Setting up the Bastion host

The bastion host is generically what I call the system that hosts utilities in support of the rest of the lab. It is also configured for password-less SSH into the rest of the lab.

The bastion host serves:

Nginx for hosting RPMs and install files for KVM hosts and guests.
A DNS server for the lab ecosystem.
Sonatype Nexus for the OKD registry mirror, Maven Artifacts, and Container Images.

I recommend using a bare-metal host for your Bastion. It will also run the load-balancer VM and Bootstrap VM for your cluster. I am using a NUC8i3BEK with 32GB of RAM for my Bastion host. This little box with 32GB of RAM is perfect for this purpose, and also very portable for throwing in a bag to take my dev environment with me. My OpenShift build environment is also installed on the Bastion host.

You need to start with a minimal CentOS 8 install. (This tutorial assumes that you are comfortable installing a Linux OS.)

Download the minimal install ISO from: http://isoredirect.centos.org/centos/8/isos/x86_64/

I use balenaEtcher to create a bootable USB key from a CentOS ISO.

You will have to attach monitor, mouse, and keyboard to your NUC for the install. After the install, these machines will be headless. So, no need for a complicated KVM setup… The other, older meaning of KVM… not confusing at all.

Install CentOS: (Choose a Minimal Install)

Network:
- Configure the network interface with a fixed IP address, 10.11.11.10 if you are following this guide exactly.
- Set the system hostname to bastion
Storage:
- Allocate 100GB for the / filesystem
- Do not create a /home filesystem (no users on this system)
- Allocate the remaining disk space for the VM guest filesystem
  - I put my KVM guests in /VirtualMachines

After the installation completes, ensure that you can ssh to your host.

ssh root@10.11.11.10

Create an SSH key pair on your workstation, if you don’t already have one:

ssh-keygen  # Take all the defaults

Enable password-less SSH:

ssh-copy-id root@10.11.11.10

Shutdown the host and disconnect the keyboard, mouse, and display. Your host is now headless.

Power the host back on, log in via SSH, and continue the Bastion host set up.

Install some added packages:

Install the packages that we are going to need.

 dnf -y module install virt
 dnf -y install wget gcc git net-tools bind bind-utils bash-completion rsync ipmitool python3-pip yum-utils libguestfs-tools virt-install createrepo java-11-openjdk.x86_64 epel-release ipxe-bootimgs python36-devel libvirt-devel httpd-tools

Install Virtual BMC:

 pip3.6 install --upgrade pip
 pip install setuptools_rust wheel virtualbmc

Set up VBMC as a systemd controlled service:

cat > /etc/systemd/system/vbmcd.service <<EOF
[Install]
WantedBy = multi-user.target
[Service]
BlockIOAccounting = True
CPUAccounting = True
ExecReload = /bin/kill -1 $MAINPID
ExecStop = /bin/kill -15 $MAINPID
ExecStart = /usr/local/bin/vbmcd --foreground
Group = root
Restart = on-failure
RestartSec = 2
Slice = vbmc.slice
TimeoutSec = 120
Type = simple
User = root
[Unit]
After = libvirtd.service
After = syslog.target
After = network.target
Description = vbmc service
EOF

Enable the vbmcd service:

systemctl enable vbmcd.service --now

Create an SSH key pair: (Take the defaults for all of the prompts, don’t set a key password)
```
 ssh-keygen
 <Enter>
 <Enter>
 <Enter>
```
Now is a good time to update and reboot the bastion host:
```
 dnf -y update
 shutdown -r now
```

Log back into the host

Clone this project:

git clone https://github.com/cgruver/okd4-upi-lab-setup
cd okd4-upi-lab-setup

Copy the utility scripts that I have prepared for you:

mkdir -p ~/bin/lab_bin
cp ./Provisioning/bin/*.sh ~/bin/lab_bin
chmod 700 ~/bin/lab_bin/*.sh

Retrieve the fcct tool, which will be used to manipulate ignition files

wget -O ~/bin/lab_bin/butane https://github.com/coreos/butane/releases/download/v0.7.0/butane-x86_64-unknown-linux-gnu
chmod 700 ~/bin/lab_bin/butane

