Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 2. Prerequisites
Installer-provisioned installation of OpenShift Container Platform requires:
- One provisioner node with Red Hat Enterprise Linux (RHEL) 9.x installed. The provisioner can be removed after installation.
- Three control plane nodes
- Baseboard management controller (BMC) access to each node
- At least one network: - One required routable network
- One optional provisioning network
- One optional management network
 
Before starting an installer-provisioned installation of OpenShift Container Platform, ensure the hardware environment meets the following requirements.
2.1. Node requirements
Installer-provisioned installation involves a number of hardware node requirements:
- 
						CPU architecture: All nodes must use x86_64oraarch64CPU architecture.
- Similar nodes: Red Hat recommends nodes have an identical configuration per role. That is, Red Hat recommends nodes be the same brand and model with the same CPU, memory, and storage configuration.
- 
						Baseboard Management Controller: The provisionernode must be able to access the baseboard management controller (BMC) of each OpenShift Container Platform cluster node. You may use IPMI, Redfish, or a proprietary protocol.
- 
						Latest generation: Nodes must be of the most recent generation. Installer-provisioned installation relies on BMC protocols, which must be compatible across nodes. Additionally, RHEL 9.x ships with the most recent drivers for RAID controllers. Ensure that the nodes are recent enough to support RHEL 9.x for the provisionernode and RHCOS 9.x for the control plane and worker nodes.
- Registry node: (Optional) If setting up a disconnected mirrored registry, it is recommended the registry reside in its own node.
- 
						Provisioner node: Installer-provisioned installation requires one provisionernode.
- Control plane: Installer-provisioned installation requires three control plane nodes for high availability. You can deploy an OpenShift Container Platform cluster with only three control plane nodes, making the control plane nodes schedulable as worker nodes. Smaller clusters are more resource efficient for administrators and developers during development, production, and testing.
- Worker nodes: While not required, a typical production cluster has two or more worker nodes. Important- Do not deploy a cluster with only one worker node, because the cluster will deploy with routers and ingress traffic in a degraded state. 
- Network interfaces: Each node must have at least one network interface for the routable - baremetalnetwork. Each node must have one network interface for a- provisioningnetwork when using the- provisioningnetwork for deployment. Using the- provisioningnetwork is the default configuration.Note- Only one network card (NIC) on the same subnet can route traffic through the gateway. By default, Address Resolution Protocol (ARP) uses the lowest numbered NIC. Use a single NIC for each node in the same subnet to ensure that network load balancing works as expected. When using multiple NICs for a node in the same subnet, use a single bond or team interface. Then add the other IP addresses to that interface in the form of an alias IP address. If you require fault tolerance or load balancing at the network interface level, use an alias IP address on the bond or team interface. Alternatively, you can disable a secondary NIC on the same subnet or ensure that it has no IP address. 
- Unified Extensible Firmware Interface (UEFI): Installer-provisioned installation requires UEFI boot on all OpenShift Container Platform nodes when using IPv6 addressing on the - provisioningnetwork. In addition, UEFI Device PXE Settings must be set to use the IPv6 protocol on the- provisioningnetwork NIC, but omitting the- provisioningnetwork removes this requirement.Important- When starting the installation from virtual media such as an ISO image, delete all old UEFI boot table entries. If the boot table includes entries that are not generic entries provided by the firmware, the installation might fail. 
- Secure Boot: Many production scenarios require nodes with Secure Boot enabled to verify the node only boots with trusted software, such as UEFI firmware drivers, EFI applications, and the operating system. You may deploy with Secure Boot manually or managed. - Manually: To deploy an OpenShift Container Platform cluster with Secure Boot manually, you must enable UEFI boot mode and Secure Boot on each control plane node and each worker node. Red Hat supports Secure Boot with manually enabled UEFI and Secure Boot only when installer-provisioned installations use Redfish virtual media. See "Configuring nodes for Secure Boot manually" in the "Configuring nodes" section for additional details.
- Managed: To deploy an OpenShift Container Platform cluster with managed Secure Boot, you must set the - bootModevalue to- UEFISecureBootin the- install-config.yamlfile. Red Hat only supports installer-provisioned installation with managed Secure Boot on 10th generation HPE hardware and 13th generation Dell hardware running firmware version- 2.75.75.75or greater. Deploying with managed Secure Boot does not require Redfish virtual media. See "Configuring managed Secure Boot" in the "Setting up the environment for an OpenShift installation" section for details.Note- Red Hat does not support managing self-generated keys, or other keys, for Secure Boot. 
 
