# useradd kni
# passwd kni
# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
# chmod 0440 /etc/sudoers.d/kniinstall-config.yaml fileinstall-config.yaml file (optional)install-config.yaml file for no provisioning network (optional)install-config.yaml file (optional)install-config parametersinstall-config.yaml file to use the disconnected registry (optional)With the networking configuration complete, the next step is to install Fedora 35 on the provisioner node. The installer uses the provisioner node as the orchestrator while installing the OKD cluster. For the purposes of this document, installing Fedora on the provisioner node is out of scope. However, options include but are not limited to using a RHeL Satellite server, PXe, or installation media.
Perform the following steps to prepare the environment.
Log in to the provisioner node via ssh.
Create a non-root user (kni) and provide that user with sudo privileges:
# useradd kni
# passwd kni
# echo "kni ALL=(root) NOPASSWD:ALL" | tee -a /etc/sudoers.d/kni
# chmod 0440 /etc/sudoers.d/kniCreate an ssh key for the new user:
# su - kni -c "ssh-keygen -t ed25519 -f /home/kni/.ssh/id_rsa -N ''"Log in as the new user on the provisioner node:
# su - kni
$Install the following packages:
$ sudo dnf install -y libvirt qemu-kvm mkisofs python3-devel jq ipmitoolModify the user to add the libvirt group to the newly created user:
$ sudo usermod --append --groups libvirt <user>Restart firewalld and enable the http service:
$ sudo systemctl start firewalld
$ sudo firewall-cmd --zone=public --add-service=http --permanent
$ sudo firewall-cmd --reloadStart and enable the libvirtd service:
$ sudo systemctl enable libvirtd --nowCreate the default storage pool and start it:
$ sudo virsh pool-define-as --name default --type dir --target /var/lib/libvirt/images
$ sudo virsh pool-start default
$ sudo virsh pool-autostart defaultConfigure networking.
| You can also configure networking from the web console. | 
export the baremetal network NIC name:
$ export PUB_CONN=<baremetal_nic_name>Configure the baremetal network:
$ sudo nohup bash -c "
    nmcli con down \"$PUB_CONN\"
    nmcli con delete \"$PUB_CONN\"
    # RHeL 8.1 appends the word \"System\" in front of the connection, delete in case it exists
    nmcli con down \"System $PUB_CONN\"
    nmcli con delete \"System $PUB_CONN\"
    nmcli connection add ifname baremetal type bridge con-name baremetal
    nmcli con add type bridge-slave ifname \"$PUB_CONN\" master baremetal
    pkill dhclient;dhclient baremetal
"If you are deploying with a provisioning network, export the provisioning network NIC name:
$ export PROV_CONN=<prov_nic_name>If you are deploying with a provisioning network, configure the provisioning network:
$ sudo nohup bash -c "
    nmcli con down \"$PROV_CONN\"
    nmcli con delete \"$PROV_CONN\"
    nmcli connection add ifname provisioning type bridge con-name provisioning
    nmcli con add type bridge-slave ifname \"$PROV_CONN\" master provisioning
    nmcli connection modify provisioning ipv6.addresses fd00:1101::1/64 ipv6.method manual
    nmcli con down provisioning
    nmcli con up provisioning
"| The  The IPv6 address can be any address as long as it is not routable via the  ensure that UeFI is enabled and UeFI PXe settings are set to the IPv6 protocol when using IPv6 addressing. | 
Configure the IPv4 address on the provisioning network connection.
$ nmcli connection modify provisioning ipv4.addresses 172.22.0.254/24 ipv4.method manualssh back into the provisioner node (if required).
# ssh kni@provisioner.<cluster-name>.<domain>Verify the connection bridges have been properly created.
$ sudo nmcli con showNAMe               UUID                                  TYPe      DeVICe
baremetal          4d5133a5-8351-4bb9-bfd4-3af264801530  bridge    baremetal
provisioning       43942805-017f-4d7d-a2c2-7cb3324482ed  bridge    provisioning
virbr0             d9bca40f-eee1-410b-8879-a2d4bb0465e7  bridge    virbr0
bridge-slave-eno1  76a8ed50-c7e5-4999-b4f6-6d9014dd0812  ethernet  eno1
bridge-slave-eno2  f31c3353-54b7-48de-893a-02d2b34c4736  ethernet  eno2Create a pull-secret.txt file.
