● Kubelet config ● Authorized registries ● SSH config v4.1.6 v4.1.6 RHEL CoreOS admins are responsible for: Nothing. All is installed via Operators and Container Images! There are no RPM’s anymore!
  • 7. OpenShift Architecture 7 A lightweight, OCI-compliant container runtime Minimal and Secure Architecture Optimized for Kubernetes Runs any OCI-compliant image (including docker)
  • 8. BROAD ECOSYSTEM OF WORKLOADS CRI-O Support in OpenShift CRI-O 1.13 Kubernetes 1.13 OpenShift 4.1 CRI-O 1.14 Kubernetes 1.14 OpenShift 4.2 CRI-O 1.12 Kubernetes 1.12 OpenShift 4.0 CRI-O tracks and versions identical to Kubernetes, simplifying support permutations
  • 9. ● A Kubernetes thing ● Now part of CNCF! (April 8th) ● OCI daemon ● Implements Kubelet Container Runtime Interface (CRI) CRI-O Container Host Container Container Container Kubernetes READONLY SECURITY FEATURES Run securely in a production cluster No daemon Read-only containers Enable fewer capabilities User namespaces FIPS mode support 9 OCI AND CRI-O
  • 10. ● Built for interfacing with Docker registry ● CLI for images and image registries ● Rejected by upstream Docker ¯_(ツ)_/¯ ● Allows remote inspection of image meta-data - no downloading ● Can copy from one storage to another SKOPEO Image Repository Image Registry Host /var/lib/containers or /var/lib/docker SECURITY FEATURES Share securely No daemon Inspect remote images No pulling potentially malicious images Non-root copy. Bridge between registries. 10 IMAGE COPY WITH SKOPEO
  • 11. ● @ podman.io ● Client only tool, based on the Docker CLI. (same+) ● No daemon! ● Storage for ○ Images - containers/image ○ Containers - containers/storage ● Runtime - runc ● Shares state with CRI-O and with Buildah! PODMAN Images Image Registry Containers Kernel SECURITY FEATURES Run and develop securely No daemon Run without root Isolate with user namespaces Audit who runs what 11 The new container CLI
  • 12. 12 ● Now buildah.io ● Builds OCI compliant images ● No daemon - no “docker socket” ● Does not require a running container ● Can use the host’s user’s secrets. ● Single layer, from scratch images are made easy and it ensures limited manifest. ● If needed you can still maintain Dockerfile based workflow Base RHEL OS Update Layer Java Runtime Layer Application Layer Java runtime and dependencies, and Application From scratch, single layer From base, multi-layer SECURITY FEATURES Build securely No daemon Shrink the attack surface Fine-grained control of the layers Run builds isolated Better secret management Why use Buildah?
  • 13. 13 ● Docker, Red Hat et al. June 2015 ● Two specifications ○ Image format ■ How to package an OCI Image with sufficient information to launch the application on the target platform ○ Runtime ■ How to launch a “filesystem bundle” that is unpacked on disk ● Version 1.0 of each released July 19th 2017 ● Distribution spec started in April, 2018.
  • 14. 14 { "ignition": { "config": {}, "timeouts": {}, "version": "2.1.0" }, "passwd": { "users": [ { "name": "core", "passwordHash": "$6$43y3tkl...", "sshAuthorizedKeys": [ "key1" ] } ] }, "storage": {}, "systemd": {} } Ignition applies a declarative node configuration early in the boot process. Unifies kickstart and cloud-init. ● Generated via openshift-install & MCO ● Configures storage, systemd units, users, & remote configs ● Executed in the initramfs One Touch provisioning via Ignition Machine generated; machine validated
  • 15. 15 ● RHCSA Step 1 ○ Boot into “early userspace” and change a file (/etc/shadow) ● Ignition works the same way ○ Boots into “early userspace” ○ Change disks, files based on JSON ○ Starts the machine ● Based on standard Linux startup process How Ignition works
  • 16. Network configuration label linux menu label ^Install RHEL CoreOS kernel /images/vmlinuz append initrd=/images/initramfs.img nomodeset rd.neednet=1 coreos.inst=yes ip=192.168.122.9::192.168.122.1:255.255.255.0:core2.example.com:enp1s0:none nameserver=192.168.122.1 coreos.inst.install_dev=sda coreos.inst.image_url=http://192.168.122.1/rhcos.raw.gz coreos.inst.ignition_url=http://192.168.122.1/static.ign 16 ● Default: DHCP! ● Static IP via Kernel Arguments:
  • 17. 17 ● First-boot only ○ Provisioning tool not a CM tool ○ Pass .ign ■ to the firmware via HTTP! ■ or cloud metadata svc (i.e. AWS user-data) ● There’s a great deep dive on Ignition here Ignition Essentials If the first-boot cfg needs tweaks, re-provision the node from scratch!
