Openshift 3.11单机版 离线安装
前置条件
- 虚拟机: 建议系统内存>=6G,CPU>=4。
- 镜像仓库:在虚拟机上能够访问到该镜像仓库,如果没有,推荐使用harbor自建。
- docker:虚拟机上需要安装docker,这里使用的是18.09版本。离线安装可参考 docker 离线安装 或自行下载rpm包安装。
安装步骤
一、前置准备
1、关闭SELINUX
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=permissive/g" /etc/selinux/config
2、关闭防火墙
systemctl stop firewalld
systemctl disable firewalld
3、设置IP转发
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.bridge.bridge-nf-call-ip6tables = 1" >> /etc/sysctl.conf
echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
modprobe br_netfilter
sysctl -p
4、修改docker配置文件
编辑 /etc/docker/daemon.json 文件
{
"exec-opts": [
"native.cgroupdriver=systemd"
],
"insecure-registries":["harbor.dev.com"]
}
其中 insecure-registries 需要修改为使用的镜像仓库的地址,这是为了拉取镜像时避免由于证书认证问题导致拉取失败。
重启 docker
systemctl daemon-reload
systemctl restart docker
二、安装openshift
1、下载openshift
2、上传至/opt目录解压
mv openshift-origin-server-v3.11.0-0cbc58b-linux-64bit.tar.gz /opt
cd /opt
tar -zxvf openshift-origin-server-v3.11.0-0cbc58b-linux-64bit.tar.gz
3、加入环境变量
# 目录太长,创建一个软连接
ln -s openshift-origin-server-v3.11.0-0cbc58b-linux-64bit /opt/openshift
# 加入环境变量
PATH=$PATH:/opt/openshift/
# 加载环境变量
source /etc/profile
4、下载镜像
在联网的机器上拉取如下镜像
docker pull docker.io/openshift/origin-control-plane:v3.11
docker pull docker.io/openshift/origin-hypershift:v3.11
docker pull docker.io/openshift/origin-node:v3.11
docker pull docker.io/openshift/origin-cli:v3.11
docker pull docker.io/openshift/origin-hyperkube:v3.11
docker pull docker.io/openshift/origin-pod:v3.11
docker pull docker.io/openshift/origin-deployer:v3.11
docker pull docker.io/openshift/origin-haproxy-router:v3.11
docker pull docker.io/openshift/origin-docker-registry:v3.11
docker pull docker.io/openshift/origin-web-console:v3.11
docker pull docker.io/openshift/origin-service-serving-cert-signer:v3.11
镜像拉取完成后将这些镜像上传至前置条件中准备的镜像仓库中,上传完成后,镜像的地址如下
swr.cn-global-3.labcloud.com/other/origin-control-plane:v3.11
# 如果你使用的是harbor,可能如下
<harbor~domain>/<project>/origin-control-plane:v3.11
4、启动集群
# 先创建一个目录,用于存放集群的配置文件
mkdir openshiftconfig
# 启动集群
oc cluster up --skip-registry-check=true --public-hostname="openshift.origin.hcs.com" --base-dir=/root/openshiftconfig
其中:--skip-registry-check=true 表示 Skip Docker daemon registry check
`--public-hostname` 表示对外访问的域名,需要在`hosts` 中配置域名对应的IP
`--base-dir` 表示集群的配置的文件在宿主机存储的位置,一开始是空的,集群启动之后里面才有文件
5、修改组件使用的镜像地址
[root@master ~]# oc cluster up --public-hostname="openshift.origin.hcs.com" --skip-registry-check=true --base-dir=/root/openshiftconfig/
Getting a Docker client ...
Checking if image openshift/origin-control-plane:v3.11 is available ...
Creating shared mount directory on the remote host ...
Determining server IP ...
Checking if OpenShift is already running ...
Checking for supported Docker version (=>1.22) ...
Checking if required ports are available ...
Checking if OpenShift client is configured properly ...
Checking if image openshift/origin-control-plane:v3.11 is available ...
Starting OpenShift using openshift/origin-control-plane:v3.11 ...
I0709 09:15:51.780704 4175900 config.go:40] Running "create-master-config"
I0709 09:15:53.858416 4175900 config.go:46] Running "create-node-config"
I0709 09:15:54.971157 4175900 flags.go:30] Running "create-kubelet-flags"
I0709 09:15:55.523592 4175900 run_kubelet.go:49] Running "start-kubelet"
I0709 09:15:55.754490 4175900 run_self_hosted.go:181] Waiting for the kube-apiserver to be ready ...
