From Fedora Project Wiki

No edit summary
 
(37 intermediate revisions by 3 users not shown)
Line 1: Line 1:
Fedora 19 is when OpenShift Origin first became a feature.
Fedora 19 is when OpenShift Origin first became a feature.
NOTE: (August 8, 2013) This page is getting an update.  It will accommodate F19 cloud images (not just minimal install).  It is also updated with the OpenShift Origin Version 2 documentation.


This page is here to show how to setup OpenShift Origin on Fedora 19 using the packages in Fedora, as opposed to the packages published from upstream.  These steps are written out to be done by hand.  Yes, people can script and/or puppetize these steps.  But these are written out so that people can see, and fine tune them.
This page is here to show how to setup OpenShift Origin on Fedora 19 using the packages in Fedora, as opposed to the packages published from upstream.  These steps are written out to be done by hand.  Yes, people can script and/or puppetize these steps.  But these are written out so that people can see, and fine tune them.
Note: And now they have been written into scripts. https://github.com/tdawson/oo-install-scripts


Goal: By the end of this, you should have two machines.  A broker machine, and one node machine.  You should be able to create applications, that will be put on the node machine.  You should be able to check the status of those applications.  You should be able to point your web browser to the URL of those applications.
Goal: By the end of this, you should have two machines.  A broker machine, and one node machine.  You should be able to create applications, that will be put on the node machine.  You should be able to check the status of those applications.  You should be able to point your web browser to the URL of those applications.
Line 11: Line 15:
* https://www.openshift.com/forums/openshift/fedora-18-openshift-origin-setup-steps-and-testing
* https://www.openshift.com/forums/openshift/fedora-18-openshift-origin-setup-steps-and-testing


= Initial Setup of Broker and Node Machines =
= '''''Initial Setup of Broker and Node Machines''''' =


'''ON BOTH BROKER AND NODE'''
'''ON BOTH BROKER AND NODE'''
Line 22: Line 26:
  /bin/systemctl start  ntpd.service
  /bin/systemctl start  ntpd.service


= Setup and Configure Broker =
'''ON BROKER'''
export DOMAIN="example.com"
export BROKERIP="$(nm-tool | grep Address | grep -v HW | awk '{print $2}')"
export BROKERNAME="broker.example.com"
export NODEIP="--- IP Address from Node machine ---"
export NODENAME="node.example.com"
# Here is the IP Address from Broker machine
nm-tool | grep Address | grep -v HW | awk '{print $2}'


'''ON NODE'''
  export DOMAIN="example.com"
  export DOMAIN="example.com"
  export BROKERIP="$(nm-tool | grep Address | grep -v HW | awk '{print $2}')"
  export BROKERIP="--- IP Address from Broker machine ---"
  export BROKERNAME="broker.example.com"
  export BROKERNAME="broker.example.com"
export NODEIP="$(nm-tool | grep Address | grep -v HW | awk '{print $2}')"
export NODENAME="node.example.com"
# Here is the IP Address from Node machine
nm-tool | grep Address | grep -v HW | awk '{print $2}'
= '''''Setup and Configure Broker''''' =


== Bind DNS ==
== '''Broker: Bind DNS''' ==


  yum -y install bind bind-utils
  yum -y install bind bind-utils
   
   
  KEYFILE=/var/named/${DOMAIN}.key
  KEYFILE=/var/named/${DOMAIN}.key
 
setup DNSSEC key pair
  cd /var/named/
  cd /var/named/
  dnssec-keygen -a HMAC-MD5 -b 512 -n USER -r /dev/urandom ${DOMAIN}
  dnssec-keygen -a HMAC-MD5 -b 512 -n USER -r /dev/urandom ${DOMAIN}
Line 40: Line 59:
  rndc-confgen -a -r /dev/urandom
  rndc-confgen -a -r /dev/urandom
  echo $KEY
  echo $KEY
 
setup permissions for the DNSSEC key pair
  restorecon -v /etc/rndc.* /etc/named.*
  restorecon -v /etc/rndc.* /etc/named.*
  chown -v root:named /etc/rndc.key
  chown -v root:named /etc/rndc.key
  chmod -v 640 /etc/rndc.key
  chmod -v 640 /etc/rndc.key
 
setup forwarders
  echo "forwarders { 8.8.8.8; 8.8.4.4; } ;" >> /var/named/forwarders.conf
  echo "forwarders { 8.8.8.8; 8.8.4.4; } ;" >> /var/named/forwarders.conf
  restorecon -v /var/named/forwarders.conf
  restorecon -v /var/named/forwarders.conf
  chmod -v 755 /var/named/forwarders.conf
  chmod -v 755 /var/named/forwarders.conf
 
setup initial DNS database
  rm -rvf /var/named/dynamic
  rm -rvf /var/named/dynamic
  mkdir -vp /var/named/dynamic
  mkdir -vp /var/named/dynamic
 
  cat <<EOF > /var/named/dynamic/${DOMAIN}.db
  cat <<EOF > /var/named/dynamic/${DOMAIN}.db
  \$ORIGIN .
  \$ORIGIN .
  \$TTL 1 ; 1 seconds (for testing only)
  \$TTL 1 ; 1 seconds (for testing only)
  ${domain} IN SOA ns1.${domain}. hostmaster.${domain}. (
  ${DOMAIN} IN SOA ns1.${DOMAIN}. hostmaster.${DOMAIN}. (
                           2011112904 ; serial
                           2011112904 ; serial
                           60        ; refresh (1 minute)
                           60        ; refresh (1 minute)
Line 62: Line 84:
                           10        ; minimum (10 seconds)
                           10        ; minimum (10 seconds)
                           )
                           )
                       NS ns1.${domain}.
                       NS ns1.${DOMAIN}.
                       MX 10 mail.${domain}.
                       MX 10 mail.${DOMAIN}.
  \$ORIGIN ${domain}.
  \$ORIGIN ${DOMAIN}.
  ns1               A        127.0.0.1
  ns1               A        127.0.0.1
   
   
  EOF
  EOF


  cat <<EOF > /var/named/${domain}.key
Install the DNSSEC key
  key ${domain} {
  cat <<EOF > ${KEYFILE}
  key ${DOMAIN} {
   algorithm HMAC-MD5;
   algorithm HMAC-MD5;
   secret "${KEY}";
   secret "${KEY}";
  };
  };
  EOF
  EOF
 
  cat /var/named/dynamic/${domain}.db
Check the key and database
  cat /var/named/${domain}.key
  cat /var/named/dynamic/${DOMAIN}.db
  cat /var/named/${DOMAIN}.key
 
Set permissions for key and database
  chown -Rv named:named /var/named
  chown -Rv named:named /var/named
  restorecon -rv /var/named
  restorecon -rv /var/named
 
Create the named configuration file
  mv /etc/named.conf /etc/named.conf.openshift
  mv /etc/named.conf /etc/named.conf.openshift
  cat <<EOF > /etc/named.conf
  cat <<EOF > /etc/named.conf
Line 104: Line 130:
     bindkeys-file "/etc/named.iscdlv.key";
     bindkeys-file "/etc/named.iscdlv.key";
   
   
     // set forwarding to the next nearest server (from DHCP response
     // set forwarding to the next nearest server (from DHCP response)
     forward only;
     forward only;
     include "forwarders.conf";
     include "forwarders.conf";
Line 126: Line 152:
  include "/etc/named.rfc1912.zones";
  include "/etc/named.rfc1912.zones";
   
   
  include "${domain}.key";
  include "${DOMAIN}.key";
   
   
  zone "${domain}" IN {
  zone "${DOMAIN}" IN {
     type master;
     type master;
     file "dynamic/${domain}.db";
     file "dynamic/${DOMAIN}.db";
     allow-update { key ${domain} ; } ;
     allow-update { key ${DOMAIN} ; } ;
  };
  };
  EOF
  EOF
 