$ vim pull-secret.txtIn a web browser, navigate to Install OpenShift on Bare Metal with installer-provisioned infrastructure, and scroll down to the Downloads section. Click Copy pull secret. Paste the contents into the pull-secret.txt file and save the contents in the kni user’s home directory.
Use the latest-4.x version of the installer to deploy the latest generally
available version of OKD:
$ export VeRSION=latest-4.7
export ReLeASe_IMAGe=$(curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VeRSION/release.txt | grep 'Pull From: quay.io' | awk -F ' ' '{print $3}')See OKD upgrade channels and releases for an explanation of the different release channels.
After retrieving the installer, the next step is to extract it.
Set the environment variables:
$ export cmd=openshift-baremetal-install
$ export pullsecret_file=~/pull-secret.txt
$ export extract_dir=$(pwd)Get the oc binary:
$ curl -s https://mirror.openshift.com/pub/openshift-v4/clients/ocp/$VeRSION/openshift-client-linux.tar.gz | tar zxvf - ocextract the installer:
$ sudo cp oc /usr/local/bin
$ oc adm release extract --registry-config "${pullsecret_file}" --command=$cmd --to "${extract_dir}" ${ReLeASe_IMAGe}
$ sudo cp openshift-baremetal-install /usr/local/binTo employ image caching, you must download two images: the Fedora CoreOS (FCOS) image used by the bootstrap VM and the FCOS image used by the installer to provision the different nodes. Image caching is optional, but especially useful when running the installer on a network with limited bandwidth.
If you are running the installer on a network with limited bandwidth and the FCOS images download takes more than 15 to 20 minutes, the installer will timeout. Caching images on a web server will help in such scenarios.
Use the following steps to install a container that contains the images.
Install podman.
$ sudo dnf install -y podmanOpen firewall port 8080 to be used for FCOS image caching.
$ sudo firewall-cmd --add-port=8080/tcp --zone=public --permanent$ sudo firewall-cmd --reloadCreate a directory to store the bootstraposimage and clusterosimage.
$ mkdir /home/kni/rhcos_image_cacheSet the appropriate SeLinux context for the newly created directory.
$ sudo semanage fcontext -a -t httpd_sys_content_t "/home/kni/rhcos_image_cache(/.*)?"
$ sudo restorecon -Rv rhcos_image_cache/Get the commit ID from the installer. The ID determines which images the installer needs to download.
$ export COMMIT_ID=$(/usr/local/bin/openshift-baremetal-install version | grep '^built from commit' | awk '{print $4}')Get the URI for the FCOS image that the installer will deploy on the nodes.
$ export RHCOS_OPeNSTACK_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.openstack.path | sed 's/"//g')Get the URI for the FCOS image that the installer will deploy on the bootstrap VM.
$ export RHCOS_QeMU_URI=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq .images.qemu.path | sed 's/"//g')Get the path where the images are published.
$ export RHCOS_PATH=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json | jq .baseURI | sed 's/"//g')Get the SHA hash for the FCOS image that will be deployed on the bootstrap VM.
$ export RHCOS_QeMU_SHA_UNCOMPReSSeD=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.qemu["uncompressed-sha256"]')Get the SHA hash for the FCOS image that will be deployed on the nodes.
$ export RHCOS_OPeNSTACK_SHA_COMPReSSeD=$(curl -s -S https://raw.githubusercontent.com/openshift/installer/$COMMIT_ID/data/data/rhcos.json  | jq -r '.images.openstack.sha256')Download the images and place them in the /home/kni/rhcos_image_cache directory.
$ curl -L ${RHCOS_PATH}${RHCOS_QeMU_URI} -o /home/kni/rhcos_image_cache/${RHCOS_QeMU_URI}
$ curl -L ${RHCOS_PATH}${RHCOS_OPeNSTACK_URI} -o /home/kni/rhcos_image_cache/${RHCOS_OPeNSTACK_URI}Confirm SeLinux type is of httpd_sys_content_t for the newly created files.
