In a previous article I have written on how easy it is to stand up a test environment of OpenShift. In this article I will describe an example application from the sourcecode to the created image and how this gets deployed. The steps are explained using manual steps, and how OpenShift does it all automated. You will notice, at no point do you have to write a Dockerfile.

Preparation

For this article it is not necessary to have a working test environment, however it does make things clearer. I would suggest you to use OpenShift Origin v1.3 on CentOS 7. Although my previous article showed how to get it up and running on Fedora 24, I experienced an issue with deployment not succeeding*. The steps in the deployment article can be performed by replacing dnf with yum.

Description of the example

The OpenShift project publishes several test applications on GitHub, of which one is a very simple Ruby applica8080. Please, have a look at: http://github.com/openshift/ruby-ex

You will see it consists of four files:

• Gemfile
• Gemfile.local
• config.ru
• README.md

The application itself is only described in config.ru and the needed dependencies are in Gemfile.

Dependencies

To make the application work, we first need:

$ gem install bundler

This will install bundler that can install dependencies as described in the Gemfile. This file describes:

source 'https://rubygems.org'
gem 'rack'
gem 'puma'

The first line says source which points to a gem repository, and each line starting wih gem are bundled packages containing libraries for use in your project. To install all of the required gems (dependencies) from the specified sources:

$ bundle install

The file Gemfile.lock is a snapshot of the Gemfile and is used internally.

config.ru

The application is specified in the file called config.ru. If you open the file you will see it contains route mappings, lines starting with map, for three urls:

• /health
• /lobster
• /

/health

This is a commonly used to provide a simple health-check for applications that are automatically deployed. It allows to quickly test if the application got deployed. In projects I worked on, we also did quick dependency checks, such as a configuration file exists, or another needed endpoint is available. In this application it will respond with a HTTP status code 200 and returns 1 as value.

/lobster

This is a test provided by rack. It shows an ASCII-art lobster. By adding a variable to the URL querystring ?flip=left the direction can be changed.

/

This is the mapping to a bare route. It shows a greeting message on how to use the application using OpenShift to trigger automated builds.

Rackup

Rack is an interface for using Ruby and Ruby frameworks with webservers. It provides an application called rackup to start the application:

$ bundle exec rackup -p 8080 config.ru

Using this command the webserver will bind to port 8080, according to the description in the config.ru file. To see what the mappings do, open:

• http://localhost:8080/health
• http://localhost:8080/lobster
• http://localhost:8080/

Use the example with OpenShift

Deploying an application on OpenShift from source is very simple. A single command can do this. First have a look

$ oc new-app openshift/ruby-20-centos7~https://github.com/[username]/ruby-ex

But before we do, I will explain what this command does. Oversimplified OpenShift does two things:

1. Build
2. Deploy

Note: If you want to perform the command, go ahead. Please fork the repository and change the [username] in this command.

Build: source to image

OpenShift runs container images which are in the Docker format. It will run the CMD instruction for this. So, how does OpenShift know what to run? Convention. Most frameworks have a standard way of doing things, and this is as you noticed also the case with the Ruby example. The creation of the image happens with a tool called source-to-image (S2I).

Source-to-Image (S2I) is a toolkit and workflow for building reproducible Docker images from source code. It uses a base image, and will layer the application on top, configures the runn command, which then results in a containter image for use.

$ s2i build https://github.com/[username]/ruby-ex openshift/ruby-20-centos7 ruby-ex

base image

The base image here is openshift/ruby-20-centos7. The source of this image can be found at the following GitHub repository: s2i-ruby-container

If you look at the Dockerfile source, you will see Software Collections is used to install a specific Ruby version. In this case version 2.0. Software collections solves one of the biggest complaints of using CentOS (or RHEL) as a basis as part of your delivery. It allows you to use multiple versions of software on the same system, without affecting system-wide installed packages.

The image also describes a label io.openshift.expose-services="8080:http" which inidcate that the application on port 8080 will be exposed as HTTP traffic. This also means the container does not need root privileges as the port assignment is above 1024. The application itself will be installed into the folder: /opt/app-root/src.

Running this container can be done with:

$ docker run -p 8080:8080 ruby-ex

[1] Puma starting in cluster mode...
[1] * Version 3.4.0 (ruby 2.0.0-p645), codename: Owl Bowl Brawl
[1] * Min threads: 0, max threads: 16
[1] * Environment: production
[1] * Process workers: 1
[1] * Phased restart available
[1] * Listening on tcp://0.0.0.0:8080
[1] Use Ctrl-C to stop
[1] - Worker 0 (pid: 32) booted, phase: 0

Open the links as previously stated will yield the same results.

$ curl http://localhost:8080/health

The build process can be as simple as a copy for static content, to compiling Java or C/C++ code. For the purpose of this article I will not explain more about the S2I process, but this will certainly be explained in future articles.

New application

If we now look at the previous command again:

$ oc new-app openshift/ruby-20-centos7~https://github.com/[username]/ruby-ex

you can clear see the structure. The first element openshift/ruby-20-centos7 describes the S2I container image for Ruby as hosted at the Docker hub. The second part is the source code path pointing to a git repository.

Please try the command now... OpenShift will create containers for each of the stages used: build, deploy and the final running container. You can check the containers using the command:

$ oc get pod

NAME               READY     STATUS         RESTARTS   AGE
ruby-ex-1-build    0/1       Completed      0          1m

Build stage

If you create this new application, a new container named ruby-ex-1-build. What happened is that the Source-to-image container got pulled which uses the base image and layers the source code on top.

To see what happened, as with the previous command, you can see the build configuration:

$ oc logs bc/ruby-ex

Cloning "https://github.com/gbraad/ruby-ex" ...
        Commit: f63d076b602441ebd65fd0749c5c58ea4bafaf90 (Merge pull request #2 from mfojtik/add-puma)
        Author: Michal Fojtik <mi@mifo.sk>
        Date:   Thu Jun 30 10:47:53 2016 +0200
---> Installing application source ...
---> Building your Ruby application from source ...
---> Running 'bundle install --deployment' ...
Fetching gem metadata from https://rubygems.org/...............
Installing puma (3.4.0)
Installing rack (1.6.4)
Using bundler (1.3.5)
Cannot write a changed lockfile while frozen.
Your bundle is complete!
It was installed into ./bundle
---> Cleaning up unused ruby gems ...
Pushing image 172.30.108.129:5000/myproject/ruby-ex:latest ...
Pushed 0/10 layers, 10% complete
Pushed 1/10 layers, 34% complete
Pushed 2/10 layers, 49% complete
Pushed 3/10 layers, 50% complete
Pushed 4/10 layers, 50% complete
Pushed 5/10 layers, 50% complete
Pushed 6/10 layers, 61% complete
Pushed 7/10 layers, 71% complete
Pushed 8/10 layers, 88% complete
Pushed 9/10 layers, 99% complete
Pushed 10/10 layers, 100% complete
Push successful

The difference is that the resulting image will be placed in the myproject namespace, and pushed to the local repository.

Deployment stage

After the image has been composed, OpenShift will run the container image on the scheduled node. What happens here can be checked with:

$ oc get pod                                                                                                                                                          

NAME              READY     STATUS      RESTARTS   AGE
ruby-ex-1-an801   1/1       Running     0          26s
ruby-ex-1-build   0/1       Completed   0          1m

This means that the build succeeded, the image got deployed and now runs in the a container identified with ruby-ex-1-an801. Note: The container ruby-ex-1-deploy is not shown here as only the logs are of importance.

The deployment configuration logs can be shown with:

$ oc logs dc/ruby-ex

[1] Puma starting in cluster mode...
[1] * Version 3.4.0 (ruby 2.0.0-p645), codename: Owl Bowl Brawl
[1] * Min threads: 0, max threads: 16
[1] * Environment: production
[1] * Process workers: 2
[1] * Phased restart available
[1] * Listening on tcp://0.0.0.0:8080
[1] Use Ctrl-C to stop
[1] - Worker 0 (pid: 32) booted, phase: 0
[1] - Worker 1 (pid: 35) booted, phase: 0

Events

To see the flow of execution, you can have a look at:

$ oc get events

This can be helpful if an error occured.

Verify

Now that the application has been deployed on OpenShift, we need to look up the IP address that has been assigned. For this we use:

$ oc get svc

NAME      CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
ruby-ex   172.30.91.160   <none>        8080/TCP   21h

Now we can open the application as http://172.30.91.160:8080/

Conclusion

OpenShift allows you to run prebuilt images or applications based on source. The Source-to-image tooling makes it possible to create reproducible images for deployment of applications based on source. This tool itself is very helpful and is certainly something I will be using, even outside the use of OpenShift. There is no need to create or modify a Dockerfile, which means that the developer can focus on the development process.

If you want to know more about the automated builds, please have a look at the README of the Ruby example. In future articles more detailed descriptions about these topics will certainly be given. I hope this has been helpful. Please consider leaving feedback or tweet this article.

It is hard to remember the time I really sat down in front of the TV, waiting for a programme to show up, and really enjoy it. Mostly it was accompanied with plenty of interruptions. It might have been Star Trek on the public channels that I enjoyed the most. But even Discovery Channel had many interruptions, some were funny, or just slightly annoying, especially when you have the TV on as background sound. With the advent of YouTube, and other User Generated Content websites, or even streaming websites, it is almost unimaginable there used to be a time without being able to watch your favorites.

Some might not know, but I help(ed) a lot with music remixing and artwork. Too bad I do not have the time now, but this is so much fun. Content creation is probably the best people can do as it gives a lot of satisfaction. I consider the teaching I do as a form of content creation. I produced a lot of documents, notes, etc, and people enjoy the way I explain stuff. Even writing code is a creative process:

foreach step in I.take():
  step.move(DIRECTION_TOMORROW)

But remixing music, or posting artwork online, does not pay the bills. Unless of course you are Tiesto, etc. And asking for a donation has not been my thing, although I have received some. I am very thankful for this!

And this is why I give to the content creators that create good stuff. I love the cardgame Magic: the Gathering, and especially some of the youtube channels for this. Patreon is a great idea... and if people create content you read often, consider giving back. Even 1 USD is already good way to show you care. It can buy someone a cup of coffee... and the more people who do, the easier someone can take some time off to create the content you love!

One of the projects I really want to work on again is Gauth. it has been in a neglect, but I can't reserve enough time to do a rewrite... I ask you, consider to become a Patron of my work and hopefully I can improve by giving Gauth a new future, allow me to create more content on my blog... and maybe in the future even more.

And thank you to all who have donated in the past!

If you install Docker on a new Fedora or CentOS system, it is very likely that you use devicemapper. Especially in the case of Fedora cloud images, no special configuration is done to the image. While Atomic images come pre-configured with a dedicated pool. Using devicemapper with loopback can lead to unpredictable behaviour, and while OverlayFS is a nice replacement, you will not be able to use SELinux at the moment. In this short article I will show how to setup a pool for storing the Docker images.

Preparation

For this article I will be using a Fedora 24 installation on an OpenStack cloud provider*. It is a standard Cloud image, which means the root is configured as 'ext4'. I will be attaching a storage volume to the instance. Just like using Virtual Manager, the disk will be identified as /dev/vdb.

First you need to stop the Docker process and remove the existing location. This means you will loose the images, but if they are important, you can either export or push them somewhere else.

$ systemctl stop docker
$ rm -rf /var/lib/docker

After this we will create a basic LVM setup which will use the whole storage volume.

$ pvcreate /dev/vdb
$ vgcreate docker_vol /dev/vdb

We know have a volumegroup named docker_vol.

Setup Docker storage

Fedora comes with a tool that makes it easy to setup the storage for Docker, called docker-storage-setup. The configuration is done with a file, and in our case it needs to contain the identification of the volume group to use:

$ vi /etc/sysconfig/docker-storage-setup 

VG="docker_vol"

Now you can run:

$ docker-storage-setup

This will create the filesystem and configures Docker to use the storage pool. After this successfully finishes, it has configured the pool to use the xfs filesystem.

Verify

To verify these changes, we will start Docker and run a basic image.

$ systemctl start docker
$ docker info

Storage Driver: devicemapper
 Pool Name: docker_vol-docker--pool
 Pool Blocksize: 524.3 kB
 Base Device Size: 10.74 GB
 Backing Filesystem: xfs
 Data file: 
 Metadata file: 
 Data Space Used: 37.75 MB
 Data Space Total: 21.45 GB
 Data Space Available: 21.41 GB
 Metadata Space Used: 53.25 kB
 Metadata Space Total: 54.53 MB
 Metadata Space Available: 54.47 MB
 Udev Sync Supported: true
 Deferred Removal Enabled: true
 Deferred Deletion Enabled: true
 Deferred Deleted Device Count: 0
 Library Version: 1.02.122 (2016-04-09)

$ docker pull busybox
$ docker run -it --rm busybox
/ # 

Conclusion

Configuration of storage has been really simplified and shouldn't be a reason not to do this. However, still to many people are not aware of the issues with devicemapper and loopback. Having to assign additional software to use Docker can also be a reason why people do not consider doing this, but even OverlayFS is not perfect. Using overlay with SELinux will be possible in the future, and hopefully soon these steps will also not be needed. In any case, the steps involved are simple and if you use Docker on Fedora, needed!

More information

• Friends Don't Let Friends Run Docker on Loopback in Production
• Setting up storage for Project Atomic

In my previous article I described how I used an Ansible playbook and a few roles to stand-up a Kubernetes test environment. In that article I mentioned that to deploy a production-ready environment some work more was required. Luckily, it is now very easy to stand up a production and enterprise-ready container platform for hosting applications, called OpenShift. Through the years OpenShift has undergone a lot of changes, and the latest version Origin v1.3 is very different from the original version. OpenShift sets up a complete Kubernetes environment and with a set of tools it can take care of the whole application lifecycle, from source to deployment. In this article I will give an introduction to setting up a test environment for a developer.

Setup machine

I will setup the environment on a standard Fedora 24 installation. You can use a cloud image as all the needed packages will be specified. After installing the machine, you login as a standard user, which can do a password-less sudo.

$ ssh fedora@89.42.141.96
$ sudo su -
#

Install docker and client

From here all the commands will be run as root, unless otherwise specified.

$ dnf install -y docker curl

This will install the basic packages we need to setup the test cluster. Now from a browser you open the following page: https://github.com/openshift/origin/releases/tag/v1.3.0. This shows the current deliverables for the OpenShift Origin v1.3 release. You need to download the file called like openshift-origin-client-tools-v1.3.0-[...]-linux-64bit.tar.gz

$ curl -sSL https://github.com/openshift/origin/releases/download/v1.3.0/openshift-origin-client-tools-v1.3.0-3ab7af3d097b57f933eccef684a714f2368804e7-linux-64bit.tar.gz -o oc-client.tar.gz
$ tar -zxvf oc-client.tar.gz
$ mkdir -p /opt/openshift/client
$ cp ./openshift-origin-client-tools-v1.3.0-3ab7af3d097b57f933eccef684a714f2368804e7-linux-64bit/oc /opt/openshift/client/oc

Note: I do not install the binary in /usr/bin or /usr/sbin to prevent a conflict with a packaged version, but also because this makes it easier for me to work on a different version of the application. E.g. the current packaged version is v1.2 and does not provide the command we will be using in the next step.

Configure docker

To allow OpenShift to pull and locally cache images, it will deploy a local docker registry. But before docker would be able to use this, we need to specify an insecure registry in the configuration. For this you need to add --insecure-registry 172.30.0.0/16 to /etc/sysconfig/docker.

$ vi /etc/sysconfig/docker

OPTIONS='--selinux-enabled --log-driver=journald --insecure-registry 172.30.0.0/16'

After this we will setup to allow the standard user to communicate with the docker daemon over the docker socket. This is not a necessary step, and does not make the system more secure. It does make it easier not having to move between user and using sudo all the time.

$ groupadd docker
$ usermod -a -G docker fedora
$ chgrp docker /var/run/docker.sock

After this you can start docker and move on the actual installation of OpenShift.

$ systemctl enable docker
$ systemctl start docker

Note: we will be running this environment with devicemapper as Storage Driver. This is not an ideal situation. If you do further tests, consider changing the storage with docker-storage-setup to use a dedicated volume.

Running OpenShift

Since version 1.3 of OpenShift, the client provides a cluster up commands which stands up a very simple all-in-one cluster, with a configured registry, router, image streams, and default templates.

As the fedora user, you can check if you can access docker

$ docker ps

CONTAINER ID    IMAGE   COMMAND     CREATED     STATUS      PORTS   NAMES

No containers should be returned. This mean you can communicate with the docker daemon. Now you are ready to start the test cluster.

cluster up

$ export PATH=$PATH:/opt/openshift/client/
$ ./oc cluster up
-- Checking OpenShift client ... OK
-- Checking Docker client ... OK
-- Checking Docker version ... OK
-- Checking for existing OpenShift container ... OK
-- Checking for openshift/origin:v1.3.0 image ... OK
-- Checking Docker daemon configuration ... OK
-- Checking for available ports ... OK
-- Checking type of volume mount ... 
   Using nsenter mounter for OpenShift volumes
-- Creating host directories ... OK
-- Finding server IP ... 
   Using 10.5.0.27 as the server IP
-- Starting OpenShift container ... 
   Creating initial OpenShift configuration
   Starting OpenShift using container 'origin'
   Waiting for API server to start listening
   OpenShift server started
-- Installing registry ... OK
-- Installing router ... OK
-- Importing image streams ... OK
-- Importing templates ... OK
-- Login to server ... OK
-- Creating initial project "myproject" ... OK
-- Server Information ... 
   OpenShift server started.
   The server is accessible via web console at:
       https://10.5.0.27:8443

   You are logged in as:
       User:     developer
       Password: developer

   To login as administrator:
       oc login -u system:admin

And that was it! Now you are running an OpenShift environment. You can check this as follows:

$ docker ps

CONTAINER ID        IMAGE                                     COMMAND                  CREATED             STATUS              PORTS               NAMES
cebba70022a6        openshift/origin-haproxy-router:v1.3.0    "/usr/bin/openshift-r"   16 seconds ago      Up 15 seconds                           k8s_router.9426645a_router-1-o3454_default_ba2e0814-8483-11e6-924a-fa163e29da46_e9a13a8d
32aa5e84a04d        openshift/origin-docker-registry:v1.3.0   "/bin/sh -c 'DOCKER_R"   17 seconds ago      Up 15 seconds                           k8s_registry.f0a205a4_docker-registry-1-v57os_default_b9fc0130-8483-11e6-924a-fa163e29da46_24863324
03ee38d125cb        openshift/origin-pod:v1.3.0               "/pod"                   18 seconds ago      Up 16 seconds                           k8s_POD.4a82dc9f_router-1-o3454_default_ba2e0814-8483-11e6-924a-fa163e29da46_ea6d1d08
44d6f8d2d9d6        openshift/origin-pod:v1.3.0               "/pod"                   18 seconds ago      Up 16 seconds                           k8s_POD.9fa2fe82_docker-registry-1-v57os_default_b9fc0130-8483-11e6-924a-fa163e29da46_76754271
60e7cc5f4e5d        openshift/origin-deployer:v1.3.0          "/usr/bin/openshift-d"   21 seconds ago      Up 19 seconds                           k8s_deployment.59c7ba3f_router-1-deploy_default_b3660c7b-8483-11e6-924a-fa163e29da46_8e02f47a
f1fe993ddcac        openshift/origin-pod:v1.3.0               "/pod"                   22 seconds ago      Up 20 seconds                           k8s_POD.4a82dc9f_router-1-deploy_default_b3660c7b-8483-11e6-924a-fa163e29da46_9a38fe5e
72068a244ac8        openshift/origin:v1.3.0                   "/usr/bin/openshift s"   49 seconds ago      Up 48 seconds                           origin

Client connection

After running the command oc cluster up you will be automatically logged in. For this it writes the login configuration in ~/.kube/. If you want to change you can login using:

$ oc login

The standard user provided is developer.

Verify

Now we need to verify if we can deploy a simple application. However, without changes, OpenShift will not run containers with a root-user process. For example an nginx container would fail with a permission denied error.

Instead, we will for now run a simple Hello container:

$ oc run hello-openshift --image=docker.io/openshift/hello-openshift:latest --port=8080 --expose

service "hello-openshift" created
deploymentconfig "hello-openshift" created

This would create the container and schedule it. You can check the progress with:

$ oc get pod

NAME                        READY     STATUS    RESTARTS   AGE
hello-openshift-1-xi7f0     1/1       Running   0          9m

You will also see a -deploy container. This is not needed for our verification.

To check the application, we need to get the IP address that has been assigned to the Pod. You can do this as follows:

$ oc get pod hello-openshift-1-xi7f0 -o yaml | grep podIP

  podIP: 172.17.0.7

All you have to do now is open the endpoint:

$ curl 172.17.0.7:8080

Hello OpenShift!

And that is it, you have a working OpenShift test cluster.

Teardown

If you are down with this, you simply do a:

$ oc cluster down

and all the containers used in the deployment will be torn down.

Conclusion

Using OpenShift's cluster up command you can easily setup an environment for developers to run and test their applications. The current of OpenShift provided with Fedora 24 does not offer this command, as the packaged version is v1.2. However, this change is in Rawhide and is therefore expected to be released as part of Fedora 25.

In future articles I will detail more about how to create applications for the OpenShift container platform, and how to check and maintain the life cycle of the deployed application. For now, take a look at the other source of information below.

More information

• OpenShift Homepage
• OpenShift Origin at GitHub
• Knowledge-base article about OpenShift

Recently I did a lot of tests with Atomic, such as a creating custom images for Ceph, and ways to provide an immutable infrastructure. However, Atomic is meant to be a host platform for a container platform using Kubernetes. Their Getting Started guide describes how to setup a basic environment to host containerized applications. However, this is a manual approach and with the help of Vincent* I create a way to deploy this Kubernetes environment on Atomic and a standard CentOS installation using Ansible. In this article I will describe the components and provide instructions on how to deploy this basic environment yourself.

Requirements

To deploy the Kubernetes environment you will need either Atomic Host or a standard CentOS installation. If you are using this for testing purposes, a cloud image on an OpenStack provider will do. The described Ansible scripts will work properly on both Atomic Host and CentOS cloud images. Although it has not been tested on Fedora, it should be able to make this work with minimal changes. If you do, please contribute these changes back.

You will need at least 2 (virtual) machines. One will be configured as the Kubernetes master and the remaining node(s) can be configured as minions or deployment nodes. I have used at least 4 nodes; a general controller node to perform the deployment from (also configured to install the Kubernetes client), a master node and at least two deployment nodes. Take note that this deployment does not handle docker-storage-setup and High Availability.

Setup for deployment

Almost all the deployments I perform are initiated from a short-lived controller node. This is a machine that allows incoming and outgoing traffic, and mostly gets configured with an external Floating IP. This host can be seen as a jumphost. I will configure it with a dedicated set of SSH keys for communication with the other machines. You do not have to do this, and if you have limited resources, consider this host to be the same as the Kubernetes master node.

On this machine do the following:

$ yum install -y ansible git
$ git clone https://gitlab.com/gbraad/ansible-playbook-kubernetes.git
$ cd ansible-playbook-kubernetes
$ ansible-galaxy install -r roles.txt

This will install the Ansible playbook and the required roles:

gbraad.docker
gbraad.docker-registry
gbraad.kubernetes-master
gbraad.kubernetes-node
gbraad.kubernetes-client

Each of the roles take care of the installation and/or configuration of the environment. Do take note that the Docker and Kubernetes roles do not install packages on the Atomic hosts as these already come with the needed software.

Configure the deployment

If you look at the files deploy-kubernetes.yml you will see three tasks for a different group of hosts. As mentioned before, they will each take care of the installation when needed.

- name: Deploy kubernetes Master
  hosts: k8s-master
  remote_user: centos
  become: true
  roles:
  - gbraad.docker
  - gbraad.kubernetes-master

- name: Deploy kubernetes Nodes
  hosts: k8s-nodes
  remote_user: centos
  become: true
  roles:
  - gbraad.docker
  - gbraad.kubernetes-node

- name: Install kubernetes client
  hosts: k8s-client
  remote_user: centos
  become: true
  roles:
  - gbraad.kubernetes-client

Take notice of the setting of remote_user. On an Atomic host this is a passwordless sudo user, which can also login with SSH using a passwordless key-based authentication. If you use CentOS, please configure a user and allow add an entry with echo "username ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/username.

Change the inventory

Ansible targets a playbook against a single or group of nodes that you specify in an inventory file. This file is named hosts in this playbook repository. When you open it you will see the same set of names as specified above in the hosts entry in the deploy-kubernetes.yml playbook. For our purposes you will always have to deploy a master and a node. If you do not specify the master node, the installation will fail as some of the deployment variables will be used for configuration of the nodes.

$ vi hosts

[k8s-master]
atomic-01 ansible_ssh_host=10.5.0.11

[k8s-nodes]
atomic-02 ansible_ssh_host=10.5.0.14
atomic-03 ansible_ssh_host=10.5.0.13
atomic-04 ansible_ssh_host=10.5.0.12

Group variables

At the moment the roles are not very configurable as they are mainly targeting a simple test environment. Inside the folder group_vars you will find the configration for the Kubernetes nodes. These are as follows

skydns_enable: true
dns_server: 10.254.0.10
dns_domain: kubernetes.local

Perform the deployment

After changing the variables in the hosts inventory file and the group variables, you are actually all set to perform the deployment. We will start with the following.

$ ansible-playbook -i hosts deploy-docker-registry.yml

This first step will install Docker on the master node and pull the Docker Registry container. This is needed to provide a local cache of container images that you have pulled.

After this we can install the Kubernetes environment with:

$ ansible-playbook -i hosts deploy-kubernetes.yml

Below I will describe what each part of the playbook does and some information about the functionality.

Playbook and role description

Below I will give a short description of what each part of the playbook and role does.

Role gbraad.docker

Each node in the playbook will be targeted with the following role: gbraad.docker. This role determines if the node is an Atomic Host or not. This check is performed in the tasks/main.yml file. It the node is not an Atomic Host, it will include install.yml to perform additional installation tasks. At the moment this is a simple package installation for docker. After this step, the role will set state started and enabled for the services; docker.

Source

Role: gbraad.kubernetes-master

As part of the playbook, first we will configure the master node. For this, the role gbraad.kubernetes-master is used. Just like in the previous role, file tasks/main.yml will perform a simple check to determine if an Atomic Host is used or not. If not, some packages will be installed:

• kubernetes-master
• flannel
• etcd

Source

Configure Kubernetes

After this step Kubernetes will be configured on this hosts. Tasks are described in the file tasks/configure_k8s.yml, source.

Role

Congfigure Kubernetes: etcd

This role will create a single 'etcd' server on the master. For simplicty all IP address will be allowed by using 0.0.0.0 as the endpoint. The port used for etcd clients is 2379, but since 4001 is also widely used we will also configure to use this.

Tasks:

• Configure etcd LISTEN CLIENTS
• Configure etcd ADVERTISE CLIENTS

Configure Kubernetes: common services

After this the role will set an entry in the file /etc/kubernetes/config. This is a general configuration file used by all the services. It sets the local IP address, identified as default_ipv4_address as etcd server and the kubernetes master nodes.

Tasks:

• Configure k8s common services

Configure Kubernetes: apiserver

For the apiserer the file /etc/kubernetes/apiserver is used. We will configure it to listen on all IP address. An admission control plug-in is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object. For this role we removed ServiceAccount which is normally used to limit the creation requests of Pods based on the service account.

Restart services

After this the services of the master node are started and enabled. These are:

• etcd
• kube-apiserver
• kube-controller-manager
• kube-scheduler

Configure flannel

For this environment we will use flannel to provide an overlay network. An overlay network exists on top of another network to provide a virtual path between nodes who use this overlay network. The steps for this are specified in tasks/configure_flannel.yml source.

The configuration of flannel is controller by etcd. We will copy a file to the master node containing:

{
  "Network": "172.16.0.0/12",
  "SubnetLen": 24,
  "Backend": {
    "Type": "vxlan"
  }
}

This file is located in the role as files/flanneld-conf.json. Using curl we will post this file to etcd on the master.

Tasks:

• Copy json with network config
• Configure subnet

After these steps the Kubernetes master is configured.

Role: gbraad.kubernetes-node

For the configuration of a Kubernetes node we use the role gbraad.kubernetes-node. Just like in the previous roles we determine in tasks/main.yml to install packages or not. For all the nodes we will configure:

• SELinux
• flannel
• kubernetes specific settings

Source, Role

Configure SELinux

Because I use persistent storage using NFS with Docker, I configure SELinux to set the boolean virt_use_nfs.

Configure flannel

In the tasks:

• Overlay | configure etcd url
• Overlay | configure etcd config key
• Flannel systemd | create service.d
• Flannel systemd | deploy unit file

We configure all the nodes to use the etcd instance on k8s-master as the endpoint for flannel configuration. These tasks configure the networking to use the flanneld provided bridge IP and MTU settings. Using the last two tasks we configure systemd to start the service.

After this change we will restart the flanneld service.

Configure Kubernetes

In the file tasks/configure_k8s.yml we do final configuration of the Kubernetes node to point it to the master node.

In the tasks:

• k8s client configuration
• k8s client configuration | KUBELET_HOSTNAME
• k8s client configuration | KUBELET_ARGS

we configure how the node is identified.

In the tasks:

• k8s client configuration | KUBELET_API_SERVER
• Configure k8s master on client | KUBE_MASTER

we set the location of the API server and the master node. Both of these will point to the IP address of the k8s-master.

After this change we will restart the kubelet and kube-proxy service.

After deployment

If all these tasks succeeded, you should have a working Kubernetes deployment. In the next steps we will perform some simple commands to verify if the environment works.

Deploy client and verify environment

As you have noticed from the hosts inventory file, there is a possibility to specify a client host:

[k8s-client]
controller ansible_ssh_host=10.5.0.3

You do not have to deploy a kubernetes client using this playbook. It will install a single package, but you could also just use the statically compiled Go binary that is provided from the Kubernetes releases:

$ wget http://storage.googleapis.com/kubernetes-release/release/v1.3.4/bin/linux/amd64/kubectl
$ chmod +x kubectl

Verify nodes

Oncae all the nodes have been deployed using the playbook, you canb verify communication. From a client node you can perform the following command:

$ kubectl --server=10.5.0.11:8080 get node`

NAME             LABELS    STATUS
10.5.0.12        <none>    Ready
10.5.0.13        <none>    Ready
10.5.0.14        <none>    Ready

Schedule workload

If all looks good, you can schedule a workload on the environment. The following commands will create a simple nginx instance.

$ vi kube-nginx.yml

apiVersion: v1
kind: Pod
metadata:
  name: www
spec:
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 80
          hostPort: 8080

This file described a Pod with a container called nginx using the 'nginx' image. To schedule it, do:

$ kubectl --server=10.5.0.11:8080 create -f kube-nginx.yml

pods/www

Using the following command you can check the status:

$ kubectl --server=192.168.124.40:8080 get pods

POD       IP            CONTAINER(S)   IMAGE(S)   HOST                            LABELS    STATUS    CREATED      MESSAGE
www       172.16.59.2                             10.5.0.12/10.5.0.12             <none>    Running   52 seconds
                        nginx          nginx                                                Running   24 seconds

If you now open a browser pointing to the node Kubernetes used to create it (http://10.5.0.12:8080/), you will see an nginx welcome page.

Conclusion

Setting up Kubernetes can be a daunting task as there are many different components involved. Kelsey Hightower has a very good guide, called Kubernetes The Hard Way that will teach you how to deploy kubernetes manually on different cloud providers, such as AWS and the Google Compute Engine. After gaining some experience, it is advised to look at automation to deploy an environment, such as the the Ansible scripts that can be found in the contrib repository of Kubernetes. this allows you to stand up an environment with High Availability. The scripts described in this article should only serve as an introduction to gain understanding what is needed for a Kubernetes environment.

If you want a production-ready environment, please have a look at OpenShift. OpenShift deals with setting up a cluster of kubernetes nodes, scheduling workload and most important, how to set up images for deployment. This is done using what is called 'source to image'. This and OpenShift itself will be the topic of future articles.

More information

• Knowledge-base article about Kubernetes on Atomic
• Knowledge-base article about Kubernestes
• Hands-on-Lab: Kubernetes on OpenStack (Not all material published yet)
• Deploying Kubernetes on Atomic hosts