Setting Up Kubernetes and iSulad

Unless otherwise specified, perform the following steps on both the master and node. This tutorial uses the master as an example.

Before You Start

Prepare NestOS-22.03-date.x86_64.iso and two hosts act as the master and node respectively.

Downloading the Components

Open the repo source file to add the Alibaba Cloud source of Kubernetes.

vi /etc/yum.repos.d/openEuler.repo

Add the following content:

[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg

Downloads the Kubernetes components and the components for synchronizing the system time.

rpm-ostree install kubelet kubeadm kubectl ntp ntpdate wget

Restart the system to use the components.

systemctl reboot

Select the latest version branch and enter the system.

Configuring the Environment

Change the Host Name of the Master

hostnamectl set-hostname k8s-master
sudo -i

Open the /etc/hosts file.

vi /etc/hosts

Add the IP addresses of the hosts.

192.168.237.133 k8s-master
192.168.237.135 k8s-node01

Synchronizing the System Time

ntpdate time.windows.com
systemctl enable ntpd

Disabling the swap Partition, Firewall, and SELinux

By default, the NestOS does not have the swap partition and the firewall is disabled. Run the following command to disable SELinux:

vi /etc/sysconfig/selinux
# Change the value of SELINUX to disabled.

Enabling Forwarding Mechanisms

Create a configuration file.

vi /etc/sysctl.d/k8s.conf

Add the following content:

net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1

Make the configuration take effect.

modprobe br_netfilter
sysctl -p /etc/sysctl.d/k8s.conf

Configuring iSula

Check the OS image required by Kubernetes. Pay attention to the version number of the pause container.

kubeadm config images list

Modify the daemon.json configuration file.

vi /etc/isulad/daemon.json

## Description of the added items ##
Set registry-mirrors to "docker.io".
Set insecure-registries to "rnd-dockerhub.huawei.com".
Set pod-sandbox-image to "registry.aliyuncs.com/google_containers/pause:3.5". (The Alibaba Cloud source is used. The pause version is obtained in the previous step.)
Set network-plugin to "cni".
Set cni-bin-dir to "/opt/cni/bin".
Set cni-conf-dir to "/etc/cni/net.d".

The modified file is as follows:

{"group": "isula",
"default-runtime": "runc",
"graph": "/var/lib/isulad",
"state": "/var/run/isulad",
"engine": "lcr",
"log-level": "ERROR",
"pidfile": "/var/run/isulad.pid",
"log-opts": {
"log-file-mode": "0600",
"log-path": "/var/lib/isulad",
"max-file": "1",
"max-size": "30KB"
},
"log-driver": "stdout",
"container-log": {
"driver": "json-file"
},
"hook-spec": "/etc/default/isulad/hooks/default.json",
"start-timeout": "2m",
"storage-driver": "overlay2",
"storage-opts": [
"overlay2.override_kernel_check=true"
],
"registry-mirrors": [
"docker.io"
],
"insecure-registries": [
"rnd-dockerhub.huawei.com"
],
"pod-sandbox-image": "registry.aliyuncs.com/google_containers/pause:3.5",
"native.umask": "secure",
"network-plugin": "cni",
"cni-bin-dir": "/opt/cni/bin",
"cni-conf-dir": "/etc/cni/net.d",
"image-layer-check": false,
"use-decrypted-key": true,
"insecure-skip-verify-enforce": false
}

Start the services.

systemctl restart isulad
systemctl enable isulad
systemctl enable kubelet

Perform the preceding steps on both the master and node.