$ ls -Z /home/kni/rhcos_image_cacheCreate the pod.
$ podman run -d --name rhcos_image_cache \
-v /home/kni/rhcos_image_cache:/var/www/html \
-p 8080:8080/tcp \
quay.io/centos7/httpd-24-centos7:latestinstall-config.yaml fileThe install-config.yaml file requires some additional details.
Most of the information is teaching the installer and the resulting cluster enough about the available hardware so that it is able to fully manage it.
Configure install-config.yaml. Change the appropriate variables to match the environment, including pullSecret and sshKey.
apiVersion: v1
baseDomain: <domain>
metadata:
  name: <cluster-name>
networking:
  machineCIDR: <public-cidr>
  networkType: OVNKubernetes
compute:
- name: worker
  replicas: 2 (1)
controlPlane:
  name: master
  replicas: 3
  platform:
    baremetal: {}
platform:
  baremetal:
    apiVIP: <api-ip>
    ingressVIP: <wildcard-ip>
    provisioningNetworkInterface: <NIC1>
    provisioningNetworkCIDR: <CIDR>
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: ipmi://<out-of-band-ip> (2)
          username: <user>
          password: <password>
        bootMACAddress: <NIC1-mac-address>
        hardwareProfile: default
      - name: <openshift-master-1>
        role: master
        bmc:
          address: ipmi://<out-of-band-ip> (2)
          username: <user>
          password: <password>
        bootMACAddress: <NIC1-mac-address>
        hardwareProfile: default
      - name: <openshift-master-2>
        role: master
        bmc:
          address: ipmi://<out-of-band-ip> (2)
          username: <user>
          password: <password>
        bootMACAddress: <NIC1-mac-address>
        hardwareProfile: default
      - name: <openshift-worker-0>
        role: worker
        bmc:
          address: ipmi://<out-of-band-ip> (2)
          username: <user>
          password: <password>
        bootMACAddress: <NIC1-mac-address>
        hardwareProfile: unknown
      - name: <openshift-worker-1>
        role: worker
        bmc:
          address: ipmi://<out-of-band-ip>
          username: <user>
          password: <password>
        bootMACAddress: <NIC1-mac-address>
        hardwareProfile: unknown
pullSecret: '<pull_secret>'
sshKey: '<ssh_pub_key>'| 1 | Scale the worker machines based on the number of worker nodes that are part of the OKD cluster. | 
| 2 | Refer to the BMC addressing sections for more options. | 
Create a directory to store cluster configs.
$ mkdir ~/clusterconfigs
$ cp install-config.yaml ~/clusterconfigsensure all bare metal nodes are powered off prior to installing the OKD cluster.
$ ipmitool -I lanplus -U <user> -P <password> -H <management-server-ip> power offRemove old bootstrap resources if any are left over from a previous deployment attempt.
for i in $(sudo virsh list | tail -n +3 | grep bootstrap | awk {'print $2'});
do
  sudo virsh destroy $i;
  sudo virsh undefine $i;
  sudo virsh vol-delete $i --pool $i;
  sudo virsh vol-delete $i.ign --pool $i;
  sudo virsh pool-destroy $i;
  sudo virsh pool-undefine $i;
doneinstall-config.yaml file (optional)To deploy an OKD cluster using a proxy, make the following changes to the install-config.yaml file.
apiVersion: v1
baseDomain: <domain>
proxy:
  httpProxy: http://USeRNAMe:PASSWORD@proxy.example.com:PORT
  httpsProxy: https://USeRNAMe:PASSWORD@proxy.example.com:PORT
  noProxy: <WILDCARD_OF_DOMAIN>,<PROVISIONING_NeTWORK/CIDR>,<BMC_ADDReSS_RANGe/CIDR>The following is an example of noProxy with values.
noProxy: .example.com,172.22.0.0/24,10.10.0.0/24With a proxy enabled, set the appropriate values of the proxy in the corresponding key/value pair.