2.2. Minimum resource requirements for cluster installation
Each cluster machine must meet the following minimum requirements:
| Machine | Operating System | CPU [1] | RAM | Storage | Input/Output Per Second (IOPS)[2] | 
|---|---|---|---|---|---|
| Bootstrap | RHEL | 4 | 16 GB | 100 GB | 300 | 
| Control plane | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Compute | RHCOS | 2 | 8 GB | 100 GB | 300 | 
- One CPU is equivalent to one physical core when simultaneous multithreading (SMT), or Hyper-Threading, is not enabled. When enabled, use the following formula to calculate the corresponding ratio: (threads per core × cores) × sockets = CPUs.
- OpenShift Container Platform and Kubernetes are sensitive to disk performance, and faster storage is recommended, particularly for etcd on the control plane nodes. Note that on many cloud platforms, storage size and IOPS scale together, so you might need to over-allocate storage volume to obtain sufficient performance.
As of OpenShift Container Platform version 4.13, RHCOS is based on RHEL version 9.2, which updates the micro-architecture requirements. The following list contains the minimum instruction set architectures (ISA) that each architecture requires:
- x86-64 architecture requires x86-64-v2 ISA
- ARM64 architecture requires ARMv8.0-A ISA
- IBM Power architecture requires Power 9 ISA
- s390x architecture requires z14 ISA
For more information, see Architectures (RHEL documentation).
If an instance type for your platform meets the minimum requirements for cluster machines, it is supported to use in OpenShift Container Platform.
2.3. Planning a bare metal cluster for OpenShift Virtualization
If you will use OpenShift Virtualization, it is important to be aware of several requirements before you install your bare metal cluster.
- If you want to use live migration features, you must have multiple worker nodes at the time of cluster installation. This is because live migration requires the cluster-level high availability (HA) flag to be set to true. The HA flag is set when a cluster is installed and cannot be changed afterwards. If there are fewer than two worker nodes defined when you install your cluster, the HA flag is set to false for the life of the cluster. Note- You can install OpenShift Virtualization on a single-node cluster, but single-node OpenShift does not support high availability. 
- Live migration requires shared storage. Storage for OpenShift Virtualization must support and use the ReadWriteMany (RWX) access mode.
- If you plan to use Single Root I/O Virtualization (SR-IOV), ensure that your network interface controllers (NICs) are supported by OpenShift Container Platform.
2.4. Firmware requirements for installing with virtual media
The installation program for installer-provisioned OpenShift Container Platform clusters validates the hardware and firmware compatibility with Redfish virtual media. The installation program does not begin installation on a node if the node firmware is not compatible. The following tables list the minimum firmware versions tested and verified to work for installer-provisioned OpenShift Container Platform clusters deployed by using Redfish virtual media.
Red Hat does not test every combination of firmware, hardware, or other third-party components. For further information about third-party support, see Red Hat third-party support policy. For information about updating the firmware, see the hardware documentation for the nodes or contact the hardware vendor.
| Model | Management | Firmware versions | 
|---|---|---|
| 11th Generation | iLO6 | 1.57 or later | 
| 10th Generation | iLO5 | 2.63 or later | 
| Model | Management | Firmware versions | 
|---|---|---|
| 16th Generation | iDRAC 9 | v7.10.70.00 | 
| 15th Generation | iDRAC 9 | v6.10.30.00, v7.10.50.00, and v7.10.70.00 | 
| 14th Generation | iDRAC 9 | v6.10.30.00 | 
| Model | Management | Firmware versions | 
|---|---|---|
| UCS X-Series servers | Intersight Managed Mode | 5.2(2) or later | 
| FI-Attached UCS C-Series servers | Intersight Managed Mode | 4.3 or later | 
| Standalone UCS C-Series servers | Standalone / Intersight | 4.3 or later | 
Always confirm that your server supports Red Hat Enterprise Linux CoreOS (RHCOS) on UCSHCL.
2.5. Network requirements
				Installer-provisioned installation of OpenShift Container Platform involves multiple network requirements. First, installer-provisioned installation involves an optional non-routable provisioning network for provisioning the operating system on each bare-metal node. Second, installer-provisioned installation involves a routable baremetal network.
			