Check the named config file
  cat /etc/named.conf
  cat /etc/named.conf
setup permissions of named config file
  chown -v root:named /etc/named.conf
  chown -v root:named /etc/named.conf
  restorecon /etc/named.conf
  restorecon /etc/named.conf
 
Setup firewall
  firewall-cmd --add-service=dns
  firewall-cmd --add-service=dns
  firewall-cmd --permanent --add-service=dns
  firewall-cmd --permanent --add-service=dns
  firewall-cmd --list-all
  firewall-cmd --list-all
Setup and start service
  /bin/systemctl enable named.service
  /bin/systemctl enable named.service
  /bin/systemctl start named.service
  /bin/systemctl start named.service
 
  nsupdate -k ${keyfile}
add entries using nsupdate
  nsupdate -k ${KEYFILE}
  > server 127.0.0.1
  > server 127.0.0.1
  > update delete broker.example.com A
  > update delete broker.example.com A
  > update add broker.example.com 180 A **your broker ip address**
  > update add **your broker full name ** 180 A **your broker ip address**
(example: update add broker.example.com 180 A 192.168.122.220 )
  > send
  > send
  > quit
  > quit
 
Test DNS server
This is best done before hostname has been set.
  ping broker.example.com
  ping broker.example.com
  dig @127.0.0.1 broker.example.com
  dig @127.0.0.1 broker.example.com


== Configure the BROKER DHCP client and hostname ==
== '''Broker: DHCP client and hostname''' ==


echo "prepend domain-name-servers **your broker ip address**;" >> /etc/dhcp/dhclient-eth0.conf
Setup dhcp client
echo "supersede host-name \"broker\";" >> /etc/dhcp/dhclient-eth0.conf
echo "prepend domain-name-servers **your broker ip address**;" >> /etc/dhcp/dhclient-eth0.conf
echo "supersede domain-name \"example.com\";" >> /etc/dhcp/dhclient-eth0.conf
echo "supersede host-name \"broker\";" >> /etc/dhcp/dhclient-eth0.conf
echo "supersede domain-name \"example.com\";" >> /etc/dhcp/dhclient-eth0.conf


echo "broker.example.com" > /etc/hostname
Setup hostname
echo "broker.example.com" > /etc/hostname


== Installing and configuring MongoDB ==
== '''Broker: MongoDB''' ==
Install Software
yum -y install mongodb-server


yum -y install mongodb-server
Tweak config file
vi /etc/mongodb.conf
# Uncomment auth = true
# Add smallfiles = true


vi /etc/mongodb.conf
Setup and start service
# Uncomment auth = true
/usr/bin/systemctl enable mongod.service
# Add smallfiles = true
/usr/bin/systemctl status mongod.service
/usr/bin/systemctl start mongod.service
/usr/bin/systemctl status mongod.service


/usr/bin/systemctl enable mongod.service
Testing
/usr/bin/systemctl status mongod.service
mongo
/usr/bin/systemctl start mongod.service
> show dbs
/usr/bin/systemctl status mongod.service
> exit


# Testing
== '''Broker: Messaging (using QPID)''' ==
mongo
Activemq on F19 isn't ready for OpenShift production.  When it is, we'll use that
> show dbs
For now we'll use QPID with mcollective.
> exit


== Installing and configuring QPID ==
Install Software
# Activemq on F19 isn't ready for production. When it is, we'll use that
  yum install mcollective-qpid-plugin qpid-cpp-server
# For now let's use QPID with mcollective.


yum install mcollective-qpid-plugin qpid-cpp-server
Setup Firewall
firewall-cmd --add-port=5672/tcp
firewall-cmd --add-port=5672/tcp
firewall-cmd --permanent --add-port=5672/tcp
firewall-cmd --permanent --add-port=5672/tcp
firewall-cmd --list-all
firewall-cmd --list-all


/usr/bin/systemctl enable qpidd.service
Setup and start service
/usr/bin/systemctl start qpidd.service
/usr/bin/systemctl enable qpidd.service
/usr/bin/systemctl status qpidd.service
/usr/bin/systemctl start qpidd.service
/usr/bin/systemctl status qpidd.service


== Installing and configuring MCollective client (QPID) ==
== '''Broker: MCollective client ( using QPID)''' ==
yum -y install mcollective-client
Install Software
mv /etc/mcollective/client.cfg /etc/mcollective/client.cfg.orig
yum -y install mcollective-client


cat <<EOF > /etc/mcollective/client.cfg
Move original config file out of the way
topicprefix = /topic/
mv /etc/mcollective/client.cfg /etc/mcollective/client.cfg.orig
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
loglevel = debug
logfile = /var/log/mcollective-client.log


# Plugins
Create new client config file.  This config file is for using QPID as a messaging platform.
securityprovider = psk
cat <<EOF > /etc/mcollective/client.cfg
plugin.psk = unset
topicprefix = /topic/
connector = qpid
main_collective = mcollective
plugin.qpid.host=broker.example.com
collectives = mcollective
plugin.qpid.secure=false
libdir = /usr/libexec/mcollective
plugin.qpid.timeout=5
loglevel = debug
logfile = /var/log/mcollective-client.log
# Plugins
securityprovider = psk
plugin.psk = unset
connector = qpid
plugin.qpid.host=${BROKERNAME}
plugin.qpid.secure=false
plugin.qpid.timeout=5
# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
EOF


# Facts
== '''Broker: broker application''' ==
factsource = yaml
Install software
plugin.yaml = /etc/mcollective/facts.yaml
yum -y install openshift-origin-broker openshift-origin-broker-util rubygem-openshift-origin-auth-remote-user rubygem-openshift-origin-msg-broker-mcollective rubygem-openshift-origin-dns-bind
EOF


== Installing and configuring the broker application ==
Modify the broker proxy server name
# When mcollective was updated to 2.2.3 it created a conflict with one of our components.
sed -i -e "s/ServerName .*$/ServerName broker.example.com/" /etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf
# We are working on fixing the conflict, but until then, do the following.
cat /etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf
yumdownloader openshift-origin-msg-common
rpm -Uvh openshift-origin-msg-common-1.4.1-1.fc19.noarch.rpm --nodeps --force


yum -y install openshift-origin-broker openshift-origin-broker-util rubygem-openshift-origin-auth-remote-user rubygem-openshift-origin-msg-broker-mcollective rubygem-openshift-origin-dns-bind
Setup and start service
/usr/bin/systemctl enable httpd.service
/usr/bin/systemctl enable ntpd.service
/usr/bin/systemctl enable sshd.service


sed -i -e "s/ServerName .*$/ServerName broker.example.com/" /etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf
Setup Firewall
cat /etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf
firewall-cmd --add-service=ssh
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --list-all


