We are bringing the best of Tectonic to Red Hat OpenShift to build the most secure, hybrid Kubernetes application platform.
This guide walks through a bare-metal installation of Tectonic utilizing PXE-based tools. This document will cover:
Step | Description |
---|---|
1. Overview | Review types of machines in the cluster Review networking requirements |
2. Provisioning Infrastructure | Download and install bootcfg Generate TLS assets |
3. Configure Networking | Set up DHCP, TFTP, and DNS services Configure DNS for the cluster |
4. Tectonic Installer | Install Kubernetes and Tectonic |
5. Tectonic Console | You're done! Your cluster is ready! |
A minimum of 3 machines are required to run Tectonic.
Provisioner Node
A provisioner node runs the bootcfg network boot and provisioning service, along with PXE services if you don't already run them elsewhere. You may use CoreOS or any Linux distribution for this node. It provisions nodes, but does not join Tectonic clusters.
A Tectonic cluster consists of two types of nodes:
Controller Nodes
Controller nodes run etcd
and the control plane of the cluster.
Worker Nodes
Worker nodes run your applications. New worker nodes will join the cluster by talking to controller nodes for admission.
This guide requires familiarity with PXE booting, the ability to configure network services, and to add DNS names. These are discussed in detail below.
bootcfg
is a service for network booting and provisioning bare-metal nodes into CoreOS clusters. bootcfg
should be installed on a provisioner node to serve configs during boot.
The commands to set up bootcfg
should be performed on the provisioner node.
Download the latest Tectonic release to the provisioner node and extract it.
wget https://releases.tectonic.com/releases/tectonic_1.5.1-tectonic.1.tar.gz
tar xzvf tectonic-1.5.1-tectonic.1.tar.gz
cd tectonic/coreos-baremetal
Install bootcfg
on the provisioner node.
On an RPM-based provisioner, install the bootcfg
RPM from the Copr repository using dnf
or yum
.
dnf copr enable dghubble/bootcfg
dnf install bootcfg
# requires yum-plugin-copr
yum copr enable dghubble/bootcfg
yum install bootcfg
On a CoreOS provisioner, rkt run bootcfg
image with the provided systemd unit.
$ sudo cp contrib/systemd/bootcfg-for-tectonic.service /etc/systemd/system/bootcfg.service
Pre-built binaries are available for general Linux distributions. Copy the bootcfg
static binary to an appropriate location on the provisioner node.
$ cd tectonic/coreos-baremetal
$ sudo cp bootcfg /usr/local/bin
The bootcfg
service should be run by a non-root user with access to the bootcfg
data directory (/var/lib/bootcfg
). Create a bootcfg
user and group.
$ sudo useradd -U bootcfg
$ sudo mkdir -p /var/lib/bootcfg/assets
$ sudo chown -R bootcfg:bootcfg /var/lib/bootcfg
Copy the provided bootcfg
systemd unit file.
$ sudo cp contrib/systemd/bootcfg.service /etc/systemd/system/
Customize bootcfg
by editing the systemd unit or adding a systemd dropin. Find the complete set of bootcfg
flags and environment variables at config.
sudo systemctl edit bootcfg
By default, the read-only HTTP machine endpoint will be exposed on port 8080. Enable the gRPC API to allow clients with a TLS client certificate to change machine configs. The Tectonic Installer uses this API.
# /etc/systemd/system/bootcfg.service.d/override.conf
[Service]
Environment="BOOTCFG_ADDRESS=0.0.0.0:8080"
Environment="BOOTCFG_RPC_ADDRESS=0.0.0.0:8081"
Environment="BOOTCFG_LOG_LEVEL=debug"
Customize bootcfg
to suit your preferences.
Allow your port choices on the provisioner's firewall so the clients can access the service. Here are the commands for those using firewalld
:
$ sudo firewall-cmd --zone=MYZONE --add-port=8080/tcp --permanent
$ sudo firewall-cmd --zone=MYZONE --add-port=8081/tcp --permanent
The bootcfg
API allows client apps such as the Tectonic Installer to manage how machines are provisioned. TLS credentials are needed for client authentication and to establish a secure communication channel.
If your organization manages public key infrastructure and a certificate authority, create a server certificate and key for the bootcfg
service and a client certificate and key.
Otherwise, generate a self-signed ca.crt
, a server certificate (server.crt
, server.key
), and client credentials (client.crt
, client.key
) with the scripts/tls/cert-gen
script. Export the DNS name or IP (discouraged) of the provisioner node.
$ cd scripts/tls
# DNS or IP Subject Alt Names where bootcfg can be reached
$ export SAN=DNS.1:bootcfg.example.com,IP.1:192.168.1.42
$ ./cert-gen
Place the TLS credentials in the default location:
$ sudo mkdir -p /etc/bootcfg
$ sudo cp ca.crt server.crt server.key /etc/bootcfg/
The client.crt
, client.key
, and ca.crt
will be used by the Tectonic Installer later.
Start the bootcfg
service and enable it if you'd like it to start on every boot.
$ sudo systemctl daemon-reload
$ sudo systemctl start bootcfg
$ sudo systemctl enable bootcfg
Verify the bootcfg service is running and can be reached by nodes (those being provisioned). It is recommended that you define a DNS name for this purpose (see Networking).
$ systemctl status bootcfg
$ dig bootcfg.example.com
Verify you receive a response from the HTTP and API endpoints.
$ curl http://bootcfg.example.com:8080
bootcfg
$ cd tectonic/coreos-baremetal
$ openssl s_client -connect bootcfg.example.com:8081 -CAfile /etc/bootcfg/ca.crt -cert scripts/tls/client.crt -key scripts/tls/client.key
CONNECTED(00000003)
depth=1 CN = fake-ca
verify return:1
depth=0 CN = fake-server
verify return:1
---
Certificate chain
0 s:/CN=fake-server
i:/CN=fake-ca
---
....
bootcfg
can serve CoreOS images to reduce bandwidth usage and increase the speed of CoreOS PXE boots and installs to disk. Tectonic Installer will use this feature.
Download a recent CoreOS stable release with signatures.
$ ./scripts/get-coreos stable 1185.3.0 . # note the "." 3rd argument
Move the images to /var/lib/bootcfg/assets
,
$ sudo cp -r coreos /var/lib/bootcfg/assets
$ tree /var/lib/bootcfg/assets
/var/lib/bootcfg/assets/
├── coreos
│ └── 1185.3.0
│ ├── CoreOS_Image_Signing_Key.asc
│ ├── coreos_production_image.bin.bz2
│ ├── coreos_production_image.bin.bz2.sig
│ ├── coreos_production_pxe_image.cpio.gz
│ ├── coreos_production_pxe_image.cpio.gz.sig
│ ├── coreos_production_pxe.vmlinuz
│ └── coreos_production_pxe.vmlinuz.sig
and verify the images are acessible.
$ curl http://bootcfg.example.com:8080/assets/coreos/SOME-VERSION/
<pre>...
A bare-metal Tectonic cluster requires PXE infrastructure, which we'll setup next.
Set up DHCP, TFTP, and DNS services with your network administrator. Review network setup to find the right approach for your PXE environment. At a high level, your goals are to:
bootcfg
iPXE HTTP endpoint (e.g. http://bootcfg.example.com:8080/boot.ipxe
)CoreOS provides a dnsmasq container, if you wish to use rkt or Docker.
The Tectonic Installer will prompt for "Controller" and "Tectonic" DNS names. For the controller DNS name, add a record which resolves to the node you plan to use as a controller.
By default, Tectonic Ingress runs as a Kubernetes Daemon Set across workers. For the Tectonic DNS name, add a record which resolves to any node(s) you plan to use as workers.
For example,
bootcfg.example.com
resolves to your bootcfg
deploymentcontrollers.example.com
resolves to any controller nodetectonic.example.com
resolves to any worker nodesThe Tectonic Installer is a graphical application run on your laptop to create Tectonic clusters. It authenticates to bootcfg
via its API.
Your laptop running the Tectonic installer app must be able to access your bootcfg
instance. You will need the client.crt
and client.key
credentials created when setting up bootcfg
to complete the flow, as well as the ca.crt
.
The commands to run the Tectonic Installer should be performed on your laptop.
Download the latest Tectonic release to your laptop and and extract it.
wget https://releases.tectonic.com/releases/tectonic_1.5.1-tectonic.1.tar.gz
tar xzvf tectonic-1.5.1-tectonic.1.tar.gz
cd tectonic
Make sure a current version of either the Google Chrome or Mozilla Firefox web browser is set as the default browser on the workstation where Installer will run.
Run the Tectonic Installer that matches your platform (linux
, darwin
, windows
):
$ ./tectonic-installer/linux/installer
A tab should open in your browser. Follow the instructions to enter information needed for provisioning. You will need to enter machine MAC addresses, domain names, and your SSH public key.
Then, you'll be prompted to power on your machines via IPMI or by pressing the power button and guided through the rest of the bring-up. If needed, you can use the generated assets bundle kubeconfig to troubleshoot.
After the installer is complete, you'll have a Tectonic cluster and be able to access the Tectonic console. You are ready to deploy your first application on to the cluster!
You can remove all Tectonic components if you'd like to perform a fresh installation to the same cluster.
WARNING: these actions are irreversable.
Delete all components in the tectonic-system
namespace.
$ kubectl delete ns tectonic-system
namespace "tectonic-system" deleted
Re-run the bootkube-start
script from a controller. This should re-create Tectonic components.