2.5.1. Ensuring required ports are open
Certain ports must be open between cluster nodes for installer-provisioned installations to complete successfully. In certain situations, such as using separate subnets for far edge worker nodes, you must ensure that the nodes in these subnets can communicate with nodes in the other subnets on the following required ports.
| Port | Description | 
|---|---|
| 
									 | 
									When using a provisioning network, cluster nodes access the  | 
| 
									 | 
									When using a provisioning network, cluster nodes communicate with the TFTP server on port  | 
| 
									 | 
									When not using the image caching option or when using virtual media, the provisioner node must have port  | 
| 
									 | 
									The cluster nodes must access the NTP server on port  | 
| 
									 | 
									The Ironic Inspector API runs on the control plane nodes and listens on port  | 
| 
									 | 
									Port  | 
| 
									 | 
									When deploying with virtual media and not using TLS, the provisioner node and the control plane nodes must have port  | 
| 
									 | 
									When deploying with virtual media and using TLS, the provisioner node and the control plane nodes must have port  | 
| 
									 | 
									The Ironic API server runs initially on the bootstrap VM and later on the control plane nodes and listens on port  | 
| 
									 | 
									Port  | 
| 
									 | 
									When using image caching without TLS, port  | 
| 
									 | 
									When using the image caching option with TLS, port  | 
| 
									 | 
									By default, the Ironic Python Agent (IPA) listens on TCP port  | 
2.5.2. Increase the network MTU
Before deploying OpenShift Container Platform, increase the network maximum transmission unit (MTU) to 1500 or more. If the MTU is lower than 1500, the Ironic image that is used to boot the node might fail to communicate with the Ironic inspector pod, and inspection will fail. If this occurs, installation stops because the nodes are not available for installation.
2.5.3. Configuring NICs
OpenShift Container Platform deploys with two networks:
- provisioning: The- provisioningnetwork is an optional non-routable network used for provisioning the underlying operating system on each node that is a part of the OpenShift Container Platform cluster. The network interface for the- provisioningnetwork on each cluster node must have the BIOS or UEFI configured to PXE boot.- The - provisioningNetworkInterfaceconfiguration setting specifies the- provisioningnetwork NIC name on the control plane nodes, which must be identical on the control plane nodes. The- bootMACAddressconfiguration setting provides a means to specify a particular NIC on each node for the- provisioningnetwork.- The - provisioningnetwork is optional, but it is required for PXE booting. If you deploy without a- provisioningnetwork, you must use a virtual media BMC addressing option such as- redfish-virtualmediaor- idrac-virtualmedia.
- 
							baremetal: Thebaremetalnetwork is a routable network. You can use any NIC to interface with thebaremetalnetwork provided the NIC is not configured to use theprovisioningnetwork.
When using a VLAN, each NIC must be on a separate VLAN corresponding to the appropriate network.
2.5.4. DNS requirements
					Clients access the OpenShift Container Platform cluster nodes over the baremetal network. A network administrator must configure a subdomain or subzone where the canonical name extension is the cluster name.
				