/usr/bin/systemctl enable httpd.service
Generate access key
/usr/bin/systemctl enable ntpd.service
openssl genrsa -out /etc/openshift/server_priv.pem 2048
/usr/bin/systemctl enable sshd.service
openssl rsa -in /etc/openshift/server_priv.pem -pubout > /etc/openshift/server_pub.pem
ssh-keygen -t rsa -b 2048 -f ~/.ssh/rsync_id_rsa
cp -v ~/.ssh/rsync_id_rsa* /etc/openshift/


firewall-cmd --add-service=ssh
Setup selinux boolean variables and set file contexts
firewall-cmd --add-service=http
setsebool -P httpd_unified=on httpd_can_network_connect=on httpd_can_network_relay=on httpd_run_stickshift=on named_write_master_zones=on
firewall-cmd --add-service=https
fixfiles -R rubygem-passenger restore
firewall-cmd --permanent --add-service=ssh
fixfiles -R mod_passenger restore
firewall-cmd --permanent --add-service=http
restorecon -rv /var/run
firewall-cmd --permanent --add-service=https
restorecon -rv /usr/share/gems/gems/passenger-*
firewall-cmd --list-all


openssl genrsa -out /etc/openshift/server_priv.pem 2048
Tweak broker config, if needed
openssl rsa -in /etc/openshift/server_priv.pem -pubout > /etc/openshift/server_pub.pem
vi /etc/openshift/broker.conf
ssh-keygen -t rsa -b 2048 -f ~/.ssh/rsync_id_rsa
# Might not have to do anything but make sure you have the following lines
cp -v ~/.ssh/rsync_id_rsa* /etc/openshift/
CLOUD_DOMAIN="example.com"
VALID_GEAR_SIZES="small,medium"


setsebool -P httpd_unified=on httpd_can_network_connect=on httpd_can_network_relay=on httpd_run_stickshift=on named_write_master_zones=on
== '''Broker: broker plugins and MongoDB user accounts''' ==
fixfiles -R rubygem-passenger restore
Create config files from examples
fixfiles -R mod_passenger restore
cp /etc/openshift/plugins.d/openshift-origin-msg-broker-mcollective.conf.example /etc/openshift/plugins.d/openshift-origin-msg-broker-mcollective.conf
restorecon -rv /var/run
restorecon -rv /usr/share/gems/gems/passenger-*


vi /etc/openshift/broker.conf
Config the DNS plugin
# Might not have to do anything
cd /var/named/
CLOUD_DOMAIN="example.com"
KEY="$(grep Key: K${DOMAIN}*.private | cut -d ' ' -f 2)"
VALID_GEAR_SIZES="small,medium"
cat $KEYFILE
echo $KEY
cat <<EOF > /etc/openshift/plugins.d/openshift-origin-dns-bind.conf
BIND_SERVER="127.0.0.1"
BIND_PORT=53
BIND_KEYNAME="${DOMAIN}"
BIND_KEYVALUE="${KEY}"
BIND_ZONE="${DOMAIN}"
EOF


== Configuring the broker plugins and MongoDB user accounts ==
Configure authentication plugin and add a user
cp -v /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user-basic.conf.sample /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf
htpasswd -c -b -s /etc/openshift/htpasswd demo demo
# Don't forget your password. <demo password>
cat /etc/openshift/htpasswd


cp /usr/share/gems/gems/openshift-origin-auth-remote-user-*/conf/openshift-origin-auth-remote-user.conf.example /etc/openshift/plugins.d/openshift-origin-auth-remote-user.conf
Add MongoDB account
cp /etc/openshift/plugins.d/openshift-origin-msg-broker-mcollective.conf.example /etc/openshift/plugins.d/openshift-origin-msg-broker-mcollective.conf
grep MONGO /etc/openshift/broker.conf
mongo openshift_broker_dev --eval 'db.addUser("openshift", "mooo")'
# If you are going to change the username and/or password, change broker.conf


domain=example.com
Bundle broker gems
keyfile=/var/named/${domain}.key
yum -y install rubygem-psych rubygem-mocha
cd /var/named/
cd /var/www/openshift/broker
KEY="$(grep Key: K${domain}*.private | cut -d ' ' -f 2)"
gem install mongoid
cat $keyfile
bundle --local
echo $KEY


cd /etc/openshift/plugins.d/
Setup and start services
cat <<EOF > openshift-origin-dns-bind.conf
/usr/bin/systemctl enable openshift-broker.service
BIND_SERVER="127.0.0.1"
/usr/bin/systemctl start httpd.service
BIND_PORT=53
/usr/bin/systemctl start openshift-broker.service
BIND_KEYNAME="${domain}"
/usr/bin/systemctl status openshift-broker.service
BIND_KEYVALUE="${KEY}"
BIND_ZONE="${domain}"
EOF


#pushd /usr/share/selinux/packages/rubygem-openshift-origin-dns-bind/ && make -f /usr/share/selinux/devel/Makefile ; popd
Test basic broker service
#semodule -i /usr/share/selinux/packages/rubygem-openshift-origin-dns-bind/dhcpnamedforward.pp
curl -k -u demo:demo https://localhost/broker/rest/api


cp -v /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user-basic.conf.sample /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf
= '''''Setup and Configure Node''''' =
htpasswd -c -b -s /etc/openshift/htpasswd demo demopassword
# Don't forget your password. <demo password>
cat /etc/openshift/htpasswd


grep MONGO /etc/openshift/broker.conf
== '''Node: Initial setup/configure''' ==
mongo openshift_broker_dev --eval 'db.addUser("openshift", "mooo")'
'''ON BROKER'''
# If you are going to change the username and/or password, change broker.conf
KEYFILE=/var/named/${DOMAIN}.key


yum -y install rubygem-psych
Register the node in DNS
cd /var/www/openshift/broker
oo-register-dns -h ${NODENAME} -d ${DOMAIN} -n ${NODEIP} -k ${KEYFILE}
# This is being fixed, but for now do the following
vi Gemfile
# remove minitest version
# add gem 'psych'
gem install mongoid
bundle --local


/usr/bin/systemctl enable openshift-broker.service
Copy the broker public key to node
/usr/bin/systemctl start httpd.service
scp /etc/openshift/rsync_id_rsa.pub root@${NODENAME}:/root/.ssh/
/usr/bin/systemctl start openshift-broker.service
/usr/bin/systemctl status openshift-broker.service


curl -k -u demo:demopassword https://localhost/broker/rest/api
'''ON NODE'''
Put the brokers public key in root authorized keys
cat /root/.ssh/rsync_id_rsa.pub >> /root/.ssh/authorized_keys
rm -f /root/.ssh/rsync_id_rsa.pub


= Setup and Configure Node =
'''ON BROKER'''
== Initial setup/configure of the node host ==
Test to make sure we can login using our key
# ON NODE
ssh -i /root/.ssh/rsync_id_rsa root@${NODENAME}
yum update
  exit
yum -y install ntp
/bin/systemctl enable ntpd.service
/bin/systemctl start ntpd.service


# Find out the node ip address
== '''Node: DHCP client and hostname''' ==
nm-tool
Configure the dhcp settings
echo "prepend domain-name-servers **your broker ip address**;" >> /etc/dhcp/dhclient-eth0.conf
echo "supersede host-name \"node\";" >> /etc/dhcp/dhclient-eth0.conf
echo "supersede domain-name \"example.com\";" >> /etc/dhcp/dhclient-eth0.conf


# ON BROKER
Set the hostname
domain=example.com
echo "node.example.com" > /etc/hostname
keyfile=/var/named/${domain}.key
# Use the IP address from the node, found above
oo-register-dns -h node -d ${domain} -n 192.168.122.161 -k ${keyfile}


scp /etc/openshift/rsync_id_rsa.pub root@node.example.com:/root/.ssh/
== '''Node: MCollective'''  ==
'''ON NODE'''
Install Software
yum -y install openshift-origin-msg-node-mcollective mcollective-qpid-plugin


# ON NODE
Move original configuration out of the way
cat /root/.ssh/rsync_id_rsa.pub >> /root/.ssh/authorized_keys
mv /etc/mcollective/server.cfg /etc/mcollective/server.cfg.orig
rm -f /root/.ssh/rsync_id_rsa.pub