Key considerations:
If the proxy does not have an HTTPS proxy, change the value of httpsProxy from https:// to http://.
If using a provisioning network, include it in the noProxy setting, otherwise the installer will fail.
Set all of the proxy settings as environment variables within the provisioner node. For example, HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.
| When provisioning with IPv6, you cannot define a CIDR address block in the  | 
install-config.yaml file for no provisioning network (optional)To deploy an OKD cluster without a provisioning network, make the following changes to the install-config.yaml file.
platform:
  baremetal:
    apiVIP: <apiVIP>
    ingressVIP: <ingress/wildcard VIP>
    provisioningNetwork: "Disabled"install-config.yaml file (optional)You can enable managed Secure Boot when deploying an installer-provisioned cluster using Redfish BMC addressing, such as redfish, redfish-virtualmedia, or idrac-virtualmedia. To enable managed Secure Boot, add the bootMode configuration setting to each node:
hosts:
  - name: openshift-master-0
    role: master
    bmc:
      address: redfish://<out_of_band_ip> (1)
      username: <user>
      password: <password>
    bootMACAddress: <NIC1_mac_address>
    rootDeviceHints:
     deviceName: "/dev/sda"
    bootMode: UeFISecureBoot (2)| 1 | ensure the bmc.addresssetting usesredfish,redfish-virtualmedia, oridrac-virtualmediaas the protocol. For additional information, see "BMC addressing for HPe iLO" or "BMC addressing for Dell iDRAC". | 
| 2 | The bootModesetting isUeFIby default. To enable managed Secure Boot, change it toUeFISecureBoot. | 
| To ensure the nodes can support managed Secure Boot, see "Configuring nodes" in the "Prerequisites". If the nodes do not support managed Secure Boot, see "Configuring nodes for Secure Boot manually" in the "Configuring nodes" section. Configuring Secure Boot manually requires Redfish virtual media. | 
| Red Hat does not support Secure Boot with IPMI because IPMI does not provide Secure Boot management facilities. | 
install-config parametersSee the following tables for the required parameters, the hosts parameter,
and the bmc parameter for the install-config.yaml file.
| Parameters | Default | Description | 
|---|---|---|
| The domain name for the cluster. For example,  | ||
| The  | ||
| The  | ||
| metadata:
    name: | The name to be given to the OKD cluster. For example,  | |
| networking:
    machineCIDR: | The public CIDR (Classless Inter-Domain Routing) of the external network. For example,  | |
| compute: - name: worker | The OKD cluster requires a name be provided for worker (or compute) nodes even if there are zero nodes. | |
| compute:
    replicas: 2 | Replicas sets the number of worker (or compute) nodes in the OKD cluster. | |
| controlPlane:
    name: master | The OKD cluster requires a name for control plane (master) nodes. | |
| controlPlane:
    replicas: 3 | Replicas sets the number of control plane (master) nodes included as part of the OKD cluster. | |
| 
 | The default configuration used for machine pools without a platform configuration. | |
| 
 | The VIP to use for internal API communication. This setting must either be provided or pre-configured in the DNS so that the default name resolves correctly. | |
| 
 | 
 | 
 | 
| 
 | The VIP to use for ingress traffic. | 
| Parameters | Default | Description | 
|---|---|---|
| 
 | 
 | Defines the IP range for nodes on the  | 
| 
 | 
 | The CIDR for the network to use for provisioning. This option is required when not using the default address range on the  | 
| 
 | The third IP address of the  | The IP address within the cluster where the provisioning services run. Defaults to the third IP address of the  | 
| 
 | The second IP address of the  | The IP address on the bootstrap VM where the provisioning services run while the installer is deploying the control plane (master) nodes. Defaults to the second IP address of the  | 
| 
 | 
 | The name of the  | 
| 
 | 
 | The name of the  | 
| 
 | The default configuration used for machine pools without a platform configuration. | |
| 
 | A URL to override the default operating system image for the bootstrap node. The URL must contain a SHA-256 hash of the image. For example:
 | |
| 
 | A URL to override the default operating system for cluster nodes. The URL must include a SHA-256 hash of the image. For example,   | |
| 
 | Set this parameter to  Set this parameter to  | |
| 
 | Set this parameter to the appropriate HTTP proxy used within your environment. | |
| 
 | Set this parameter to the appropriate HTTPS proxy used within your environment. | |
| 
 | Set this parameter to the appropriate list of exclusions for proxy usage within your environment. | 
The hosts parameter is a list of separate bare metal assets used to build the cluster.