<cluster_name>.<base_domain>
<cluster_name>.<base_domain>For example:
test-cluster.example.com
test-cluster.example.comOpenShift Container Platform includes functionality that uses cluster membership information to generate A/AAAA records. This resolves the node names to their IP addresses. After the nodes are registered with the API, the cluster can disperse node information without using CoreDNS-mDNS. This eliminates the network traffic associated with multicast DNS.
CoreDNS requires both TCP and UDP connections to the upstream DNS server to function correctly. Ensure the upstream DNS server can receive both TCP and UDP connections from OpenShift Container Platform cluster nodes.
In OpenShift Container Platform deployments, DNS name resolution is required for the following components:
- The Kubernetes API
- The OpenShift Container Platform application wildcard ingress API
A/AAAA records are used for name resolution and PTR records are used for reverse name resolution. Red Hat Enterprise Linux CoreOS (RHCOS) uses the reverse records or DHCP to set the hostnames for all the nodes.
					Installer-provisioned installation includes functionality that uses cluster membership information to generate A/AAAA records. This resolves the node names to their IP addresses. In each record, <cluster_name> is the cluster name and <base_domain> is the base domain that you specify in the install-config.yaml file. A complete DNS record takes the form: <component>.<cluster_name>.<base_domain>..
				
| Component | Record | Description | 
|---|---|---|
| Kubernetes API | 
									 | An A/AAAA record and a PTR record identify the API load balancer. These records must be resolvable by both clients external to the cluster and from all the nodes within the cluster. | 
| Routes | 
									 | The wildcard A/AAAA record refers to the application ingress load balancer. The application ingress load balancer targets the nodes that run the Ingress Controller pods. The Ingress Controller pods run on the worker nodes by default. These records must be resolvable by both clients external to the cluster and from all the nodes within the cluster. 
									For example,  | 
					You can use the dig command to verify DNS resolution.
				
2.5.5. Dynamic Host Configuration Protocol (DHCP) requirements
					By default, installer-provisioned installation deploys ironic-dnsmasq with DHCP enabled for the provisioning network. No other DHCP servers should be running on the provisioning network when the provisioningNetwork configuration setting is set to managed, which is the default value. If you have a DHCP server running on the provisioning network, you must set the provisioningNetwork configuration setting to unmanaged in the install-config.yaml file.
				
					Network administrators must reserve IP addresses for each node in the OpenShift Container Platform cluster for the baremetal network on an external DHCP server.
				
2.5.6. Reserving IP addresses for nodes with the DHCP server
					For the baremetal network, a network administrator must reserve several IP addresses, including:
				
- Two unique virtual IP addresses. - One virtual IP address for the API endpoint.
- One virtual IP address for the wildcard ingress endpoint.
 
- One IP address for the provisioner node.
- One IP address for each control plane node.
- One IP address for each worker node, if applicable.
Some administrators prefer to use static IP addresses so that each node’s IP address remains constant in the absence of a DHCP server. To configure static IP addresses with NMState, see "(Optional) Configuring node network interfaces" in the "Setting up the environment for an OpenShift installation" section.
External load balancing services and the control plane nodes must run on the same L2 network, and on the same VLAN when using VLANs to route traffic between the load balancing services and the control plane nodes.
The storage interface requires a DHCP reservation or a static IP.
The following table provides an exemplary embodiment of fully qualified domain names. The API and name server addresses begin with canonical name extensions. The hostnames of the control plane and worker nodes are exemplary, so you can use any host naming convention you prefer.
| Usage | Host Name | IP | 
|---|---|---|
| API | 
									 | 
									 | 
| Ingress LB (apps) | 
									 | 
									 | 
| Provisioner node | 
									 | 
									 | 
| Control-plane-0 | 
									 | 
									 | 
| Control-plane-1 | 
									 | 
									 | 
| Control-plane-2 | 
									 | 
									 | 
| Worker-0 | 
									 | 
									 | 
| Worker-1 | 
									 | 
									 | 
| Worker-n | 
									 | 
									 | 
If you do not create DHCP reservations, the installation program requires reverse DNS resolution to set the hostnames for the Kubernetes API node, the provisioner node, the control plane nodes, and the worker nodes.
2.5.7. Provisioner node requirements
					You must specify the MAC address for the provisioner node in your installation configuration. The bootMacAddress specification is typically associated with PXE network booting. However, the Ironic provisioning service also requires the bootMacAddress specification to identify nodes during the inspection of the cluster, or during node redeployment in the cluster.
				
