010. OpenShift Comprehensive Labs and Applications
Lab 1: Installing OpenShift
1.1 Preparation
[[email protected] ~]$ lab review-install setup
1.2 Configuration Plan
The OpenShift cluster has three nodes:
- master.lab.example.com: the OpenShift master node, on which pods cannot be scheduled.
- node1.lab.example.com: an OpenShift node that can run both application and infrastructure pods.
- node2.lab.example.com: another OpenShift node that can run both application and infrastructure pods.
All nodes use OverlayFS with the overlay2 driver for Docker storage; the second disk (vdb) on each node is reserved for Docker storage.
All nodes use an RPM-based installation, with release v3.9 and OpenShift image tag version v3.9.14.
The default domain for routes is apps.lab.example.com. The classroom DNS server is already configured to resolve every hostname in this domain to node1.lab.example.com.
All container images used by the OpenShift cluster are stored in the private registry served by registry.lab.example.com.
Two initial users are created with HTPasswd authentication: developer and admin, both with the password redhat. developer is a regular user and admin is the cluster administrator.
An NFS volume on services.lab.example.com backs the persistent storage of the internal OpenShift registry.
services.lab.example.com also provides NFS services for cluster storage.
etcd is also deployed on the master node, and its storage uses the NFS share provided by the services.lab.example.com host.
The cluster must be disconnected from the Internet, i.e. it is installed from offline packages.
The internal OpenShift registry should be backed by NFS persistent storage located on services.lab.example.com.
The master API and console will run on port 443.
The RPM packages required to install OpenShift are already defined by Yum configuration files on all hosts.
The /home/student/DO280/labs/review-install directory provides a partially completed Ansible inventory file for the OpenShift cluster installation. It also contains the Ansible playbooks needed to run the pre-installation and post-installation steps.
A test application is provided by the Git server at http://services.lab.example.com/phphelloworld. It is a simple "hello, world" application that can be deployed with Source-to-Image to verify that the OpenShift cluster was deployed successfully.
1.3 Verifying Ansible
[[email protected] ~]$ cd /home/student/DO280/labs/review-install/
[[email protected] review-install]$ sudo yum -y install ansible
[[email protected] review-install]$ ansible --version
[[email protected] review-install]$ cat ansible.cfg
[defaults]
remote_user = student
inventory = ./inventory
log_path = ./ansible.log

[privilege_escalation]
become = yes
become_user = root
become_method = sudo
1.4 Checking the Inventory
[[email protected] review-install]$ cp inventory.preinstall inventory  # the inventory for the preparation step
[[email protected] review-install]$ cat inventory
[workstations]
workstation.lab.example.com

[nfs]
services.lab.example.com

[masters]
master.lab.example.com

[etcd]
master.lab.example.com

[nodes]
master.lab.example.com
node1.lab.example.com
node2.lab.example.com

[OSEv3:children]
masters
etcd
nodes
nfs

#Variables needed by the prepare_install.yml playbook.
[nodes:vars]
registry_local=registry.lab.example.com
use_overlay2_driver=true
insecure_registry=false
run_docker_offline=true
docker_storage_device=/dev/vdb
Tip:
The inventory defines six host groups:
- nfs: the VM in this environment that provides NFS services for cluster storage;
- masters: the nodes that take the master role in the OpenShift cluster;
- etcd: the nodes that run the etcd service for the OpenShift cluster; in this environment the master node is used;
- nodes: the nodes of the OpenShift cluster;
- OSEv3: all hosts that make up the OpenShift cluster, including the nodes in the masters, etcd, nodes and nfs groups.
Note: by default, docker downloads container images from an online registry. This environment has no external network access, so the docker registry is configured to be the internal private registry. The registry configuration is passed in through variables in the yml.
In addition, the installation configures the docker daemon on each host to use the overlay2 image driver for storing container images. Docker supports many different image drivers, such as AUFS, Btrfs, Device mapper and OverlayFS.
1.5 Verifying the Nodes
[[email protected] review-install]$ cat ping.yml
---
- name: Verify Connectivity
  hosts: all
  gather_facts: no
  tasks:
    - name: "Test connectivity to machines."
      shell: "whoami"
      changed_when: false
[[email protected] review-install]$ ansible-playbook -v ping.yml
1.6 Preparation Work
[[email protected] review-install]$ cat prepare_install.yml
---
- name: "Host Preparation: Docker tasks"
  hosts: nodes
  roles:
    - docker-storage
    - docker-registry-cert
    - openshift-node

  #Tasks below were not handled by the roles above.
  tasks:
    - name: Student Account - Docker Access
      user:
        name: student
        groups: docker
        append: yes

...
[[email protected] review-install]$ ansible-playbook prepare_install.yml
Tip: the playbook above uses three roles; see step 2.5 of "002. OpenShift Installation and Deployment" for their contents.
1.7 Verification
[[email protected] review-install]$ ssh node1 'docker pull rhel7:latest'  # verify that images can be pulled normally
1.8 Checking the Inventory
[[email protected] review-install]$ cp inventory.partial inventory  # the complete inventory for the actual installation
[[email protected] review-install]$ cat inventory
[workstations]
workstation.lab.example.com

[nfs]
services.lab.example.com

[masters]
master.lab.example.com

[etcd]
master.lab.example.com

[nodes]
master.lab.example.com
node1.lab.example.com openshift_node_labels="{'region':'infra', 'node-role.kubernetes.io/compute':'true'}"
node2.lab.example.com openshift_node_labels="{'region':'infra', 'node-role.kubernetes.io/compute':'true'}"

[OSEv3:children]
masters
etcd
nodes
nfs

#Variables needed by the prepare_install.yml playbook.
[nodes:vars]
registry_local=registry.lab.example.com
use_overlay2_driver=true
insecure_registry=false
run_docker_offline=true
docker_storage_device=/dev/vdb


[OSEv3:vars]
#General Variables
openshift_disable_check=disk_availability,docker_storage,memory_availability
openshift_deployment_type=openshift-enterprise
openshift_release=v3.9
openshift_image_tag=v3.9.14

#OpenShift Networking Variables
os_firewall_use_firewalld=true
openshift_master_api_port=443
openshift_master_console_port=443
#default subdomain
openshift_master_default_subdomain=apps.lab.example.com

#Cluster Authentication Variables
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
openshift_master_htpasswd_users={'admin': '$apr1$4ZbKL26l$3eKL/6AQM8O94lRwTAu611', 'developer': '$apr1$4ZbKL26l$3eKL/6AQM8O94lRwTAu611'}

#Need to enable NFS
openshift_enable_unsupported_configurations=true
#Registry Configuration Variables
openshift_hosted_registry_storage_kind=nfs
openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
openshift_hosted_registry_storage_nfs_directory=/exports
openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
openshift_hosted_registry_storage_volume_name=registry
openshift_hosted_registry_storage_volume_size=40Gi

#etcd Configuration Variables
openshift_hosted_etcd_storage_kind=nfs
openshift_hosted_etcd_storage_nfs_options="*(rw,root_squash,sync,no_wdelay)"
openshift_hosted_etcd_storage_nfs_directory=/exports
openshift_hosted_etcd_storage_volume_name=etcd-vol2
openshift_hosted_etcd_storage_access_modes=["ReadWriteOnce"]
openshift_hosted_etcd_storage_volume_size=1G
openshift_hosted_etcd_storage_labels={'storage': 'etcd'}

#Modifications Needed for a Disconnected Install
oreg_url=registry.lab.example.com/openshift3/ose-${component}:${version}
openshift_examples_modify_imagestreams=true
openshift_docker_additional_registries=registry.lab.example.com
openshift_docker_blocked_registries=registry.access.redhat.com,docker.io
openshift_web_console_prefix=registry.lab.example.com/openshift3/ose-
openshift_cockpit_deployer_prefix='registry.lab.example.com/openshift3/'
openshift_service_catalog_image_prefix=registry.lab.example.com/openshift3/ose-
template_service_broker_prefix=registry.lab.example.com/openshift3/ose-
ansible_service_broker_image_prefix=registry.lab.example.com/openshift3/ose-
ansible_service_broker_etcd_image_prefix=registry.lab.example.com/rhel7/
[[email protected] review-install]$ lab review-install verify  # this environment verifies with a script
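The inventory above encodes several security-relevant decisions of the plan: TLS-verified pulls from the private registry only (insecure_registry=false, docker.io and registry.access.redhat.com blocked, oreg_url pointing at registry_local), the API and console on 443, and root_squash on the NFS exports. The following checker, an added example that is not part of the lab material, parses an INI-style inventory and reports any of those settings that drift; the embedded inventory excerpt is constructed from the values shown above.

```python
import re

# Constructed excerpt of the lab inventory (only the keys the checks look at).
SAMPLE_INVENTORY = """\
[nodes:vars]
registry_local=registry.lab.example.com
insecure_registry=false
[OSEv3:vars]
openshift_master_api_port=443
openshift_master_console_port=443
openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
openshift_hosted_etcd_storage_nfs_options="*(rw,root_squash,sync,no_wdelay)"
oreg_url=registry.lab.example.com/openshift3/ose-${component}:${version}
openshift_docker_blocked_registries=registry.access.redhat.com,docker.io
"""

def parse_inventory(text):
    """Map each [section] to {key: value}; plain host lines become keys with '' values."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            current = sections.setdefault(head.group(1), {})
        elif line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip("'\"")
    return sections

def check_inventory(text):
    """Return a list of findings; an empty list means the disconnected-install hardening holds."""
    inv = parse_inventory(text)
    nodes, ose = inv.get("nodes:vars", {}), inv.get("OSEv3:vars", {})
    findings = []
    if nodes.get("insecure_registry", "").lower() != "false":
        findings.append("insecure_registry is not false: image pulls would skip TLS checks")
    blocked = set(ose.get("openshift_docker_blocked_registries", "").split(","))
    for reg in ("registry.access.redhat.com", "docker.io"):
        if reg not in blocked:
            findings.append(f"{reg} missing from openshift_docker_blocked_registries")
    for var in ("openshift_master_api_port", "openshift_master_console_port"):
        if ose.get(var) != "443":
            findings.append(f"{var} is not 443")
    for var in ("openshift_hosted_registry_storage_nfs_options",
                "openshift_hosted_etcd_storage_nfs_options"):
        if "root_squash" not in ose.get(var, ""):
            findings.append(f"{var} lacks root_squash")
    local = nodes.get("registry_local", "")
    if not local or not ose.get("oreg_url", "").startswith(local + "/"):
        findings.append("oreg_url does not use registry_local (install would reach outside)")
    return findings
```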
1.9 Installing the OpenShift Ansible Playbooks
[[email protected] review-install]$ rpm -qa | grep atomic-openshift-utils
[[email protected] review-install]$ sudo yum -y install atomic-openshift-utils
1.10 Installing OpenShift with Ansible
[[email protected] review-install]$ ansible-playbook \
/usr/share/ansible/openshift-ansible/playbooks/prerequisites.yml
[[email protected] review-install]$ ansible-playbook \
/usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml
1.11 Verification
Log in to the web console at https://master.lab.example.com as the developer user to verify that the cluster has been configured successfully.
1.12 Authorization
[[email protected] review-install]$ ssh [email protected]
[[email protected] ~]# oc whoami
system:admin
[[email protected] ~]# oc adm policy add-cluster-role-to-user cluster-admin admin
Tip: the root user on the master node is a cluster administrator by default.
1.13 Login Test
[[email protected] ~]$ oc login -u admin -p redhat \
https://master.lab.example.com
[[email protected] ~]$ oc get nodes  # check the node status
1.14 Verifying Pods
[[email protected] ~]$ oc get pods -n default  # view the internal pods
1.15 Testing S2I
[[email protected] ~]$ oc login -u developer -p redhat \
https://master.lab.example.com
[[email protected] ~]$ oc new-project test-s2i  # create a project
[[email protected] ~]$ oc new-app --name=hello \
php:5.6~http://services.lab.example.com/php-helloworld
1.16 Testing the Service
[[email protected] ~]$ oc get pods  # check the deployment status
NAME            READY     STATUS    RESTARTS   AGE
hello-1-build   1/1       Running   0          39s
[[email protected] ~]$ oc expose svc hello  # expose the service
[[email protected] ~]$ curl hello-test-s2i.apps.lab.example.com  # test access
Hello, World! php version is 5.6.25
1.17 Lab Grading
[[email protected] ~]$ lab review-install grade  # this environment grades with a script
[[email protected] ~]$ oc delete project test-s2i  # delete the test project
Lab 2: Deploying an Application
2.1 Preparation
[[email protected] ~]$ lab review-deploy setup
2.2 Application Plan
Deploy a TODO LIST application made up of the following three containers:
- A MySQL database container that stores the data about the tasks in the TODO list.
- An Apache httpd web server front-end container (todoui) that holds the application's static HTML, CSS and JavaScript.
- A Node.js-based API back-end container (todoapi) that exposes a RESTful interface to the front-end container. The todoapi container connects to the MySQL database container to manage the application's data.
2.3 Setting the Policy
[[email protected] ~]$ oc login -u admin -p redhat https://master.lab.example.com
[[email protected] ~]$ oc adm policy remove-cluster-role-from-group \
self-provisioner system:authenticated system:authenticated:oauth
# restrict project creation to the cluster administrator role; regular users can no longer create projects
2.4 Creating the Project
[[email protected] ~]$ oc new-project todoapp
[[email protected] ~]$ oc policy add-role-to-user edit developer  # grant the developer user the edit role on the project
2.5 Setting a Quota
[[email protected] ~]$ oc project todoapp
[[email protected] ~]$ oc create quota todoapp-quota --hard=pods=1  # set a pod quota
2.6 Creating the Application
[[email protected] ~]$ oc login -u developer -p redhat \
https://master.lab.example.com  # log in as developer
[[email protected] ~]$ oc new-app --name=hello \
php:5.6~http://services.lab.example.com/php-helloworld  # create the application
[[email protected] ~]$ oc logs -f bc/hello  # follow the build log
2.7 Viewing the Deployment
[[email protected] ~]$ oc get pods
NAME             READY     STATUS      RESTARTS   AGE
hello-1-build    0/1       Completed   0          2m
hello-1-deploy   1/1       Running     0          1m
[[email protected] ~]$ oc get events
...
2m   2m   7   hello.15b54ba822fc1029   DeploymentConfig
Warning   FailedCreate   deployer-controller   Error creating deployer pod: pods "hello-1-deploy" is forbidden: exceeded quota: todoapp-quota, requested: pods=1, used: pods=1, limited: pods=
[[email protected] ~]$ oc describe quota
Name:       todoapp-quota
Namespace:  todoapp
Resource    Used    Hard
--------    ----    ----
pods        1       1
Conclusion: the deployment failed because of the hard pod quota.
2.8 Extending the Quota
[[email protected] ~]$ oc rollout cancel dc hello  # cancel the dc before correcting the quota
[[email protected] ~]$ oc login -u admin -p redhat
[[email protected] ~]$ oc project todoapp
[[email protected] ~]$ oc patch resourcequota/todoapp-quota --patch '{"spec":{"hard":{"pods":"10"}}}'
Tip: the quota can also be modified with the oc edit resourcequota todoapp-quota command.
[[email protected] ~]$ oc login -u developer -p redhat
[[email protected] ~]$ oc describe quota  # confirm the quota
Name:       todoapp-quota
Namespace:  todoapp
Resource    Used    Hard
--------    ----    ----
pods        0       10
2.9 Redeploying
[[email protected] ~]$ oc rollout latest dc/hello
[[email protected] ~]$ oc get pods  # confirm the deployment succeeded
NAME            READY     STATUS      RESTARTS   AGE
hello-1-build   0/1       Completed   0          9m
hello-2-qklrr   1/1       Running     0          12s
[[email protected] ~]$ oc delete all -l app=hello  # delete hello
2.10 Configuring NFS
[[email protected] ~]$ ssh [email protected]
[[email protected] ~]# mkdir -p /var/export/dbvol
[[email protected] ~]# chown nfsnobody:nfsnobody /var/export/dbvol
[[email protected] ~]# chmod 700 /var/export/dbvol
[[email protected] ~]# echo "/var/export/dbvol *(rw,async,all_squash)" > /etc/exports.d/dbvol.exports
[[email protected] ~]# exportfs -a
[[email protected] ~]# showmount -e
Tip: this lab uses the NFS share on services to provide persistent storage for the later steps.
2.11 Testing NFS
[[email protected] ~]$ ssh [email protected]
[[email protected] ~]# mount -t nfs services.lab.example.com:/var/export/dbvol /mnt
[[email protected] ~]# ls -la /mnt ; mount | grep /mnt  # test that the share mounts normally
Tip: run the same test on node2. Unmount after testing; persistent volumes will be mounted automatically later.
2.12 Creating the PV
[[email protected] ~]$ vim /home/student/DO280/labs/review-deploy/todoapi/openshift/mysql-pv.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: mysql-pv
spec:
  capacity:
    storage: 2G
  accessModes:
    - ReadWriteMany
  nfs:
    path: /var/export/dbvol
    server: services.lab.example.com
[[email protected] ~]$ oc login -u admin -p redhat
[[email protected] ~]$ oc create -f /home/student/DO280/labs/review-deploy/todoapi/openshift/mysql-pv.yaml
[[email protected] ~]$ oc get pv
2.13 Importing the Template
[[email protected] ~]$ oc apply -n openshift -f /home/student/DO280/labs/review-deploy/todoapi/openshift/nodejs-mysql-template.yaml
Tip: see the attachment for the template file.
2.14 Building an Image with a Dockerfile
[[email protected] ~]$ vim /home/student/DO280/labs/review-deploy/todoui/Dockerfile
FROM rhel7:7.5

MAINTAINER Red Hat Training <[email protected]>

# DocumentRoot for Apache
ENV HOME /var/www/html

# Need this for installing HTTPD from classroom yum repo
ADD training.repo /etc/yum.repos.d/training.repo
RUN yum downgrade -y krb5-libs libstdc++ libcom_err && \
    yum install -y --setopt=tsflags=nodocs \
        httpd \
        openssl-devel \
        procps-ng \
        which && \
    yum clean all -y && \
    rm -rf /var/cache/yum

# Custom HTTPD conf file to log to stdout as well as change port to 8080
COPY conf/httpd.conf /etc/httpd/conf/httpd.conf

# Copy front end static assets to HTTPD DocRoot
COPY src/ ${HOME}/

# We run on port 8080 to avoid running container as root
EXPOSE 8080

# This stuff is needed to make HTTPD run on OpenShift and avoid
# permissions issues
RUN rm -rf /run/httpd && mkdir /run/httpd && chmod -R a+rwx /run/httpd

# Run as apache user and not root
USER 1001

# Launch apache daemon
CMD /usr/sbin/apachectl -DFOREGROUND
[[email protected] ~]$ cd /home/student/DO280/labs/review-deploy/todoui/
[[email protected] todoui]$ docker build -t todoapp/todoui .
[[email protected] todoui]$ docker images
REPOSITORY                        TAG       IMAGE ID       CREATED          SIZE
todoapp/todoui                    latest    0249e1c69e38   39 seconds ago   239 MB
registry.lab.example.com/rhel7    7.5       4bbd153adf84   12 months ago    201 MB
2.15 Pushing to the Registry
[[email protected] todoui]$ docker tag todoapp/todoui:latest \
registry.lab.example.com/todoapp/todoui:latest
[[email protected] todoui]$ docker push \
registry.lab.example.com/todoapp/todoui:latest
Tip: tag the image built from the Dockerfile, then push it to the internal registry.
2.16 Importing the Image Stream
[[email protected] todoui]$ oc whoami -c
todoapp/master-lab-example-com:443/admin
[[email protected] todoui]$ oc import-image todoui \
--from=registry.lab.example.com/todoapp/todoui \
--confirm -n todoapp  # import the docker image into an OpenShift Image Stream
[[email protected] todoui]$ oc get is -n todoapp
NAME      DOCKER REPO                                        TAGS      UPDATED
todoui    docker-registry.default.svc:5000/todoapp/todoui    latest    13 seconds ago
[[email protected] todoui]$ oc describe is todoui -n todoapp  # inspect the image stream
2.17 Creating the Application
Log in to https://master.lab.example.com in a browser and select the todoapp project.
Browse the catalog.
Languages -> JavaScript -> Node.js + MySQL (Persistent).
Create the application using the values in the table below:
Name | Value |
Git Repository URL | http://services.lab.example.com/todoapi |
Application Hostname | todoapi.apps.lab.example.com |
MySQL Username | todoapp |
MySQL Password | todoapp |
Database name | todoappdb |
Database Administrator Password | redhat |
Click Create to create the application.
Check it on the Overview page.
2.18 Testing the Database
[[email protected] ~]$ oc port-forward mysql-1-6hq4d 3306:3306  # keep the port-forward running
[[email protected] ~]$ mysql -h127.0.0.1 -u todoapp -ptodoapp todoappdb < /home/student/DO280/labs/review-deploy/todoapi/sql/db.sql
# import the test data into the database
[[email protected] ~]$ mysql -h127.0.0.1 -u todoapp -ptodoapp todoappdb -e "select id, description, case when done = 1 then 'TRUE' else 'FALSE' END as done from Item;"
# check that the import succeeded
2.19 Access Test
[[email protected] ~]$ curl -s http://todoapi.apps.lab.example.com/todo/api/host | python -m json.tool  # access with curl
{
    "hostname": "todoapi-1-kxlnx",
    "ip": "10.128.0.12"
}
[[email protected] ~]$ curl -s http://todoapi.apps.lab.example.com/todo/api/items | python -m json.tool  # access with curl
2.20 Creating the Application
[[email protected] ~]$ oc new-app --name=todoui -i todoui  # create the application from the todoui image stream
[[email protected] ~]$ oc get pods
NAME              READY     STATUS      RESTARTS   AGE
mysql-1-6hq4d     1/1       Running     0          9m
todoapi-1-build   0/1       Completed   0          9m
todoapi-1-kxlnx   1/1       Running     0          8m
todoui-1-wwg28    1/1       Running     0          32s
2.21 Exposing the Service
[[email protected] ~]$ oc expose svc todoui --hostname=todo.apps.lab.example.com
Open http://todo.apps.lab.example.com in a browser.
2.22 Lab Grading
[[email protected] ~]$ lab review-deploy grade  # this environment grades with a script