Installing IBM Cloud Private with OpenShift
You can install IBM Cloud Private with OpenShift by using the IBM Cloud Private installer.
Installation can be completed in four main steps:
- Configure the boot node
- Set up the installation environment
- Configure your cluster
- Run the IBM Cloud Private installer
- Post installation tasks
Configure the boot node
The IBM Cloud Private with OpenShift installer can run from either a dedicated boot node or an OpenShift master node. If the boot node is not an OpenShift node, install Docker for your boot node only.
The boot node is the node that is used for the installation of your cluster. The boot node is usually your master node. For more information about the boot node, see Boot node.
You need a version of Docker that is supported by IBM Cloud Private with OpenShift installed on your boot node. All versions of Docker that are supported by OpenShift are supported for the boot node. For more information about the supported Docker versions, see OpenShift Docker installation .
For the procedure to install Docker, see Manually installing Docker.
Set up the installation environment
- Log in to the boot node as a user with root permissions or as a user with sudo privileges.
-
Download the installation files for IBM Cloud Private 3.1.2. You must download the correct file or files for the type of nodes in your cluster. You can obtain these files from the IBM Passport Advantage® website.
- For a Red Hat Enterprise Linux OpenShift (64-bit) cluster, download the
ibm-cloud-private-rhos-3.1.2.tar.gz
file.
- For a Red Hat Enterprise Linux OpenShift (64-bit) cluster, download the
-
Extract the image and load them into Docker. Extracting the images might take a few minutes.
tar xf ibm-cloud-private-rhos-3.1.2.tar.gz -O | sudo docker load
-
Create an installation directory to store the IBM Cloud Private configuration files in and change to that directory.
For example, to store the configuration files in
/opt/ibm-cloud-private-rhos-3.1.2
, run the following commands:mkdir /opt/ibm-cloud-private-rhos-3.1.2; \ cd /opt/ibm-cloud-private-rhos-3.1.2
-
Extract the cluster directory:
sudo docker run --rm -v $(pwd):/data:z -e LICENSE=accept ibmcom/icp-inception-amd64:3.1.2-rhel-ee cp -r cluster /data
If SELinux is enabled on the boot node, run the following command:
sudo docker run --rm -v $(pwd):/data -e LICENSE=accept --security-opt label:disable ibmcom/icp-inception-amd64:3.1.2-rhel-ee cp -r cluster /data
-
Copy the
ibm-cloud-private-rhos-3.1.2.tar.gz
to the cluster and images:sudo cp ibm-cloud-private-rhos-3.1.2.tar.gz cluster/images
-
Create cluster configuration files. The OpenShift configuration files are found on the OpenShift Master node.
-
Copy the OpenShift
admin.kubeconfig
file to the cluster directory. The OpenShiftadmin.kubeconfig
file can be found in the/etc/origin/master/admin.kubeconfig
directory:sudo cp /etc/origin/master/admin.kubeconfig cluster/kubeconfig
-
Copy the OpenShOpenShiftift SSH key to the cluster directory:
sudo cp ~/.ssh/id_rsa cluster/ssh_key
-
Copy the OpenShift inventory file to the cluster directory:
sudo cp openshift-ansible/inventory/hosts cluster/
If your boot node is different from the OpenShift master node, then the previous files must be copied to the boot node.
-
Configure your cluster
-
Update the
config.yaml
file that you extracted in step 5 with the following configurations:cluster_CA_domain: <your-openshift-master-fqdn> tiller_service_ip: "None" mariadb_privileged: "false" install_on_openshift: true storage_class: <storage class available in OpenShift> ## Kubernetes apiserver port (OpenShift port) kube_apiserver_secure_port: 8443 ## Cluster Router settings router_http_port: 5080 router_https_port: 5443 ## Nginx Ingress settings ingress_http_port: 3080 ingress_https_port: 3443
In the previous sample, you can set the ports to any available free port number. Note: You must replace the port number 8443 for
kube_apiserver_secure_port
with the port number on which your OpenShift Kubernetes API server is listening. -
Update the label on master node with compute role
oc label node <master node host name? node-role.kubernetes.io/compute=true
-
Set up a default password in the
config.yaml
file that meets the default password enforcement rule; and optionally define a custom set of password rules.-
In the
/<installation_directory>/cluster/config.yaml
file, set thedefault_admin_password
. The password must satisfy all regular expressions that are specified inpassword_rules
. -
Optional: Define a set of password rules. You can define one or more rules as regular expressions in an array list that the password must pass. For example, a rule can state that the password must be longer than a specified number of characters and/or that it must contain at least one special character. The rules are written as regular expressions that are supported by the Go programming language. For example:
password_rules: - '^.{10,}' - '.*[!@#\$%\^&\*].*'
To disable the
password_rule
, add(.*)
password_rules: - '(.*)'
Notes: The
default_admin_password
must match all rules that are defined. Ifpassword_rules
is not defined, thedefault_admin_password
must meet the default passport enforcement rule.
-
Run the IBM Cloud Private installer
-
Run the
install-on-openshift
command:sudo docker run -t --net=host -e LICENSE=accept -v $(pwd):/installer/cluster:z ibmcom/icp-inception-amd64:3.1.2-rhel-ee install-on-openshift
-
If SELinux is enabled on the boot node, run the following command:
sudo docker run --rm -v $(pwd):/installer/cluster:z -e LICENSE=accept --security-opt label:disable ibmcom/icp-inception-amd64:3.1.2-rhel-ee install-on-openshift
Access your cluster
Access your cluster by using a different port than the one that was used for standalone IBM Cloud Private. From a web browser, browse to the URL of your cluster. For a list of supported browsers, see Supported browsers.
Post installation tasks
Correct the security context constraints
To correct the security context constraints, run the following command:
kubectl --kubeconfig /etc/origin/master/admin.kubeconfig patch scc icp-scc -p '{"allowPrivilegedContainer": true}'
The output should resemble the following text:
# kubectl --kubeconfig /etc/origin/master/admin.kubeconfig patch scc icp-scc -p '{"allowPrivilegedContainer": true}'
securitycontextconstraints "icp-scc" patched
After you apply the new security context constraints, you see the following update:
# kubectl --kubeconfig /etc/origin/master/admin.kubeconfig get scc icp-scc
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES
icp-scc true [] MustRunAs RunAsAny RunAsAny RunAsAny 1 false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim projected secret]
Fix file permissions
If SELinux is enabled on the master node and if helm-repo and mgmt-repo pods are in error state, run the following commands to fix the file permissions on the master node.
sudo mkdir -p /var/lib/icp/helmrepo
sudo mkdir -p /var/lib/icp/mgmtrepo
sudo chcon -Rt svirt_sandbox_file_t /var/lib/icp/helmrepo
sudo chcon -Rt svirt_sandbox_file_t /var/lib/icp/mgmtrepo