010.OpenShift綜合實驗及應用

木二發表於2020-06-23

實驗一 安裝OpenShift

1.1 前置準備

[student@workstation ~]$ lab review-install setup

1.2 配置規劃

OpenShift叢集有三個節點:

  • master.lab.example.com:OpenShift master節點,是一個不可排程pod的節點。
  • node1.lab.example.com:一個OpenShift節點,它可以同時執行應用程式和基礎設施pod。
  • node2.lab.example.com:另一個OpenShift節點,它可以同時執行應用程式和基礎設施pod。

所有節點都使用帶有overlay2驅動程式的OverlayFS來儲存Docker,每個節點中的第二個磁碟(vdb)保留給Docker儲存。

所有節點都將使用基於rpm的安裝,使用release v3.9和OpenShift image tag version v3.9.14。

路由的預設域是apps.lab.example.com。Classroom DNS伺服器已經配置為將此域中的所有主機名解析為node1.lab.example.com。

OpenShift叢集使用的所有容器image都儲存在registry.lab.example.com提供的私有倉庫中。

使用兩個基於HTPasswd身份驗證的初始使用者:developer和admin,起密碼都是redhat,developer作為普通使用者,admin作為叢集管理員。

services.lab.example.com中的NFS卷作為OpenShift內部倉庫的持久儲存支援。

services.lab.example.com也為叢集儲存提供NFS服務。

etcd也部署在master節點上,同時儲存使用services.lab.example.com主機提供的NFS共享儲存。

叢集必須與Internet斷開連線,即使用離線包形式。

內部OpenShift倉庫應該由NFS持久儲存支援,儲存位於services.lab.example.com。

master API和控制檯將在埠443上執行。

安裝OpenShift所需的RPM包由已經在所有主機上使用Yum配置檔案定義完成。

/home/student/DO280/labs/review-install資料夾為OpenShift叢集的安裝提供了一個部分完成的Ansible目錄檔案。這個資料夾中包含了執行安裝前和安裝後步驟所需的Ansible playbook。

測試應用程式由Git伺服器http://services.lab.example.com/phphelloworld提供。這是一個簡單的“hello, world”應用程式。可以使用Source-to-Image來部署這個應用程式,以驗證OpenShift叢集是否已部署成功。

1.3 確認Ansible

  1 [student@workstation ~]$ cd /home/student/DO280/labs/review-install/
  2 [student@workstation review-install]$ sudo yum -y install ansible
  3 [student@workstation review-install]$ ansible --version
  4 [student@workstation review-install]$ cat ansible.cfg
  5 [defaults]
  6 remote_user = student
  7 inventory = ./inventory
  8 log_path = ./ansible.log
  9 
 10 [privilege_escalation]
 11 become = yes
 12 become_user = root
 13 become_method = sudo

1.4 檢查Inventory

  1 [student@workstation review-install]$ cp inventory.preinstall inventory		#此為準備工作的Inventory
  2 [student@workstation review-install]$ cat inventory
  3 [workstations]
  4 workstation.lab.example.com
  5 
  6 [nfs]
  7 services.lab.example.com
  8 
  9 [masters]
 10 master.lab.example.com
 11 
 12 [etcd]
 13 master.lab.example.com
 14 
 15 [nodes]
 16 master.lab.example.com
 17 node1.lab.example.com
 18 node2.lab.example.com
 19 
 20 [OSEv3:children]
 21 masters
 22 etcd
 23 nodes
 24 nfs
 25 
 26 #Variables needed by the prepare_install.yml playbook.
 27 [nodes:vars]
 28 registry_local=registry.lab.example.com
 29 use_overlay2_driver=true
 30 insecure_registry=false
 31 run_docker_offline=true
 32 docker_storage_device=/dev/vdb

提示:

Inventory定義了六個主機組:

  • nfs:為叢集儲存提供nfs服務的環境中的vm;
  • masters:OpenShift叢集中用作master角色的節點;
  • etcd:用於OpenShift叢集的etcd服務的節點,本環境中使用master節點;
  • node:OpenShift叢集中的node節點;
  • OSEv3:組成OpenShift叢集的所有接待,包括master、etcd、node或nfs組中的節點。

注意:預設情況下,docker使用線上倉庫下載容器映像。本環境內部無網路,因此將docker倉庫配置為內部私有倉庫。在yml中使用變數引入倉庫配置。

此外,安裝會在每個主機上配置docker守護程式,以使用overlay2 image驅動程式儲存容器映像。Docker支援許多不同的image驅動。如AUFS、Btrfs、Device mapper、OverlayFS。

1.5 確認節點

  1 [student@workstation review-install]$ cat ping.yml
  2 ---
  3 - name: Verify Connectivity
  4   hosts: all
  5   gather_facts: no
  6   tasks:
  7     - name: "Test connectivity to machines."
  8       shell: "whoami"
  9       changed_when: false
 10 [student@workstation review-install]$ ansible-playbook -v ping.yml

clipboard

1.6 準備工作

  1 [student@workstation review-install]$ cat prepare_install.yml
  2 ---
  3 - name: "Host Preparation: Docker tasks"
  4   hosts: nodes
  5   roles:
  6     - docker-storage
  7     - docker-registry-cert
  8     - openshift-node
  9 
 10   #Tasks below were not handled by the roles above.
 11   tasks:
 12     - name: Student Account - Docker Access
 13       user:
 14         name: student
 15         groups: docker
 16         append: yes
 17 
 18 ...
 19 [student@workstation review-install]$ ansible-playbook prepare_install.yml

clipboard

提示:如上yml引入了三個role,具體role內容參考《002.OpenShift安裝與部署》2.5步驟。

1.7 確認驗證

  1 [student@workstation review-install]$ ssh node1 'docker pull rhel7:latest' #驗證是否可以正常pull image

clipboard

1.8 檢查Inventory

  1 [student@workstation review-install]$ cp inventory.partial inventory		#此為正常安裝的完整Inventory
  2 [student@workstation review-install]$ cat inventory
  3 [workstations]
  4 workstation.lab.example.com
  5 
  6 [nfs]
  7 services.lab.example.com
  8 
  9 [masters]
 10 master.lab.example.com
 11 
 12 [etcd]
 13 master.lab.example.com
 14 
 15 [nodes]
 16 master.lab.example.com
 17 node1.lab.example.com openshift_node_labels="{'region':'infra', 'node-role.kubernetes.io/compute':'true'}"
 18 node2.lab.example.com openshift_node_labels="{'region':'infra', 'node-role.kubernetes.io/compute':'true'}"
 19 
 20 [OSEv3:children]
 21 masters
 22 etcd
 23 nodes
 24 nfs
 25 
 26 #Variables needed by the prepare_install.yml playbook.
 27 [nodes:vars]
 28 registry_local=registry.lab.example.com
 29 use_overlay2_driver=true
 30 insecure_registry=false
 31 run_docker_offline=true
 32 docker_storage_device=/dev/vdb
 33 
 34 
 35 [OSEv3:vars]
 36 #General Variables
 37 openshift_disable_check=disk_availability,docker_storage,memory_availability
 38 openshift_deployment_type=openshift-enterprise
 39 openshift_release=v3.9
 40 openshift_image_tag=v3.9.14
 41 
 42 #OpenShift Networking Variables
 43 os_firewall_use_firewalld=true
 44 openshift_master_api_port=443
 45 openshift_master_console_port=443
 46 #default subdomain
 47 openshift_master_default_subdomain=apps.lab.example.com
 48 
 49 #Cluster Authentication Variables
 50 openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
 51 openshift_master_htpasswd_users={'admin': '$apr1$4ZbKL26l$3eKL/6AQM8O94lRwTAu611', 'developer': '$apr1$4ZbKL26l$3eKL/6AQM8O94lRwTAu611'}
 52 
 53 #Need to enable NFS
 54 openshift_enable_unsupported_configurations=true
 55 #Registry Configuration Variables
 56 openshift_hosted_registry_storage_kind=nfs
 57 openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
 58 openshift_hosted_registry_storage_nfs_directory=/exports
 59 openshift_hosted_registry_storage_nfs_options='*(rw,root_squash)'
 60 openshift_hosted_registry_storage_volume_name=registry
 61 openshift_hosted_registry_storage_volume_size=40Gi
 62 
 63 #etcd Configuration Variables
 64 openshift_hosted_etcd_storage_kind=nfs
 65 openshift_hosted_etcd_storage_nfs_options="*(rw,root_squash,sync,no_wdelay)"
 66 openshift_hosted_etcd_storage_nfs_directory=/exports
 67 openshift_hosted_etcd_storage_volume_name=etcd-vol2
 68 openshift_hosted_etcd_storage_access_modes=["ReadWriteOnce"]
 69 openshift_hosted_etcd_storage_volume_size=1G
 70 openshift_hosted_etcd_storage_labels={'storage': 'etcd'}
 71 
 72 #Modifications Needed for a Disconnected Install
 73 oreg_url=registry.lab.example.com/openshift3/ose-${component}:${version}
 74 openshift_examples_modify_imagestreams=true
 75 openshift_docker_additional_registries=registry.lab.example.com
 76 openshift_docker_blocked_registries=registry.access.redhat.com,docker.io
 77 openshift_web_console_prefix=registry.lab.example.com/openshift3/ose-
 78 openshift_cockpit_deployer_prefix='registry.lab.example.com/openshift3/'
 79 openshift_service_catalog_image_prefix=registry.lab.example.com/openshift3/ose-
 80 template_service_broker_prefix=registry.lab.example.com/openshift3/ose-
 81 ansible_service_broker_image_prefix=registry.lab.example.com/openshift3/ose-
 82 ansible_service_broker_etcd_image_prefix=registry.lab.example.com/rhel7/
 83 [student@workstation review-install]$ lab review-install verify		#本環境使用指令碼驗證