# ON BROKER
Create new configuration
ssh -i /root/.ssh/rsync_id_rsa root@node.example.com
cat <<EOF > /etc/mcollective/server.cfg
exit
topicprefix = /topic/
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
logfile = /var/log/mcollective.log
loglevel = debug
daemonize = 1
direct_addressing = n
# Plugins
securityprovider = psk
plugin.psk = unset
connector = qpid
plugin.qpid.host=${BROKERNAME}
plugin.qpid.secure=false
plugin.qpid.timeout=5
# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
EOF


#Find out the broker ip address
Setup and start services
nm-tool
/bin/systemctl enable mcollective.service
/bin/systemctl start  mcollective.service


=== Configure the NODE DHCP client and hostname ===
'''ON BROKER'''
# ON NODE
mco ping
echo "prepend domain-name-servers **your broker ip address**;" >> /etc/dhcp/dhclient-eth0.conf
# node should show up on mco ping
echo "supersede host-name \"node\";" >> /etc/dhcp/dhclient-eth0.conf
echo "supersede domain-name \"example.com\";" >> /etc/dhcp/dhclient-eth0.conf
echo "node.example.com" > /etc/hostname


reboot
== '''Node: node application''' ==
Install software
yum -y install rubygem-openshift-origin-node rubygem-passenger-native openshift-origin-port-proxy openshift-origin-node-util
yum -y install openshift-origin-cartridge-cron-1.4 openshift-origin-cartridge-diy-0.1


== Setting up MCollective on the node host ==
Setup firewall
# ON NODE
firewall-cmd --add-service=ssh
yum -y install openshift-origin-msg-node-mcollective
firewall-cmd --add-service=http
mv /etc/mcollective/server.cfg /etc/mcollective/server.cfg.orig
firewall-cmd --add-service=https
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --list-all


cat <<EOF > /etc/mcollective/server.cfg
== '''Node: PAM namespace module, cgroups, and user quotas''' ==
topicprefix = /topic/
PAM
main_collective = mcollective
sed -i -e 's|pam_selinux|pam_openshift|g' /etc/pam.d/sshd
collectives = mcollective
libdir = /usr/libexec/mcollective
for f in "runuser" "runuser-l" "sshd" "su" "system-auth-ac"
logfile = /var/log/mcollective.log
do
loglevel = debug
  t="/etc/pam.d/$f"
daemonize = 1
  if ! grep -q "pam_namespace.so" "$t"
direct_addressing = n
  then
    echo -e "session\t\trequired\tpam_namespace.so no_unmount_on_close" >> "$t"
  fi
done


# Plugins
CGROUPS
securityprovider = psk
plugin.psk = unset
connector = qpid
plugin.qpid.host=broker.example.com
plugin.qpid.secure=false
plugin.qpid.timeout=5


# Facts
Cgroups Config - Need to still fixup the cgroup configurations
factsource = yaml
echo "mount {" >> /etc/cgconfig.conf
plugin.yaml = /etc/mcollective/facts.yaml
echo "        cpu    = /cgroup/all;" >> /etc/cgconfig.conf
EOF
echo "        cpuacct = /cgroup/all;" >> /etc/cgconfig.conf
echo "        memory  = /cgroup/all;" >> /etc/cgconfig.conf
echo "        freezer = /cgroup/all;" >> /etc/cgconfig.conf
echo "        net_cls = /cgroup/all;" >> /etc/cgconfig.conf
echo "}" >> /etc/cgconfig.conf
restorecon -v /etc/cgconfig.conf
mkdir /cgroup
restorecon -RFvv /cgroup


/bin/systemctl enable mcollective.service
Cgroups enable and startup services
/bin/systemctl start mcollective.service
/bin/systemctl enable cgconfig.service
/bin/systemctl enable cgred.service
  /usr/sbin/chkconfig openshift-cgroups on
/bin/systemctl restart  cgconfig.service
/bin/systemctl restart  cgred.service
/usr/sbin/service openshift-cgroups restart


# ON BROKER
DISK QUOTA
mco ping
# Edit fstab and add usrquota to whichever filesystem
#   has /var/lib/openshift on it
UUID=b9e21eae-4b8c-4936-9f5d-d10631ff535e / ext4    defaults,usrquota 1 1
# reboot or remount
mount -o remount /
quotacheck -cmug /


== Setting up node packages on the node host ==
== '''Node: SELinux and System Control''' ==
# ON NODE
Setup SELINUX Booleans
yum -y install rubygem-openshift-origin-node rubygem-passenger-native openshift-origin-port-proxy openshift-origin-node-util
setsebool -P httpd_unified=on httpd_can_network_connect=on httpd_can_network_relay=on httpd_read_user_content=on httpd_enable_homedirs=on httpd_run_stickshift=on allow_polyinstantiation=on
yum -y install openshift-origin-cartridge-cron-1.4 openshift-origin-cartridge-diy-0.1


firewall-cmd --add-service=ssh
Update selinux file setting
firewall-cmd --add-service=http
restorecon -rv /var/run
firewall-cmd --add-service=https
restorecon -rv /usr/sbin/mcollectived /var/log/mcollective.log /var/run/mcollectived.pid
firewall-cmd --permanent --add-service=ssh
restorecon -rv /var/lib/openshift /etc/openshift/node.conf /etc/httpd/conf.d/openshift
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --list-all


== Configuring PAM namespace module, cgropus, and user quotas on the node host ==
SYSTEM CONTROL SETTINGS
# ON NODE
echo "# Added for OpenShift" >> /etc/sysctl.d/openshift.conf
# PAM
echo "kernel.sem = 250  32000 32  4096" >> /etc/sysctl.d/openshift.conf
sed -i -e 's|pam_selinux|pam_openshift|g' /etc/pam.d/sshd
echo "net.ipv4.ip_local_port_range = 15000 35530" >> /etc/sysctl.d/openshift.conf
echo "net.netfilter.nf_conntrack_max = 1048576" >> /etc/sysctl.d/openshift.conf
sysctl -p /etc/sysctl.d/openshift.conf


for f in "runuser" "runuser-l" "sshd" "su" "system-auth-ac"
== '''Node: SSH, Port Proxy, and Node application''' ==
do
SSH
  t="/etc/pam.d/$f"
vi /etc/ssh/sshd_config
  if ! grep -q "pam_namespace.so" "$t"
> AcceptEnv GIT_SSH
  then
    echo -e "session\t\trequired\tpam_namespace.so no_unmount_on_close" >> "$t"
perl -p -i -e "s/^#MaxSessions .*$/MaxSessions 40/" /etc/ssh/sshd_config
  fi
perl -p -i -e "s/^#MaxStartups .*$/MaxStartups 40/" /etc/ssh/sshd_config
done
/bin/systemctl restart  sshd.service


#CGROUPS
PORT PROXY
#echo "mount {" >> /etc/cgconfig.conf
firewall-cmd --add-port=35531-65535/tcp
#echo "        cpu    = /cgroup/all;" >> /etc/cgconfig.conf
firewall-cmd --permanent --add-port=35531-65535/tcp
#echo "        cpuacct = /cgroup/all;" >> /etc/cgconfig.conf
  firewall-cmd --list-all
#echo "        memory = /cgroup/all;" >> /etc/cgconfig.conf
#echo "        freezer = /cgroup/all;" >> /etc/cgconfig.conf
/bin/systemctl enable openshift-port-proxy.service
#echo "        net_cls = /cgroup/all;" >> /etc/cgconfig.conf
/bin/systemctl restart  openshift-port-proxy.service
#echo "}" >> /etc/cgconfig.conf
#restorecon -v /etc/cgconfig.conf
#mkdir /cgroup
#restorecon -RFvv /cgroup


