Load balancing of OpenShift HA Routers Mind the GARP

OpenShift HA Routing uses haproxy application routers to get traffic into the cluster. These application routers are made redundant by running ipfailover (keepalived) pods to maintain a set of Virtual IPs on each infrastructure node where the application routers run. These VIPs are then referenced by round robin DNS records to enable a measure of load balancing.

OK, so now you are load balancing at the network layer, but what about the link layer? Did you know that even if you somehow manage to perfectly balance traffic among the VIPs using RR DNS you could still be using only one of your application routers? Well you could be!

Continue reading

Installing OpenShift on OpenStack

This is a work in progress

The OpenShift Container Platform (OCP) can run on many types of infrastructure; from a Docker contrainer, to a single VM, to a fleet of baremetal or VMs on an infrastructure provider such as RHV, VMware, Amazon EC2, Google Compute Engine, or OpenStack Platform (OSP). This post is to document my experimentation with setting up OCP on OSP.

Doc Overview

So where are the docs?

Continue reading

Configuring OpenShift with Multiple Sharded Routers

I needed to host a service that would be consumed by a closed client that insists on speaking HTTPS on port 50,000. To solve this, I added a 2nd router deployment and used the OpenShift router sharding feature to selectively enable routes on the 2nd router by way of selectors.

To summarize:

Existing HA router:

• HTTP 80
• HTTPS 443
• Haproxy Stats 1,936

Added HA router:

• HTTP 49,999
• HTTPS 50,000
• Haproxy Stats 51,936

How To

Open infra node firewalls

• Open firewall on infra nodes where router will run to allow new http and https port

 iptables -A OS_FIREWALL_ALLOW -m tcp -p tcp --dport 49999 -j ACCEPT
 iptables -A OS_FIREWALL_ALLOW -m tcp -p tcp --dport 50000 -j ACCEPT

• This can also be done with Ansible and the os_firewall role in your playbook. (untested)

- hosts: infra-nodes

  vars:
    os_firewall_use_firewalld: False
    os_firewall_allow:
      - service: teradici-http
        port: 49999/tcp
      - service: teradici-https
        port: 50000/tcp

  roles:
    - os_firewall

Create a router

• Create a router called ha-router-teradici with oa adm router or oadm router on these ports and also make sure the stats port does not clash with existing router on port 1936

[root@ose-test-master-01 ~]# oc get nodes --show-labels
NAME                           STATUS    AGE       LABELS
ose-test-master-01.example.com   Ready     180d      kubernetes.io/hostname=ose-test-master-01.example.com,region=master,zone=rhev
ose-test-master-02.example.com   Ready     180d      kubernetes.io/hostname=ose-test-master-02.example.com,region=master,zone=rhev
ose-test-node-01.example.com     Ready     180d      ha-router=primary,kubernetes.io/hostname=ose-test-node-01.example.com,region=infra,zone=rhev
ose-test-node-02.example.com     Ready     180d      ha-router=primary,kubernetes.io/hostname=ose-test-node-02.example.com,region=infra,zone=rhev
ose-test-node-03.example.com     Ready     180d      kubernetes.io/hostname=ose-test-node-03.example.com,region=primary,zone=rhev
ose-test-node-04.example.com     Ready     180d      kubernetes.io/hostname=ose-test-node-04.example.com,region=primary,zone=rhev

[root@ose-test-master-01 ~]#  oadm router ha-router-teradici \
    --ports='49999:49999,50000:50000' \
    --stats-port=51936 \
    --replicas=2 \
    --selector="ha-router=primary" \
    --selector="region=infra" \
    --labels="ha-router=teradici" \
    --default-cert=201602_router_wildcard.os.example.com.pem \
    --service-account=router

GOOD: I see that the ports are set properly in the haproxy.config and the service objects

Continue reading

OpenShift Cluster Metrics and Cassandra Troubleshooting

OpenShift gathers cluster metrics such as CPU, memory, and network bandwidth per pod which can assist in troubleshooting and capacity planning. The metrics are also used to support horizontal pod autoscaling, which makes the metrics service not just helpful, but critical to operation.

