阿里云上准备三台机器

master hostname: master.openshift.yqb.com ip address: 10.25.158.97
node1 hostname: node1.openshift.yqb.com ip address: 10.25.91.65
node2 hostname: node2.openshift.yqb.com ip address: 10.25.199.113

1、在所有机器上关闭firewalld
close firewalld
systemctl stop firewalld
systemctl disable firewalld
2、在所有机器上安装基础的包
install base
yum install -y wget git net-tools bind-utils iptables-services bridge-utils bash-completion curl vim openssl
3、在master机器上安装dns服务,如果使用已经有的可以忽略
install dns
yum install -y bind
vim /etc/named.conf;修改两行:
allow-query { 0.0.0.0/0; };
listen-on port 53 { any; };
并添加dns转发
如下:
/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
/*listen-on port 53 { 127.0.0.1; };*/
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 0.0.0.0/0; };
/*allow-query { localhost; };*/
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
forwarders{
10.143.22.116;
10.143.22.118;
};
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
vim /etc/named.rfc1912.zones ;添加如下内容
/etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
type master;
file "named.loopback";
allow-update { none; };
};
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "openshift.yqb.com" IN {
type master;
allow-update { none; };
};
zone "25.10.in-addr.arpa" IN {
type master;
file "10.25.arpa";
allow-update { none; };
};
vim /var/named/named.openshift.yqb.com;添加文件
/var/named/named.openshift.yqb.com
$TTL 1D
@ IN SOA openshift.yqb.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS @
A 10.25.158.97
master IN A 10.25.158.97
node1 IN A 10.25.91.65
node2 IN A 10.25.199.113
vim /var/named/10.25.arpa ;添加文件
/var/named/10.25.arpa
$TTL 1D
@ IN SOA openshift.yqb.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
AAAA ::1
158.97 PTR 10.25.158.97.openshift.yqb.com.
91.65 PTR 10.25.91.65.openshift.yqb.com.
199.113 PTR 10.25.199.113.openshift.yqb.com.


启动服务:

start named
systemctl enable named
systemctl start named
systemctl status named
将10.25.158.97 添加到所有机器的 /etc/resolv.conf,并注释掉其它nameserver
/etc/resolv.conf
nameserver 10.25.158.97
#nameserver 10.143.22.116
#nameserver 10.143.22.118
options timeout:2 attempts:3 rotate single-request-reopen
4、安装Openshift基础包
install openshift base
yum install -y docker
vim /etc/sysconfig/docker
OPTIONS=' --selinux-enabled --log-driver=json-file --log-opt max-size=50m'
yum install -y centos-release-openshift-origin
5、在master上安装master的包,并设置
install master
yum install -y origin-master origin-pod origin-sdn-ovs origin-dockerregistry
vim /etc/origin/master/master-config.yaml;添加如下
/etc/origin/master/master-config.yaml
****
corsAllowedOrigins:
- //10\.25\.158\.97:8443$
- //127\.0\.0\.1(:|$)
- //localhost(:|$)
- kubernetes.default
- kubernetes.default.svc.cluster.local
- kubernetes
- openshift.default
- openshift.default.svc
- 172.30.0.1
- openshift.default.svc.cluster.local
- kubernetes.default.svc
- openshift
***
schedulerConfigFile: "/etc/origin/master/scheduler.json"
***
networkPluginName: "redhat/openshift-ovs-multitenant"
***
routingConfig:
subdomain: openshift.yqb.com
***
创建调度策略文件scheduler.json,vim /etc/origin/master/scheduler.json
/etc/origin/master/scheduler.json
{
"apiVersion": "v1",
"kind": "Policy",
"predicates": [
{
"name": "MatchNodeSelector"
},
{
"name": "PodFitsResources"
},
{
"name": "PodFitsPorts"
},
{
"name": "NoDiskConflict"
},
{
"name": "NoVolumeZoneConflict"
},
{
"name": "MaxEBSVolumeCount"
},
{
"name": "MaxGCEPDVolumeCount"
},
{
"argument": {
"serviceAffinity": {
"labels": [
"region"
]
}
},
"name": "Region"
}
],
"priorities": [
{
"name": "LeastRequestedPriority",
"weight": 1
},
{
"name": "SelectorSpreadPriority",
"weight": 1
},
{
"argument": {
"serviceAntiAffinity": {
"label": "zone"
}
},
"name": "Zone",
"weight": 2
}
]
}
启动主节点。并配置kub配置文件:
start master
systemctl enable origin-master
systemctl start origin-master
mkdir .kube
ln -s /etc/origin/master/admin.kubeconfig .kube/config
oc login -u system:admin
oc get all
6、在所有node节点上安装node的包
install node
yum install -y origin-node origin-pod origin-sdn-ovs origin-dockerregistry
7、在master节点上生产node的配置文件
node config
mkdir /etc/origin/node1.openshift.yqb.com
mkdir /etc/origin/node2.openshift.yqb.com
ln -s /etc/origin/ openshift.local.config
oc adm create-node-config --node-dir='/etc/origin/node1.openshift.yqb.com/' --dns-domain='openshift.yqb.com' --dns-ip='10.25.158.97' --hostnames='node1.openshift.yqb.com' --master='https://10.25.158.97:8443' --network-plugin='redhat/openshift-ovs-multitenant' --node='node1.openshift.yqb.com'
oc adm create-node-config --node-dir='/etc/origin/node2.openshift.yqb.com/' --dns-domain='openshift.yqb.com' --dns-ip='10.25.158.97' --hostnames='node2.openshift.yqb.com' --master='https://10.25.158.97:8443' --network-plugin='redhat/openshift-ovs-multitenant' --node='node2.openshift.yqb.com'
scp /etc/origin/node1.openshift.yqb.com/*root@node1.openshift.yqb.com:/etc/origin/node/
scp /etc/origin/node2.openshift.yqb.com/*root@node2.openshift.yqb.com:/etc/origin/node/
8、在所有节点上
vim /etc/origin/node/node-config.yaml,在kind后面添加kubeletArguments
kubeletArguments
kind: NodeConfig
kubeletArguments:
node-labels:
- region=primary
- zone=west
将/etc/origin/node/ca.crt内容添加到/etc/ssl/certs/ca-bundle.crt最后
执行启动命令
start node
systemctl enable iptables
systemctl start iptables
systemctl enable docker
systemctl start docker
systemctl enable origin-node
systemctl start origin-node
docker pull openshift/origin-sti-builder
docker pull openshift/origin-deployer
docker pull openshift/origin-docker-registry
docker pull openshift/origin-haproxy-router
docker pull openshift/origin-pod
iptables -N OS_FIREWALL_ALLOW
iptables -I INPUT 8 -j OS_FIREWALL_ALLOW
iptables -I OS_FIREWALL_ALLOW -p tcp -m tcp --dport 10250 -j ACCEPT
iptables -I OS_FIREWALL_ALLOW -p udp -m udp --dport 10250 -j ACCEPT
iptables -I OS_FIREWALL_ALLOW -p tcp -m tcp --dport 10255 -j ACCEPT
iptables -I OS_FIREWALL_ALLOW -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I OS_FIREWALL_ALLOW -p tcp -m tcp --dport 443 -j ACCEPT
iptables -I OS_FIREWALL_ALLOW -p udp -m udp --dport 4789 -j ACCEPT
iptables -I OS_FIREWALL_ALLOW -p udp -m udp --dport 10255 -j ACCEPT
9、在master上执行操作
添加registry
add registry
oc create serviceaccount registry -n default
oadm policy add-scc-to-user privileged system:serviceaccount:default:registry
oadm registry --service-account=registry --mount-host=/opt/openshift-registry
oc create route passthrough --service docker-registry -n default
oc get svc
oc get route
获取到registry的服务IP,这里为172.30.126.243
config registry
oc adm ca create-server-cert --signer-cert=/etc/origin/master/ca.crt --signer-key=/etc/origin/master/ca.key --signer-serial=/etc/origin/master/ca.serial.txt --hostnames="172.30.126.243,docker-registry-default.openshift.yqb.com" --cert=/etc/origin/master/registry.crt --key=/etc/origin/master/registry.key
oc secrets new registry-certificates /etc/origin/master/registry.crt /etc/origin/master/registry.key -n default
oc secrets add registry registry-certificates -n default
oc secrets add default registry-certificates -n default
oc env dc/docker-registry REGISTRY_HTTP_TLS_CERTIFICATE=/etc/secrets/registry.crt REGISTRY_HTTP_TLS_KEY=/etc/secrets/registry.key -n default
oc patch dc/docker-registry -p '{"spec":{"template":{"spec":{"containers":[{"name":"registry","livenessProbe":{"httpGet":{"scheme":"HTTPS"}}}]}}}}' -n default
oc patch dc/docker-registry -p '{"spec":{"template":{"spec":{"containers":[{"name":"registry","readinessProbe":{"httpGet":{"scheme":"HTTPS"}}}]}}}}' -n default
oc volume dc/docker-registry --add --type=secret --secret-name=registry-certificates -m /etc/secrets -n default
oc create serviceaccount router -n default
oadm policy add-scc-to-user hostnetwork system:serviceaccount:default:router
oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:default:router
oadm router router --replicas=1 --service-account=router
chown 1001:root /opt/openshift-registry
10、添加模板
例如:https://github.com/openshift/origin/tree/master/examples/quickstarts中有很多常用的示例模板,git clone到本地即可,进入example目录
导入方法:
import template
oc create -f image-streams-centos7.json -n openshift
打开浏览器:https://10.25.158.97:8443
用户名密码,都是使用中自动创建的(自己随便写,用户会被自动创建保存)