The provisioner node requires layer 2 connectivity for network booting, DHCP and DNS resolution, and local network communication. The provisioner node requires layer 3 connectivity for virtual media booting.
2.5.8. Network Time Protocol (NTP)
Each OpenShift Container Platform node in the cluster must have access to an NTP server. OpenShift Container Platform nodes use NTP to synchronize their clocks. For example, cluster nodes use SSL/TLS certificates that require validation, which might fail if the date and time between the nodes are not in sync.
Define a consistent clock date and time format in each cluster node’s BIOS settings, or installation might fail.
You can reconfigure the control plane nodes to act as NTP servers on disconnected clusters, and reconfigure worker nodes to retrieve time from the control plane nodes.
2.5.9. Port access for the out-of-band management IP address
					The out-of-band management IP address is on a separate network from the node. To ensure that the out-of-band management can communicate with the provisioner node during installation, the out-of-band management IP address must be granted access to port 6180 on the provisioner node and on the OpenShift Container Platform control plane nodes. TLS port 6183 is required for virtual media installation, for example, by using Redfish.
				
2.6. Configuring nodes
2.6.1. Configuring nodes when using the provisioning network
Each node in the cluster requires the following configuration for proper installation.
A mismatch between nodes will cause an installation failure.
					While the cluster nodes can contain more than two NICs, the installation process only focuses on the first two NICs. In the following table, NIC1 is a non-routable network (provisioning) that is only used for the installation of the OpenShift Container Platform cluster.
				
| NIC | Network | VLAN | 
|---|---|---|
| NIC1 | 
									 | 
									 | 
| NIC2 | 
									 | 
									 | 
The Red Hat Enterprise Linux (RHEL) 9.x installation process on the provisioner node might vary. To install Red Hat Enterprise Linux (RHEL) 9.x using a local Satellite server or a PXE server, PXE-enable NIC2.
| PXE | Boot order | 
|---|---|
| 
									NIC1 PXE-enabled  | 1 | 
| 
									NIC2  | 2 | 
Ensure PXE is disabled on all other NICs.
Configure the control plane and worker nodes as follows:
| PXE | Boot order | 
|---|---|
| NIC1 PXE-enabled (provisioning network) | 1 | 
2.6.2. Configuring nodes without the provisioning network
The installation process requires one NIC:
| NIC | Network | VLAN | 
|---|---|---|
| NICx | 
									 | 
									 | 
					NICx is a routable network (baremetal) that is used for the installation of the OpenShift Container Platform cluster, and routable to the internet.
				
						The provisioning network is optional, but it is required for PXE booting. If you deploy without a provisioning network, you must use a virtual media BMC addressing option such as redfish-virtualmedia or idrac-virtualmedia.
					
2.6.3. Configuring nodes for Secure Boot manually
Secure Boot prevents a node from booting unless it verifies the node is using only trusted software, such as UEFI firmware drivers, EFI applications, and the operating system.
Red Hat only supports manually configured Secure Boot when deploying with Redfish virtual media.
To enable Secure Boot manually, refer to the hardware guide for the node and execute the following:
Procedure
- Boot the node and enter the BIOS menu.
- 
							Set the node’s boot mode to UEFI Enabled.
- Enable Secure Boot.
Red Hat does not support Secure Boot with self-generated keys.
2.7. Out-of-band management
Nodes typically have an additional NIC used by the baseboard management controllers (BMCs). These BMCs must be accessible from the provisioner node.
Each node must be accessible via out-of-band management. When using an out-of-band management network, the provisioner node requires access to the out-of-band management network for a successful OpenShift Container Platform installation.
The out-of-band management setup is out of scope for this document. Using a separate management network for out-of-band management can enhance performance and improve security. However, using the provisioning network or the bare metal network are valid options.
The bootstrap VM features a maximum of two network interfaces. If you configure a separate management network for out-of-band management, and you are using a provisioning network, the bootstrap VM requires routing access to the management network through one of the network interfaces. In this scenario, the bootstrap VM can then access three networks:
- the bare metal network
- the provisioning network
- the management network routed through one of the network interfaces
2.8. Required data for installation
Prior to the installation of the OpenShift Container Platform cluster, gather the following information from all cluster nodes:
- Out-of-band management IP - Examples - Dell (iDRAC) IP
- HP (iLO) IP
- Fujitsu (iRMC) IP
 