/bin/systemctl enable cgconfig.service
NODE SETUP
/bin/systemctl enable cgred.service
/bin/systemctl enable httpd.service
/usr/sbin/chkconfig openshift-cgroups on
/bin/systemctl enable openshift-gears.service
/bin/systemctl restart cgconfig.service
/bin/systemctl restart cgred.service
vi /etc/openshift/node.conf
/usr/sbin/service openshift-cgroups restart
> PUBLIC_HOSTNAME="node.example.com"
> PUBLIC_IP="192.168.122.161" (Node IP Address)
  > BROKER_HOST="192.168.122.220" (Broker IP Address)
  > CLOUD_DOMAIN="example.com"
/etc/cron.minutely/openshift-facts


#DISK QUOTA
== '''Node: Reboot''' ==
# Edit fstab and add usrquota to whichever filesystem
We need to reboot to load all the node stuff correctly
#  has /var/lib/openshift on it
reboot
UUID=b9e21eae-4b8c-4936-9f5d-d10631ff535e / ext4    defaults,usrquota 1 1
# reboot or remount
mount -o remount /
quotacheck -cmug /


== Configuring SELinux and System Control on the node host ==
= '''''Testing''''' =
# ON NODE
==Test on Broker (after node is back up)==
# SELINUX
setsebool -P httpd_unified=on httpd_can_network_connect=on httpd_can_network_relay=on httpd_read_user_content=on httpd_enable_homedirs=on httpd_run_stickshift=on allow_polyinstantiation=on


restorecon -rv /var/run
'''Check Messaging'''
restorecon -rv /usr/sbin/mcollectived /var/log/mcollective.log /var/run/mcollectived.pid
mco ping
restorecon -rv /var/lib/openshift /etc/openshift/node.conf /etc/httpd/conf.d/openshift
Should look like
node.example.com                        time=239.51 ms
---- ping statistics ----
1 replies max: 239.51 min: 239.51 avg: 239.51


# SYSTEM CONTROL SETTINGS
'''Check Broker'''
echo "# Added for OpenShift" >> /etc/sysctl.d/openshift.conf
curl -k -u demo:demo https://localhost/broker/rest/api
echo "kernel.sem = 250  32000 32  4096" >> /etc/sysctl.d/openshift.conf
Should look like
echo "net.ipv4.ip_local_port_range = 15000 35530" >> /etc/sysctl.d/openshift.conf
{"data":{"API":{"href":"https://localhost/broker/rest/api","method":"GET","optional_params":[],"rel":"API entry point","required_params":[]},"GET_ENVIRONMENT":{"href":"https://localhost/broker/rest/environment","method":"GET","optional_params":[],"rel":"Get environment information","required_params":[]},"GET_USER"
echo "net.netfilter.nf_conntrack_max = 1048576" >> /etc/sysctl.d/openshift.conf
...
sysctl -p /etc/sysctl.d/openshift.conf
:id","type":"string","valid_options":[]}]}},"messages":[],"status":"ok","supported_api_versions":[1.0,1.1,1.2,1.3],"type":"links","version":"1.3"}


== Configuring SSH, Port Proxy, and Node on the node host ==
'''Check and Setup User'''
# ON NODE
yum -y install rubygem-rhc
# SSH
LIBRA_SERVER=broker.example.com rhc setup
vi /etc/ssh/sshd_config
Should look like (Note: Generate a token now? no - client can handle it, broker in F19 cannot)
> AcceptEnv GIT_SSH
OpenShift Client Tools (RHC) Setup Wizard
This wizard will help you upload your SSH keys, set your application namespace, and
check that other programs like Git are properly installed.
The server's certificate is self-signed, which means that a secure connection can't be
established to 'broker.example.com'.
You may bypass this check, but any data you send to the server could be intercepted by
others.
Connect without checking the certificate? (yes|no): yes
Login to broker.example.com: demo
Password: ****
 
OpenShift can create and store a token on disk which allows to you to access the
server without using your password. The key is stored in your home directory and
should be kept secret.  You can delete the key at any time by running 'rhc logout'.
Generate a token now? (yes|no) no
Saving configuration to /root/.openshift/express.conf ... done
No SSH keys were found. We will generate a pair of keys for you.
    Created: /root/.ssh/id_rsa.pub
Your public SSH key must be uploaded to the OpenShift server to access code.  Upload
now? (yes|no)
yes
Since you do not have any keys associated with your OpenShift account, your new key
will be uploaded as the 'default' key.
Uploading key 'default' ... done
Checking for git ... found git version 1.8.2.1
Checking common problems .. done
Checking your namespace ... none
Your namespace is unique to your account and is the suffix of the public URLs we
assign to your applications. You may configure your namespace here or leave it blank
and use 'rhc create-domain' to create a namespace later.  You will not be able to
create applications without first creating a namespace.
Please enter a namespace (letters and numbers only) |<none>|: demoland


perl -p -i -e "s/^#MaxSessions .*$/MaxSessions 40/" /etc/ssh/sshd_config
Create an app
perl -p -i -e "s/^#MaxStartups .*$/MaxStartups 40/" /etc/ssh/sshd_config
rhc domain show -p demo
rhc app create test1 diy-0.1 -p demo


/bin/systemctl restart sshd.service
==Test on Local Machine (after node is back up)==
Setup your machine to use broker as a name server (Note: This might mess up normal network operations.)
vi /etc/resolve.conf
# At the first line put "nameserver *broker ip address*"
  nameserver 192.168.122.220


# PORT PROXY
'''Check and Setup User'''
 
yum -y install rubygem-rhc
firewall-cmd --add-port=35531-65535/tcp
LIBRA_SERVER=broker.example.com rhc setup
firewall-cmd --permanent --add-port=35531-65535/tcp
Should look like (Note: Generate a token now? no - client can handle it, broker in F19 cannot)
firewall-cmd --list-all
OpenShift Client Tools (RHC) Setup Wizard
 
/bin/systemctl enable openshift-port-proxy.service
This wizard will help you upload your SSH keys, set your application namespace, and
/bin/systemctl restart openshift-port-proxy.service
check that other programs like Git are properly installed.
 
# NODE SETUP
The server's certificate is self-signed, which means that a secure connection can't be
/bin/systemctl enable openshift-gears.service
established to 'broker.example.com'.
 
   
# Find node and broker IP address
You may bypass this check, but any data you send to the server could be intercepted by
nm-tool
others.
 
vi /etc/openshift/node.conf
Connect without checking the certificate? (yes|no): yes
> PUBLIC_HOSTNAME="node.example.com"
Login to broker.example.com: demo
> PUBLIC_IP="192.168.122.161" (Node IP Address)
Password: ****
> BROKER_HOST="192.168.122.220" (Broker IP Address)
 
> CLOUD_DOMAIN="example.com"
OpenShift can create and store a token on disk which allows to you to access the
server without using your password. The key is stored in your home directory and
should be kept secret.  You can delete the key at any time by running 'rhc logout'.
Generate a token now? (yes|no) no
Saving configuration to /root/.openshift/express.conf ... done
No SSH keys were found. We will generate a pair of keys for you.
    Created: /root/.ssh/id_rsa.pub
Your public SSH key must be uploaded to the OpenShift server to access code. Upload
now? (yes|no)
yes
Since you do not have any keys associated with your OpenShift account, your new key
will be uploaded as the 'default' key.
Uploading key 'default' ... done
Checking for git ... found git version 1.8.2.1
Checking common problems .. done
Checking your namespace ... none
Your namespace is unique to your account and is the suffix of the public URLs we
assign to your applications. You may configure your namespace here or leave it blank
and use 'rhc create-domain' to create a namespace later. You will not be able to
create applications without first creating a namespace.
Please enter a namespace (letters and numbers only) |<none>|: demoland


/etc/cron.minutely/openshift-facts
Create an app
rhc domain show -p demo
rhc app create test2 diy-0.1 -p demo


== Reboot Node and test ==
# ON NODE
reboot


# ON BROKER (after node is back up)
'''Check App'''
mco ping
You should be able to go to the following URL in your web browser.
curl -k -u demo:demo https://localhost/broker/rest/api


yum -y install rubygem-rhc
http://test2-demoland.example.com/
LIBRA_SERVER=broker.example.com rhc setup

Latest revision as of 13:39, 8 August 2013

Fedora 19 is when OpenShift Origin first became a feature.