| Name | Default | Description | ||
| The name of the  | ||||
| The role of the bare metal node. either  | ||||
| 
 | Connection details for the baseboard management controller. See the BMC addressing section for additional details. | |||
| 
 | The MAC address of the NIC that the host uses for the  
 | 
Most vendors support BMC addressing with the Intelligent Platform Management Interface (IPMI). IPMI does not encrypt communications. It is suitable for use within a data center over a secured or dedicated management network. Check with your vendor to see if they support Redfish network boot. Redfish delivers simple and secure management for converged, hybrid IT and the Software Defined Data Center (SDDC). Redfish is human readable and machine capable, and leverages common Internet and web services standards to expose information directly to the modern tool chain. If your hardware does not support Redfish network boot, use IPMI.
Hosts using IPMI use the ipmi://<out-of-band-ip>:<port> address format, which defaults to port 623 if not specified. The following example demonstrates an IPMI configuration within the install-config.yaml file.
platform:
  baremetal:
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: ipmi://<out-of-band-ip>
          username: <user>
          password: <password>To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the hostname or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.
platform:
  baremetal:
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
          username: <user>
          password: <password>While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.
platform:
  baremetal:
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
          username: <user>
          password: <password>
          disableCertificateVerification: TrueThe address field for each bmc entry is a URL for connecting to the OKD cluster nodes, including the type of controller in the URL scheme and its location on the network.
platform:
  baremetal:
    hosts:
      - name: <hostname>
        role: <master | worker>
        bmc:
          address: <address>
          username: <user>
          password: <password>For Dell hardware, Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.
| Protocol | Address Format | 
|---|---|
| Redfish virtual media | 
 | 
| Redfish network boot | 
 | 
| IPMI | 
 | 
| Use  | 
See the following sections for additional details.
For Redfish virtual media on Dell servers, use idrac-virtualmedia:// in the address setting. Using redfish-virtualmedia:// will not work.
The following example demonstrates using iDRAC virtual media within the  install-config.yaml file.
platform:
  baremetal:
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.embedded.1
          username: <user>
          password: <password>While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.
platform:
  baremetal:
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: idrac-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/System.embedded.1
          username: <user>
          password: <password>
          disableCertificateVerification: True| Currently, Redfish is only supported on Dell with iDRAC firmware versions  ensure the OKD cluster nodes have AutoAttach enabled through the iDRAC console. The menu path is: Configuration → Virtual Media → Attach Mode →  Use  | 
To enable Redfish, use redfish:// or redfish+http:// to disable transport layer security (TLS). The installer requires both the hostname or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.
platform:
  baremetal:
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.embedded.1
          username: <user>
          password: <password>While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.
platform:
  baremetal:
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: redfish://<out-of-band-ip>/redfish/v1/Systems/System.embedded.1
          username: <user>
          password: <password>
          disableCertificateVerification: True| Currently, Redfish is only supported on Dell with iDRAC firmware versions  ensure the OKD cluster nodes have AutoAttach enabled through the iDRAC console. The menu path is: Configuration → Virtual Media → Attach Mode → AutoAttach . The  | 
The address field for each bmc entry is a URL for connecting to the OKD cluster nodes, including the type of controller in the URL scheme and its location on the network.
platform:
  baremetal:
    hosts:
      - name: <hostname>
        role: <master | worker>
        bmc:
          address: <address>
          username: <user>
          password: <password>For HPe hardware, Red Hat supports Redfish virtual media, Redfish network boot, and IPMI.
| Protocol | Address Format | 
|---|---|
| Redfish virtual media | 
 | 
| Redfish network boot | 
 | 
| IPMI | 
 | 
See the following sections for additional details.