启动之后当出现 Waiting for the kube-apiserver to be ready ,使用 docker ps 命令查看启动的容器
找到镜像为 origin-node 容器,进入该容器内部
docker exec -it 0fc0e967b6dd bash
如下进入 pod-manifests目录
[root@master ~]# docker exec -it 0fc0e967b6dd bash
[root@master origin]# ll
total 12
drwxr-xr-x 3 root root 4096 Jul 9 01:15 cluster-up
drwxr-xr-x 4 root root 4096 Jul 9 01:15 openshift.local.config
drwx------ 2 root root 4096 Jul 9 01:15 pod-manifests
会发现有4个 pod 的 yaml 文件
[root@master pod-manifests]# ll
total 16
-rw------- 1 root root 1241 Jul 9 01:15 apiserver.yaml
-rw------- 1 root root 897 Jul 9 01:15 etcd.yaml
-rw------- 1 root root 1700 Jul 9 01:15 kube-controller-manager.yaml
-rw------- 1 root root 1061 Jul 9 01:15 kube-scheduler.yaml
将这4个文件中 image 的拉取地址修改为你自己的镜像仓库的地址:
sed -i 's#openshift/#harbor.dev.com/other/#' apiserver.yaml
sed -i 's#openshift/#harbor.dev.com/other/#' etcd.yaml
sed -i 's#openshift/#harbor.dev.com/other/#' kube-controller-manager.yaml
sed -i 's#openshift/#harbor.dev.com/other/#' kube-scheduler.yaml
注意:上述 harbor.dev.com/other/ 请替换为你自己的仓库地址,并且将镜像设置为公开的
修改完成之后,你会发现大概走到这一步
········
I0709 09:15:55.754490 4175900 run_self_hosted.go:181] Waiting for the kube-apiserver to be ready ...
I0709 09:17:00.767259 4175900 interface.go:26] Installing "kube-proxy" ...
I0709 09:17:00.767296 4175900 interface.go:26] Installing "kube-dns" ...
I0709 09:17:00.767305 4175900 interface.go:26] Installing "openshift-service-cert-signer-operator" ...
I0709 09:17:00.767311 4175900 interface.go:26] Installing "openshift-apiserver" ...
I0709 09:17:00.767377 4175900 apply_template.go:81] Installing "openshift-apiserver"
I0709 09:17:00.767403 4175900 apply_template.go:81] Installing "kube-dns"
I0709 09:17:00.767407 4175900 apply_template.go:81] Installing "openshift-service-cert-signer-operator"
I0709 09:17:00.767449 4175900 apply_template.go:81] Installing "kube-proxy"
I0709 09:17:02.552941 4175900 interface.go:41] Finished installing "kube-proxy" "kube-dns" "openshift-service-cert-signer-operator" "openshift-apiserver"
到这里之后,集群已经能通过 API 或 oc/kubectl 命令行查看集群状态了,但还不够,还需要修改上述 "kube-proxy" "kube-dns" "openshift-service-cert-signer-operator" "openshift-apiserver" 组件使用的镜像地址。
接下来,将 kubeconfig 的配置文件拷贝到 /root/.kube 目录下
cp /root/openshiftconfig/kube-apiserver/admin.kubeconfig /root/.kube/config
其中: /root/openshiftconfig 就是集群启动时指定的 base-dir参数
执行命令 kubectl get all --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-dns pod/kube-dns-6d7l5 0/1 ContainerCreating 0 1s
kube-proxy pod/kube-proxy-z9kpf 0/1 ContainerCreating 0 1s
openshift-apiserver pod/openshift-apiserver-k26p5 0/1 ContainerCreating 0 1s
openshift-core-operators pod/openshift-service-cert-signer-operator-6d477f986b-ccclz 0/1 ContainerCreating 0 1s
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default service/kubernetes ClusterIP 172.30.0.1 <none> 443/TCP 51s
kube-dns service/kube-dns ClusterIP 172.30.0.2 <none> 53/UDP,53/TCP 45s
openshift-apiserver service/api ClusterIP 172.30.158.113 <none> 443/TCP 45s
NAMESPACE NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
kube-dns daemonset.apps/kube-dns 1 1 0 1 0 <none> 45s
kube-proxy daemonset.apps/kube-proxy 1 1 0 1 0 <none> 46s
openshift-apiserver daemonset.apps/openshift-apiserver 1 1 0 1 0 <none> 46s
NAMESPACE NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
openshift-core-operators deployment.apps/openshift-service-cert-signer-operator 1 1 1 0 45s
NAMESPACE NAME DESIRED CURRENT READY AGE
openshift-core-operators replicaset.apps/openshift-service-cert-signer-operator-6d477f986b 1 1 0 1s
可以看到,像 dns、proxy、openshift-apiserver 等这些 pod 并没有正常启动
