In this post we are going to prepare the nodes for a Kubernetes cluster (RKE) on which we will install Rancher server for production

Requirements:

  • Basic knowledge of Linux commands
  • An external computer from which we are going to provision the nodes (the operator computer)
  • Nano installed on the operator computer (sudo apt install nano)
  • Three computers for the RKE cluster running 64-bit Linux (Debian)
  • An SSH server installed on the nodes

We need to install Rancher server on top of an RKE cluster running on the nodes, for high availability

And I am sure I know what you are thinking...

Wait... so to install Rancher server and be able to install and manage Kubernetes clusters, I need to install a Kubernetes cluster?

Well, the answer is yes and no

The best way to deploy a highly available application is inside Kubernetes; that's why we are going to install Rancher server on a Kubernetes cluster. But it is not going to be the typical Kubernetes cluster installation: we are going to do it with the help of RKE

RKE is a Kubernetes engine tuned by Rancher, and once the nodes are prepared the installation is easy and fast. Preparing the nodes is what we are going to do in this post

Hands-On

Generate SSH Key

  1. Generate a key on the operator computer to install on the nodes, and save it as /home/(your user)/.ssh/rke using ssh-keygen (a passphrase is optional, but requires more configuration)
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/(your user)/.ssh/id_rsa): /home/(your user)/.ssh/rke
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/(your user)/.ssh/rke
Your public key has been saved in /home/(your user)/.ssh/rke.pub
The key fingerprint is:
SHA256:sgdlTKIDjXv7c2X86wcbQ7e0TGeXz5JiWzk4qC61YtY javier@javier-Lenovo-ideapad-330S-15ARR
The key's randomart image is:
+---[RSA 3072]----+
|  .o  . .        |
|  .... +         |
|   .o   +       .|
|  . .. o    . +.+|
|   . .o S. o * Oo|
|    .  +. = O X o|
|     ..o.= o X o |
|      B.E   + .  |
|     o *.  .oo   |
+----[SHA256]-----+

All the following configuration needs to be applied to each of the three nodes (steps 2 to 33)

2. Copy the key to the nodes; this will allow us to connect to the nodes without typing the node password each time we connect via ssh

ssh-copy-id -i ~/.ssh/rke (node user)@(node ip)
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/(your user)/.ssh/rke.pub"
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is SHA256:diitN4rOd6j9KdszklTR/QAb5/SiGw3Pwxx5rofnQ6g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ubuntu@192.168.1.1's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'ubuntu@192.168.1.1'"
and check to make sure that only the key(s) you wanted were added.

3. Connect to the node with ssh using the user, IP and password of the node

ssh (user)@(node ip)

Change the host name

4. Edit the host name

sudo nano /etc/hostname

5. Add a unique hostname; I'm going to use ubuntu-1, ubuntu-2, ubuntu-3 for the nodes

ubuntu-1

6. Save with Control + O and exit with Control + X

7. Restart the node

sudo reboot

8. Now connect to the node with the new host name

ssh (user)@ubuntu-1

Uninstall Docker and install a supported version

9. Uninstall any old Docker version

sudo apt-get remove docker docker-engine docker.io containerd
If this fails to uninstall Docker, try sudo apt-get remove docker-ce docker-ce-cli containerd.io

This preserves the contents of /var/lib/docker/ (the images, volumes and configuration of the old Docker)

10. Install the Docker dependencies

sudo apt update && sudo apt install -y \
apt-transport-https ca-certificates curl \
gnupg-agent software-properties-common

11. Install a Docker version supported by Rancher

Docker Version   Install Script
19.03            curl https://releases.rancher.com/install-docker/19.03.sh | sh
18.09            curl https://releases.rancher.com/install-docker/18.09.sh | sh
18.06            curl https://releases.rancher.com/install-docker/18.06.sh | sh
17.03            curl https://releases.rancher.com/install-docker/17.03.sh | sh

In this post we use 19.03:

curl https://releases.rancher.com/install-docker/19.03.sh | sh

12. Check your Docker version

sudo docker version --format '{{.Server.Version}}'
19.03.13

13. Enable the autostart of docker

sudo systemctl enable --now docker

14. Add your user to the docker group

sudo usermod -aG docker $USER

Disable Swap

15. This is security related: it prevents an attacker from reading the swap and obtaining sensitive information

Edit /etc/fstab with sudo nano /etc/fstab and comment out the swap line by adding # at its beginning

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/sda5 during installation
UUID=5be72ab8-47e4-4826-8437-624da4b296df /               ext4    errors=remount-ro 0       1
# /boot/efi was on /dev/sda1 during installation
UUID=8060-E869  /boot/efi       vfat    umask=0077      0       1
#/swapfile                                 none            swap    sw              0       0

16. Save with Control + O and exit with Control + X

17. This change takes effect after a restart, but to keep working now, disable the swap from the command line

sudo swapoff -a

18. Check that you are not using swap with free -h

free -h
              total        used        free      shared  buff/cache   available
Mem:          7.6Gi       263Mi       6.8Gi       3.0Mi       580Mi       7.3Gi
Swap:            0B          0B          0B

Enable IP forwarding

19. Enable IP forwarding and bridged traffic filtering

sudo tee -a /etc/sysctl.d/99-kubernetes.conf <<EOF
net.bridge.bridge-nf-call-iptables  = 1
net.ipv4.ip_forward                 = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF

20. Load the new configuration

sudo sysctl --system
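
Before reloading, it is worth checking that the drop-in really contains the three keys with the value 1, and that the kernel exposes them at all: the net.bridge.* entries only exist once the br_netfilter module is loaded, and sysctl --system will otherwise report them as unknown keys. The script below is an added example and not part of the original post; the function names and the default file path are my own, and the three keys are the ones written in step 19.

```shell
#!/bin/sh
# Added example: validate the sysctl drop-in from step 19 before running
# `sysctl --system`, and compare against the values the kernel is running now.
set -u

# The three keys from the post's /etc/sysctl.d/99-kubernetes.conf
REQUIRED_KEYS="net.bridge.bridge-nf-call-iptables net.ipv4.ip_forward net.bridge.bridge-nf-call-ip6tables"

# sysctl_value_in_file KEY FILE -> prints the last value assigned to KEY in FILE
# (comments stripped, whitespace ignored); prints an empty line if KEY is absent.
# "Last one wins" mirrors how sysctl itself applies repeated keys.
sysctl_value_in_file() {
  key=$1; file=$2
  sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" \
    | awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }'
}

# check_sysctl_file [FILE] -> returns 0 when every required key is set to 1,
# otherwise lists each offending key and returns 1.
check_sysctl_file() {
  file=${1:-/etc/sysctl.d/99-kubernetes.conf}   # default: path used in the post
  rc=0
  for key in $REQUIRED_KEYS; do
    value=$(sysctl_value_in_file "$key" "$file")
    if [ "$value" != "1" ]; then
      echo "$key: expected 1, file has '${value:-<unset>}'"
      rc=1
    fi
  done
  return $rc
}

# check_sysctl_live -> reads the running values from /proc/sys. A missing
# net/bridge entry means br_netfilter is not loaded, so `sysctl --system`
# would report those keys as unknown (fix: sudo modprobe br_netfilter).
check_sysctl_live() {
  rc=0
  for key in $REQUIRED_KEYS; do
    path=/proc/sys/$(echo "$key" | tr '.' '/')
    if [ ! -e "$path" ]; then
      echo "$key: not exposed by the kernel (br_netfilter not loaded?)"; rc=1
    elif [ "$(cat "$path")" != "1" ]; then
      echo "$key: running value is $(cat "$path"), not 1"; rc=1
    fi
  done
  return $rc
}

# Usage: sh sysctl-check.sh /etc/sysctl.d/99-kubernetes.conf
# With no argument the script only defines the functions, so it can be sourced.
if [ $# -gt 0 ]; then
  check_sysctl_file "$1" && check_sysctl_live
fi
```

Run it on each node after writing the file and before step 20; a clean exit means sysctl --system will apply exactly the three settings the cluster needs, and a "not exposed by the kernel" line tells you to load br_netfilter first.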

Open ports and enable the firewall

21. Your ufw firewall is probably inactive by default; you can check with sudo ufw status

sudo ufw status
Status: inactive

We are going to allow port 22 first. It is important to take this step with caution: if you enable the firewall before allowing the ports you use to connect, it is possible that you will not be able to reach the host again and will need physical access to it

22. Allow port 22 (ssh)

sudo ufw allow 22/tcp
Rules updated
Rules updated (v6)

23. Create a script to allow all the TCP ports required by Rancher server; the complete list can be found here

nano allowtcp.sh

24. And add this content

#!/bin/bash
# Allow every TCP port (or start:end range, in ufw syntax) that Rancher server and RKE need
for i in 80 443 179 5473 6443 8472 2376 8472 2379:2380 9099 10250 10251 10252 10254 30000:32767; do
    sudo ufw allow ${i}/tcp
    echo "${i}/tcp port enabled"
done

25. Save with Control + O and exit with Control + X

26. Add execute permissions

chmod +x allowtcp.sh

27. Execute the file with super user permissions

sudo ./allowtcp.sh
Rules updated
Rules updated (v6)
80/tcp port enabled
Rules updated
Rules updated (v6)
443/tcp port enabled
Rules updated
Rules updated (v6)
179/tcp port enabled
Rules updated
Rules updated (v6)
5473/tcp port enabled
Rules updated
Rules updated (v6)
6443/tcp port enabled
Rules updated
Rules updated (v6)
8472/tcp port enabled
Rules updated
Rules updated (v6)
2376/tcp port enabled
Skipping adding existing rule
Skipping adding existing rule (v6)
8472/tcp port enabled
Rules updated
Rules updated (v6)
2379:2380/tcp port enabled
Rules updated
Rules updated (v6)
9099/tcp port enabled
Rules updated
Rules updated (v6)
10250/tcp port enabled
Rules updated
Rules updated (v6)
10251/tcp port enabled
Rules updated
Rules updated (v6)
10252/tcp port enabled
Rules updated
Rules updated (v6)
10254/tcp port enabled
Rules updated
Rules updated (v6)
30000:32767/tcp port enabled

28. Now let's add the UDP ports needed by Rancher

Create another script.

nano allowudp.sh

29. Add the following content

#!/bin/bash
# Allow the UDP ports (overlay networking and NodePort range) that Rancher server and RKE need
for i in 8285 8472 4789 30000:32767; do
    sudo ufw allow ${i}/udp
    echo "${i}/udp port enabled"
done

30. Add execute permissions to the file

sudo chmod +x allowudp.sh

31. Execute the udp script

sudo ./allowudp.sh
Rules updated
Rules updated (v6)
8285/udp port enabled
Rules updated
Rules updated (v6)
8472/udp port enabled
Rules updated
Rules updated (v6)
4789/udp port enabled
Rules updated
Rules updated (v6)
30000:32767/udp port enabled

32. Enable the firewall

sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
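
Steps 22 to 32 apply the rules one at a time, with the SSH rule first and ufw enable last; the output in step 27 also shows that 8472/tcp is listed twice in the script. As an added example that is not part of the original post, the script below assembles the same port lists into one deduplicated rule set, refuses to proceed unless 22/tcp is the first rule, and enables the firewall only after all allow rules have been applied; DRY_RUN=1 prints the commands instead of running them. The function names and the DRY_RUN variable are my own; ufw --force enable is the non-interactive form of the ufw enable command from step 32.

```shell
#!/bin/sh
# Added example: one idempotent ufw rule set for an RKE node. SSH comes first,
# duplicates are removed, and the firewall is enabled only after every allow rule.
set -u

# Port lists copied from steps 22, 24 and 29 of the post. 8472/tcp appears twice
# in the original script, which is why ufw printed "Skipping adding existing rule".
TCP_PORTS="22 80 443 179 5473 6443 8472 2376 8472 2379:2380 9099 10250 10251 10252 10254 30000:32767"
UDP_PORTS="8285 8472 4789 30000:32767"

# rke_ufw_rules -> prints one "PORT/PROTO" per line, duplicates removed, order kept
rke_ufw_rules() {
  {
    for p in $TCP_PORTS; do echo "$p/tcp"; done
    for p in $UDP_PORTS; do echo "$p/udp"; done
  } | awk '!seen[$0]++'
}

# apply_rules -> "ufw allow RULE" for each rule, then "ufw --force enable".
# With DRY_RUN=1 the commands are printed instead of executed.
apply_rules() {
  run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
  # Guard against locking ourselves out: the SSH rule must be applied first
  first=$(rke_ufw_rules | head -n1)
  [ "$first" = "22/tcp" ] || { echo "refusing: 22/tcp is not the first rule" >&2; return 1; }
  rke_ufw_rules | while read -r rule; do run ufw allow "$rule"; done
  run ufw --force enable
}

# Usage: DRY_RUN=1 sh rke-ufw.sh apply   (preview)
#        sudo sh rke-ufw.sh apply        (apply on the node)
if [ "${1:-}" = "apply" ]; then apply_rules; fi
```

Previewing with DRY_RUN=1 on the operator computer lets you read the full rule list before touching a node; on the node, the ordering guard and the single enable at the end remove the window in which a firewall is active without its SSH rule.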

33. Enable SSH TCP forwarding: edit the SSH server configuration file /etc/ssh/sshd_config (AllowTcpForwarding is a server option, so it belongs in sshd_config and not in the client file ssh_config)

sudo nano /etc/ssh/sshd_config

Add this at the end of the file

AllowTcpForwarding yes

Save with Control + O and exit with Control + X

Restart the ssh server

sudo systemctl restart ssh

Well done! We have prepared the nodes for the production Kubernetes cluster

In the next post we are going to deploy the RKE cluster and install Rancher server
