In this post we are going to prepare the nodes on which we will install a Kubernetes cluster with RKE, and then install Rancher server on top of it, for a production setup.
Requirements:
- Basic knowledge of Linux commands
- An external computer from which we will provision the nodes (the operator computer)
- A text editor on the nodes (this post uses nano: sudo apt install nano)
- Three 64-bit Linux machines for the RKE cluster (Debian-based; the examples below use Ubuntu)
- SSH server installed on the nodes
We need to install Rancher server on top of an RKE cluster running on the nodes, for high availability.
And I'm sure I know what you are thinking...
Wait... so to install Rancher server, and be able to install and manage Kubernetes clusters with it, I first need to install a Kubernetes cluster?
Well, the answer is yes and no.
The best way to run a highly available application is inside Kubernetes, which is why Rancher server goes on a Kubernetes cluster. But this is not going to be the typical Kubernetes installation: we are going to do it with the help of RKE.
RKE is a Kubernetes engine tuned by Rancher, and the installation is easy and fast once the nodes are prepared. Preparing the nodes is what we do in this post.
Hands-On
Generate SSH Key
1. Generate a key pair on the operator computer and save it as /home/(your user)/.ssh/rke. This is the key RKE will use to log in to every node.
ssh-keygen
(A passphrase is optional. Without one, anybody who can read the file gets the same access to the three nodes as you have, so keep the operator computer locked down. With one, RKE has to go through ssh-agent: add the key with ssh-add and set ssh_agent_auth: true in the RKE cluster.yml.)
ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/(your user)/.ssh/id_rsa): /home/(your user)/.ssh/rke
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/(your user)/.ssh/rke
Your public key has been saved in /home/(your user)/.ssh/rke.pub
The key fingerprint is:
SHA256:sgdlTKIDjXv7c2X86wcbQ7e0TGeXz5JiWzk4qC61YtY javier@javier-Lenovo-ideapad-330S-15ARR
The key's randomart image is:
+---[RSA 3072]----+
| .o . . |
| .... + |
| .o + .|
| . .. o . +.+|
| . .o S. o * Oo|
| . +. = O X o|
| ..o.= o X o |
| B.E + . |
| o *. .oo |
+----[SHA256]-----+
The following configuration has to be applied to each of the three nodes (steps 2 to 33).
2. Copy the public key to the node. This lets us connect over ssh without typing the node password every time. The first connection shows the host key fingerprint of the node: compare it with the value you get on the node's own console with ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub before answering yes. If you accept an unknown host blindly, a machine in the middle could receive the password you type right after.
ssh-copy-id -i ~/.ssh/rke (node user)@(node ip)
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/(your user)/.ssh/rke.pub"
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is SHA256:diitN4rOd6j9KdszklTR/QAb5/SiGw3Pwxx5rofnQ6g.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
ubuntu@192.168.1.1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'ubuntu@192.168.1.1'"
and check to make sure that only the key(s) you wanted were added.
3. Connect to the node over ssh with the new key (you should not be asked for the node password any more)
ssh -i ~/.ssh/rke (user)@(node ip)
Change the host name
4. Edit the host name file
sudo nano /etc/hostname
5. Set a hostname that is unique within the cluster. I'm going to use ubuntu-1, ubuntu-2, ubuntu-3 for the nodes. Update the 127.0.1.1 line in /etc/hosts to the same name as well, otherwise sudo will complain that it is unable to resolve the host.
ubuntu-1
6. Save with Ctrl+O and exit with Ctrl+X
7. Restart the node
sudo reboot
8. Now connect to the node by its new host name. This only works if the operator computer can resolve the name (through DNS or an entry in the operator's /etc/hosts); otherwise keep using the IP.
ssh -i ~/.ssh/rke (user)@ubuntu-1
Uninstall old Docker and install a supported version
9. Remove any old Docker packages
sudo apt-get remove docker docker-engine docker.io containerd
This keeps the images, volumes and configuration of the old installation under /var/lib/docker/ (only purge removes them).
10. Install the Docker dependencies
sudo apt update && sudo apt install -y \
apt-transport-https ca-certificates curl \
gnupg-agent software-properties-common
11. Install a Docker version supported by Rancher. Rancher publishes one install script per supported version:
Docker Version | Install Script
---|---
19.03 | curl https://releases.rancher.com/install-docker/19.03.sh | sh
18.09 | curl https://releases.rancher.com/install-docker/18.09.sh | sh
18.06 | curl https://releases.rancher.com/install-docker/18.06.sh | sh
17.03 | curl https://releases.rancher.com/install-docker/17.03.sh | sh
Piping a download straight into sh runs code you have not seen, and the script escalates to root to install packages. On a production node download it first (curl -o 19.03.sh https://releases.rancher.com/install-docker/19.03.sh), read it, and then run it with sh 19.03.sh. The one-liner for 19.03 is:
curl https://releases.rancher.com/install-docker/19.03.sh | sh
12. Check your Docker version
sudo docker version --format '{{.Server.Version}}'
19.03.13
13. Enable Docker to start at boot (and start it now)
sudo systemctl enable --now docker
14. Add your user to the docker group. Members of the docker group can start privileged containers and therefore have root on the node, so only add accounts that already have sudo. The new group membership takes effect at your next login.
sudo usermod -aG docker $USER
Disable Swap
15. The kubelet refuses to start while swap is enabled (unless it is explicitly told to ignore it), so RKE needs swap off on every node. There is a security benefit too: with swap off, secrets that containers hold in memory cannot be paged out to disk, where anyone with access to the disk could read them later.
Edit /etc/fstab with sudo nano /etc/fstab
and comment out the swap line by putting # at its beginning
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda5 during installation
UUID=5be72ab8-47e4-4826-8437-624da4b296df / ext4 errors=remount-ro 0 1
# /boot/efi was on /dev/sda1 during installation
UUID=8060-E869 /boot/efi vfat umask=0077 0 1
#/swapfile none swap sw 0 0
16. Save with Ctrl+O and exit with Ctrl+X
17. The fstab change takes effect on the next reboot; to keep working now, disable swap from the command line
sudo swapoff -a
18. Check that you are not using swap with free -h
free -h
total used free shared buff/cache available
Mem: 7.6Gi 263Mi 6.8Gi 3.0Mi 580Mi 7.3Gi
Swap: 0B 0B 0B
Enable IP forwarding and bridge netfilter
19. Kubernetes networking needs the node to forward packets between interfaces and to pass bridged pod traffic through iptables, so that kube-proxy rules and network policies apply to it. Persist the settings with sysctl
sudo tee -a /etc/sysctl.d/99-kubernetes.conf <<EOF
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
20. Load the new configuration. If sysctl --system prints "No such file or directory" for the net.bridge keys, the br_netfilter kernel module is not loaded: load it with sudo modprobe br_netfilter, persist it in /etc/modules-load.d/, and run the command again.
sudo sysctl --system
Open ports and enable the firewall
21. ufw is installed but inactive by default on Ubuntu; check it with sudo ufw status
sudo ufw status
Status: inactive
We are going to allow port 22 first. Take this part with care: if you enable the firewall before allowing the ports you use to connect, you may not be able to reach the host again and will have to go to the physical console.
22. Allow port 22 (ssh)
sudo ufw allow 22/tcp
Rules updated
Rules updated (v6)
23. Create a script that allows all the TCP ports required by Rancher server (the complete list is in the Rancher port requirements documentation)
nano allowtcp.sh
24. Add this content. Every rule below accepts traffic from any source address, which is fine for a lab. On production nodes only 80, 443 and 6443 should be reachable from everywhere; the node-to-node ports (etcd 2379:2380, kubelet 10250, the overlay network ports, and so on) should be limited to the node subnet with rules of the form sudo ufw allow from <node cidr> to any port <port> proto tcp.
#!/bin/bash
# TCP ports used by Rancher server and an RKE cluster with Canal networking:
# 80/443 Rancher UI and ingress, 179 Calico BGP, 5473 Calico Typha,
# 6443 Kubernetes API, 8472 Canal/Flannel overlay, 2376 Docker TLS,
# 2379:2380 etcd, 9099 Canal health checks, 10250 kubelet, 10251 scheduler,
# 10252 controller-manager, 10254 ingress health checks, 30000:32767 NodePorts.
for i in 80 443 179 5473 6443 8472 2376 2379:2380 9099 10250 10251 10252 10254 30000:32767; do
  sudo ufw allow "${i}/tcp"
  echo "${i}/tcp port enabled"
done
25. Save with Ctrl+O and exit with Ctrl+X
26. Add execute permissions
chmod +x allowtcp.sh
27. Run the script (each rule is added through sudo)
sudo ./allowtcp.sh
Rules updated
Rules updated (v6)
80/tcp port enabled
Rules updated
Rules updated (v6)
443/tcp port enabled
Rules updated
Rules updated (v6)
179/tcp port enabled
Rules updated
Rules updated (v6)
5473/tcp port enabled
Rules updated
Rules updated (v6)
6443/tcp port enabled
Rules updated
Rules updated (v6)
8472/tcp port enabled
Rules updated
Rules updated (v6)
2376/tcp port enabled
Rules updated
Rules updated (v6)
2379:2380/tcp port enabled
Rules updated
Rules updated (v6)
9099/tcp port enabled
Rules updated
Rules updated (v6)
10250/tcp port enabled
Rules updated
Rules updated (v6)
10251/tcp port enabled
Rules updated
Rules updated (v6)
10252/tcp port enabled
Rules updated
Rules updated (v6)
10254/tcp port enabled
Rules updated
Rules updated (v6)
30000:32767/tcp port enabled
28. Now let's add the UDP ports needed by Rancher
Create another script
nano allowudp.sh
29. Add this content
#!/bin/bash
# UDP ports: 8285 Flannel UDP backend, 8472 Canal/Flannel VXLAN overlay,
# 4789 Flannel VXLAN (Windows clusters), 30000:32767 NodePorts.
for i in 8285 8472 4789 30000:32767; do
  sudo ufw allow "${i}/udp"
  echo "${i}/udp port enabled"
done
30. Add execute permissions to the file
chmod +x allowudp.sh
31. Run the UDP script
sudo ./allowudp.sh
Rules updated
Rules updated (v6)
8285/udp port enabled
Rules updated
Rules updated (v6)
8472/udp port enabled
Rules updated
Rules updated (v6)
4789/udp port enabled
Rules updated
Rules updated (v6)
30000:32767/udp port enabled
32. Enable the firewall
sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
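The two scripts above open every port to any source address. As an added example (not part of the original post), here is a rule generator that keeps only the Rancher UI, the ingress and the Kubernetes API public and confines the node-to-node ports to the node subnet. The addresses are assumptions: nodes in 192.168.1.0/24, and ssh allowed from that same range for the operator computer; change the two variables to match your network. Run it without arguments to review the rules, then with --apply on each node. Keep the ssh rule from step 22 (or set ADMIN_CIDR to the range you connect from) so you do not lock yourself out.

```sh
#!/bin/sh
# Added example, not part of the original post: generate ufw rules that open the
# Rancher/RKE ports only as widely as each one needs. Public clients only need
# 80/443 (Rancher UI and ingress) and 6443 (Kubernetes API); everything else is
# node-to-node traffic and is limited to the node subnet.
# Assumed addresses (adjust for your network): nodes in 192.168.1.0/24,
# operator computer in the same /24 for ssh.
NODE_CIDR="${NODE_CIDR:-192.168.1.0/24}"
ADMIN_CIDR="${ADMIN_CIDR:-192.168.1.0/24}"

PUBLIC_TCP="80 443 6443"
# etcd, Docker TLS, Calico BGP/Typha, Canal health checks, kubelet, scheduler,
# controller-manager, ingress health checks and the NodePort range.
INTERNAL_TCP="179 2376 2379:2380 5473 9099 10250 10251 10252 10254 30000:32767"
# Flannel UDP backend, Canal/Flannel VXLAN overlay, Flannel VXLAN (Windows), NodePorts.
INTERNAL_UDP="8285 8472 4789 30000:32767"

# Print one ufw command per rule. Nothing is applied here, so the output can be
# reviewed before it is piped to sh.
ufw_rules() {
  echo "ufw allow from ${ADMIN_CIDR} to any port 22 proto tcp"
  for p in ${PUBLIC_TCP}; do
    echo "ufw allow ${p}/tcp"
  done
  for p in ${INTERNAL_TCP}; do
    echo "ufw allow from ${NODE_CIDR} to any port ${p} proto tcp"
  done
  for p in ${INTERNAL_UDP}; do
    echo "ufw allow from ${NODE_CIDR} to any port ${p} proto udp"
  done
}

# Lists the ports that end up reachable from any source address; it should
# match PUBLIC_TCP and nothing else.
world_open_ports() {
  ufw_rules | grep -v ' from ' | sed 's#^ufw allow \([^/]*\)/tcp$#\1#'
}

case "${1:-}" in
  --apply) ufw_rules | sudo sh -e ;;   # run this on the node
  *)       ufw_rules ;;                # dry run: only print the rules
esac
```

If a workload has to be reached on a NodePort from outside the cluster, add that single port explicitly instead of opening the whole 30000:32767 range to the world.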
33. Enable SSH TCP forwarding, which RKE uses to tunnel to the Docker socket on each node. This is a server setting, so it belongs in /etc/ssh/sshd_config (not /etc/ssh/ssh_config, which configures the ssh client). AllowTcpForwarding is yes by default; adding the line makes the requirement explicit and keeps it in place if a hardening baseline later turns it off.
sudo nano /etc/ssh/sshd_config
Add this at the end of the file
AllowTcpForwarding yes
Since key-based login now works, this is also the place to add PasswordAuthentication no, so the nodes stop accepting password guesses over ssh. Keep your current session open until a new key-based session has been confirmed to work.
Save with Ctrl+O and exit with Ctrl+X
Check the configuration for syntax errors and restart the SSH server
sudo sshd -t && sudo systemctl restart ssh
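Before moving on to rke up, it is worth checking from the operator computer that every node really ended up in the state steps 2 to 33 describe. The script below is an added example, not part of the original post: it collects a few facts from each node over ssh (swap, the sysctl values, the Docker version, the ufw state and the sshd settings) and evaluates them locally. It assumes the node user is ubuntu with passwordless sudo, the key from step 1 at ~/.ssh/rke, and the node names or IPs passed as arguments.

```sh
#!/bin/sh
# Added example, not part of the original post: run from the operator computer
# after steps 2 to 33 to confirm each node is ready for rke up, e.g.
#   ./check-nodes.sh ubuntu-1 ubuntu-2 ubuntu-3
# Assumptions: node user "ubuntu" with passwordless sudo, key at ~/.ssh/rke.
KEY="${KEY:-$HOME/.ssh/rke}"
NODE_USER="${NODE_USER:-ubuntu}"

# Executed on the node over ssh; prints one key=value line per fact.
# Kept in a variable so the remote commands can be audited before use.
REMOTE_FACTS='
echo hostname=$(hostname)
echo swap_kb=$(awk "/SwapTotal/ {print \$2}" /proc/meminfo)
echo ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)
echo bridge_nf=$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null || echo missing)
echo docker=$(docker version --format "{{.Server.Version}}" 2>/dev/null || echo missing)
echo ufw=$(sudo ufw status 2>/dev/null | head -n 1 | awk "{print \$2}")
echo tcp_forwarding=$(sudo sshd -T 2>/dev/null | awk "/^allowtcpforwarding/ {print \$2}")
echo password_auth=$(sudo sshd -T 2>/dev/null | awk "/^passwordauthentication/ {print \$2}")
'

# Pure check over a fact report read from stdin: prints each failure and
# returns non-zero if anything is wrong, so it can be tested without a node.
evaluate_report() {
  fails=0
  while IFS='=' read -r key value; do
    case "$key" in
      swap_kb)        [ "$value" = "0" ] || { echo "FAIL swap still enabled (${value} kB)"; fails=1; } ;;
      ip_forward)     [ "$value" = "1" ] || { echo "FAIL net.ipv4.ip_forward=$value"; fails=1; } ;;
      bridge_nf)      [ "$value" = "1" ] || { echo "FAIL bridge-nf-call-iptables=$value (br_netfilter loaded?)"; fails=1; } ;;
      docker)         case "$value" in
                        19.03.*|18.09.*|18.06.*|17.03.*) ;;
                        *) echo "FAIL Docker $value is not a Rancher-supported version"; fails=1 ;;
                      esac ;;
      ufw)            [ "$value" = "active" ] || { echo "FAIL ufw is $value"; fails=1; } ;;
      tcp_forwarding) [ "$value" = "yes" ] || { echo "FAIL AllowTcpForwarding=$value (RKE needs yes)"; fails=1; } ;;
      password_auth)  [ "$value" = "no" ] || echo "WARN PasswordAuthentication=$value (key login works, consider disabling it)" ;;
    esac
  done
  return $fails
}

# Collects the facts from one node and evaluates them. BatchMode makes ssh
# fail immediately instead of falling back to a password prompt.
check_node() {
  ssh -i "$KEY" -o BatchMode=yes "${NODE_USER}@$1" "$REMOTE_FACTS" | evaluate_report
}

for node in "$@"; do
  if check_node "$node"; then echo "OK   $node"; else echo "FAIL $node"; fi
done
```

A node that fails here will also fail later inside rke up, with a much less specific error, so it is cheaper to fix it now.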
Well done! The nodes are prepared for the production Kubernetes cluster.
In the next post we are going to deploy the RKE cluster and install Rancher server.