解决方式:使用 kubectl edit 命令修改部署的 yaml 文件,如下:
kubectl edit daemonset.apps/kube-dns -n kube-dns
修改其中的 image部分,将其修改为自己的镜像仓库的地址。对其余三个依次重复此步骤修改。
修改完成后,如果发现pod还没正常运行,就将原来的pod删除,如 kubectl delete pod/kube-dns-6d7l5 -n kube-dns, 删除后pod重建就可以了
解决完上述问题,大概 会走到这一步
··········
I0709 09:21:18.569265 4175900 apply_list.go:67] Installing "sample-templates/cakephp quickstart"
I0709 09:21:18.569360 4175900 apply_list.go:67] Installing "sample-templates/postgresql"
I0709 09:21:22.051740 4175900 interface.go:41] Finished installing "sample-templates/postgresql" "sample-templates/cakephp quickstart" "sample-templates/dancer quickstart" "sample-templates/django quickstart" "sample-templates/rails quickstart" "sample-templates/sample pipeline" "sample-templates/mysql" "sample-templates/mariadb" "sample-templates/nodejs quickstart" "sample-templates/jenkins pipeline ephemeral" "sample-templates/mongodb"
I0709 09:25:46.089004 4175900 interface.go:41] Finished installing "openshift-router" "sample-templates" "persistent-volumes" "centos-imagestreams" "openshift-image-registry" "openshift-web-console-operator"
到这里又有组件因镜像拉取不到而卡住了,解决方式和上面一致,这里就不再赘述了,将有问题的 deployment 和 daemonset 镜像地址修改正确即可。
NAMESPACE NAME READY STATUS RESTARTS AGE
default pod/persistent-volume-setup-rd264 1/1 Running 0 20s
kube-dns pod/kube-dns-trczh 1/1 Running 0 1m
kube-proxy pod/kube-proxy-4d4x6 1/1 Running 0 56s
kube-system pod/kube-controller-manager-localhost 1/1 Running 0 3m
kube-system pod/kube-scheduler-localhost 1/1 Running 0 3m
kube-system pod/master-api-localhost 1/1 Running 0 3m
kube-system pod/master-etcd-localhost 1/1 Running 0 3m
openshift-apiserver pod/openshift-apiserver-db2sv 1/1 Running 0 2m
openshift-controller-manager pod/openshift-controller-manager-6fgcc 0/1 ErrImagePull 0 19s
openshift-core-operators pod/openshift-service-cert-signer-operator-896576577-b24wz 1/1 Running 0 1m
openshift-core-operators pod/openshift-web-console-operator-664b974ff5-b8hd7 0/1 ErrImagePull 0 16s
openshift-service-cert-signer pod/apiservice-cabundle-injector-8ffbbb6dc-k948s 1/1 Running 0 1m
openshift-service-cert-signer pod/service-serving-cert-signer-668c45d5f-brj8j 1/1 Running 0 1m
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default service/docker-registry ClusterIP 172.30.1.1 <none> 5000/TCP 18s
default service/kubernetes ClusterIP 172.30.0.1 <none> 443/TCP 4m
default service/router ClusterIP 172.30.183.80 <none> 80/TCP,443/TCP,1936/TCP 17s
kube-dns service/kube-dns ClusterIP 172.30.0.2 <none> 53/UDP,53/TCP 4m
openshift-apiserver service/api ClusterIP 172.30.158.113 <none> 443/TCP 4m
openshift-service-cert-signer service/service-serving-cert-signer ClusterIP 172.30.73.95 <none> 443/TCP 1m
NAMESPACE NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
kube-dns daemonset.apps/kube-dns 1 1 1 1 1 <none> 4m
kube-proxy daemonset.apps/kube-proxy 1 1 1 1 1 <none> 4m
openshift-apiserver daemonset.apps/openshift-apiserver 1 1 1 1 1 <none> 4m
openshift-controller-manager daemonset.apps/openshift-controller-manager 1 1 0 1 0 <none> 20s
NAMESPACE NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
openshift-core-operators deployment.apps/openshift-service-cert-signer-operator 1 1 1 1 4m
openshift-core-operators deployment.apps/openshift-web-console-operator 1 1 1 0 17s
openshift-service-cert-signer deployment.apps/apiservice-cabundle-injector 1 1 1 1 1m
openshift-service-cert-signer deployment.apps/service-serving-cert-signer 1 1 1 1 1m
注意:这里修改镜像地址要快速,否则可能会超时失败(猜测)
全部修改完成后,等待一段时间就会出现如下提示,表明安装成功。
Login to server ...
Creating initial project "myproject" ...
Server Information ...
OpenShift server started.