  • 18. Updating - Patching 18 Q: How to perform updating, patching? A: Red Hat Enterprise Linux CoreOS, or RHCOS, is intended to be consumed as an embedded version of RHEL that is purpose built-to run OpenShift v4. RHCOS isn't managed or updated outside of OpenShift. Updates are pushed to the platform and pick up OS security errata. If a customer is staying on top of OCP updates, then RHCOS will always be current. The management, and the fact that updates are not independent from the platform make RHCOS behave much closer to an appliance than a traditional OS.
  • 19. Satellite 19 Q: Can we integrate with Satellite? A: RHEL CoreOS does not include subscription-manager and cannot be registered to Satellite like RHEL. Satellite can provide value in two major ways for RHEL CoreOS: ▸ Provisioning - Satellite is able to serve ignition configurations as well as serve the bits needed for a PXE install. ▸ Mirroring updates - Satellite’s registry can be used to serve the containerized content in disconnected environments.
  • 20. Installation Experiences OPENSHIFT PLATFORM Full Stack Automated Simplified opinionated “Best Practices” for cluster provisioning Fully automated installation and updates including host container OS. Pre-existing Infrastructure Customer managed resources & infrastructure provisioning Plug into existing DNS and security boundaries OPENSHIFT CONTAINER PLATFORM Generally AvailableProduct Manager: Katherine Dubé HOSTED OPENSHIFT Azure Red Hat OpenShift Deploy directly from the Azure console. Jointly managed by Red Hat and Microsoft Azure engineers. OpenShift Dedicated Get a powerful cluster, fully Managed by Red Hat engineers and support.
  • 21. What's new in OpenShift 4.3 4.3 Supported Providers Generally Available Full Stack Automation (IPI) Pre-existing Infrastructure (UPI) Bare Metal PMs: Katherine Dubé (AWS, Azure, GCP), Maria Bracho (BM UPI, VMware, Upgrades), Peter Lauterbach (RHV), Ramon Acedo Rodriguez (OSP, BM IPI), Mike Barrett (IBM Z & Power) * * Support planned for an upcoming 4.3 z-stream release OPENSHIFT PLATFORM *
  • 22. What means OPENSHIFT PLATFORM Bare Metal ● Installation on physical hardware ;-) ● Installation on Virtual Machines WITHOUT any guest tool / cloud integration! Deploying OpenShift 4.x on non-tested platforms using the bare metal install method For example Hyper-V: Red Hat Enterprise Linux 8 Ecosystem
  • 23. Full Stack Automated Deployments OPENSHIFT PLATFORM Generally AvailableProduct Manager: Katherine Dubé Day 1: openshift-install - Day 2: Operators openshift-install deployed Control Plane Worker Nodes User managed Operator managed Cloud Resources RH CoreOS OCP Cluster OCP Cluster Resources RH CoreOSRHEL CoreOS Cloud Resources RH CoreOSRH CoreOSRHEL CoreOS
  • 24. Full Stack Automated Deployments OPENSHIFT PLATFORM Generally AvailableProduct Manager: Katherine Dubé Simplified Cluster Creation Designed to easily provision a “best practices” OpenShift cluster ● New CLI-based installer with interactive guided workflow that allows for customization at each step ● Installer takes care of provisioning the underlying Infrastructure significantly reducing deployment complexity ● Leverages RHEL CoreOS for all node types enabling full stack automation of installation and updates of both platform and host OS content Faster Install The installer typically finishes within 30 minutes ● Only minimal user input needed with all non-essential install config options now handled by component operator CRD’s ● 4.x provides support for AWS deployments with additional provider support planned in future releases ● See the OpenShift documentation for more details $ ./openshift-install --dir ./demo create cluster ? SSH Public Key /Users/demo/.ssh/id_rsa.pub ? Platform aws ? Region us-west-2 ? Base Domain example.com ? Cluster Name demo ? Pull Secret [? for help] ************************************************************* INFO Creating cluster... INFO Waiting up to 30m0s for the Kubernetes API... INFO API v1.11.0+c69f926354 up INFO Waiting up to 30m0s for the bootstrap-complete event... INFO Destroying the bootstrap resources... INFO Waiting up to 10m0s for the openshift-console route to be created... INFO Install complete! INFO Run 'export KUBECONFIG=<your working directory>/auth/kubeconfig' to manage the cluster with 'oc', the OpenShift CLI. INFO The cluster is ready when 'oc login -u kubeadmin -p <provided>' succeeds (wait a few minutes). INFO Access the OpenShift web-console here: https://console-openshift-console.apps.demo.example.com INFO Login to the console with user: kubeadmin, password: <provided>