Initializing the Master

Perform this step only on the master. Run the following command and wait for the host to pull the image. You can also manually pull the image before performing this step.

kubeadm init --kubernetes-version=1.22.2 --apiserver-advertise-
address=192.168.237.133 --cri-socket=/var/run/isulad.sock --image-repository
registry.aliyuncs.com/google_containers --service-cidr=10.10.0.0/16 --pod-
network-cidr=10.122.0.0/16

## Description of initialization parameters ##
kubernetes-version indicates the version to be installed.
apiserver-advertise-address indicates the IP address of the master.
cri-socket specifies the iSulad engine.
image-repository specifies that the image source is Alibaba Cloud. You do not need to modify the tag.
service-cidr specifies the IP address range allocated to the service.
pod-network-cidr specifies the IP address range allocated to the Pod network.

After the initialization is successful, copy the kubeadm join command that is output by kubeadm init for subsequent node joining.

kubeadm join 192.168.237.133:6443 --token j7kufw.yl1gte0v9qgxjzjw --discovery-
token-ca-cert-hash
sha256:73d337f5edd79dd4db997d98d329bd98020b712f8d7833c33a85d8fe44d0a4f5 --cri-
socket=/var/run/isulad.sock

Note: --cri-socket=/var/run/isulad.sock specifies that iSulad is used as the container engine.
View the downloaded image.

isula images

Configure the cluster based on the output of the initialization command.

mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
export KUBECONFIG=/etc/kubernetes/admin.conf
source /etc/profile

Check the health status.

kubectl get cs

The status of controller-manager and scheduler may be unhealthy. To rectify the fault, perform the following steps:
Edit the configuration file.

vi /etc/kubernetes/manifests/kube-controller-manager.yaml

Comment out the following content: --port=0 Modify hostpath: Change all /usr/libexec/kubernetes/kubelet-plugins/volume/exec to /opt/libexec/...

vi /etc/kubernetes/manifests/kube-scheduler.yaml

Comment out the following content: --port=0

After the modification is complete, check the health status again.

Configuring the Network Plugin

Configure the network plugin only on the master. However, you need to pull images on all hosts in advance. The commands for pulling images are as follows:

isula pull calico/node:v3.19.3
isula pull calico/cni:v3.19.3
isula pull calico/kube-controllers:v3.19.3
isula pull calico/pod2daemon-flexvol:v3.19.3

Perform the following steps only on the master.
Obtain the configuration file.

wget https://docs.projectcalico.org/v3.19/manifests/calico.yaml

Edit calico.yaml and change all /usr/libexec/... to /opt/libexec/.... Run the following command to install Calico:

kubectl apply -f calico.yaml

Run the kubectl get pod -n kube-system command to check whether Calico is successfully installed. Run the kubectl get pod -n kube-system command to check whether all Pods are in therunning status.

Joining the Node to the Cluster

Run the following command on the node to join the node to the cluster:

kubeadm join 192.168.237.133:6443 --token j7kufw.yl1gte0v9qgxjzjw --discovery-
token-ca-cert-hash
sha256:73d337f5edd79dd4db997d98d329bd98020b712f8d7833c33a85d8fe44d0a4f5 --cri-
socket=/var/run/isulad.sock

Run the kubectl get node command to check whether the master and node statuses are ready.

If yes, Kubernetes is successfully deployed.

Using rpm-ostree

Installing Software Packages Using rpm-ostree

Install wget.

rpm-ostree install wget

Restart the system. During the startup, use the up and down arrow keys on the keyboard to enter system before or after the RPM package installation. ostree:0 indicates the version after the installation.

systemctl reboot

Check whether wget is successfully installed.

rpm -qa | grep wget

Manually Upgrading NestOS Using rpm-ostree

Run the following command in NestOS to view the current rpm-ostree status and version:

rpm-ostree status

Run the check command to check whether a new version is available.

rpm-ostree upgrade --check

Preview the differences between the versions.

rpm-ostree upgrade --preview

In the latest version, the nano package is imported. Run the following command to download the latest ostree and RPM data without performing the deployment.

rpm-ostree upgrade --download-only

Restart NestOS. After the restart, the old and new versions of the system are available. Enter the latest version.

rpm-ostree upgrade --reboot

Comparing NestOS Versions

Check the status. Ensure that two versions of ostree exist: LTS.20210927.dev.0 and LTS.20210928.dev.0.

rpm-ostree status

Compare the ostree versions based on commit IDs.

rpm-ostree db diff 55eed9bfc5ec fe2408e34148

Rolling Back the System

When a system upgrade is complete, the previous NestOS deployment is still stored on the disk. If the upgrade causes system problems, you can roll back to the previous deployment.