NOTE: (August 8, 2013) This page is getting an update. It will accommodate F19 cloud images (not just minimal install). It is also updated with the OpenShift Origin Version 2 documentation.

This page is here to show how to setup OpenShift Origin on Fedora 19 using the packages in Fedora, as opposed to the packages published from upstream. These steps are written out to be done by hand. Yes, people can script and/or puppetize these steps. But these are written out so that people can see, and fine tune them.

Note: And now they have been written into scripts. https://github.com/tdawson/oo-install-scripts

Goal: By the end of this, you should have two machines. A broker machine, and one node machine. You should be able to create applications, that will be put on the node machine. You should be able to check the status of those applications. You should be able to point your web browser to the URL of those applications.

Note: There is no web console in Fedora 19. That will be in Fedora 20.

These instructions were created most from the following two places.

Initial Setup of Broker and Node Machines

ON BOTH BROKER AND NODE

# Start with a Fedora 19 minimal install
yum -y update
# avoid clock skew
yum -y install ntp
/bin/systemctl enable ntpd.service
/bin/systemctl start  ntpd.service

ON BROKER

export DOMAIN="example.com"
export BROKERIP="$(nm-tool | grep Address | grep -v HW | awk '{print $2}')"
export BROKERNAME="broker.example.com"
export NODEIP="--- IP Address from Node machine ---"
export NODENAME="node.example.com"
# Here is the IP Address from Broker machine
nm-tool | grep Address | grep -v HW | awk '{print $2}'

ON NODE

export DOMAIN="example.com"
export BROKERIP="--- IP Address from Broker machine ---"
export BROKERNAME="broker.example.com"
export NODEIP="$(nm-tool | grep Address | grep -v HW | awk '{print $2}')"
export NODENAME="node.example.com"
# Here is the IP Address from Node machine
nm-tool | grep Address | grep -v HW | awk '{print $2}'

Setup and Configure Broker

Broker: Bind DNS

yum -y install bind bind-utils

KEYFILE=/var/named/${DOMAIN}.key

setup DNSSEC key pair

cd /var/named/
dnssec-keygen -a HMAC-MD5 -b 512 -n USER -r /dev/urandom ${DOMAIN}
KEY="$(grep Key: K${DOMAIN}*.private | cut -d ' ' -f 2)"
cd -
rndc-confgen -a -r /dev/urandom
echo $KEY

setup permissions for the DNSSEC key pair

restorecon -v /etc/rndc.* /etc/named.*
chown -v root:named /etc/rndc.key
chmod -v 640 /etc/rndc.key

setup forwarders

echo "forwarders { 8.8.8.8; 8.8.4.4; } ;" >> /var/named/forwarders.conf
restorecon -v /var/named/forwarders.conf
chmod -v 755 /var/named/forwarders.conf

setup initial DNS database

rm -rvf /var/named/dynamic
mkdir -vp /var/named/dynamic

cat <<EOF > /var/named/dynamic/${DOMAIN}.db
\$ORIGIN .
\$TTL 1	; 1 seconds (for testing only)
${DOMAIN} IN SOA ns1.${DOMAIN}. hostmaster.${DOMAIN}. (
                         2011112904 ; serial
                         60         ; refresh (1 minute)
                         15         ; retry (15 seconds)
                         1800       ; expire (30 minutes)
                         10         ; minimum (10 seconds)
                          )
                     NS ns1.${DOMAIN}.
                     MX 10 mail.${DOMAIN}.
\$ORIGIN ${DOMAIN}.
ns1	              A        127.0.0.1

EOF

Install the DNSSEC key

cat <<EOF > ${KEYFILE}
key ${DOMAIN} {
  algorithm HMAC-MD5;
  secret "${KEY}";
};
EOF

Check the key and database

cat /var/named/dynamic/${DOMAIN}.db
cat /var/named/${DOMAIN}.key

Set permissions for key and database

chown -Rv named:named /var/named
restorecon -rv /var/named

Create the named configuration file

mv /etc/named.conf /etc/named.conf.openshift
cat <<EOF > /etc/named.conf
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    // set forwarding to the next nearest server (from DHCP response)
    forward only;
    include "forwarders.conf";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

// use the default rndc key
include "/etc/rndc.key";
 
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};

include "/etc/named.rfc1912.zones";

include "${DOMAIN}.key";

zone "${DOMAIN}" IN {
    type master;
    file "dynamic/${DOMAIN}.db";
    allow-update { key ${DOMAIN} ; } ;
};
EOF

Check the named config file

cat /etc/named.conf

setup permissions of named config file

chown -v root:named /etc/named.conf
restorecon /etc/named.conf

Setup firewall

firewall-cmd --add-service=dns
firewall-cmd --permanent --add-service=dns
firewall-cmd --list-all

Setup and start service

/bin/systemctl enable named.service
/bin/systemctl start named.service

add entries using nsupdate

nsupdate -k ${KEYFILE}
> server 127.0.0.1
> update delete broker.example.com A
> update add **your broker full name ** 180 A **your broker ip address**
(example: update add broker.example.com 180 A 192.168.122.220 )
> send
> quit

Test DNS server This is best done before hostname has been set.

ping broker.example.com
dig @127.0.0.1 broker.example.com

Broker: DHCP client and hostname

Setup dhcp client

echo "prepend domain-name-servers **your broker ip address**;" >> /etc/dhcp/dhclient-eth0.conf
echo "supersede host-name \"broker\";" >> /etc/dhcp/dhclient-eth0.conf
echo "supersede domain-name \"example.com\";" >> /etc/dhcp/dhclient-eth0.conf

Setup hostname

echo "broker.example.com" > /etc/hostname

Broker: MongoDB

Install Software

yum -y install mongodb-server

Tweak config file

vi /etc/mongodb.conf
# Uncomment auth = true
# Add smallfiles = true

Setup and start service

/usr/bin/systemctl enable mongod.service
/usr/bin/systemctl status mongod.service
/usr/bin/systemctl start mongod.service
/usr/bin/systemctl status mongod.service

Testing

mongo
> show dbs
> exit

Broker: Messaging (using QPID)

Activemq on F19 isn't ready for OpenShift production. When it is, we'll use that For now we'll use QPID with mcollective.

