
01. Prerequisites


A. Architecture Definition

Before installing OpenShift, first decide which architecture the cluster will have.

For example:

  1. Whether the environment has Internet access or not (most important)
  2. Building a private Docker Hub (registry)
  3. Building a Yum repository
  4. Building a Git Hub (repository)
  5. DNS configuration
  6. Whether to run three masters (master HA)
  7. Whether to separate etcd from the masters
  8. Whether to separate service nodes from infra nodes
  9. Definition of zones and regions
  10. Service domain name (FQDN)
  11. Installation on IaaS, etc.

These and other factors must be planned before the installation starts.

This manual will proceed with the following configuration:

  • Disconnected environment (no Internet access)
  • Yum repository built locally
  • Three masters (master HA)
  • Embedded etcd
  • 4 nodes (service/infra combined) - not enough servers...
  • Separate DNS server
  • Docker Hub / Git Hub built locally
  • A Maven repository is needed but is left out of this build

Below is an example built on nine servers.

| Host | IP | Role (OpenShift) | Region | Docker Network | Open vSwitch Network | Service | Notes |
|---|---|---|---|---|---|---|---|
| ocpmaster1.ocp.com | 10.1.25.12 | Master, etcd | infra | 172.30.0.0/16 | 192.168.0.0/16 | | |
| ocpmaster2.ocp.com | 10.1.25.13 | Master, etcd | infra | 172.30.0.0/16 | 192.168.0.0/16 | | |
| ocpmaster3.ocp.com | 10.1.25.14 | Master, etcd | infra | 172.30.0.0/16 | 192.168.0.0/16 | | |
| ocpnode1.ocp.com | 10.1.25.15 | Infra/service node | primary | 172.30.0.0/16 | 192.168.0.0/16 | | |
| ocpnode2.ocp.com | 10.1.25.16 | Infra/service node | primary | 172.30.0.0/16 | 192.168.0.0/16 | | |
| ocpnode3.ocp.com | 10.1.25.17 | Infra/service node | primary | 172.30.0.0/16 | 192.168.0.0/16 | | |
| ocpnode4.ocp.com | 10.1.25.18 | Infra/service node | primary | 172.30.0.0/16 | 192.168.0.0/16 | | Additional node |
| ocpmgmt.ocp.com | 10.1.25.11 | HA-Proxy | infra | 172.30.0.0/16 | 192.168.0.0/16 | | |
| ocpdns.ocp.com | 10.1.25.10 | DNS, deployment (installation), Docker Repository | | | | | |






B. System Requirements

Masters

  • Physical or virtual system, or an instance running on a public or private IaaS
  • Base OS: RHEL 7.1 or later with "Minimal" installation option, or RHEL Atomic Host 7.2.6 or later
  • 2 vCPU
  • Minimum 16 GB RAM
  • Minimum 40 GB hard disk space for the file system containing /var/

Nodes

  • Physical or virtual system, or an instance running on a public or private IaaS
  • Base OS: RHEL 7.1 or later with "Minimal" installation option, or RHEL Atomic Host 7.2.6 or later
  • NetworkManager 1.0 or later
  • 1 vCPU
  • Minimum 8 GB RAM
  • Minimum 15 GB hard disk space for the file system containing /var/
  • An additional minimum 15 GB unallocated space to be used for Docker's storage backend

External etcd Nodes

  • Minimum 20 GB hard disk space for etcd data



C. Sizing Reference

| Host | Sizing Recommendation |
|---|---|
| Maximum nodes per cluster | 1000 |
| Maximum pods per cluster | 120000 |
| Maximum pods per node | 250 |
| Maximum pods per core | 10 |


D. Required Ports

Table 1. Node to Node

| Port | Protocol | Description |
|---|---|---|
| 4789 | UDP | Required for SDN communication between pods on separate hosts. |

Table 2. Nodes to Master

| Port | Protocol | Description |
|---|---|---|
| 53 or 8053 | TCP/UDP | Required for DNS resolution of cluster services (SkyDNS). Installations prior to 3.2 or environments upgraded to 3.2 use port 53. New installations will use 8053 by default so that dnsmasq may be configured. |
| 4789 | UDP | Required for SDN communication between pods on separate hosts. |
| 443 or 8443 | TCP | Required for node hosts to communicate to the master API, for the node hosts to post back status, to receive tasks, and so on. |

Table 3. Master to Node

| Port | Protocol | Description |
|---|---|---|
| 4789 | UDP | Required for SDN communication between pods on separate hosts. |
| 10250 | TCP | The master proxies to node hosts via the Kubelet for oc commands. |


In the following table, (L) indicates the marked port is also used in loopback mode, enabling the master to communicate with itself.

In a single-master cluster:

  • Ports marked with (L) must be open.

  • Ports not marked with (L) need not be open.

In a multiple-master cluster, all the listed ports must be open.


Table 4. Master to Master

| Port | Protocol | Description |
|---|---|---|
| 53 (L) or 8053 (L) | TCP/UDP | Required for DNS resolution of cluster services (SkyDNS). Installations prior to 3.2 or environments upgraded to 3.2 use port 53. New installations will use 8053 by default so that dnsmasq may be configured. |
| 2049 (L) | TCP/UDP | Required when provisioning an NFS host as part of the installer. |
| 2379 | TCP | Used for standalone etcd (clustered) to accept changes in state. |
| 2380 | TCP | etcd requires this port be open between masters for leader election and peering connections when using standalone etcd (clustered). |
| 4001 (L) | TCP | Used for embedded etcd (non-clustered) to accept changes in state. |
| 4789 (L) | UDP | Required for SDN communication between pods on separate hosts. |

Table 5. External to Load Balancer

| Port | Protocol | Description |
|---|---|---|
| 9000 | TCP | If you choose the native HA method, optional to allow access to the HAProxy statistics page. |

Table 6. External to Master

| Port | Protocol | Description |
|---|---|---|
| 443 or 8443 | TCP | Required for node hosts to communicate to the master API, for node hosts to post back status, to receive tasks, and so on. |

Table 7. IaaS Deployments

| Port | Protocol | Description |
|---|---|---|
| 22 | TCP | Required for SSH by the installer or system administrator. |
| 53 or 8053 | TCP/UDP | Required for DNS resolution of cluster services (SkyDNS). Installations prior to 3.2 or environments upgraded to 3.2 use port 53. New installations will use 8053 by default so that dnsmasq may be configured. Only required to be internally open on master hosts. |
| 80 or 443 | TCP | For HTTP/HTTPS use for the router. Required to be externally open on node hosts, especially on nodes running the router. |
| 1936 | TCP | For router statistics use. Required to be open when running the template router to access statistics, and can be open externally or internally to connections depending on if you want the statistics to be expressed publicly. |
| 4001 | TCP | For embedded etcd (non-clustered) use. Only required to be internally open on the master host. 4001 is for server-client connections. |
| 2379 and 2380 | TCP | For standalone etcd use. Only required to be internally open on the master host. 2379 is for server-client connections. 2380 is for server-server connections, and is only required if you have clustered etcd. |
| 4789 | UDP | For VxLAN use (OpenShift Container Platform SDN). Required only internally on node hosts. |
| 8443 | TCP | For use by the OpenShift Container Platform web console, shared with the API server. |
| 10250 | TCP | For use by the Kubelet. Required to be externally open on nodes. |
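To turn the port tables above into something that can be checked per host, here is an added Python example (not part of the original post) that encodes the rules from Tables 1 to 7, applies the single-master versus multi-master rule for the ports marked (L), and renders the result as firewalld commands. The 53/8053 and 443/8443 choices, embedded versus standalone etcd, and whether the installer provisions an NFS host are parameters; the defaults (8053, 8443, embedded etcd, three masters) follow this manual's plan. The firewall-cmd lines are produced as strings only, and that the hosts use firewalld is an assumption of the example.

```python
"""Required inbound ports per OpenShift host role, derived from the port tables.

Added example, not from the original post.  Port numbers and their meaning
come from Tables 1-7; the role names, parameters and firewalld rendering are
assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str             # "tcp" or "udp"
    loopback: bool = False  # marked (L) in Table 4
    note: str = ""


def master_to_master_rules(dns_port=8053, standalone_etcd=False, nfs_host=False):
    """Table 4 rules that apply to this cluster's DNS, etcd and NFS choices."""
    rules = {
        PortRule(dns_port, "tcp", True, "SkyDNS"),
        PortRule(dns_port, "udp", True, "SkyDNS"),
        PortRule(4789, "udp", True, "SDN VXLAN"),
    }
    if nfs_host:  # only when the installer provisions an NFS host
        rules |= {PortRule(2049, "tcp", True, "NFS"), PortRule(2049, "udp", True, "NFS")}
    if standalone_etcd:  # clustered etcd: client and peer ports, neither is (L)
        rules |= {PortRule(2379, "tcp", False, "etcd client"),
                  PortRule(2380, "tcp", False, "etcd peer")}
    else:  # embedded etcd (this manual's plan)
        rules.add(PortRule(4001, "tcp", True, "embedded etcd"))
    return rules


def master_inbound(multi_master, dns_port=8053, api_port=8443,
                   standalone_etcd=False, nfs_host=False):
    """Set of (port, proto) a master host must accept."""
    # Table 2 / Table 6: traffic from node hosts and external clients
    ports = {(dns_port, "tcp"), (dns_port, "udp"), (4789, "udp"), (api_port, "tcp")}
    for rule in master_to_master_rules(dns_port, standalone_etcd, nfs_host):
        # Single-master cluster: only (L) ports must be open.
        # Multi-master cluster: every port in Table 4 must be open.
        if multi_master or rule.loopback:
            ports.add((rule.port, rule.proto))
    return ports


def node_inbound(runs_router=False, router_stats=False):
    """Set of (port, proto) a node host must accept (Tables 1, 3 and 7)."""
    ports = {(4789, "udp"), (10250, "tcp")}
    if runs_router:
        ports |= {(80, "tcp"), (443, "tcp")}
        if router_stats:
            ports.add((1936, "tcp"))
    return ports


def firewall_cmds(ports):
    """Render firewalld commands, one --add-port per (port, proto), then a reload."""
    cmds = [f"firewall-cmd --permanent --add-port={port}/{proto}"
            for port, proto in sorted(ports)]
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    # This manual's topology: three masters, embedded etcd, combined infra/service nodes
    for role, ports in (("master", master_inbound(multi_master=True)),
                        ("node (runs router)", node_inbound(runs_router=True))):
        print(f"# {role}")
        print("\n".join(firewall_cmds(ports)))
```

Running the block prints the command list for a master and for a node that runs the router. The (L) filter is what makes a single-master cluster's list shorter: with standalone etcd, 2379 and 2380 appear only when `multi_master=True`, exactly as the note before Table 4 states.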




E. SELinux

Security-Enhanced Linux (SELinux) must be enabled before installing OpenShift.

Check the following entries in /etc/selinux/config:

    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - No SELinux policy is loaded.
    SELINUX=enforcing
    # SELINUXTYPE= can take one of these three values:
    #     targeted - Targeted processes are protected,
    #     minimum - Modification of targeted policy. Only selected
    #     processes are protected.
    #     mls - Multi Level Security protection.
    SELINUXTYPE=targeted
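As an added example (not from the original post), the following Python script checks this prerequisite from two sides: it parses /etc/selinux/config for SELINUX and SELINUXTYPE, and compares the configured mode with the running mode reported by getenforce, because a host whose file already says enforcing but which still runs permissive or disabled (no reboot or setenforce since the edit) is not actually enforcing. The sample config texts are constructed for the example; the check function and its messages are the example's own.

```python
"""Verify the SELinux prerequisite: SELINUX=enforcing, SELINUXTYPE=targeted,
and a running mode of Enforcing.  Added example, not from the original post.
"""
import re
import subprocess

# Sample /etc/selinux/config contents, constructed for this example
CONFIG_OK = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
SELINUXTYPE=targeted
"""
CONFIG_PERMISSIVE = "SELINUX = permissive\nSELINUXTYPE=targeted\n"
CONFIG_MISSING = "# SELINUX=enforcing\nSELINUXTYPE=mls\n"

# KEY=value with optional whitespace; the value stops at whitespace or '#'
_ASSIGN = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*([^\s#]+)")


def parse_selinux_config(text):
    """Key/value pairs from an /etc/selinux/config body.

    Comment lines and blank lines are skipped (so a commented-out
    'SELINUX=enforcing' does not count); a key given twice keeps its last value.
    """
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = _ASSIGN.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def check_selinux(config_text, runtime_mode):
    """Return a list of findings; an empty list means the host meets the prerequisite.

    runtime_mode is what `getenforce` prints: Enforcing, Permissive or Disabled.
    """
    cfg = parse_selinux_config(config_text)
    findings = []

    mode = cfg.get("SELINUX")
    if mode is None:
        findings.append("SELINUX is not set in the config file")
    elif mode != "enforcing":
        findings.append(f"config has SELINUX={mode}, required: enforcing")

    stype = cfg.get("SELINUXTYPE")
    if stype != "targeted":
        findings.append(f"config has SELINUXTYPE={stype}, expected: targeted")

    running = runtime_mode.strip()
    if running.lower() != "enforcing":
        findings.append(f"running mode is {running}, required: Enforcing")
        if mode == "enforcing":
            # File already fixed but not in effect: 'setenforce 1' from
            # permissive, a reboot when coming from disabled
            findings.append("config says enforcing but it is not in effect yet")
    return findings


if __name__ == "__main__":
    try:
        with open("/etc/selinux/config") as fh:
            config_text = fh.read()
        current = subprocess.run(["getenforce"], capture_output=True,
                                 text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"cannot read SELinux state: {exc}")
    problems = check_selinux(config_text, current)
    print("OK: SELinux enforcing, targeted policy" if not problems else "\n".join(problems))
```

Run it on each host before starting the installer; the two-finding case for a correct file with a Permissive runtime is the one most often hit after editing the file without rebooting.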


