Introduction
In my previous post, I described how to build your own Centos 7 system, with Docker (and docker-compose) installed, so that you could run an IBM Security Verify Access system using containers.
This post extends that system so that you can explore deployment of Verify Access on Red Hat OpenShift. Actually this post installs OKD (a.k.a OpenShift Origin) which is the Open Source upstream version of OpenShift 3.11.
OpenShift is an orchestration technology which provides a common container management layer, and a set of common services, that are consistent no matter where it is installed. OpenShift can be deployed in any cloud or private data center infrastructure where Linux VMs can be deployed. Some cloud providers (such as IBM and Red Hat) also offer OpenShift clusters as a service.
This post provides step-by-step instructions for installing and starting a single node OKD cluster on your test system using the built-in capabilities of the OKD v3.11 "oc" tool. Once you have completed the steps in this post, you’ll be able to use my Verify Access with OpenShift cookbook.
Pre-requisites
This post assumes that you already have a Centos 7 system set up. Instructions for this are in my previous post. For my environment, I used a virtual machine running under VMWare but you could use a different hypervisor or a physical machine. For my virtual machine I used these settings:
- Minimum 8GB Memory
- Minimum 30GB Disk
- Minimum 4 CPUs
This blog assumes you have a standard user account. I created a standard user with the username demouser, but you can choose your own name. You will also need root access for the installation steps.
Install oc command-line client
OpenShift clusters are managed using a REST API. The oc utility provides a command-line client for this REST API.
As root, enter the following command to install the oc utility and set up command completion:
curl -L https://github.com/openshift/origin/releases/download/v3.11.0/openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar.gz | tar -xzC /usr/local/share && ln -s /usr/local/share/openshift*/oc /usr/local/bin
echo "source <(oc completion bash)" >> /etc/bashrc
Configure Docker for local (insecure) Registry
An OpenShift cluster includes a local registry where images are staged for deployment. In order for the underlying Docker system to be able to use this registry, it must be specified as an allowed insecure registry.
As root, enter the following commands to allow the insecure local registry and restart the Docker daemon (note that the heredoc replaces any existing /etc/docker/daemon.json, so merge the setting by hand if you already have one):
cat <<EOF > /etc/docker/daemon.json
{
"insecure-registries" : ["172.30.0.0/16"]
}
EOF
systemctl restart docker.service
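Because the heredoc above replaces the whole daemon.json, here is an added helper (my own example, not part of the original post) that merges the OKD registry subnet into an existing file instead, keeps every other key, and refuses any "insecure" range that is not a private IPv4 subnet of /16 or narrower; the file path is assumed, and the 172.30.0.0/16 value is the one the post uses.

```python
#!/usr/bin/env python3
"""Merge the OKD internal registry subnet into Docker's daemon.json without
clobbering existing settings, and reject overly broad insecure ranges."""
import ipaddress
import json
import os
import sys
import tempfile

# Subnet used by the OKD 3.11 internal registry (value taken from the post).
OKD_REGISTRY_CIDR = "172.30.0.0/16"


def validate_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Accept only a private IPv4 subnet no broader than /16, so the
    'insecure' exemption can never cover public or whole-Internet ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: only IPv4 subnets are supported")
    if net.prefixlen < 16:
        raise ValueError(f"{cidr}: prefix broader than /16 is too permissive")
    if not net.is_private:
        raise ValueError(f"{cidr}: refusing a non-private insecure registry range")
    return net


def merge_insecure_registry(path: str, cidr: str = OKD_REGISTRY_CIDR) -> dict:
    """Add cidr to 'insecure-registries' in the daemon.json at path, keeping
    every other key intact. Idempotent; returns the resulting config."""
    validate_cidr(cidr)
    config = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read().strip()
            config = json.loads(text) if text else {}
    registries = config.setdefault("insecure-registries", [])
    if not isinstance(registries, list):
        raise ValueError("insecure-registries must be a JSON array")
    if cidr not in registries:
        registries.append(cidr)
    # Write to a temp file and rename, so a crash cannot leave dockerd a half-written file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".daemon.json.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(config, fh, indent=2)
        fh.write("\n")
    os.replace(tmp, path)
    return config


if __name__ == "__main__":
    # Assumed default path; pass another file as the first argument to test safely.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    print(json.dumps(merge_insecure_registry(target), indent=2))
```

After running it as root you still need `systemctl restart docker.service` for the change to take effect.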
Configure Firewall
In order for services within the OpenShift cluster to be able to communicate, the Firewall must be configured to permit the necessary traffic.
As root, enter the following commands (the sudo prefix is redundant when you are already root, but harmless):
DOCKER_BRIDGE=`docker network inspect -f "{{range .IPAM.Config }}{{ .Subnet }}{{end}}" bridge`
sudo firewall-cmd --permanent --new-zone dockerc
sudo firewall-cmd --permanent --zone dockerc --add-source $DOCKER_BRIDGE
sudo firewall-cmd --permanent --zone dockerc --add-port={80,443,8443}/tcp
sudo firewall-cmd --permanent --zone dockerc --add-port={53,8053}/udp
sudo firewall-cmd --reload
Start OKD cluster for the first time
As the standard user, enter the following command to start the OKD cluster for the first time. It's a good idea to specify the base-dir during startup; otherwise the cluster working directory will be created in the current directory:
oc cluster up --base-dir ~/openshift.local.clusterup
This first start can take several minutes as assets are downloaded from the internet to initialize the OKD cluster.
If the start is successful, the following message is shown:
Login to server ...
Creating initial project "myproject" ...
Server Information ...
OpenShift server started.
The server is accessible via web console at:
https://127.0.0.1:8443
You are logged in as:
User: developer
Password: <any value>
To login as administrator:
oc login -u system:admin
The OKD cluster is now ready for use.
Stop cluster to release memory
If you're not going to use it right away, you can now stop the cluster to reduce CPU and memory usage:
oc cluster down
Add entries to /etc/hosts
If you haven't added these entries already, as root, enter the following command to add a couple of static host mappings:
cat <<EOF >> /etc/hosts
127.0.0.2 lmi.iamlab.ibm.com
127.0.0.3 www.iamlab.ibm.com
EOF
Congratulations! You now have a working OKD environment in which you can explore installation of IBM Security Verify Access using OpenShift.