  • 25. Deploying to Pre-existing Infrastructure OPENSHIFT PLATFORM Generally AvailableProduct Manager: Katherine Dubé Day 1: openshift-install - Day 2: Operators + Customer Managed Infra & Workers openshift-install deployed Cloud Resources RH CoreOS OCP Cluster OCP Cluster Resources Control Plane Cloud Resources Worker Nodes Customer deployed User managed Operator managed Note: Control plane nodes must run RHEL CoreOS! RH CoreOSRHEL CoreOS RHEL 7 RHEL CoreOS
  • 26. Comparison between deployments methods OPENSHIFT PLATFORM Generally AvailableProduct Manager: Katherine Dubé Full Stack Automation Pre-existing Infrastructure Build Network Installer User Setup Load Balancers Installer User Configure DNS Installer User Hardware/VM Provisioning Installer User OS Installation Installer User Generate Ignition Configs Installer Installer OS Support Installer: RHEL CoreOS User: RHEL CoreOS + RHEL 7 Node Provisioning / Autoscaling Yes Only for providers with OpenShift Machine API support Customization & Provider Support Best Practices: AWS Yes: AWS, Bare Metal, & VMware
  • 27. Provider Ignition stored in? Load balancer? Registry Storage? IPI AWS, GCP, Azure S3 Cloud Provider S3 IPI OpenStack Swift KeepaliveD Swift UPI Bare Metal Own Web Server Own Nothing! NFS?* UPI VMware Own Web Server Own Nothing! NFS?* Some dirty details:
  • 28. DNS Nodes ● A records ● PTR records - at every reboot RH Core OS determination hostname via PTR record! Cluster / Load Balancer ● *.apps.<CN>.<BD>. 86400 IN A <IP of load balancer> ● api.<CN>.<BD>. 86400 IN A <IP of load balancer> ● api-int.<CN>.<BD>. 86400 IN A <IP of load balancer> Etcd Cluster ● SRV Records ○ # _service._proto.name. TTL class SRV priority weight port target. ○ _etcd-server-ssl._tcp.<CN>.<BD> 86400 IN SRV 0 10 2380 etcd-0.<CN>.<BD>. ○ _etcd-server-ssl._tcp.<CN>.<BD> 86400 IN SRV 0 10 2380 etcd-1.<CN>.<BD>. ○ _etcd-server-ssl._tcp.<CN>.<BD> 86400 IN SRV 0 10 2380 etcd-2.<CN>.<BD>. ● Additional A records to the Node/Host-names ○ etcd-0.<CN>.<BD>. 86400 IN A <IP of controleplan/master node 0> ○ etcd-1.<CN>.<BD>. 86400 IN A <IP of controleplan/master node 1> ○ etcd-2.<CN>.<BD>. 86400 IN A <IP of controleplan/master node 2> Do NOT create PTR’s! <CN> = Cluster Name <BD> = Base Domain
  • 29. Load Balancer & DNS overview
  • 30. Load balancer & DHCP 30 Bildquelle: Timo Klostermeier / pixelio.de
  • 31. Deploy to pre-existing infrastructure for AWS, Bare Metal, GCP, & VMware! OPENSHIFT PLATFORM Generally AvailableProduct Manager: Katherine Dubé Customized OpenShift Deployments Enables OpenShift to be deployed to user managed resources and pre-existing infrastructure. ● Customers are responsible for provisioning all infrastructure objects including networks, load balancers, DNS, hardware/VMs and performing host OS installation ● Deployments can be performed both on-premise and to the public cloud ● OpenShift installer handles generating cluster assets (such as node ignition configs and kubeconfig) and aids with cluster bring-up by monitoring for bootstrap-complete and cluster-ready events ● Example native provider templates (AWS CloudFormation and Google Deployment Manager) included to help with user provisioning tasks for creating infrastructure objects ● While RHEL CoreOS is mandatory for the control plane, either RHEL CoreOS or RHEL 7 can be used for the worker/infra nodes $ cat ./demo/install-config.yaml apiVersion: v1 baseDomain: example.com compute: - name: worker replicas: 0 controlPlane: name: master ... $ ./openshift-install --dir ./demo create ignition-config INFO Consuming "Install Config" from target directory $ ./openshift-install --dir ./demo wait-for bootstrap-complete INFO Waiting up to 30m0s for the Kubernetes API at https://api.demo.example.com:6443... INFO API v1.11.0+c69f926354 up INFO Waiting up to 30m0s for the bootstrap-complete event... $ ./openshift-install --dir ./demo wait-for cluster-ready INFO Waiting up to 30m0s for the cluster at https://api.demo.example.com:6443 to initialize... INFO Install complete! Pitfall ● Generates certificates that are only valid for 24 hours! ● To restart: delete the config dir “./demo” !!
