
Fedora CoreOS installation and deployment in detail

author:Prose thinks with the wind

OpenShift 4.x HOL Tutorial Summary

https://blog.csdn.net/lggirls/article/details/105421823

https://blog.csdn.net/weixin_43902588/article/details/104830588

OpenShift and CoreOS

Red Hat Enterprise Linux CoreOS (RHCOS) is the Linux operating system used by OpenShift 4 (Red Hat's RHEL can also be used as the underlying operating system on worker nodes, but most users use RHCOS). Fedora CoreOS (FCOS) is the community edition of RHCOS. FCOS/RHCOS is a next-generation container operating system launched by Red Hat after the acquisition of CoreOS. It combines the advantages of CoreOS Container Linux and Fedora Atomic Host, with the goal of providing the best container host for running containerized workloads securely and at scale. FCOS/RHCOS integrates Ignition with technologies such as rpm-ostree to form an auto-updating, minimal, monolithic operating system optimized for running containers and Kubernetes. Because they are more in line with the "Immutable Infrastructure" philosophy, they are the underlying operating system Red Hat recommends for OpenShift 4.


The OpenShift 4 installation process automatically installs the commercial version of CoreOS, Red Hat Enterprise Linux CoreOS (RHCOS). According to OpenShift's documentation, RHCOS cannot be installed standalone; it must run with OpenShift 4 (so RHCOS does not have a separate subscription). Fortunately, there is also a community version, Fedora CoreOS (FCOS), which can be run independently and is completely free to use. Because Fedora CoreOS can be installed and run without OpenShift, setting up the environment is simple and efficient, so this series uses Fedora CoreOS as the research environment; the related operations can mostly be carried over to a commercial RHCOS environment.

The installation and configuration process for RHCOS/FCOS differs slightly from that of RHEL. The network, storage, kernel, user and other settings are initialized through the Ignition configuration file when RHCOS is installed.

Description of the installation environment

Fedora CoreOS can run in a variety of IaaS environments. This article uses virtualization software to simulate a bare-metal environment; for other installation environments, refer to the Fedora CoreOS documentation. Also make sure that the virtual machine can obtain an IP address via DHCP.

Download Fedora CoreOS media

Installing Fedora CoreOS requires downloading 2 files: CoreOS ISO and FCCT (Fedora CoreOS Config Transpiler), where the Fedora CoreOS ISO file is used to boot the operating system, and the Ignition file generated by the FCCT tool is used to provide Fedora CoreOS system boot parameters.

Note: The operations in this section can be performed on any host that can access the Internet; if it is a Windows host, you need to enable its SSH service. The following uses "192.168.1.201" as the IP address of that host; replace "192.168.1.201" with the IP address in your own environment.

3.1 Download the Fedora CoreOS ISO file

Open the https://getfedora.org/en/coreos/download?tab=metal_virtualized&stream=stable page of the Fedora website and download the ISO file under "Bare Metal". The ISO version downloaded for this article is "fedora-coreos-38.20230819.3.0-live.x86_64.iso".


3.2 Download the FCCT (Fedora CoreOS Config Transpiler) file

Open the https://github.com/coreos/butane/releases page, download the "butane-aarch64-unknown-linux-gnu" file, and save it as fcct. This tool converts configuration files in YAML format into Ignition files in JSON format.


Install Fedora CoreOS

4.1 Prepare the Ignition file

  1. Run the following command, then enter the password at the "Password:" prompt (the password used in this article is "password"). The command returns the hashed password string.
$ openssl passwd -1 -salt yoursalt
Password:
$1$yoursalt$7/tmQXmlhL0pYfN/fyBZS1
           
  2. Execute the command to generate a key pair. After execution, the public key id_rsa.pub and private key id_rsa are generated in the current directory.
$ ssh-keygen -N '' -f ./id_rsa
Generating public/private rsa key pair.
Your identification has been saved in ./ssh-key/id_rsa.
Your public key has been saved in ./ssh-key/id_rsa.pub.
The key fingerprint is:
SHA256:YvrEIpVUwTbJAXZcB+KJEhPPQGIu4XOwWB696Z90sJE root@node1
The key's randomart image is:
+---[RSA 2048]----+
|o+Ooo=*=o..      |
|==oO.=Bo .       |
|o=o.=+oo         |
|. ooo.E          |
|   .o o+S        |
|   ..+o..        |
|  . oooo         |
|   . +o          |
|      .          |
+----[SHA256]-----+
           
  3. View the id_rsa.pub public key.
$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIBxVOCdtNHBgbEVQseDdRonC/OlP5qm7MoKeuwYFjvg6UKXl8MTplQ4ErV1r994XnkErRBzlxsPdn/s7/alJ8CJ3Po39QDMlJvvy/nG3Vak/naxc6hXwL4to1oJrMhyp7YsY2EzPke+b1FyWD6NZ27mhJnCmNhw4pND6QxfZulVCnlolg9BeTSuXaIRrgLnjdSU+9ojTz6BMVo5MWY+xXRNrydlI4rx19tnd0c62SwQnvjO8i+hCXzNAkwGb8J5KDLs7jYZhjOW4IyHa95NdgWlRDcVICQSbA0makjJyIFK9KDzaTYM0MvCpSkMXo9uTFKwPiKfhBrKw9n8nBegXN root@node1
           
  4. Create a config.fcc file with the following contents. The username is core; replace the values of "password_hash" and "ssh_authorized_keys" with the password hash and public key strings generated in the previous steps. Note that remote login to CoreOS requires the SSH key, while login at the CoreOS console can use the username and password directly.
variant: fcos
version: 1.1.0
passwd:
  users:
    - name: core
      password_hash: "$1$yoursalt$7/tmQXmlhL0pYfN/fyBZS1"
      ssh_authorized_keys:
        - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIBxVOCdtNHBgbEVQseDdRonC/OlP5qm7MoKeuwYFjvg6UKXl8MTplQ4ErV1r994XnkErRBzlxsPdn/s7/alJ8CJ3Po39QDMlJvvy/nG3Vak/naxc6hXwL4to1oJrMhyp7YsY2EzPke+b1FyWD6NZ27mhJnCmNhw4pND6QxfZulVCnlolg9BeTSuXaIRrgLnjdSU+9ojTz6BMVo5MWY+xXRNrydlI4rx19tnd0c62SwQnvjO8i+hCXzNAkwGb8J5KDLs7jYZhjOW4IyHa95NdgWlRDcVICQSbA0makjJyIFK9KDzaTYM0MvCpSkMXo9uTFKwPiKfhBrKw9n8nBegXN root@node1"
           
  5. Execute the command to convert config.fcc to config.ign using fcct.
$ fcct config.fcc -o config.ign
$ more config.ign
{
  "ignition": {
    "version": "3.1.0"
  },
  "passwd": {
    "users": [
      {
        "name": "core",
        "passwordHash": "$1$yoursalt$7/tmQXmlhL0pYfN/fyBZS1",
        "sshAuthorizedKeys": [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIBxVOCdtNHBgbEVQseDdRonC/OlP5qm7MoKeuwYFjvg6UKXl8MTplQ4ErV1r994XnkErRBzlxsPdn/s7/alJ8CJ3Po39QDMlJvvy/nG3Vak/naxc6hXwL4to1oJrMhyp7YsY2EzPke+b1FyWD6NZ27mhJnCmNhw4pND6QxfZulVCnlolg9BeTSuXaIRrgLnjdSU+9ojTz6BMVo5MWY+xXRNrydlI4rx19tnd0c62SwQnvjO8i+hCXzNAkwGb8J5KDLs7jYZhjOW4IyHa95NdgWlRDcVICQSbA0makjJyIFK9KDzaTYM0MvCpSkMXo9uTFKwPiKfhBrKw9n8nBegXN root@node1"
        ]
      }
    ]
  }
}
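Before config.ign is used for an install, its credential settings can be checked mechanically. The script below is an added example, not part of the original article: it reads passwd.users from an Ignition config, names the crypt(3) scheme of each passwordHash, and parses each ssh-rsa entry to get the modulus size. The 3072-bit threshold is an assumed local policy, and the sample key is constructed (a placeholder modulus, not a usable key).

```python
import base64, json

SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
MIN_RSA_BITS = 3072  # assumed local policy (current ssh-keygen RSA default)

def crypt_scheme(password_hash):
    """Name the crypt(3) scheme of a $id$...$hash string ('1' is `openssl passwd -1`)."""
    parts = password_hash.split("$")
    return SCHEMES.get(parts[1], "unknown") if len(parts) >= 4 and not parts[0] else "unknown"

def rsa_bits(authorized_key):
    """Modulus bits of an ssh-rsa entry; None for other types, 0 if unparseable."""
    kind, _, rest = authorized_key.partition(" ")
    if kind != "ssh-rsa":
        return None
    try:
        blob, fields = base64.b64decode(rest.split()[0]), []
        while blob:  # length-prefixed fields: key type, exponent, modulus
            size = int.from_bytes(blob[:4], "big")
            fields.append(blob[4:4 + size])
            blob = blob[4 + size:]
        _kind, _exponent, modulus = fields
        return int.from_bytes(modulus, "big").bit_length()
    except (ValueError, IndexError):
        return 0

def audit(ignition_json):
    """List weak credential settings under passwd.users of an Ignition config."""
    findings = []
    for user in json.loads(ignition_json).get("passwd", {}).get("users", []):
        scheme = crypt_scheme(user["passwordHash"]) if "passwordHash" in user else None
        if scheme in ("md5crypt", "unknown"):
            findings.append(f"{user['name']}: {scheme} password hash")
        for bits in map(rsa_bits, user.get("sshAuthorizedKeys", [])):
            if bits is not None and bits < MIN_RSA_BITS:
                findings.append(f"{user['name']}: {bits}-bit RSA key")
    return findings

def sample_key(bits):
    """Constructed ssh-rsa entry whose modulus is a placeholder, not a real key."""
    field = lambda b: len(b).to_bytes(4, "big") + b
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed"

# Constructed input shaped like the article's config.ign, reusing its password hash.
SAMPLE = json.dumps({"ignition": {"version": "3.1.0"}, "passwd": {"users": [{
    "name": "core", "passwordHash": "$1$yoursalt$7/tmQXmlhL0pYfN/fyBZS1",
    "sshAuthorizedKeys": [sample_key(2048)]}]}})
```

Calling audit() on the text of a real config.ign returns the same kind of findings list; an empty list means neither check fired.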
           

4.2 Install and access Fedora CoreOS

  1. Create a virtual machine called Fedora-CoreOS. Use the previously downloaded Fedora CoreOS ISO file - "fedora-coreos-32.20200907.3.0-live.x86_64.iso" - as the boot disk, then set the boot order of the system to hard disk first, and finally use a Bridge-type network.
  2. Start the virtual machine. After startup completes, the virtual machine console stops at the screen shown in the following screenshot. Note: the part shown in red indicates that the Ignition file was not found. The screenshot also shows that when the stock CoreOS ISO is first booted, it runs in memory. At this point, we need to provide the Ignition file so that CoreOS can complete the installation.
  3. Run the following command in the CoreOS virtual machine console to copy the previously generated config.ign file from the external host to the current directory of the CoreOS virtual machine (replace <USER> with your account on that host):
[core@bogon ~]$ scp <USER>@192.168.1.201:/root/config.ign ./
           
  4. Run the following command in the CoreOS virtual machine console to install CoreOS to the "/dev/sda" hard disk according to the "config.ign" file (you can use the "fdisk -l" command to confirm that "/dev/sda" exists on the system).
[core@bogon ~]$ sudo coreos-installer install /dev/sda --ignition-file config.ign
           
  5. Restart the CoreOS virtual machine after the installation is complete.

4.3 Log in to access CoreOS

  1. After the CoreOS virtual machine finishes starting, you can log in to CoreOS with core/password in the CoreOS virtual machine console.
  2. Run the command on the external host to confirm that you can log in to CoreOS using the private key you created earlier.
$ ssh core@<COREOS_IP> -i id_rsa
Fedora CoreOS 32.20200907.3.0
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/c/server/coreos/
 
Last login: Tue Oct  6 15:15:50 2020
           
  3. Confirm that logging in to CoreOS from the external host with only a username/password is not possible (by default CoreOS accepts only SSH key login; the next section sets it up to allow username/password login).
$ ssh core@<COREOS_IP>
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).           

Set up CoreOS to allow login with username/password

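# 1. Change the core user's password
$ sudo passwd core

# 2. Edit the sshd configuration
$ sudo vi /etc/ssh/sshd_config
# Change the corresponding field to the following:
    PasswordAuthentication yes

# 3. Restart the sshd service
$ sudo systemctl restart sshd.service
$ systemctl status sshd.service

# 4. You can now log in to the RHCOS machine remotely with tools such as Xshell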
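After an edit like the one above, it is worth confirming which value sshd actually uses: it keeps the first value it reads for each keyword, so a drop-in pulled in by an Include line ahead of the edited setting takes precedence. The sketch below is an added example, not from the original article; it models that rule on a constructed set of files (the file names and contents are illustrative, and Match blocks are not evaluated).

```python
import fnmatch

def directives(files, path, base="/etc/ssh/"):
    """Yield (keyword, value, source file) in the order sshd reads them."""
    for raw in files[path].splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        keyword, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":  # simplification: only the global section is read
            return
        if keyword == "include":
            pattern = value if value.startswith("/") else base + value
            for included in sorted(fnmatch.filter(files, pattern)):  # lexical order
                yield from directives(files, included, base)
        else:
            yield keyword, value, path

def effective(files, keyword, main="/etc/ssh/sshd_config"):
    """sshd keeps the first value it reads: return (value, file) or None."""
    for found, value, source in directives(files, main):
        if found == keyword.lower():
            return value, source
    return None

# Constructed file set: names and contents are illustrative, not from the article.
FILES = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\nPasswordAuthentication yes\n",
    "/etc/ssh/sshd_config.d/40-no-passwords.conf": "PasswordAuthentication no\n",
}

def with_dropin(files, name, text):
    """Copy of files with one extra drop-in under sshd_config.d."""
    return {**files, "/etc/ssh/sshd_config.d/" + name: text}
```

On a live host, `sudo sshd -T` prints the effective configuration, which is the authoritative check.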
Add a user to CoreOS and grant sudo permissions

Log in to CoreOS with your root account

username is the login name of the user you want to add

  1. Add the user to the root group
useradd -g root username
  2. Add sudo permissions
visudo -f /etc/sudoers.d/username
  3. Enter the following in the opened file
username ALL=(ALL) NOPASSWD: ALL

Save and exit.

  4. Log in to the system as username, then run the following command to check whether the authorization succeeded
username@server ~ $ sudo docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE

reference

https://www.amitbondwal.com/fedora-coreos-installation-on-bare-metal/

https://docs.fedoraproject.org/en-US/fedora-coreos/fcct-config/

https://www.vultr.com/docs/ignition