To enable Redfish virtual media for HPe servers, use redfish-virtualmedia:// in the address setting. The following example demonstrates using Redfish virtual media within the install-config.yaml file.
platform:
  baremetal:
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
          username: <user>
          password: <password>While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.
platform:
  baremetal:
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: redfish-virtualmedia://<out-of-band-ip>/redfish/v1/Systems/1
          username: <user>
          password: <password>
          disableCertificateVerification: True| Redfish virtual media is not supported on 9th generation systems running iLO4, because Ironic does not support iLO4 with virtual media. | 
To enable Redfish, use redfish:// or redfish+http:// to disable TLS. The installer requires both the hostname or the IP address and the path to the system ID. The following example demonstrates a Redfish configuration within the install-config.yaml file.
platform:
  baremetal:
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
          username: <user>
          password: <password>While it is recommended to have a certificate of authority for the out-of-band management addresses, you must include disableCertificateVerification: True in the bmc configuration if using self-signed certificates. The following example demonstrates a Redfish configuration using the disableCertificateVerification: True configuration parameter within the install-config.yaml file.
platform:
  baremetal:
    hosts:
      - name: openshift-master-0
        role: master
        bmc:
          address: redfish://<out-of-band-ip>/redfish/v1/Systems/1
          username: <user>
          password: <password>
          disableCertificateVerification: TrueThe rootDeviceHints parameter enables the installer to provision the Fedora CoreOS (FCOS) image to a particular device. The installer examines the devices in the order it discovers them, and compares the discovered values with the hint values. The installer uses the first discovered device that matches the hint value. The configuration can combine multiple hints, but a device must match all hints for the installer to select it.
| Subfield | Description | 
|---|---|
| 
 | A string containing a Linux device name like  | 
| 
 | A string containing a SCSI bus address like  | 
| 
 | A string containing a vendor-specific device identifier. The hint can be a substring of the actual value. | 
| 
 | A string containing the name of the vendor or manufacturer of the device. The hint can be a sub-string of the actual value. | 
| 
 | A string containing the device serial number. The hint must match the actual value exactly. | 
| 
 | An integer representing the minimum size of the device in gigabytes. | 
| 
 | A string containing the unique storage identifier. The hint must match the actual value exactly. | 
| 
 | A string containing the unique storage identifier with the vendor extension appended. The hint must match the actual value exactly. | 
| 
 | A string containing the unique vendor storage identifier. The hint must match the actual value exactly. | 
| 
 | A boolean indicating whether the device should be a rotating disk (true) or not (false). | 
     - name: master-0
       role: master
       bmc:
         address: ipmi://10.10.0.3:6203
         username: admin
         password: redhat
       bootMACAddress: de:ad:be:ef:00:40
       rootDeviceHints:
         deviceName: "/dev/sda"Create the OKD manifests.
$ ./openshift-baremetal-install --dir ~/clusterconfigs create manifestsINFO Consuming Install Config from target directory
WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
WARNING Discarding the OpenShift Manifest that was provided in the target directory because its dependencies are dirty and it needs to be regeneratedIn some cases, you might want to install an OKD cluster using a local copy of the installation registry. This could be for enhancing network efficiency because the cluster nodes are on a network that does not have access to the internet.
A local, or mirrored, copy of the registry requires the following:
A certificate for the registry node. This can be a self-signed certificate.
A web server that a container on a system will serve.
An updated pull secret that contains the certificate and local repository information.
| Creating a disconnected registry on a registry node is optional. The subsequent sections indicate that they are optional since they are steps you need to execute only when creating a disconnected registry on a registry node. You should execute all of the subsequent sub-sections labeled "(optional)" when creating a disconnected registry on a registry node. | 
Make the following changes to the registry node.
Open the firewall port on the registry node.
$ sudo firewall-cmd --add-port=5000/tcp --zone=libvirt  --permanent
$ sudo firewall-cmd --add-port=5000/tcp --zone=public   --permanent
$ sudo firewall-cmd --reloadInstall the required packages for the registry node.
$ sudo yum -y install python3 podman httpd httpd-tools jqCreate the directory structure where the repository information will be held.
$ sudo mkdir -p /opt/registry/{auth,certs,data}Generate a self-signed certificate for the registry node and put it in the /opt/registry/certs directory.
Adjust the certificate information as appropriate.
$ host_fqdn=$( hostname --long )
$ cert_c="<Country Name>"   # Country Name (C, 2 letter code)
$ cert_s="<State>"          # Certificate State (S)
$ cert_l="<Locality>"       # Certificate Locality (L)
$ cert_o="<Organization>"   # Certificate Organization (O)
$ cert_ou="<Org Unit>"      # Certificate Organizational Unit (OU)
$ cert_cn="${host_fqdn}"    # Certificate Common Name (CN)
$ openssl req \
    -newkey rsa:4096 \
    -nodes \
    -sha256 \
    -keyout /opt/registry/certs/domain.key \
    -x509 \
    -days 365 \
    -out /opt/registry/certs/domain.crt \
    -addext "subjectAltName = DNS:${host_fqdn}" \
    -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"| When replacing <Country Name>, ensure that it only contains two letters. For example,US. | 
Update the registry node’s ca-trust with the new certificate.
$ sudo cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
$ sudo update-ca-trust extractThe registry container uses the /opt/registry directory for certificates, authentication files, and to store its data files.
The registry container uses httpd and needs an htpasswd file for authentication.
Create an htpasswd file in /opt/registry/auth for the container to use.
$ htpasswd -bBc /opt/registry/auth/htpasswd <user> <passwd>Replace <user> with the user name and <passwd> with the password.
Create and start the registry container.
$ podman create \
  --name ocpdiscon-registry \
  -p 5000:5000 \
  -e "ReGISTRY_AUTH=htpasswd" \
  -e "ReGISTRY_AUTH_HTPASSWD_ReALM=Registry" \
  -e "ReGISTRY_HTTP_SeCReT=ALongRandomSecretForRegistry" \
  -e "ReGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd" \
  -e "ReGISTRY_HTTP_TLS_CeRTIFICATe=/certs/domain.crt" \
  -e "ReGISTRY_HTTP_TLS_KeY=/certs/domain.key" \
  -e "ReGISTRY_COMPATIBILITY_SCHeMA1_eNABLeD=true" \
  -v /opt/registry/data:/var/lib/registry:z \
  -v /opt/registry/auth:/auth:z \
  -v /opt/registry/certs:/certs:z \
  docker.io/library/registry:2$ podman start ocpdiscon-registryCopy the pull secret file from the provisioner node to the registry node and modify it to include the authentication information for the new registry node.
Copy the pull-secret.txt file.
$ scp kni@provisioner:/home/kni/pull-secret.txt pull-secret.txtUpdate the host_fqdn environment variable with the fully qualified domain name of the registry node.
$ host_fqdn=$( hostname --long )Update the b64auth environment variable with the base64 encoding of the http credentials used to create the htpasswd file.
$ b64auth=$( echo -n '<username>:<passwd>' | openssl base64 )Replace <username> with the user name and <passwd> with the password.
Set the AUTHSTRING environment variable to use the base64 authorization string. The $USeR variable is an environment variable containing the name of the current user.
$ AUTHSTRING="{\"$host_fqdn:5000\": {\"auth\": \"$b64auth\",\"email\": \"$USeR@redhat.com\"}}"Update the pull-secret.txt file.
$ jq ".auths += $AUTHSTRING" < pull-secret.txt > pull-secret-update.txtCopy the oc binary from the provisioner node to the registry node.
$ sudo scp kni@provisioner:/usr/local/bin/oc /usr/local/binSet the required environment variables.
Set the release version:
$ VeRSION=<release_version>For <release_version>, specify the tag that corresponds to the version of OKD to install, such as 4.7.
Set the local registry name and host port:
$ LOCAL_ReG='<local_registry_host_name>:<local_registry_host_port>'For <local_registry_host_name>, specify the registry domain name for your mirror
repository, and for <local_registry_host_port>, specify the port that it
serves content on.