The server is accessible via web console at:
https://openshift.origin.hcs.com:8443
You are logged in as:
User: developer
Password: <any value>
To login as administrator:
oc login -u system:admin
6、登录验证
将域名写到本地 hosts 文件后,浏览器中打开 https://openshift.origin.hcs.com:8443
输入用户名密码,登录,点登录后可能会跳转到 https://127.0.0.1:8443,直接在浏览器地址栏将 127.0.0.1 修改为正确的IP地址即可。
登录成功之后也可能会出现如下的 error invalid request,无需关注,点击左上角的OKD图标即可,跳转之后就正常了。
7、部署验证
部署一个无状态应用测试一下
kind: Deployment
apiVersion: apps/v1
metadata:
name: tomcat
namespace: hello-admin
labels:
appgroup: ''
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: tomcat
version: v1
template:
metadata:
labels:
app: tomcat
version: v1
spec:
containers:
- name: container-1
image: swr.cn-global-3.labcloud.com/migration4cce/tomcat:v11
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 100m
memory: 100Mi
imagePullPolicy: IfNotPresent
restartPolicy: Always
dnsPolicy: ClusterFirst
securityContext: {}
imagePullSecrets:
- name: default-secret
部署如果出现如下错误,可能是 docker 的运行时 runc 版本太低了,需要更新 runc 的版本
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 2m default-scheduler Successfully assigned default/tomcat-68b89bb4d7-pg7lt to localhost
Normal Pulling 2m kubelet, localhost pulling image "swr.cn-global-3.labcloud.com/migration4cce/tomcat:v11"
Normal Pulled 2m kubelet, localhost Successfully pulled image "swr.cn-global-3.labcloud.com/migration4cce/tomcat:v11"
Normal Created 58s (x5 over 2m) kubelet, localhost Created container
Warning Failed 58s (x5 over 2m) kubelet, localhost Error: failed to start container "container-1": Error response from daemon: OCI runtime create failed: container_linux.go:330: starting container process caused "process_linux.go:284: applying cgroup configuration for process caused \"No such device or address\"": unknown
Normal Pulled 58s (x4 over 2m) kubelet, localhost Container image "swr.cn-global-3.labcloud.com/migration4cce/tomcat:v11" already present on machine
Warning BackOff 27s (x9 over 2m) kubelet, localhost Back-off restarting failed container
查找一下 runc 的位置
[root@master ~]# which runc
/usr/bin/runc
下载 runc https://github.com/opencontainers/runc/releases/download/v1.1.5/runc.amd64
上传至服务器
# 先备份一下原来的runc
cp /usr/bin/runc /root/runc.bak
# 覆盖旧的runc
mv /root/runc.amd64 /usr/bin/runc
chmod 755 /usr/bin/runc
查看一下 runc 的版本
[root@master ~]# runc --version
runc version 1.1.5
commit: v1.1.5-0-gf19387a6
spec: 1.0.2-dev
go: go1.17.10
libseccomp: 2.5.4
然后删除原来的 deployment, 重新部署一下
kubectl delete -f tomcat.yaml
kubectl apply -f tomcat.yaml
[root@master ~]# kubectl get pod -n hello-admin
NAME READY STATUS RESTARTS AGE
tomcat-68b89bb4d7-9sqlz 1/1 Running 0 4h
以下是 OpenShift 3.x 版本与 Kubernetes 版本的对应关系:
OpenShift 3.6 - 基于 Kubernetes 1.6
OpenShift 3.7 - 基于 Kubernetes 1.7
OpenShift 3.9 - 基于 Kubernetes 1.9
OpenShift 3.10 - 基于 Kubernetes 1.10
OpenShift 3.11 - 基于 Kubernetes 1.11
在 OpenShift 3.11 中,system:admin 用户通常是通过客户端证书认证登录的,而不是通过 OAuth 令牌。这也是为什么您在使用 oc whoami -t 命令时会遇到“no token is currently in use for this session”的错误。对于通过证书认证的 system:admin,没有 OAuth 令牌。
如何获取 OAuth 令牌
如果您需要生成具有管理员权限的 OAuth 令牌,可以创建一个具有足够权限的服务账户(Service Account),然后为该服务账户创建一个 token。以下是步骤:
-
创建服务账户:
oc create sa admin-sa -
为服务账户绑定权限:
为服务账户绑定一个高权限的 ClusterRole,例如cluster-admin:oc adm policy add-cluster-role-to-user cluster-admin -z admin-sa -
获取服务账户的 token:
生成服务账户的 token,并获取它的值:oc serviceaccounts get-token admin-sa该命令将返回一个长字符串,即新创建的服务账户的 OAuth 令牌。
-
使用服务账户的 token 登录:
使用获取的 token 登录 OpenShift:oc login https://openshift3.origin.hcs.com:8443 --token=<admin-sa-token>将
<admin-sa-token>替换为步骤 3 中获取的 token。