[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Installation of HA w/o LB supported



Hi

I configured IP failover using the infra nodes:

https://docs.openshift.com/container-platform/3.11/admin_guide/high_availability.html#configuring-ip-failover

Then, you can choose a floating IP in your DNS server for your *.apps.example.com.

The same approach cannot be used for the master nodes, because IP failover is configured by a running OpenShift cluster, and the masters are not running yet after a full cluster reboot.
Maybe you can manually configure IP failover using keepalived on the masters.

On 2019-05-03 02:16, Wolf Noble wrote:



I'd be keen to see this described as well.
Initially I had a total of 6 nodes in my lab but I've grown it a bit since I tried the initial (unsuccessful) deployment. I now have 8 physical hosts, and am nearly ready to try again

The issues I encountered were mostly around internal vs external certs, but having some guidance on what architecture configurations are expected / supposed to work (for some reasonable value of work) would be helpful.

On May 2, 2019, at 17:50, Brigman, Larry <Larry Brigman arris com> wrote:

I'm looking for the proper way to configure OpenShift HA without a LB.
The inventory file says it can be done, but nothing I try actually gets
the cluster into a state that allows logins or API responses from
anything other than the first node in the cluster.

Note: It is prompted by this comment in the sample inventory files from 3.6 through 3.11.
# openshift_master_cluster_hostname must resolve to the load balancer
# or to one or all of the masters defined in the inventory if no load
# balancer is present.
#openshift_master_cluster_hostname=openshift-ansible.test.example.com

Cluster:
oc get nodes
NAME                   STATUS    ROLES                  AGE       VERSION
host-t1.example.com   Ready     compute,infra,master   29m       v1.11.0+d4cacc0
host-t2.example.com   Ready     compute,infra,master   29m       v1.11.0+d4cacc0
host-t3.example.com   Ready     compute,infra,master   29m       v1.11.0+d4cacc0

Details login message:
oc -v=10 login -u system:admin host-t2.example.com:8443
I0502 16:25:42.809795   29979 loader.go:359] Config loaded from file /root/.kube/config
I0502 16:25:42.811040   29979 loader.go:359] Config loaded from file /root/.kube/config
I0502 16:25:42.811446   29979 round_trippers.go:386] curl -k -v -XHEAD  'https://host-t2.example.com:8443/'
I0502 16:25:42.846243   29979 round_trippers.go:405] HEAD https://host-t2.example.com:8443/  in 34 milliseconds
I0502 16:25:42.846297   29979 round_trippers.go:411] Response Headers:
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): yes

I0502 16:25:52.654386   29979 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" 'https://host-t2.example.com:8443/.well-known/oauth-authorization-server'
I0502 16:25:52.666730   29979 round_trippers.go:405] GET https://host-t2.example.com:8443/.well-known/oauth-authorization-server 200 OK in 12 milliseconds
I0502 16:25:52.666763   29979 round_trippers.go:411] Response Headers:
I0502 16:25:52.666775   29979 round_trippers.go:414]     Date: Thu, 02 May 2019 23:25:52 GMT
I0502 16:25:52.666785   29979 round_trippers.go:414]     Cache-Control: no-store
I0502 16:25:52.666811   29979 round_trippers.go:414]     Content-Type: application/json
I0502 16:25:52.666821   29979 round_trippers.go:414]     Content-Length: 552
I0502 16:25:52.667136   29979 round_trippers.go:386] curl -k -v -XGET  -H "X-Csrf-Token: 1" 'https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=hI54jRyrYTj2Q7yGi1RGupr47z03hnEY2bwz7GjpBYc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code'
I0502 16:25:52.670384   29979 round_trippers.go:405] GET https://host-t2.example.com:8443/oauth/authorize?client_id=openshift-challenging-client&code_challenge=hI54jRyrYTj2Q7yGi1RGupr47z03hnEY2bwz7GjpBYc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fhost-t2.example.com%3A8443%2Foauth%2Ftoken%2Fimplicit&response_type=code 400 Bad Request in 3 milliseconds
I0502 16:25:52.670418   29979 round_trippers.go:411] Response Headers:
I0502 16:25:52.670525   29979 round_trippers.go:414]     Content-Length: 196
I0502 16:25:52.670539   29979 round_trippers.go:414]     Date: Thu, 02 May 2019 23:25:52 GMT
I0502 16:25:52.670549   29979 round_trippers.go:414]     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
I0502 16:25:52.670564   29979 round_trippers.go:414]     Content-Type: application/json
I0502 16:25:52.670574   29979 round_trippers.go:414]     Expires: Fri, 01 Jan 1990 00:00:00 GMT
I0502 16:25:52.670698   29979 round_trippers.go:414]     Pragma: no-cache
I0502 16:25:52.670972   29979 helpers.go:201] server response object: [{
 "metadata": {},
 "status": "Failure",
 "message": "Internal error occurred: unexpected response: 400",
 "reason": "InternalError",
 "details": {
   "causes": [
     {
       "message": "unexpected response: 400"
     }
   ]
 },
 "code": 500
}]
F0502 16:25:52.671034   29979 helpers.go:119] Error from server (InternalError): Internal error occurred: unexpected response: 400


Providing a Round-Robin DNS address that resolves to all hosts seemed the most likely to work
but things still only get routed to the first host.

At one point either in 3.7 or 3.9, I tested this and it seemed to work correctly but it has been too long
ago to replicate to prove that point.

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
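The request that fails in the log above is the /oauth/authorize call that `oc login` makes against host-t2.example.com:8443 with client_id=openshift-challenging-client, a redirect_uri built from that same host, and an S256 PKCE code_challenge. The thread does not confirm the cause of the 400, but one check the authorization server performs on exactly those parameters is an exact match of redirect_uri against the URIs registered for the client; for the built-in challenging client that registered URI is derived from the master public URL rather than from whichever master the user typed. The following Python model is an added example, not OpenShift's code: it implements the redirect_uri match, the RFC 7636 S256 challenge/verifier pairing, and the single-use code exchange, so a login aimed at an individual master returns 400 while one aimed at the public URL completes. The public URL, the error bodies and the token format are assumptions made for the example.

```python
"""Added example (not OpenShift's code): a model of the /oauth/authorize and
/oauth/token checks behind the exchange shown in the oc -v=10 log.

It reproduces two things the authorization server enforces:
  1. redirect_uri must exactly match a URI registered for client_id; for the
     built-in openshift-challenging-client that URI is derived from the
     master public URL, and
  2. the PKCE code_challenge must be the S256 digest of the code_verifier the
     client later presents (RFC 7636), and each code is single-use.
The public URL, error bodies and token format are assumptions for the example.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

PUBLIC_MASTER_URL = "https://openshift.example.com:8443"  # assumed for the example

# client_id -> exact redirect URIs registered for it
REGISTERED_CLIENTS = {
    "openshift-challenging-client": {PUBLIC_MASTER_URL + "/oauth/token/implicit"},
}

# authorization code -> code_challenge it was issued against (server state)
ISSUED_CODES = {}


def s256_challenge(verifier):
    """BASE64URL(SHA256(ASCII(code_verifier))), unpadded, per RFC 7636 section 4.2."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Client side: a fresh random code_verifier and its S256 code_challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, s256_challenge(verifier)


def build_authorize_url(api_server, challenge):
    """What `oc login <api_server>` requests. Note that redirect_uri is built
    from the server the user typed, not from the master public URL."""
    params = {
        "client_id": "openshift-challenging-client",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "redirect_uri": api_server + "/oauth/token/implicit",
        "response_type": "code",
    }
    return api_server + "/oauth/authorize?" + urlencode(params)


def authorize(url):
    """Server side of /oauth/authorize. Returns (status, body dict)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    registered = REGISTERED_CLIENTS.get(q.get("client_id"))
    if registered is None:
        return 400, {"error": "unauthorized_client"}
    # Exact-string match: no host or prefix matching, so a login aimed at one
    # master fails whenever the public URL is a different name.
    if q.get("redirect_uri") not in registered:
        return 400, {"error": "invalid_request", "error_description": "redirect_uri mismatch"}
    if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
        return 400, {"error": "invalid_request"}
    challenge = q.get("code_challenge", "")
    if len(challenge) != 43:  # unpadded base64url of a 32-byte digest
        return 400, {"error": "invalid_request", "error_description": "bad code_challenge"}
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = challenge
    return 302, {"location": q["redirect_uri"] + "?code=" + code}


def exchange(code, verifier):
    """Server side of /oauth/token: the verifier must hash to the stored
    challenge, and the code is consumed whether or not it matches."""
    challenge = ISSUED_CODES.pop(code, None)
    if challenge is None or s256_challenge(verifier) != challenge:
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def login(api_server):
    """End-to-end client flow; returns the HTTP status the client ends with."""
    verifier, challenge = new_pkce_pair()
    status, body = authorize(build_authorize_url(api_server, challenge))
    if status != 302:
        return status
    code = parse_qs(urlsplit(body["location"]).query)["code"][0]
    status, _ = exchange(code, verifier)
    return status


if __name__ == "__main__":
    print("login via individual master:", login("https://host-t2.example.com:8443"))
    print("login via public master URL: ", login(PUBLIC_MASTER_URL))
```

The practical check this suggests for the no-LB setup in the thread is to point `oc login` at the name configured as the cluster's public master hostname (the one `openshift_master_cluster_hostname` / `openshift_master_cluster_public_hostname` resolve for) rather than at an individual master, and to make sure the master certificates carry that name; the model does not cover the certificate side.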