  • 32. Booting all machines Bootstrap Master NMaster NMaster N Master NMaster NWorker Web Server "ignition": { "config": { "append": [ { "source": "https://api-int.demo.openshift.pub:22623/config/(master|worker)", "verification": {} [...snipped...] "security": { "tls": { "certificateAuthorities": [ { "source": "data:text/plain;charset=utf-8;base64,LS0t..==", "verification": {} } [...snipped...] The Ignition is quite huge! It contains everything you need to install OpenShift 4, except the images.
  • 33. Boot the cluster Bootstrap Master NMaster NMaster N Master NMaster NWorker Bootstrapping process step by step: 1. Bootstrap machine boots and starts hosting the remote resources required for master machines to boot. 2. Master machines fetch the remote resources from the bootstrap machine and finish booting. 3. Master machines use the bootstrap node to form an etcd cluster. 4. Bootstrap node starts a temporary Kubernetes control plane using the newly-created etcd cluster. 5. Temporary control plane schedules the production control plane to the master machines. 6. Temporary control plane shuts down, yielding to the production control plane. 7. Bootstrap node injects OpenShift-specific components into the newly formed control plane. 8. Installer then tears down the bootstrap node or if user-provisioned, this needs to be performed by the administrator.
  • 34. label linux menu label ^Install RHEL CoreOS kernel /images/vmlinuz append initrd=/images/initramfs.img nomodeset rd.neednet=1 coreos.inst=yes ip=192.168.122.9::192.168.122.1:255.255.255.0:core2.example.com:enp1s0:none nameserver=192.168.122.1 coreos.inst.install_dev=sda coreos.inst.image_url=http://192.168.122.1/rhcos.raw.gz coreos.inst.ignition_url=http://192.168.122.1/static.ign Add a node BareMetal Machine Set
  • 35. 1. Boot a node with minimal ignition config: a. certificateAuthorities b. Point to MCO: https://api-int.demo.openshift.pub:22623/config/(master|worker) 2. Two CSR’s are created (sequential, approve the first then the second) 3. Someone approved CSR a. UPI: Administrator 👨🏻‍💻 - during installation auto-approve! b. IPI: Machine Operator 4. Node join the cluster 5. Node starts all pods they need to be a perfect member! (sdn, registry ca,....) Add a node
  • 36. 36 subscription-manager register --username=<user_name> --password=<password> subscription-manager repos --enable="rhel-7-server-rpms" --enable="rhel-7-server-extras-rpms" --enable="rhel-7-server-ose-4.2-rpms" # vi inventory/hosts ---- [all:vars] ansible_user=root #ansible_become=True openshift_kubeconfig_path="~/.kube/config" [new_workers] mycluster-worker-0.example.com mycluster-worker-1.example.com ---- ansible-playbook -i /<path>/inventory/hosts playbooks/scaleup.yml Add a node RHEL Node WIHTOUT Over the Air (OTA) Updates!
  • 37. ● OpenShift retrieves the list of available updates ● Admin selects the target version ● OpenShift is updated over the air ● Auto-update support Over the Air (OTA) Updates Only with Red Hat CoreOS - it doesn’t matter how (IPI vs UPI) you install the cluster!