1.9 安裝OpenShift Ansible playbook

  1 [student@workstation review-install]$ rpm -qa | grep atomic-openshift-utils
  2 [student@workstation review-install]$ sudo yum -y install atomic-openshift-utils

1.10 Ansible安裝OpenShift

  1 [student@workstation review-install]$ ansible-playbook \
  2 /usr/share/ansible/openshift-ansible/playbooks/prerequisites.yml

clipboard

  1 [student@workstation review-install]$ ansible-playbook \
  2 /usr/share/ansible/openshift-ansible/playbooks/deploy_cluster.yml

clipboard

1.11 確認驗證

通過web控制檯使用developer使用者訪問https://master.lab.example.com,驗證叢集已成功配置。

clipboard

1.12 授權

  1 [student@workstation review-install]$ ssh root@master
  2 [root@master ~]# oc whoami
  3 system:admin
  4 [root@master ~]# oc adm policy add-cluster-role-to-user cluster-admin admin

提示:master節點的root使用者,預設為叢集管理員。

1.13 登入測試

  1 [student@workstation ~]$ oc login -u admin -p redhat \
  2 https://master.lab.example.com
  3 [student@workstation ~]$ oc get nodes			#驗證節點情況

clipboard

1.14 驗證pod

  1 [student@workstation ~]$ oc get pods -n default #檢視內部pod

clipboard

1.15 測試S2I

  1 [student@workstation ~]$ oc login -u developer -p redhat \
  2 https://master.lab.example.com
  3 [student@workstation ~]$ oc new-project test-s2i	#建立專案
  4 [student@workstation ~]$ oc new-app --name=hello \
  5 php:5.6~http://services.lab.example.com/php-helloworld

1.16 測試服務

  1 [student@workstation ~]$ oc get pods			#檢視部署情況
  2 NAME            READY     STATUS    RESTARTS   AGE
  3 hello-1-build   1/1       Running   0          39s
  4 [student@workstation ~]$ oc expose svc hello		#暴露服務
  5 [student@workstation ~]$ curl hello-test-s2i.apps.lab.example.com	#測試訪問
  6 Hello, World! php version is 5.6.25

1.17 實驗判斷

  1 [student@workstation ~]$ lab review-install grade #本環境使用指令碼判斷
  2 [student@workstation ~]$ oc delete project test-s2i #刪除測試專案

實驗二 部署一個應用

2.1 前置準備

  1 [student@workstation ~]$ lab review-deploy setup

2.2 應用規劃

部署一個TODO LIST應用,包含以下三個容器:

一個MySQL資料庫容器,它在TODO列表中儲存關於任務的資料。

一個Apache httpd web伺服器前端容器(todoui),它具有應用程式的靜態HTML、CSS和Javascript。

基於Node.js的API後端容器(todoapi),將RESTful介面公開給前端容器。todoapi容器連線到MySQL資料庫容器來管理應用程式中的資料

2.3 設定策略

  1 [student@workstation ~]$ oc login -u admin -p redhat https://master.lab.example.com
  2 [student@workstation ~]$ oc adm policy remove-cluster-role-from-group \
  3 self-provisioner system:authenticated system:authenticated:oauth
  4 #將專案建立限制為僅叢集管理員角色,普通使用者不能建立新專案。

2.4 建立專案

  1 [student@workstation ~]$ oc new-project todoapp
  2 [student@workstation ~]$ oc policy add-role-to-user edit developer	#授予developer使用者可訪問許可權的角色edit

2.5 設定quota

  1 [student@workstation ~]$ oc project todoapp
  2 [student@workstation ~]$ oc create quota todoapp-quota --hard=pods=1	#設定pod的quota

2.6 建立應用

  1 [student@workstation ~]$ oc login -u developer -p redhat \
  2 https://master.lab.example.com						#使用developer登入
  3 [student@workstation ~]$ oc new-app --name=hello \
  4 php:5.6~http://services.lab.example.com/php-helloworld			#建立應用
  5 [student@workstation ~]$ oc logs -f bc/hello				#檢視build log

clipboard

2.7 檢視部署

  1 [student@workstation ~]$ oc get pods
  2 NAME             READY     STATUS      RESTARTS   AGE
  3 hello-1-build    0/1       Completed   0          2m
  4 hello-1-deploy   1/1       Running     0          1m
  5 [student@workstation ~]$ oc get events
  6 ……
  7 2m          2m           7         hello.15b54ba822fc1029            DeploymentConfig
  8 Warning   FailedCreate            deployer-controller              Error creating deployer pod: pods "hello-1-deploy" is forbidden: exceeded quota: todoapp-quota, requested: pods=1, used: pods=1, limited: pods=
  9 [student@workstation ~]$ oc describe quota
 10 Name:       todoapp-quota
 11 Namespace:  todoapp
 12 Resource    Used  Hard
 13 --------    ----  ----
 14 pods        1     1

結論:由於pod的硬quota限制,導致部署失敗。

2.8 擴充套件quota

  1 [student@workstation ~]$ oc rollout cancel dc hello	#修正quota前取消dc
  2 [student@workstation ~]$ oc login -u admin -p redhat
  3 [student@workstation ~]$ oc project todoapp
  4 [student@workstation ~]$ oc patch resourcequota/todoapp-quota --patch '{"spec":{"hard":{"pods":"10"}}}'

提示:也可以使用oc edit resourcequota todoapp-quota命令修改quota配置。

  1 [student@workstation ~]$ oc login -u developer -p redhat
  2 [student@workstation ~]$ oc describe quota		#確認quota
  3 Name:       todoapp-quota
  4 Namespace:  todoapp
  5 Resource    Used  Hard
  6 --------    ----  ----
  7 pods        0     10

2.9 重新部署

  1 [student@workstation ~]$ oc rollout latest dc/hello
  2 [student@workstation ~]$ oc get pods			#確認部署成功
  3 NAME            READY     STATUS      RESTARTS   AGE
  4 hello-1-build   0/1       Completed   0          9m
  5 hello-2-qklrr   1/1       Running     0          12s
  6 [student@workstation ~]$ oc delete all -l app=hello	#刪除hello

2.10 配置NFS

  1 [kiosk@foundation0 ~]$ ssh root@services
  2 [root@services ~]# mkdir -p /var/export/dbvol
  3 [root@services ~]# chown nfsnobody:nfsnobody /var/export/dbvol
  4 [root@services ~]# chmod 700 /var/export/dbvol
  5 [root@services ~]# echo "/var/export/dbvol *(rw,async,all_squash)" > /etc/exports.d/dbvol.exports
  6 [root@services ~]# exportfs -a
  7 [root@services ~]# showmount -e

clipboard

提示:本實驗使用services上的NFS提供的共享儲存為後續實驗提供永續性儲存。

2.11 測試NFS

  1 [kiosk@foundation0 ~]$ ssh root@node1
  2 [root@node1 ~]# mount -t nfs services.lab.example.com:/var/export/dbvol /mnt
  3 [root@node1 ~]# ls -la /mnt ; mount | grep /mnt		#測試是否能正常掛載

提示:建議node2做同樣測試,測試完畢需要解除安裝,後續使用持久卷會自動進行掛載。

2.12 建立PV

  1 [student@workstation ~]$ vim /home/student/DO280/labs/review-deploy/todoapi/openshift/mysql-pv.yaml
  2 apiVersion: v1
  3 kind: PersistentVolume
  4 metadata:
  5  name: mysql-pv
  6 spec:
  7  capacity:
  8   storage: 2G
  9  accessModes:
 10   -  ReadWriteMany
 11  nfs:
 12   path: /var/export/dbvol
 13   server: services.lab.example.com
 14 [student@workstation ~]$ oc login -u admin -p redhat
 15 [student@workstation ~]$ oc create -f /home/student/DO280/labs/review-deploy/todoapi/openshift/mysql-pv.yaml
 16 [student@workstation ~]$ oc get pv

clipboard

2.13 匯入模板

  1 [student@workstation ~]$ oc apply -n openshift -f /home/student/DO280/labs/review-deploy/todoapi/openshift/nodejs-mysql-template.yaml

提示:模板檔案見附件。

2.14 使用dockerfile建立image

  1 [student@workstation ~]$ vim /home/student/DO280/labs/review-deploy/todoui/Dockerfile
  2 FROM  rhel7:7.5
  3 
  4 MAINTAINER Red Hat Training <training@redhat.com>
  5 
  6 # DocumentRoot for Apache
  7 ENV HOME /var/www/html
  8 
  9 # Need this for installing HTTPD from classroom yum repo
 10 ADD training.repo /etc/yum.repos.d/training.repo
 11 RUN yum downgrade -y krb5-libs libstdc++ libcom_err && \
 12     yum install -y --setopt=tsflags=nodocs \
 13     httpd \
 14     openssl-devel \
 15     procps-ng \
 16     which && \
 17     yum clean all -y && \
 18     rm -rf /var/cache/yum
 19 
 20 # Custom HTTPD conf file to log to stdout as well as change port to 8080
 21 COPY conf/httpd.conf /etc/httpd/conf/httpd.conf
 22 
 23 # Copy front end static assets to HTTPD DocRoot
 24 COPY src/ ${HOME}/
 25 
 26 # We run on port 8080 to avoid running container as root
 27 EXPOSE 8080
 28 
 29 # This stuff is needed to make HTTPD run on OpenShift and avoid
 30 # permissions issues
 31 RUN rm -rf /run/httpd && mkdir /run/httpd && chmod -R a+rwx /run/httpd
 32 
 33 # Run as apache user and not root
 34 USER 1001
 35 
 36 # Launch apache daemon
 37 CMD /usr/sbin/apachectl -DFOREGROUND
 38 [student@workstation ~]$ cd /home/student/DO280/labs/review-deploy/todoui/
 39 [student@workstation todoui]$ docker build -t todoapp/todoui .
 40 [student@workstation todoui]$ docker images
 41 REPOSITORY                       TAG                 IMAGE ID            CREATED             SIZE
 42 todoapp/todoui                   latest              0249e1c69e38        39 seconds ago      239 MB
 43 registry.lab.example.com/rhel7   7.5                 4bbd153adf84        12 months ago       201 MB