Install Software

yum install mcollective-qpid-plugin qpid-cpp-server

Setup Firewall

firewall-cmd --add-port=5672/tcp
firewall-cmd --permanent --add-port=5672/tcp
firewall-cmd --list-all

Setup and start service

/usr/bin/systemctl enable qpidd.service
/usr/bin/systemctl start qpidd.service
/usr/bin/systemctl status qpidd.service

Broker: MCollective client ( using QPID)

Install Software

yum -y install mcollective-client

Move original config file out of the way

mv /etc/mcollective/client.cfg /etc/mcollective/client.cfg.orig

Create new client config file. This config file is for using QPID as a messaging platform.

cat <<EOF > /etc/mcollective/client.cfg
topicprefix = /topic/
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
loglevel = debug
logfile = /var/log/mcollective-client.log

# Plugins
securityprovider = psk
plugin.psk = unset
connector = qpid
plugin.qpid.host=${BROKERNAME}
plugin.qpid.secure=false
plugin.qpid.timeout=5

# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
EOF

Broker: broker application

Install software

yum -y install openshift-origin-broker openshift-origin-broker-util rubygem-openshift-origin-auth-remote-user rubygem-openshift-origin-msg-broker-mcollective rubygem-openshift-origin-dns-bind

Modify the broker proxy server name

sed -i -e "s/ServerName .*$/ServerName broker.example.com/" /etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf 
cat /etc/httpd/conf.d/000002_openshift_origin_broker_servername.conf

Setup and start service

/usr/bin/systemctl enable httpd.service
/usr/bin/systemctl enable ntpd.service
/usr/bin/systemctl enable sshd.service

Setup Firewall

firewall-cmd --add-service=ssh
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --list-all

Generate access key

openssl genrsa -out /etc/openshift/server_priv.pem 2048
openssl rsa -in /etc/openshift/server_priv.pem -pubout > /etc/openshift/server_pub.pem
ssh-keygen -t rsa -b 2048 -f ~/.ssh/rsync_id_rsa
cp -v ~/.ssh/rsync_id_rsa* /etc/openshift/

Setup selinux boolean variables and set file contexts

setsebool -P httpd_unified=on httpd_can_network_connect=on httpd_can_network_relay=on httpd_run_stickshift=on named_write_master_zones=on
fixfiles -R rubygem-passenger restore
fixfiles -R mod_passenger restore
restorecon -rv /var/run
restorecon -rv /usr/share/gems/gems/passenger-*

Tweak broker config, if needed

vi /etc/openshift/broker.conf
# Might not have to do anything but make sure you have the following lines
CLOUD_DOMAIN="example.com"
VALID_GEAR_SIZES="small,medium"

Broker: broker plugins and MongoDB user accounts

Create config files from examples

cp /etc/openshift/plugins.d/openshift-origin-msg-broker-mcollective.conf.example /etc/openshift/plugins.d/openshift-origin-msg-broker-mcollective.conf

Config the DNS plugin

cd /var/named/
KEY="$(grep Key: K${DOMAIN}*.private | cut -d ' ' -f 2)"
cat $KEYFILE
echo $KEY

cat <<EOF > /etc/openshift/plugins.d/openshift-origin-dns-bind.conf
BIND_SERVER="127.0.0.1"
BIND_PORT=53
BIND_KEYNAME="${DOMAIN}"
BIND_KEYVALUE="${KEY}"
BIND_ZONE="${DOMAIN}"
EOF

Configure authentication plugin and add a user

cp -v /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user-basic.conf.sample /var/www/openshift/broker/httpd/conf.d/openshift-origin-auth-remote-user.conf
htpasswd -c -b -s /etc/openshift/htpasswd demo demo
# Don't forget your password. <demo password>
cat /etc/openshift/htpasswd

Add MongoDB account

grep MONGO /etc/openshift/broker.conf
mongo openshift_broker_dev --eval 'db.addUser("openshift", "mooo")'
# If you are going to change the username and/or password, change broker.conf

Bundle broker gems

yum -y install rubygem-psych rubygem-mocha
cd /var/www/openshift/broker
gem install mongoid
bundle --local

Setup and start services

/usr/bin/systemctl enable openshift-broker.service
/usr/bin/systemctl start httpd.service
/usr/bin/systemctl start openshift-broker.service
/usr/bin/systemctl status openshift-broker.service

Test basic broker service

curl -k -u demo:demo https://localhost/broker/rest/api

Setup and Configure Node

Node: Initial setup/configure

ON BROKER

KEYFILE=/var/named/${DOMAIN}.key

Register the node in DNS

oo-register-dns -h ${NODENAME} -d ${DOMAIN} -n ${NODEIP} -k ${KEYFILE}

Copy the broker public key to node

scp /etc/openshift/rsync_id_rsa.pub root@${NODENAME}:/root/.ssh/

ON NODE Put the brokers public key in root authorized keys

cat /root/.ssh/rsync_id_rsa.pub >> /root/.ssh/authorized_keys
rm -f /root/.ssh/rsync_id_rsa.pub

ON BROKER Test to make sure we can login using our key

ssh -i /root/.ssh/rsync_id_rsa root@${NODENAME}
exit

Node: DHCP client and hostname

Configure the dhcp settings

echo "prepend domain-name-servers **your broker ip address**;" >> /etc/dhcp/dhclient-eth0.conf
echo "supersede host-name \"node\";" >> /etc/dhcp/dhclient-eth0.conf
echo "supersede domain-name \"example.com\";" >> /etc/dhcp/dhclient-eth0.conf

Set the hostname

echo "node.example.com" > /etc/hostname

Node: MCollective

ON NODE Install Software

yum -y install openshift-origin-msg-node-mcollective mcollective-qpid-plugin

Move original configuration out of the way

mv /etc/mcollective/server.cfg /etc/mcollective/server.cfg.orig

Create new configuration

cat <<EOF > /etc/mcollective/server.cfg
topicprefix = /topic/
main_collective = mcollective
collectives = mcollective
libdir = /usr/libexec/mcollective
logfile = /var/log/mcollective.log
loglevel = debug
daemonize = 1
direct_addressing = n

# Plugins
securityprovider = psk
plugin.psk = unset
connector = qpid
plugin.qpid.host=${BROKERNAME}
plugin.qpid.secure=false
plugin.qpid.timeout=5

# Facts
factsource = yaml
plugin.yaml = /etc/mcollective/facts.yaml
EOF

Setup and start services

/bin/systemctl enable mcollective.service
/bin/systemctl start  mcollective.service

ON BROKER

mco ping
# node should show up on mco ping

Node: node application

Install software

yum -y install rubygem-openshift-origin-node rubygem-passenger-native openshift-origin-port-proxy openshift-origin-node-util
yum -y install openshift-origin-cartridge-cron-1.4 openshift-origin-cartridge-diy-0.1

Setup firewall

firewall-cmd --add-service=ssh
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --list-all

Node: PAM namespace module, cgroups, and user quotas

PAM

sed -i -e 's|pam_selinux|pam_openshift|g' /etc/pam.d/sshd

for f in "runuser" "runuser-l" "sshd" "su" "system-auth-ac"
do
  t="/etc/pam.d/$f"
  if ! grep -q "pam_namespace.so" "$t"
  then
    echo -e "session\t\trequired\tpam_namespace.so no_unmount_on_close" >> "$t"
  fi
done

CGROUPS

Cgroups Config - Need to still fixup the cgroup configurations

echo "mount {" >> /etc/cgconfig.conf
echo "        cpu     = /cgroup/all;" >> /etc/cgconfig.conf
echo "        cpuacct = /cgroup/all;" >> /etc/cgconfig.conf
echo "        memory  = /cgroup/all;" >> /etc/cgconfig.conf
echo "        freezer = /cgroup/all;" >> /etc/cgconfig.conf
echo "        net_cls = /cgroup/all;" >> /etc/cgconfig.conf
echo "}" >> /etc/cgconfig.conf
restorecon -v /etc/cgconfig.conf
mkdir /cgroup
restorecon -RFvv /cgroup