Next, we need to set up some environment variables that we will use to set up the rest of the lab. You need to make some decisions at this point, fill in the following information, and then edit ~/bin/lab_bin/setLabEnv.sh accordingly:

Variable	Example Value	Description
`LAB_DOMAIN`	`your.domain.org`	The domain that you want for your lab. This will be part of your DNS setup
`BASTION_HOST`	`10.11.11.10`	The IP address of your bastion host.
`INSTALL_HOST`	`10.11.11.10`	The IP address of your Nginx Server, likely your bastion host.
`PXE_HOST`	`10.11.11.10`	The IP address of your iPXE server, either your OpenWRT router, or your bastion host.
`LAB_NAMESERVER`	`10.11.11.10`	The IP address of your Name Server, likely your bastion host.
`LAB_GATEWAY`	`10.11.11.1`	The IP address of your router
`LAB_NETMASK`	`255.255.255.0`	The netmask of your router
`INSTALL_ROOT`	`/usr/share/nginx/html/install`	The directory that will hold CentOS install images
`REPO_PATH`	`/usr/share/nginx/html/repos`	The directory on your Nginx server that will hold an RPM repository mirror
`OKD4_LAB_PATH`	`~/okd4-lab`	The path from which we will build our OKD4 cluster
`OKD_REGISTRY`	`registry.svc.ci.openshift.org/origin/release`	This is where we will get our OKD 4 images from to populate our local mirror
`LOCAL_REGISTRY`	`nexus.${LAB_DOMAIN}:5001`	The URL that we will use for our local mirror of the OKD registry images
`LOCAL_REPOSITORY`	`origin`	The repository where the local OKD image mirror will be pushed
`LOCAL_SECRET_JSON`	`${OKD4_LAB_PATH}/pull_secret.json`	The path to the pull secret that we will need for mirroring OKD images

After you have edited ~/bin/lab_bin/setLabEnv.sh to reflect the values above, configure bash to execute this script on login:

echo ". /root/bin/lab_bin/setLabEnv.sh" >> ~/.bashrc

Log out, then log back in to ensure that the environment is set correctly.

exit
ssh root@10.11.11.10

Now, enable this host to be a time server for the rest of your lab: (adjust the network value if you are using a different IP range)

echo "allow 10.11.11.0/24" >> /etc/chrony.conf

Create a network bridge that will be used by our HA Proxy server and the OKD bootstrap node:

You need to identify the NIC that you configured when you installed this host. It will be something like eno1, or enp108s0u1

ip addr

You will see out put like:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
   valid_lft forever preferred_lft forever

....

15: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 1c:69:7a:03:21:e9 brd ff:ff:ff:ff:ff:ff
inet 10.11.11.10/24 brd 10.11.11.255 scope global noprefixroute br0
   valid_lft forever preferred_lft forever
inet6 fe80::1e69:7aff:fe03:21e9/64 scope link 
   valid_lft forever preferred_lft forever

Somewhere in the output will be the interface that you configured with your bastion IP address. Find it and set a variable with that value:

PRIMARY_NIC="eno1"

Create a network bridge device named br0

nmcli connection add type bridge ifname br0 con-name br0 ipv4.method manual ipv4.address "${BASTION_HOST}/24" ipv4.gateway "${LAB_GATEWAY}" ipv4.dns "${LAB_NAMESERVER}" ipv4.dns-search "${LAB_DOMAIN}" ipv4.never-default no connection.autoconnect yes bridge.stp no ipv6.method ignore 

Create a slave device for your primary NIC

nmcli con add type ethernet con-name br0-slave-1 ifname ${PRIMARY_NIC} master br0

Delete the configuration of the primary NIC
```
nmcli con del ${PRIMARY_NIC}
```

Put it back disabled

nmcli con add type ethernet con-name ${PRIMARY_NIC} ifname ${PRIMARY_NIC} connection.autoconnect no ipv4.method disabled ipv6.method ignore

For the rest of this setup, unless otherwise specified, it is assumed that you are working from the Bastion Host. You will need the environment variables that we just set up for some of the commands that you will be executing.

Now we are ready to set up DNS: Go to DNS Setup