Temporary Rollback

To temporarily roll back to the previous OS deployment, hold down Shift during system startup. When the boot load menu is displayed, select the corresponding branch from the menu.

Permanent Rollback

To permanently roll back to the previous OS deployment, log in to the target node and run the rpm-ostree rollback command. This operation sets the previous OS deployment as the default deployment to boot into. Run the following command to roll back to the system before the upgrade:

rpm-ostree rollback

Switching Versions

NestOS is rolled back to an older version. You can run the following command to switch the rpm-ostree version used by NestOS to a newer version.

rpm-ostree deploy -r 22.03.20220325.dev.0

After the restart, check whether NestOS uses the latest ostree version.

Using Zincati for Automatic Update

Zincati automatically updates NestOS. Zincati uses the Cincinnati backend to check whether a new version is available. If a new version is available, Zincati downloads it using rpm-ostree.

Currently, the Zincati automatic update service is disabled by default. You can modify the configuration file to set the automatic startup upon system startup for Zincati.

vi /etc/zincati/config.d/95-disable-on-dev.toml

Set updates.enabled to true. Create a configuration file to specify the address of the Cincinnati backend.

vi /etc/zincati/config.d/update-cincinnati.toml

Add the following content:

[cincinnati]
base_url="http://nestos.org.cn:8080"

Restart the Zincati service.

systemctl restart zincati.service

When a new version is available, Zincati automatically detects the new version. Check the rpm-ostree status. If the status is busy, the system is being upgraded.

After a period of time, NestOS automatically restarts. Log in to NestOS again and check the rpm-ostree status. If the status changes to idle and the current version is 20220325, rpm-ostree has been upgraded.

View the zincati service logs to check the upgrade process and system restart logs. In addition, the information "auto-updates logic enabled" in the logs indicates that the update is automatic.

Customizing NestOS

You can use the nestos-installer tool to customize the original NestOS ISO file and package the Ignition file to generate a customized NestOS ISO file. The customized NestOS ISO file can be used to automatically install NestOS after the system is started for easy installation.

Before customizing NestOS, make the following preparations:

• Downloading the NestOS ISO.
• Preparing a config.ign File.

Generating a Customized NestOS ISO File

Setting Parameter Variables

export COREOS_ISO_ORIGIN_FILE=nestos-22.03.20220324.x86_64.iso
export COREOS_ISO_CUSTOMIZED_FILE=my-nestos.iso
export IGN_FILE=config.ign

Checking the ISO File

Ensure that the original NestOS ISO file does not contain the Ignition configuration.

$ nestos-installer iso ignition show $COREOS_ISO_ORIGIN_FILE 

Error: No embedded Ignition config.

Generating a Customized NestOS ISO File

Package the Ignition file into the original NestOS ISO file to generate a customized NestOS ISO file.

nestos-installer iso ignition embed $COREOS_ISO_ORIGIN_FILE --ignition-file $IGN_FILE $COREOS_ISO_ORIGIN_FILE --output $COREOS_ISO_CUSTOMIZED_FILE

Checking the ISO File

Ensure that the customized NestOS ISO file contains the Ignition configuration.

nestos-installer iso ignition show $COREOS_ISO_CUSTOMIZED_FILE

The previous command displays the Ignition configuration.

Installing the Customized NestOS ISO File

The customized NestOS ISO file can be used to directly boot the installation. NestOS is automatically installed based on the Ignition configuration. After the installation is complete, you can use nest/password to log in to NestOS on the VM console.