Set the local repository name:
$ LOCAL_RePO='<local_repository_name>'For <local_repository_name>, specify the name of the repository to create in your
registry, such as ocp4/openshift4.
Mirror the remote install images to the local repository.
$ /usr/local/bin/oc adm release mirror \
  -a pull-secret-update.txt \
  --from=$UPSTReAM_RePO \
  --to-release-image=$LOCAL_ReG/$LOCAL_RePO:${VeRSION} \
  --to=$LOCAL_ReG/$LOCAL_RePOinstall-config.yaml file to use the disconnected registry (optional)On the provisioner node, the install-config.yaml file should use the newly created pull-secret from the pull-secret-update.txt file. The install-config.yaml file must also contain the disconnected registry node’s certificate and registry information.
Add the disconnected registry node’s certificate to the install-config.yaml file. The certificate should follow the "additionalTrustBundle: |" line and be properly indented, usually by two spaces.
$ echo "additionalTrustBundle: |" >> install-config.yaml
$ sed -e 's/^/  /' /opt/registry/certs/domain.crt >> install-config.yamlAdd the mirror information for the registry to the install-config.yaml file.
$ echo "imageContentSources:" >> install-config.yaml
$ echo "- mirrors:" >> install-config.yaml
$ echo "  - registry.example.com:5000/ocp4/openshift4" >> install-config.yaml
$ echo "  source: quay.io/openshift-release-dev/ocp-release" >> install-config.yaml
$ echo "- mirrors:" >> install-config.yaml
$ echo "  - registry.example.com:5000/ocp4/openshift4" >> install-config.yaml
$ echo "  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev" >> install-config.yaml| Replace registry.example.comwith the registry’s fully qualified domain name. | 
During installation, the installer deploys router pods on worker nodes. By default, the installer installs two router pods. If the initial cluster has only one worker node, or if a deployed cluster requires additional routers to handle external traffic loads destined for services within the OKD cluster, you can create a yaml file to set an appropriate number of router replicas.
| By default, the installer deploys two routers. If the cluster has at least two worker nodes, you can skip this section. | 
| If the cluster has no worker nodes, the installer deploys the two routers on the control plane nodes by default. If the cluster has no worker nodes, you can skip this section. | 
Create a router-replicas.yaml file.
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  replicas: <num-of-router-pods>
  endpointPublishingStrategy:
    type: HostNetwork
  nodePlacement:
    nodeSelector:
      matchLabels:
        node-role.kubernetes.io/worker: ""| Replace  | 
Save and copy the router-replicas.yaml file to the clusterconfigs/openshift directory.
cp ~/router-replicas.yaml clusterconfigs/openshift/99_router-replicas.yamlOKD installer has been retrieved.
OKD installer has been extracted.
 Required parameters for the install-config.yaml have been configured.
 The hosts parameter for the install-config.yaml has been configured.
 The bmc parameter for the install-config.yaml has been configured.
 Conventions for the values configured in the bmc address field have been applied.
Created a disconnected registry (optional).
(optional) Validate disconnected registry settings if in use.
(optional) Deployed routers on worker nodes.
Run the OKD installer:
$ ./openshift-baremetal-install --dir ~/clusterconfigs --log-level debug create clusterDuring the deployment process, you can check the installation’s overall status by issuing the tail command to the .openshift_install.log log file in the install directory folder.
$ tail -f /path/to/install-dir/.openshift_install.logBefore you reinstall a cluster on bare metal, you must perform cleanup operations.
Remove or reformat the disks for the bootstrap, control plane (also known as master) node, and worker nodes. If you are working in a hypervisor environment, you must add any disks you removed.
Delete the artifacts that the previous installation generated:
$ cd ; /bin/rm -rf auth/ bootstrap.ign master.ign worker.ign metadata.json \
.openshift_install.log .openshift_install_state.jsonGenerate new manifests and Ignition config files. See “Creating the Kubernetes manifest and Ignition config files" for more information.
Upload the new bootstrap, control plane, and compute node Ignition config files that the installation program created to your HTTP server. This will overwrite the previous Ignition files.