OpenShift Origin on VPS like Scaleways(Updated 5/2/18)

James Drummond PE
Sep 5, 2017


Update 5/2/18: Updated to Openshift 3.9.0.

Update 1/4/18: Added longer token life for default users. Did this due to my use of Eclipse Che, which would require me to restart every day after the access token expired.

Update 12/20/17: Replaced incorrect /opt/… folder references with /var/lib/origin/openshift.local.config/master/.. in the password creation process.

Update 12/9/17: Added
sed -i "s/router.default.svc.cluster.local/${EXTERNAL_IP}.nip.io/" openshift.local.config/master/master-config.yaml
to change the routing suffix.

Added additional hostnames for Openshift nodes via OPENSHIFT_HOSTNAMES.

Update 10/16/17: Had some problems with getting Jenkins to work, so I had to update this blog. I needed to specify the DNS address. I figured this out by comparing master config files of Scaleways and Linode servers. Linode worked without a problem, and I didn't have to configure it manually like I did with Scaleways. Hopefully I did everything correctly. If anyone finds a problem, please let me know :).

OpenShift Origin on Scaleways is relatively easy, but some routing and hostname configuration is needed because of how Scaleways sets up its network: the address on the server's network interface is not the address the outside world reaches it on.

Create a new x86_64 server from the CentOS image. OpenShift Origin 3.x is built and tested for Red Hat family distributions such as CentOS, so start from one.

Install Docker CE, tell Docker to treat the cluster service network 172.30.0.0/16 as an insecure registry (OpenShift's integrated registry is exposed on a service IP in that range without a trusted certificate), set the cgroup driver to systemd, and reload the Docker daemon. The insecure-registry setting is scoped to that internal range only; pulls from public registries still require valid TLS.

Update 5/2/18:

yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-selinux docker-engine-selinux docker-engine
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
sed -i "s|ExecStart=/usr/bin/dockerd|ExecStart=/usr/bin/dockerd --insecure-registry 172.30.0.0/16 --exec-opt native.cgroupdriver=systemd|" /usr/lib/systemd/system/docker.service
systemctl daemon-reload
systemctl restart docker
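Patching /usr/lib/systemd/system/docker.service works, but that unit file belongs to the docker-ce package and the next package update overwrites it. The script below is an added example, not part of the original post: it carries the same two settings in /etc/docker/daemon.json instead, and checks that the unit's ExecStart line does not also pass them as flags, because dockerd refuses to start when the same option is given both on the command line and in daemon.json. The function names are my own, and the paths are parameters so it can be tried against a scratch directory first.

```shell
#!/usr/bin/env bash
# Added example: keep the insecure-registry and cgroup-driver settings in
# daemon.json rather than in the packaged systemd unit.
set -eu

# Write daemon.json into the directory given as $1 (defaults to /etc/docker).
# Only the OpenShift service network is marked insecure; public registries
# still need valid TLS.
write_docker_daemon_json() {
  local dir="${1:-/etc/docker}"
  mkdir -p "$dir"
  cat > "$dir/daemon.json" <<'EOF'
{
  "insecure-registries": ["172.30.0.0/16"],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
  chmod 0644 "$dir/daemon.json"
}

# Return 0 if the systemd unit file $1 still passes either option on the
# dockerd command line (which conflicts with daemon.json), 1 if it is clean.
unit_has_conflicting_flags() {
  grep -Eq '^ExecStart=.*(--insecure-registry|--exec-opt)' "$1"
}

# Remove those flags from the ExecStart line of unit $1 in place, undoing the
# sed from the post so the settings live only in daemon.json.
strip_conflicting_flags() {
  sed -i -E '/^ExecStart=/{s/ --insecure-registry [^ ]+//g; s/ --exec-opt [^ ]+//g;}' "$1"
}
```

On the real host run `write_docker_daemon_json`, then `strip_conflicting_flags /usr/lib/systemd/system/docker.service` if the unit was already patched, then `systemctl daemon-reload && systemctl restart docker`; `docker info` should list 172.30.0.0/16 under Insecure Registries and show Cgroup Driver: systemd.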

Run OpenShift Origin Natively:

Download the latest OpenShift Origin server binaries from https://github.com/openshift/origin/releases, currently v3.9.0. Extract the archive and copy the binaries into a directory on PATH such as /usr/bin. These binaries run as root and become the cluster control plane, so verify the archive against a checksum obtained from somewhere other than the download itself before installing it.

export OPENSHIFT_VERSION=3.9.0-191fece
export OPENSHIFT_VERSION_BASE=3.9.0
yum install -y wget
wget https://github.com/openshift/origin/releases/download/v${OPENSHIFT_VERSION_BASE}/openshift-origin-server-v${OPENSHIFT_VERSION}-linux-64bit.tar.gz
tar -xzf openshift-origin-server-v${OPENSHIFT_VERSION}-linux-64bit.tar.gz
rm -f openshift-origin-server-v${OPENSHIFT_VERSION}-linux-64bit/LICENSE openshift-origin-server-v${OPENSHIFT_VERSION}-linux-64bit/README.md
cp openshift-origin-server-v${OPENSHIFT_VERSION}-linux-64bit/* /usr/bin/

Now the somewhat tricky part. On Scaleways the IP address configured on the server's network interface is not the public address, so the master has to be told explicitly which address to advertise; otherwise the generated config and serving certificates carry the interface address and external clients cannot reach or validate the API server. EXTERNAL_IP is looked up from outside and used for --master, the routing suffix and --public-hostname.

export EXTERNAL_IP=$(curl -s https://ipinfo.io/ip/)
mkdir -p /var/lib/origin/
cd /var/lib/origin/
openshift start master \
--master="https://${EXTERNAL_IP}:8443" \
--dns="https://0.0.0.0:8053" \
--write-config="/var/lib/origin/openshift.local.config/master"
sed -i "s/router.default.svc.cluster.local/${EXTERNAL_IP}.nip.io/" \
openshift.local.config/master/master-config.yaml

export OPENSHIFT_HOSTNAMES=kubernetes.default.svc.cluster.local,localhost,openshift.default.svc.cluster.local,127.0.0.1,172.17.0.1,172.18.0.1,172.19.0.1,172.30.0.1,192.168.122.1,192.168.42.1,$HOSTNAME,$EXTERNAL_IP
oc adm create-node-config \
--dns-ip='172.30.0.1' \
--node-dir=/var/lib/origin/openshift.local.config/node-localhost \
--node=localhost --hostnames=$OPENSHIFT_HOSTNAMES
#Should setup authentication before running the following
#but for a quick demonstration you can. Shut it down quickly though.
rm -Rf ~/.kube
oc cluster up --use-existing-config --public-hostname="${EXTERNAL_IP}"
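The curl lookup above returns an empty string or an error body when the server has no outbound connectivity or ipinfo.io rate-limits the request, and whatever comes back is written straight into --master, the routing suffix and the certificate SANs. The functions below are an added example, not from the original post (names are my own): the same lookup, wrapped in a check that the value is a routable IPv4 address before it is exported.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): validate the public address
# before it is exported as EXTERNAL_IP and written into the master config.
set -eu

# Return 0 if $1 is a well-formed IPv4 address outside the loopback,
# link-local, RFC 1918 and CGNAT ranges; return 1 otherwise (including for
# an empty string or an HTML error page returned instead of an address).
is_public_ipv4() {
  local ip="$1" old_ifs o
  case "$ip" in
    ""|*[!0-9.]*|.*|*.) return 1 ;;
  esac
  # split on dots into the positional parameters
  old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
  # ranges that can never be the address clients reach the API server on
  if [ "$1" -eq 0 ] || [ "$1" -eq 10 ] || [ "$1" -eq 127 ]; then return 1; fi
  if [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then return 1; fi
  if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi
  if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 1; fi
  if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 1; fi
  return 0
}

# Same lookup as the post, but fail loudly instead of exporting garbage.
# Usage: EXTERNAL_IP=$(detect_external_ip) || exit 1
detect_external_ip() {
  local ip
  ip="$(curl -s https://ipinfo.io/ip/ | tr -d '[:space:]')"
  if ! is_public_ipv4 "$ip"; then
    printf 'refusing to use "%s" as EXTERNAL_IP\n' "$ip" >&2
    return 1
  fi
  printf '%s\n' "$ip"
}
```

If the interface address reported by `ip -4 addr` passes this check, the Scaleways quirk does not apply and --public-hostname can simply be that address; if it is a 10.x address while the detected value is public, the rewrites above are required.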

Once the server is up and running you can test from your browser at https://EXTERNAL_IP:8443/console/ . Until authentication is configured in the next step, the username 'developer' with any non-empty password will log in.

The generated master configuration uses the AllowAllPasswordIdentityProvider, which accepts any non-empty username and password, not just 'developer'; until it is replaced, anyone who can reach port 8443 can log in and create projects. Replace it as soon as possible. I use htpasswd to do this. The hash htpasswd writes by default on CentOS 7 is MD5-based ($apr1$); -B selects bcrypt, which Origin's HTPasswd provider also accepts. The file holds the password hashes, so restrict it to root (chmod 0600) once it is created.

yum install -y httpd-tools
htpasswd -c /var/lib/origin/openshift.local.config/master/users.htpasswd developer

Once the htpasswd file has been generated, the master configuration file needs to be updated to use it instead of the default provider. REPLACE the existing identityProviders section in the master config file /var/lib/origin/openshift.local.config/master/master-config.yaml with the following. mappingMethod: add lets the htpasswd identity attach to the 'developer' user that the any-password provider already created, so that user's projects are kept; with the default claim, the login would be refused because the user already belongs to another identity.

identityProviders:
- name: my_htpasswd_provider
  challenge: true
  login: true
  mappingMethod: add
  provider:
    apiVersion: v1
    kind: HTPasswdPasswordIdentityProvider
    file: /var/lib/origin/openshift.local.config/master/users.htpasswd

Run the following:

perl -0777 -i.original -pe 's|- challenge: true\n    login: true\n    mappingMethod: claim\n    name: anypassword\n    provider:\n      apiVersion: v1\n      kind: AllowAllPasswordIdentityProvider|- name: my_htpasswd_provider\n    challenge: true\n    login: true\n    mappingMethod: add\n    provider:\n      apiVersion: v1\n      kind: HTPasswdPasswordIdentityProvider\n      file: /var/lib/origin/openshift.local.config/master/users.htpasswd|igs' /var/lib/origin/openshift.local.config/master/master-config.yaml

Restart the OpenShift Origin server.

export EXTERNAL_IP=$(curl -s https://ipinfo.io/ip/)
oc cluster down
oc cluster up --use-existing-config --public-hostname="${EXTERNAL_IP}"

Make sure that you cannot log in by entering a random password for user "developer" at https://EXTERNAL_IP:8443/console/ . You should be presented with an error message.

Run OpenShift inside a Docker Container:

For anyone interested, OpenShift Origin can be run inside a Docker container too. I have not confirmed this but I believe the native OS has to be Red Hat based like the CentOS we are on. Using Docker to run OpenShift Origin is preferred for me as I like to contain all applications through docker.

Run the following to setup the configuration files at /opt/origin on the native/host OS file system. I picked a different folder than the default /var/lib/origin to keep native and container based separate since I used the same host/machine for this example and the native example above. However, you can use /var/lib/origin instead wherever I use /opt/origin below.

export EXTERNAL_IP=$(curl -s https://ipinfo.io/ip/)
docker run -ti --rm --name "origin" \
--privileged --pid=host --net=host \
-v /:/rootfs:ro -v /var/run:/var/run:rw -v /sys:/sys \
-v /sys/fs/cgroup:/sys/fs/cgroup:rw \
-v /var/lib/docker:/var/lib/docker:rw \
-v /opt/origin/openshift.local.config:/var/lib/origin/openshift.local.config \
-v /opt/origin/openshift.local.volumes:/var/lib/origin/openshift.local.volumes:rslave \
openshift/origin start master \
--master="https://${EXTERNAL_IP}:8443" \
--dns="https://${EXTERNAL_IP}:8053" \
--write-config='/var/lib/origin/openshift.local.config/master'
docker run -ti --rm --name "origin" \
--entrypoint=/usr/bin/sed \
-v /opt/origin/openshift.local.config:/var/lib/origin/openshift.local.config \
openshift/origin -i \
"s/router.default.svc.cluster.local/${EXTERNAL_IP}.nip.io/" \
/var/lib/origin/openshift.local.config/master/master-config.yaml
export OPENSHIFT_HOSTNAMES=kubernetes.default.svc.cluster.local,localhost,openshift.default.svc.cluster.local,127.0.0.1,172.17.0.1,172.18.0.1,172.19.0.1,172.30.0.1,192.168.122.1,192.168.42.1,$HOSTNAME,$EXTERNAL_IP
# --entrypoint takes a single executable, so "adm" is passed after the image
# name as the first argument to oc; the node dir is given as an absolute path
# inside the container, as in the native procedure
docker run -ti --rm --name "origin" \
--entrypoint=/usr/bin/oc \
-v /opt/origin/openshift.local.config:/var/lib/origin/openshift.local.config \
openshift/origin adm create-node-config \
--dns-ip='172.30.0.1' \
--node-dir=/var/lib/origin/openshift.local.config/node-localhost \
--node=localhost --hostnames=$OPENSHIFT_HOSTNAMES

Before starting our server, let's add authentication, as the default is NOT secure. In true Docker fashion let's install and run htpasswd in a container instead of natively to generate our password file. The bind mount is the master directory on the host (/opt/origin/openshift.local.config/master) rather than the not-yet-existing users.htpasswd file, because bind-mounting a path that does not exist makes Docker create an empty directory there.

docker run -ti --rm --net=host \
-v /opt/origin/openshift.local.config/master:/var/lib/origin/openshift.local.config/master \
--entrypoint=/bin/bash openshift/origin
yum install -y httpd-tools
htpasswd -c /var/lib/origin/openshift.local.config/master/users.htpasswd developer
exit

REPLACE the existing identityProviders section in the master config file, which on the host is /opt/origin/openshift.local.config/master/master-config.yaml (mounted at /var/lib/origin/openshift.local.config/master/master-config.yaml inside the container), with the following. The file: path stays the container path, since that is where the running server reads it.

identityProviders:
- name: my_htpasswd_provider
  challenge: true
  login: true
  mappingMethod: add
  provider:
    apiVersion: v1
    kind: HTPasswdPasswordIdentityProvider
    file: /var/lib/origin/openshift.local.config/master/users.htpasswd

Run the following on the host. The first perl command edits the host copy of the master config under /opt/origin; the file: path it writes stays /var/lib/origin/... because that is where the container sees the mount. The second command, added 1/4/18, raises the access token lifetime from the one-day default to 8640000 seconds (100 days). A bearer token that leaks stays usable for that long, so keep the default unless a client such as Eclipse Che really needs it.

perl -0777 -i.original -pe 's|- challenge: true\n    login: true\n    mappingMethod: claim\n    name: anypassword\n    provider:\n      apiVersion: v1\n      kind: AllowAllPasswordIdentityProvider|- name: my_htpasswd_provider\n    challenge: true\n    login: true\n    mappingMethod: add\n    provider:\n      apiVersion: v1\n      kind: HTPasswdPasswordIdentityProvider\n      file: /var/lib/origin/openshift.local.config/master/users.htpasswd|igs' /opt/origin/openshift.local.config/master/master-config.yaml
#Updated 1/4/18
perl -0777 -i.original -pe 's|accessTokenMaxAgeSeconds: 86400|accessTokenMaxAgeSeconds: 8640000|igs' /opt/origin/openshift.local.config/master/master-config.yaml

Now start the server with our new configuration files. Note that with --privileged, --pid=host, --net=host and the host's root filesystem mounted, this container has the same reach as a root process on the host; running Origin this way is a packaging convenience, not an isolation boundary.

docker run -d --name "origin" \
--privileged --pid=host --net=host \
-v /:/rootfs:ro -v /var/run:/var/run:rw -v /sys:/sys \
-v /sys/fs/cgroup:/sys/fs/cgroup:rw \
-v /var/lib/docker:/var/lib/docker:rw \
-v /opt/origin/openshift.local.config:/var/lib/origin/openshift.local.config \
-v /opt/origin/openshift.local.volumes:/var/lib/origin/openshift.local.volumes:rslave \
openshift/origin start \
--master-config='/var/lib/origin/openshift.local.config/master/master-config.yaml' \
--node-config='/var/lib/origin/openshift.local.config/node-localhost/node-config.yaml'

Make sure that you cannot login by entering a random password for user “developer” at https://EXTERNAL_IP:8443/console/ .
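Both the native and the container procedure end with a manual browser check. The script below is an added example, not from the original post (function names and the sample files in the test are my own), and performs the same verification on the files themselves, for the native layout under /var/lib/origin or the host side of the container layout under /opt/origin: the any-password provider must be gone and the htpasswd provider present, every htpasswd entry must be hashed in a format the Origin provider accepts (bcrypt, {SHA} or $apr1$), the file must not be group- or world-readable, and the access token lifetime that the 1/4/18 update raises to 100 days is reported.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit the authentication
# hardening on disk before the server is (re)started.
set -eu

# Hash formats the Origin htpasswd provider verifies: bcrypt ($2a$/$2y$),
# SHA-1 ({SHA}) and Apache MD5 ($apr1$). Plaintext or crypt(3) entries fail.
HTPASSWD_HASH_RE='^[^:]+:(\$2[ay]\$[0-9]{2}\$[./A-Za-z0-9]{53}|\{SHA\}[A-Za-z0-9+/]{27}=|\$apr1\$[^$]+\$[./A-Za-z0-9]{22})$'

# Return 0 if every non-empty line of htpasswd file $1 is user:hash in an
# accepted format; 1 if the file is missing, empty or has an unhashed entry.
check_htpasswd_hashes() {
  local f="$1" line
  [ -s "$f" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    printf '%s\n' "$line" | grep -Eq "$HTPASSWD_HASH_RE" || return 1
  done < "$f"
}

# Return 0 if file $1 is readable by its owner only (mode ?00).
check_private_mode() {
  case "$(stat -c '%a' "$1")" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Return 0 if master-config.yaml $1 no longer offers the any-password
# provider and does offer the htpasswd one.
check_identity_providers() {
  local cfg="$1"
  if grep -q 'AllowAllPasswordIdentityProvider' "$cfg"; then
    echo "AllowAllPasswordIdentityProvider still present in $cfg" >&2
    return 1
  fi
  grep -q 'HTPasswdPasswordIdentityProvider' "$cfg"
}

# Print the htpasswd path the master config references. In the container
# layout this is the path inside the container, not the host path.
configured_htpasswd_path() {
  sed -n 's/^ *file: *\(.*\)$/\1/p' "$1" | head -n 1
}

# Print accessTokenMaxAgeSeconds from $1 (Origin's default of 86400 when the
# key is absent) and return 1 if it exceeds one day.
check_token_lifetime() {
  local secs
  secs="$(sed -n 's/^ *accessTokenMaxAgeSeconds: *\([0-9]*\).*/\1/p' "$1" | head -n 1)"
  [ -n "$secs" ] || secs=86400
  printf '%s\n' "$secs"
  [ "$secs" -le 86400 ]
}

# Run all checks; $1 = master-config.yaml, $2 = users.htpasswd.
# Returns the number of hard failures; the token lifetime is a warning only.
audit_auth_config() {
  local cfg="$1" pw="$2" failed=0
  check_identity_providers "$cfg" || failed=$((failed + 1))
  check_htpasswd_hashes "$pw"     || failed=$((failed + 1))
  check_private_mode "$pw"        || failed=$((failed + 1))
  check_token_lifetime "$cfg" >/dev/null \
    || echo "warning: access tokens live longer than one day" >&2
  return "$failed"
}
```

Run `audit_auth_config <master-config.yaml> <users.htpasswd>` against the host paths before `oc cluster up` or the `docker run ... start` command and gate the restart on a zero exit. htpasswd -c creates the file with the umask default, so the mode check will fail until you `chmod 0600` it; that is the intended prompt.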

Openshift on VPS like Scaleways with Hostname (Added 9/20/17):

See my article on how to setup Openshift on VPS like Scaleways with Hostname at https://medium.com/@james_devcomb/openshift-on-vps-like-scaleways-with-hostname-4b3ef8942f83 .

Additional Resources/References:

https://docs.openshift.org/latest/getting_started/administrators.html#getting-started-administrators