Cgroups enable and startup services

/bin/systemctl enable cgconfig.service
/bin/systemctl enable cgred.service
/usr/sbin/chkconfig openshift-cgroups on
/bin/systemctl restart  cgconfig.service
/bin/systemctl restart  cgred.service
/usr/sbin/service openshift-cgroups restart

DISK QUOTA

# Edit fstab and add usrquota to whichever filesystem 
#   has /var/lib/openshift on it
UUID=b9e21eae-4b8c-4936-9f5d-d10631ff535e / ext4    defaults,usrquota 1 1
# reboot or remount
mount -o remount /
quotacheck -cmug /

Node: SELinux and System Control

Setup SELINUX Booleans

setsebool -P httpd_unified=on httpd_can_network_connect=on httpd_can_network_relay=on httpd_read_user_content=on httpd_enable_homedirs=on httpd_run_stickshift=on allow_polyinstantiation=on

Update selinux file setting

restorecon -rv /var/run
restorecon -rv /usr/sbin/mcollectived /var/log/mcollective.log /var/run/mcollectived.pid
restorecon -rv /var/lib/openshift /etc/openshift/node.conf /etc/httpd/conf.d/openshift

SYSTEM CONTROL SETTINGS

echo "# Added for OpenShift" >> /etc/sysctl.d/openshift.conf
echo "kernel.sem = 250  32000 32  4096" >> /etc/sysctl.d/openshift.conf
echo "net.ipv4.ip_local_port_range = 15000 35530" >> /etc/sysctl.d/openshift.conf
echo "net.netfilter.nf_conntrack_max = 1048576" >> /etc/sysctl.d/openshift.conf
sysctl -p /etc/sysctl.d/openshift.conf

Node: SSH, Port Proxy, and Node application

SSH

vi /etc/ssh/sshd_config
> AcceptEnv GIT_SSH

perl -p -i -e "s/^#MaxSessions .*$/MaxSessions 40/" /etc/ssh/sshd_config
perl -p -i -e "s/^#MaxStartups .*$/MaxStartups 40/" /etc/ssh/sshd_config

/bin/systemctl restart  sshd.service

PORT PROXY

firewall-cmd --add-port=35531-65535/tcp
firewall-cmd --permanent --add-port=35531-65535/tcp
firewall-cmd --list-all

/bin/systemctl enable openshift-port-proxy.service
/bin/systemctl restart  openshift-port-proxy.service

NODE SETUP

/bin/systemctl enable httpd.service
/bin/systemctl enable openshift-gears.service

vi /etc/openshift/node.conf
> PUBLIC_HOSTNAME="node.example.com"
> PUBLIC_IP="192.168.122.161" (Node IP Address)
> BROKER_HOST="192.168.122.220" (Broker IP Address)
> CLOUD_DOMAIN="example.com"

/etc/cron.minutely/openshift-facts

Node: Reboot

We need to reboot to load all the node stuff correctly

reboot

Testing

Test on Broker (after node is back up)

Check Messaging

mco ping

Should look like

node.example.com                         time=239.51 ms

---- ping statistics ----
1 replies max: 239.51 min: 239.51 avg: 239.51 

Check Broker

curl -k -u demo:demo https://localhost/broker/rest/api

Should look like

{"data":{"API":{"href":"https://localhost/broker/rest/api","method":"GET","optional_params":[],"rel":"API entry point","required_params":[]},"GET_ENVIRONMENT":{"href":"https://localhost/broker/rest/environment","method":"GET","optional_params":[],"rel":"Get environment information","required_params":[]},"GET_USER"
...
:id","type":"string","valid_options":[]}]}},"messages":[],"status":"ok","supported_api_versions":[1.0,1.1,1.2,1.3],"type":"links","version":"1.3"}

Check and Setup User

yum -y install rubygem-rhc
LIBRA_SERVER=broker.example.com rhc setup

Should look like (Note: Generate a token now? no - client can handle it, broker in F19 cannot)

OpenShift Client Tools (RHC) Setup Wizard

This wizard will help you upload your SSH keys, set your application namespace, and
check that other programs like Git are properly installed.

The server's certificate is self-signed, which means that a secure connection can't be
established to 'broker.example.com'.

You may bypass this check, but any data you send to the server could be intercepted by
others.

Connect without checking the certificate? (yes|no): yes
Login to broker.example.com: demo
Password: ****
 
OpenShift can create and store a token on disk which allows to you to access the
server without using your password. The key is stored in your home directory and
should be kept secret.  You can delete the key at any time by running 'rhc logout'.
Generate a token now? (yes|no) no

Saving configuration to /root/.openshift/express.conf ... done

No SSH keys were found. We will generate a pair of keys for you.

    Created: /root/.ssh/id_rsa.pub

Your public SSH key must be uploaded to the OpenShift server to access code.  Upload
now? (yes|no)
yes

Since you do not have any keys associated with your OpenShift account, your new key
will be uploaded as the 'default' key.

Uploading key 'default' ... done

Checking for git ... found git version 1.8.2.1

Checking common problems .. done

Checking your namespace ... none

Your namespace is unique to your account and is the suffix of the public URLs we
assign to your applications. You may configure your namespace here or leave it blank
and use 'rhc create-domain' to create a namespace later.  You will not be able to
create applications without first creating a namespace.

Please enter a namespace (letters and numbers only) |<none>|: demoland

Create an app

rhc domain show -p demo
rhc app create test1 diy-0.1 -p demo

Test on Local Machine (after node is back up)

Setup your machine to use broker as a name server (Note: This might mess up normal network operations.)

vi /etc/resolve.conf
# At the first line put "nameserver *broker ip address*"
nameserver 192.168.122.220

Check and Setup User

yum -y install rubygem-rhc
LIBRA_SERVER=broker.example.com rhc setup

Should look like (Note: Generate a token now? no - client can handle it, broker in F19 cannot)

OpenShift Client Tools (RHC) Setup Wizard

This wizard will help you upload your SSH keys, set your application namespace, and
check that other programs like Git are properly installed.

The server's certificate is self-signed, which means that a secure connection can't be
established to 'broker.example.com'.

You may bypass this check, but any data you send to the server could be intercepted by
others.

Connect without checking the certificate? (yes|no): yes
Login to broker.example.com: demo
Password: ****
 
OpenShift can create and store a token on disk which allows to you to access the
server without using your password. The key is stored in your home directory and
should be kept secret.  You can delete the key at any time by running 'rhc logout'.
Generate a token now? (yes|no) no

Saving configuration to /root/.openshift/express.conf ... done

No SSH keys were found. We will generate a pair of keys for you.

    Created: /root/.ssh/id_rsa.pub

Your public SSH key must be uploaded to the OpenShift server to access code.  Upload
now? (yes|no)
yes

Since you do not have any keys associated with your OpenShift account, your new key
will be uploaded as the 'default' key.

Uploading key 'default' ... done

Checking for git ... found git version 1.8.2.1

Checking common problems .. done

Checking your namespace ... none

Your namespace is unique to your account and is the suffix of the public URLs we
assign to your applications. You may configure your namespace here or leave it blank
and use 'rhc create-domain' to create a namespace later.  You will not be able to
create applications without first creating a namespace.

Please enter a namespace (letters and numbers only) |<none>|: demoland

Create an app

rhc domain show -p demo
rhc app create test2 diy-0.1 -p demo


Check App You should be able to go to the following URL in your web browser.

http://test2-demoland.example.com/