2.15 推送倉庫

  1 [student@workstation todoui]$ docker tag todoapp/todoui:latest \
  2 registry.lab.example.com/todoapp/todoui:latest
  3 [student@workstation todoui]$ docker push \
  4 registry.lab.example.com/todoapp/todoui:latest

提示:將從dockerfile建立的image打標,然後push至內部倉庫。

2.16 匯入IS

  1 [student@workstation todoui]$ oc whoami -c
  2 todoapp/master-lab-example-com:443/admin
  3 [student@workstation todoui]$ oc import-image todoui \
  4 --from=registry.lab.example.com/todoapp/todoui \
  5 --confirm -n todoapp					#將docker image匯入OpenShift的Image Streams
  6 [student@workstation todoui]$ oc get is -n todoapp
  7 NAME      DOCKER REPO                                       TAGS      UPDATED
  8 todoui    docker-registry.default.svc:5000/todoapp/todoui   latest    13 seconds ago
  9 [student@workstation todoui]$ oc describe is todoui -n todoapp	#檢視is

clipboard

2.17 建立應用

瀏覽器登入https://master.lab.example.com,選擇todoapp的專案。

clipboard

檢視目錄。

clipboard

語言——>JavaScript——Node.js + MySQL (Persistent)。

clipboard

參考下表建立應用:

名稱
Git Repository URL
http://services.lab.example.com/todoapi
Application Hostname
todoapi.apps.lab.example.com
MySQL Username
todoapp
MySQL Password
todoapp
Database name
todoappdb
Database Administrator Password
redhat

clipboard

create進行建立。

clipboard

Overview進行檢視。

clipboard

2.18 測試資料庫

  1 [student@workstation ~]$ oc port-forward mysql-1-6hq4d 3306:3306		#保持埠轉發
  2 [student@workstation ~]$ mysql -h127.0.0.1 -u todoapp -ptodoapp todoappdb < /home/student/DO280/labs/review-deploy/todoapi/sql/db.sql
  3 #匯入測試資料至資料庫
  4 [student@workstation ~]$ mysql -h127.0.0.1 -u todoapp -ptodoapp todoappdb -e "select id, description, case when done = 1 then 'TRUE' else 'FALSE' END as done from Item;"
  5 #檢視是否匯入成功

2.19 訪問測試

  1 [student@workstation ~]$ curl -s http://todoapi.apps.lab.example.com/todo/api/host | python -m json.tool	#curl訪問
  2 {
  3     "hostname": "todoapi-1-kxlnx",
  4     "ip": "10.128.0.12"
  5 }
  6 [student@workstation ~]$ curl -s http://todoapi.apps.lab.example.com/todo/api/items | python -m json.tool	#curl訪問

clipboard

2.20 建立應用

  1 [student@workstation ~]$ oc new-app --name=todoui -i todoui	#使用todoui is建立應用
  2 [student@workstation ~]$ oc get pods
  3 NAME              READY     STATUS      RESTARTS   AGE
  4 mysql-1-6hq4d     1/1       Running     0          9m
  5 todoapi-1-build   0/1       Completed   0          9m
  6 todoapi-1-kxlnx   1/1       Running     0          8m
  7 todoui-1-wwg28    1/1       Running     0          32s

2.21 暴露服務

  1 [student@workstation ~]$ oc expose svc todoui --hostname=todo.apps.lab.example.com

瀏覽器訪問:http://todo.apps.lab.example.com

clipboard

2.22 實驗判斷

  1 [student@workstation ~]$ lab review-deploy grade #本環境使用指令碼判斷

相關文章