 
When using the provisioning network
- 
						NIC (provisioning) MAC address
- 
						NIC (baremetal) MAC address
When omitting the provisioning network
- 
						NIC (baremetal) MAC address
2.9. Validation checklist for nodes
When using the provisioning network
- 
						❏ NIC1 VLAN is configured for the provisioningnetwork.
- 
						❏ NIC1 for the provisioningnetwork is PXE-enabled on the provisioner, control plane, and worker nodes.
- 
						❏ NIC2 VLAN is configured for the baremetalnetwork.
- ❏ PXE has been disabled on all other NICs.
- ❏ DNS is configured with API and Ingress endpoints.
- ❏ Control plane and worker nodes are configured.
- ❏ All nodes accessible via out-of-band management.
- ❏ (Optional) A separate management network has been created.
- ❏ Required data for installation.
When omitting the provisioning network
- 
						❏ NIC1 VLAN is configured for the baremetalnetwork.
- ❏ DNS is configured with API and Ingress endpoints.
- ❏ Control plane and worker nodes are configured.
- ❏ All nodes accessible via out-of-band management.
- ❏ (Optional) A separate management network has been created.
- ❏ Required data for installation.
2.10. Installation overview
				The installation program supports interactive mode. However, you can prepare an install-config.yaml file containing the provisioning details for all of the bare-metal hosts, and the relevant cluster details, in advance.
			
				The installation program loads the install-config.yaml file and the administrator generates the manifests and verifies all prerequisites.
			
The installation program performs the following tasks:
- Enrolls all nodes in the cluster
- Starts the bootstrap virtual machine (VM)
- Starts the metal platform components as - systemdservices, which have the following containers:- Ironic-dnsmasq: The DHCP server responsible for handing over the IP addresses to the provisioning interface of various nodes on the provisioning network. Ironic-dnsmasq is only enabled when you deploy an OpenShift Container Platform cluster with a provisioning network.
- Ironic-httpd: The HTTP server that is used to ship the images to the nodes.
- Image-customization
- Ironic
- Ironic-inspector (available in OpenShift Container Platform 4.16 and earlier)
- Ironic-ramdisk-logs
- Extract-machine-os
- Provisioning-interface
- Metal3-baremetal-operator
 
The nodes enter the validation phase, where each node moves to a manageable state after Ironic validates the credentials to access the Baseboard Management Controller (BMC).
When the node is in the manageable state, the inspection phase starts. The inspection phase ensures that the hardware meets the minimum requirements needed for a successful deployment of OpenShift Container Platform.
				The install-config.yaml file details the provisioning network. On the bootstrap VM, the installation program uses the Pre-Boot Execution Environment (PXE) to push a live image to every node with the Ironic Python Agent (IPA) loaded. When using virtual media, it connects directly to the BMC of each node to virtually attach the image.
			
When using PXE boot, all nodes reboot to start the process:
- 
						The ironic-dnsmasqservice running on the bootstrap VM provides the IP address of the node and the TFTP boot server.
- The first-boot software loads the root file system over HTTP.
- 
						The ironicservice on the bootstrap VM receives the hardware information from each node.
The nodes enter the cleaning state, where each node must clean all the disks before continuing with the configuration.
After the cleaning state finishes, the nodes enter the available state and the installation program moves the nodes to the deploying state.
				IPA runs the coreos-installer command to install the Red Hat Enterprise Linux CoreOS (RHCOS) image on the disk defined by the rootDeviceHints parameter in the install-config.yaml file. The node boots by using RHCOS.
			
After the installation program configures the control plane nodes, it moves control from the bootstrap VM to the control plane nodes and deletes the bootstrap VM.
The Bare-Metal Operator continues the deployment of the workers, storage, and infra nodes.
After the installation completes, the nodes move to the active state. You can then proceed with postinstallation configuration and other Day 2 tasks.