  • 38. OPENSHIFT PLATFORM Disconnected “Air-gapped” Installation & Upgrading Generally AvailableProduct Manager: Katherine Dubé Installation Procedure ● Mirror OpenShift content to local container registry in the disconnected environment ● Generate install-config.yaml: $ ./openshift-install create install-config --dir <dir> ○ Edit and add pull secret (PullSecret), CA certificate (additionalTrustBundle), and image content sources (ImageContentSources) to install-config.yaml ● Set the OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE environment variable during the creation of the ignition configs ● Generate the ignition configuration: $ ./openshift-install create ignition-configs --dir <dir> ● Use the resulting ignition files to bootstrap the cluster deployment Overview ● 4.2 introduces support for installing and updating OpenShift clusters in disconnected environments ● Requires local Docker 2.2 spec compliant container registry to host OpenShift content ● Designed to work with the user provisioned infrastructure deployment method ○ Note: Will not work with Installer provisioned infrastructure deployments Admin Local Container Registry Quay.io Container Registry # mirror update image: $ oc adm -a <secret_json> release mirror --from=quay.io/<repo>/<release:version> --to=<local registry>/<repo> --to-release-image=<local registry>/<repo:version> # provide cluster with update image to update to: $ oc adm upgrade --to-mirror=<local repo:version> Local Copy of Update Image Disconnected OpenShift Cluster Red Hat sourced Update Image Mirrored to local registry Cluster updated locally Customer Cluster
  • 39. What's new in OpenShift 4.3 Simplified Mirroring of OperatorHub BROAD ECOSYSTEM OF WORKLOADS crunchy/postgres-server:9.5 strimzi/kafka-image:latest kubevirt/virt-api:1.0.1 ... Operator Catalog on quay.io 1. Mirror Operator Catalog into container image & push to disconnected registry 2. Parse referenced Operator and app images & push to disconnected registry oc adm catalog build... oc adm catalog mirror... 3. Enable mirror catalog in disconnected cluster oc apply -f ./manifests Red Hat Operators Supported in Disconnected Mode
  • 40. OPENSHIFT PLATFORM Cluster-wide Egress Proxy Generally AvailableProduct Manager: Marc Curry & Katherine Dubé Overview ● 4.2 introduces support for installing and updating OpenShift clusters through a corporate proxy server ● Leverages new proxy controller within the cluster-network-operator, which is responsible for: ○ Reconciling a proxy object and writing spec > status upon successful validation. ○ Reconciling user-provided trust bundles referenced by trustedCA, validating the trust bundle certificates, merging the certificates with the system trust bundle and publishing the merged bundle to the openshift-config-managed/trusted-ca-bundle configmap. Installation Procedure ● Installer will use PROXY* environment variables from the shell it’s invoked from ● Generate install-config.yaml: $ ./openshift-install create install-config --dir <dir> ○ Edit proxy information (httpProxy, httpsProxy, & noProxy) and CA certificate (‘additionalTrustBundle’) to install-config.yaml ● Installer validates the provided install-config.yaml parameters, renders the necessary assets to create the cluster, and initiates the installation process based on the install method used: $ ./openshift-install create cluster --dir <dir> Corporate Proxy Server Proxy Connected OpenShift Cluster Customer Cluster Internet Quay.io Container Registry Backend Services $ oc get proxy/cluster -o yaml apiVersion: config.openshift.io/v1 kind: Proxy metadata: creationTimestamp: "2019-08-21T22:36:49Z" generation: 2 name: cluster resourceVersion: "24913" selfLink: /apis/config.openshift.io/v1/proxies/cluster uid: 2a344b01-d267-11f9-a4f3-025de4b59c38 spec: httpProxy: http://<username>:<pswd>@<ip>:<port> httpsProxy: https://<username>:<pswd>@<ip>:<port> noProxy: example.com readinessEndpoints: - http://www.google.com - https://www.google.com trustedCA: name: user-ca-bundle status: httpProxy: http://<username>:<pswd>@<ip>:<port> httpsProxy: https://<username>:<pswd>@<ip>:<port> noProxy: 10.0.0.0/16,10.128.0.0/14,127.0.0.1,169.254.169.254,172.30 .0.0/16,api-int.demo.example.com,api.demo.example.openshif t.com,etcd-0.demo.example.com,etcd-1.demo.example.com,etcd -2.demo.example.com,example.com,localhost An admin with privileges can interact with the proxy object using ‘oc’ commands (use the ‘oc edit’ command to modify the proxy information.) Here is an example proxy config: