We are bringing the best of Tectonic to Red Hat OpenShift to build the most secure, hybrid Kubernetes application platform.
The Tectonic Installer creates bare metal Tectonic clusters within networks with PXE infrastructure and the matchbox service.
Installation requires the following items, which are discussed in more detail below:
- ipmitool or virt-install will be used to actually boot the machines.

Tectonic Installer requires the License and Pull Secret provided with a CoreOS account. To obtain this information and up to 10 free nodes, create a CoreOS account.
Go to https://account.coreos.com/login, and click Sign Up.
Check your inbox for a confirmation email. Click through to accept the terms of the license, activate your account, and be redirected to the Account Overview page.
Click "Free for use up to 10 nodes" under Tectonic. Enter your contact information, and click Get License for 10 nodes.
Once the update has processed, the Overview window will refresh to include links to download the License and Pull Secret.
The Tectonic Installer app runs on a user's laptop as a GUI for creating new clusters and pushing the right configs to matchbox.
User machines must:
- matchbox.example.com
- node3.example.com
- tectonic.com

Bare metal Tectonic clusters are provisioned in a PXE network environment. Cluster nodes will PXE boot from the matchbox service running on a provisioner node. Familiarity with your network topology is required.
Tectonic bare metal clusters store credentials in user-data. To restrict access to sensitive information, provision bare metal machines within a trusted network and ensure that a firewall exists between cluster controllers and the public internet.
Ensure DHCP, TFTP and DNS services are available on your network. CoreOS provides a dnsmasq container, if you wish to use rkt or Docker for this.
Familiarize yourself with PXE booting. Cluster nodes should PXE boot from the network and delegate to the matchbox service which serves configs to provision clusters. At a high level, you must:
- matchbox iPXE HTTP endpoint (e.g. http://matchbox.example.com:8080/boot.ipxe).

For best results, assign DNS names to each node. The following three records are required for Tectonic Installer:
- matchbox.example.com
- k8s.example.com
- tectonic.example.com

Cluster nodes must be able to pull docker images from quay.io and gcr.io. Be sure to whitelist these domains. If you must whitelist by IP, run `dig quay.io` to list associated IP addresses.
Tectonic Installer will add the installer machine's public SSH key to all machines in the cluster. The key must be on the installing machine's ssh-agent, and it is used to configure nodes.
Check if a key already exists in the ssh-agent using `ssh-add -l`. If a key must be added to the agent, use `ssh-add Path/ToYour/KeyFile`. Note that on OSX it may be necessary to re-add keys from your keyring to the agent on each login.
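A pre-flight script that verifies the points above before running the installer: the three DNS records, the registry domains the nodes must reach (and their addresses, for sites that whitelist by IP), a key loaded in ssh-agent, and whether the matchbox iPXE endpoint really serves an iPXE script rather than just answering on the port. This is an added example and not part of Tectonic Installer or matchbox; the hostnames default to the page's example names, the function names and environment-variable overrides are assumptions, and the script needs getent, curl and ssh-add on the installing machine.

```shell
#!/bin/sh
# Pre-flight checks for a Tectonic bare metal install. Added example, not part
# of the Tectonic Installer or matchbox projects. Hostnames default to the
# page's example names; override them with environment variables for a real site.

MATCHBOX_HOST="${MATCHBOX_HOST:-matchbox.example.com}"
IPXE_URL="${IPXE_URL:-http://${MATCHBOX_HOST}:8080/boot.ipxe}"
# The three records the installer requires, plus the registries nodes pull from.
REQUIRED_NAMES="${REQUIRED_NAMES:-$MATCHBOX_HOST k8s.example.com tectonic.example.com}"
REGISTRY_NAMES="quay.io gcr.io"

# names_resolve NAME...: resolve each name; return 0 only if every name resolves.
# getent consults /etc/hosts and DNS the same way the installer's clients will.
names_resolve() {
  status=0
  for name in "$@"; do
    if getent hosts "$name" >/dev/null 2>&1; then
      echo "ok   $name"
    else
      echo "FAIL $name does not resolve"
      status=1
    fi
  done
  return $status
}

# registry_ips NAME: print the IPv4 addresses behind a registry name, for sites
# that must whitelist by IP rather than by domain (same data as 'dig NAME').
registry_ips() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# agent_has_key: return 0 if ssh-agent holds at least one identity.
# ssh-add -l exits 1 when the agent is empty and 2 when no agent is reachable.
agent_has_key() {
  ssh-add -l >/dev/null 2>&1
}

# ipxe_endpoint_ok URL: fetch the matchbox boot script and check that it is an
# iPXE script (first line '#!ipxe'); a TCP answer alone proves nothing.
ipxe_endpoint_ok() {
  curl -fsS --max-time 5 "$1" 2>/dev/null | head -n 1 | grep -q '^#!ipxe'
}

# preflight: run every check and report; return non-zero if any check fails.
preflight() {
  failed=0
  echo "== DNS records required by Tectonic Installer"
  names_resolve $REQUIRED_NAMES || failed=1
  echo "== Container image registries"
  names_resolve $REGISTRY_NAMES || failed=1
  for r in $REGISTRY_NAMES; do
    echo "   $r -> $(registry_ips "$r" | tr '\n' ' ')"
  done
  echo "== SSH key in agent (used to configure every node)"
  if agent_has_key; then
    echo "ok   ssh-agent holds a key"
  else
    echo "FAIL no key in agent; run: ssh-add Path/ToYour/KeyFile"; failed=1
  fi
  echo "== matchbox iPXE endpoint $IPXE_URL"
  if ipxe_endpoint_ok "$IPXE_URL"; then
    echo "ok   endpoint serves an iPXE script"
  else
    echo "FAIL endpoint unreachable or not an iPXE script"; failed=1
  fi
  return $failed
}
```

Source the file and call `preflight` from the machine that will run Tectonic Installer; a non-zero return means at least one requirement on this page is not met yet. The registry check resolves names only, so a firewall that blocks HTTPS to quay.io or gcr.io by address still has to be confirmed separately.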
A minimum of 3 machines is required to run Tectonic. To configure machines:
- node3.example.com

Tectonic clusters consist of two types of nodes:
- etcd and the control plane of the cluster.

Each node should meet the following technical specs:
| Requirement | Value |
|---|---|
| RAM | 8GB / node |
| CPU | 2 cores / node |
| Storage | 30GB / node |
Configure cluster nodes to favor booting from disk, and use IPMI to request a PXE boot during installation and re-provisioning. Booting from disk allows Container Linux automatic updates to function normally and is the recommended configuration after provisioning.
Sites where cluster nodes always boot from PXE must plan to regularly update the Container Linux image served to clients.
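The boot policy above, disk first with PXE requested only when (re)provisioning, can be driven from the installing machine with the ipmitool that this page lists as a requirement. The script below is an added example, not Tectonic Installer or matchbox code; the BMC hostnames, the user name and the function names are hypothetical, and it assumes BMCs that speak IPMI 2.0 (lanplus). It reads the BMC password from the IPMI_PASSWORD environment variable through ipmitool's `-E` option instead of passing it on the command line, so the secret does not show up in the process list or in shell history.

```shell
#!/bin/sh
# One-time PXE boot over IPMI for (re)provisioning a Tectonic node. Added
# example, not from the Tectonic project; host and user names are hypothetical.
# The BMC password comes from the IPMI_PASSWORD environment variable (-E), so
# it never appears in 'ps' output or shell history.

IPMITOOL="${IPMITOOL:-ipmitool}"   # override (e.g. IPMITOOL=echo) for a dry run

# pxe_boot_once BMC_HOST BMC_USER: set the next boot device to PXE for a single
# boot ('chassis bootdev' is non-persistent by default, so the node falls back
# to booting from disk afterwards, as the requirements recommend), then
# power-cycle the node so it fetches its config from matchbox.
pxe_boot_once() {
  bmc="$1"; user="$2"
  [ -n "$IPMI_PASSWORD" ] || { echo "IPMI_PASSWORD is not set" >&2; return 2; }
  "$IPMITOOL" -I lanplus -H "$bmc" -U "$user" -E chassis bootdev pxe || return 1
  "$IPMITOOL" -I lanplus -H "$bmc" -U "$user" -E power cycle
}

# reprovision_all BMC_USER BMC_HOST...: apply pxe_boot_once to every listed
# node, stopping at the first failure so a half-configured cluster is noticed.
reprovision_all() {
  user="$1"; shift
  for bmc in "$@"; do
    echo "== $bmc"
    pxe_boot_once "$bmc" "$user" || { echo "FAIL $bmc" >&2; return 1; }
  done
}
```

Usage: `export IPMI_PASSWORD` from a secret store, source the file, then run `reprovision_all admin node1-bmc.example.com node2-bmc.example.com node3-bmc.example.com`. Because the override is one-shot, a node that is merely rebooted later comes back from disk and keeps receiving Container Linux automatic updates; only a deliberate call to this script sends it back through matchbox.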
Client machines:
A provisioner node (or Kubernetes cluster) runs the matchbox network boot and provisioning service, along with PXE services if you don't already run them elsewhere. You may use CoreOS Container Linux or any Linux distribution for this node. It serves provisioning configs to nodes, but does not join Tectonic clusters.
The provisioner must:
- matchbox
- matchbox.example.com