Deploying OpenShift Enterprise from Ansible Tower

Overview

In this article we will look at how to use Ansible Tower to deploy and manage OpenShift environments. OpenShift of course uses Ansible as its deployment and configuration tool already. While that is great, using Tower provides several major advantages:

  • UI for OpenShift deployment and configuration management
  • Secure store for credentials
  • RBAC and ability to delegate different responsibilities for OpenShift deployments
  • Easy to visualize and manage multiple OpenShift environments and even versions of OpenShift
  • History, audit trail and detailed logging in central location for all OpenShift environments and deployments

Prepare OpenShift Environment

In this example we will be doing an all-in-one deployment of OpenShift. The following steps should be done on all OpenShift masters and nodes; here there is just one host, since this is an all-in-one deployment.

CONFIGURE A VM WITH THE FOLLOWING:

  • RHEL 7.2
  • 2 CPUs
  • 4096 RAM
  • 30GB disk for OS
  • 25GB disk for docker images

REGISTER VALID SUBSCRIPTION

# subscription-manager register
# subscription-manager attach --pool=843298293829382
# subscription-manager repos --disable="*"
# subscription-manager repos \
    --enable="rhel-7-server-rpms" \
    --enable="rhel-7-server-extras-rpms" \
    --enable="rhel-7-server-ose-3.3-rpms"

INSTALL REQUIRED TOOLS

# yum install -y wget git net-tools bind-utils iptables-services bridge-utils bash-completion

UPDATE

# yum update -y

RESTART OPENSHIFT MASTER

# systemctl reboot

CONFIGURE DOCKER

# yum install -y docker-1.10.3

ENABLE DOCKER DAEMON TO PULL FROM OPENSHIFT REGISTRY

# vi /etc/sysconfig/docker
OPTIONS='--selinux-enabled --insecure-registry 172.30.0.0/16'

SETUP DOCKER STORAGE FOR OPENSHIFT REGISTRY

Note: we will use the second disk for configuring docker storage.

# cat <<EOF > /etc/sysconfig/docker-storage-setup
DEVS=/dev/vdb
VG=docker-vg
EOF
# docker-storage-setup

ENABLE AND START DOCKER DAEMON

# systemctl enable docker
# systemctl start docker

Import OpenShift inventory into Ansible Tower

These steps should be done directly on the host running Ansible Tower.

Create Inventory in Ansible Tower

Under inventories add a new inventory.

Create directory for OpenShift inventory

# mkdir /root/ose3

Setup ansible-hosts file

# vi /root/ose3/ansible-hosts
##########################
### OSEv3 Server Types ###
##########################
[OSEv3:children]
masters
nodes
etcd

##############################
### host group for masters ###
##############################
[masters]
ose3-master2.lab.com

###################################
### host group for etcd servers ###
###################################
[etcd]
ose3-master2.lab.com

##################################################
### host group for nodes, includes region info ###
##################################################
[nodes]
ose3-master2.lab.com openshift_schedulable=True

Create directory for group_vars

Note: this is required because the Tower import tool does not yet support [groupname:vars] directly in the inventory file.

# mkdir /root/ose3/group_vars

Setup OpenShift parameters using group_vars file

# vi /root/ose3/group_vars/OSEv3
ansible_ssh_user: root
os_sdn_network_plugin_name: 'redhat/openshift-ovs-subnet'
deployment_type: openshift-enterprise
openshift_master_default_subdomain: apps.lab.com
openshift_master_identity_providers: [{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
openshift_node_kubelet_args: {'maximum-dead-containers': ['100'], 'maximum-dead-containers-per-container': ['2'], 'minimum-container-ttl-duration': ['10s'], 'max-pods': ['110'], 'image-gc-high-threshold': ['90'], 'image-gc-low-threshold': ['80']}
logrotate_scripts: [{"name": "syslog", "path": "/var/log/cron\n/var/log/maillog\n/var/log/messages\n/var/log/secure\n/var/log/spooler\n", "options": ["daily", "rotate 7", "compress", "sharedscripts", "missingok"], "scripts": {"postrotate": "/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true"}}]
openshift_docker_options: "--log-opt max-size=1M --log-opt max-file=3"
openshift_node_iptables_sync_period: 5s
openshift_master_pod_eviction_timeout: 3m
osm_controller_args: {'resource-quota-sync-period': ['10s']}
osm_api_server_args: {'max-requests-inflight': ['400']}
openshift_use_dnsmasq: false
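
A check worth running on the inventory directory before handing it to the import, as an added example that is not from the original article: it flags `[group:vars]` sections, a misspelled `group_vars` directory, variables files that match no inventory group, and password variables that belong in a Tower credential instead. The function name and the constructed sample directory are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-import check of a Tower inventory source directory.
# Prints one line per finding; the return status is the number of findings.
check_tower_inventory() {
    local dir=$1 hosts=${2:-ansible-hosts} findings=0 f g
    report() { echo "FINDING: $*"; findings=$((findings + 1)); }

    [ -f "$dir/$hosts" ] || { report "missing inventory file $dir/$hosts"; return 1; }

    # The article notes the import tool does not support [group:vars] sections.
    if grep -Eq '^\[[^]]+:vars\]' "$dir/$hosts"; then
        report "[group:vars] section in $hosts; move it to group_vars/<group>"
    fi

    # A case variant such as group_Vars is not read on a case-sensitive filesystem.
    for f in "$dir"/*; do
        g=$(basename "$f")
        if [ "$g" != group_vars ] && [ "$(echo "$g" | tr 'A-Z' 'a-z')" = group_vars ]; then
            report "directory '$g' should be named 'group_vars'"
        fi
    done

    for f in "$dir"/group_vars/*; do
        [ -f "$f" ] || continue
        g=$(basename "$f")
        # Each variables file must carry the exact name of an inventory group.
        grep -Fxq -e "[$g]" -e "[$g:children]" "$dir/$hosts" ||
            report "group_vars/$g matches no group in $hosts"
        # Login secrets belong in a Tower credential, not in imported variables.
        if grep -Eq '^(ansible_ssh_pass|ansible_password|ansible_become_pass):' "$f"; then
            report "group_vars/$g contains a password variable"
        fi
    done
    return "$findings"
}

# Constructed sample: the article's layout with a misspelled group_Vars directory.
demo=$(mktemp -d)
mkdir "$demo/group_Vars"
printf '[OSEv3:children]\nmasters\n\n[masters]\nose3-master2.lab.com\n' > "$demo/ansible-hosts"
printf 'ansible_ssh_user: root\n' > "$demo/group_Vars/OSEv3"
check_tower_inventory "$demo" || echo "$? finding(s): fix before running the import"
rm -rf "$demo"
```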

Import OpenShift inventory

# tower-manage inventory_import --source=/root/ose3 --inventory-name="OSE_3.3" --overwrite --overwrite-vars

After the import is complete you should see the inventory. Under the OSE_3.3 inventory, a group called OSEv3 should be visible. If you edit the OSEv3 group you should see the variables used to drive the OpenShift deployment. Here you can easily change things in order to update or change the OpenShift deployment.

Under the OSEv3 group you should see all the OpenShift server groups and under those the actual systems.

ansible_inv1

Configure Ansible Tower

Create Project in Tower

Under projects add a new project. Add the GitHub URL of the ansible-openshift project. Ensure you add the correct branch. OpenShift v3.3 correlates to branch release-1.3. You should add a separate project for every release.

Note: make sure you check which version of ansible-openshift correlates to the version of OpenShift you want to deploy!

Add credentials for OpenShift nodes

Under settings->credentials add new credentials called OSE.

Note: In this example I added the root user and password, but you can use a non-root user or ssh keys instead of a password. In fact there is already a group_var parameter to use sudo.

Add job template

Under job templates add a new template. Select the inventory, project and machine credentials. Select playbooks/byo/config.yaml for the playbook.

Deploy OpenShift

To deploy or update your OpenShift deployment you simply need to run the playbook from Tower by clicking the rocket next to your job template.

You can follow the deployment status by looking at the job in Tower.

Summary

In this article we looked at how to deploy OpenShift using Ansible Tower. The default method for deploying and managing OpenShift is Ansible Core. Tower, however, gives you a lot of advantages: central management, a credentials store, RBAC and the ability to maintain multiple versions or multiple OpenShift environments. And of course, the more you do with Ansible, the more sense it makes to start using Tower. I hope you found this article informative and interesting. Looking forward to hearing your thoughts and feedback.

Happy OpenShifting!

(c) 2016 Keith Tenzer