Missing Liveness Probes

There are 3 major components in the metrics collection process. Heapster gathers stats from Docker and feeds them to Hawkular Metrics to tuck away for safe keeping in Cassandra.

Continue reading

Deploy Hawkular Metrics in CDK 2.1 OpenShift 3.2

Update! I failed with CDK 2.0, but CDK 2.1 works with some fiddling.

In my last post I installed Red Hat Container Developer Kit to deploy OpenShift Enterprise using Vagrant. But now I want to add Hawkular Metrics to that deployment.

Deploy Metrics

Refer to the docs for deploying metrics in OSE.

Login to the vagrant CDK VM before continuing

$ cd ~/cdk/components/rhel/rhel-ose/
$ vagrant ssh

$ oc login
Authentication required for https://127.0.0.1:8443 (openshift)
Username: admin
Password: admin
Login successful.

$ oc project openshift-infra

$ oc get sa
NAME                        SECRETS   AGE
build-controller            2         10m
builder                     2         10m
daemonset-controller        2         10m
default                     2         10m
deployer                    2         10m
deployment-controller       2         10m
gc-controller               2         10m
hpa-controller              2         10m
job-controller              2         10m
namespace-controller        2         10m
pv-binder-controller        2         10m
pv-provisioner-controller   2         10m
pv-recycler-controller      2         10m
replication-controller      2         10m

$ oc create -f - <<API
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-deployer
  secrets:
  - name: metrics-deployer
API

$ oc secrets new metrics-deployer nothing=/dev/null

$ oadm policy add-role-to-user         edit           system:serviceaccount:openshift-infra:metrics-deployer
$ oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:openshift-infra:heapster

From your OSE server grab /usr/share/openshift/examples/infrastructure-templates/enterprise/metrics-deployer.yaml or from here

Continue reading

Getting Started With RedHat Container Development Kit

The RedHat Container Developer Kit allows you to deploy OpenShift on your laptop for easier testing and development. Here is how to deploy it.

Register as a RedHat Developer

• Obtain a RH login

• Place credentials in ~/.vagrant.d/Vagrantfile to enable updates for VMs by automatically registering with RedHat Subscription Manager

Vagrant.configure('2') do |config|
 config.registration.username = '<your Red Hat username>'
 config.registration.password = '<your Red Hat password>'
end

Mac OS X Prereqs

• Install pre-reqs:

  Continue reading

Upgrading OpenShift Enterprise from 3.1 to 3.2

Upgrading from OSE 3.1 to 3.2 using the playbook went quite well for me, but there were a few issues to sort out.

The issues were related to:

• ip failover had to be updated manually
• there was about 5 minutes downtime during the upgrade
• updates to image streams
• docker error messages
• updated policy and role bindings build strategy Source is not allowed
• hawkular metrics

Upgrade Process

Following the directions is pretty straight forward.

Continue reading

Changing the SSL Certificate for OpenShift Console

OpenShift has an internal CA for generating certificates to authenticate intra-cluster communication, but your browser doesn’t trust this CA. Perhaps you want to fix that without mucking with the internal SSL communication? I did. Here is how.

This OpenShift doc explains how to do this, but it isn’t very clear, to me at least.

Overview

An outline of the steps:

• Only make changes to the public URLs and not any internal URLs.
• Create a namedCertificates section in both /servingInfo and /assetConfig/servingInfo sections of /etc/origin/master/master-config.yaml.
• In those repeated sections:
  • identify a certificate and key
  • identify the hostname(s) to match with that cert/key pair

Your installation may include the following hosts:

Continue reading

OpenShift High Availability - Routing

Highly availabile containers in OpenShift are baked into the cake thanks to replication controllers and service load balancing, but there are plenty of other single points of failure. Here is how to eliminate many of those.

Single Points of Failure

The components of OpenShift include:

• Master controller manager server and API endpoint
• Etcd configuration and state storage
• Docker Registry
• Router haproxy

This post is mostly about adding high availability to the routing layer.

Continue reading