►
Description
Deploying OKD4 on Libvirt on Bare metal UPI
Charro Gruver (Red Hat)
OKD Live Deployment Marathon
August 17, 2020
Day Zero Kubecon EU Virtual
A
B
A
D
D
D
On
well,
like
diane,
has
said
a
couple
of
times.
These
are
live
demos,
so
we're
fully
expecting
a
a
bill
gates
moment.
It
might
not
be
a
blue
screen,
but
we
might
see
a
stat
trace
of
death
and
all
kinds
of
other
interruptions,
but
I'm
char
groover.
I,
like
I
said
I
I've
been
with
red
hat
for
for
one
week,
but
I've
been
a
consumer
of
red
hat
products
both
upstream
and
subscription,
based
for
most
of
my
20-year
career
in
I.t.
D
This
is
a
user
provision
infrastructure
deployment,
so
the
installer
is
not
going
to
be
provisioning.
The
machines
for
us
these
machines
are
already
provisioned.
If
you
see
in
this
terminal
right
here
I've,
given
you
sort
of
a
verse
list,
view
of
the
machines
that
are
currently
provisioned,
you
can
see,
we've
got
a
bootstrap
node
that
is
not
running.
D
Now,
I'm
using
virtualbmc,
which
is
a
tool
that
comes
out
of
the
openstack
world,
to
simulate
the
ipmi
management
of
these
virtual
bare
metal
machines,
and
these
machines
are
going
to
boot
into
ipixi
and
using
the
mac
address
of
the
machine
as
it
boots.
It's
going
to
pull
the
appropriate
ipixie
boot
configuration
file
that
sets
its
kernel
parameters,
sets
the
fedora
co
core
os,
install
url
and
the
ignition
file
that
it's
going
to
use
to
to
start
from
I'm
using
fixed
ips
for
this
particular
lab
setup.
D
D
D
This
will
take
a
little
bit
with
the
scrolling
logs.
It's
pulling
like,
I
said
it's
pulling
down
the
image
one
other
thing
I'll
point
out,
while
we're
waiting
for
the
bootstrap
node
to
to
complete
its
install.
Is
that
we're
also
doing
a
mirrored
install
today,
which
hopefully
makes
this
go
a
little
bit
faster
than
pulling
all
of
the
images
across
the
wire.
D
D
And
so
the
install
is
actually
going
to
pull
its
images
from
the
sonotype
nexus
right
now
I've
got
quay.io
in
a
dns
sinkhole
so
that
it
can't
it
can't
resolve
and
because
it
can't
resolve
it's
going
to
assume
it's
an
air
gap,
installation
and
it
will
pull
from
the
the
configured
mirror
image
all
right.
Fedora
core
os
is
booting.
Now
it's
going
to
overlay
the
rpm
os
tree
and
when
it
finishes
it
will
boot
one
more
time
and
it
will
start
the.
B
B
D
D
D
Process
and
if
you,
if
you
do
this
at
home-
and
you
monitor
the
logs
like
this,
don't
be
alarmed
by
these
failed-
failed,
failed
entries
that
you
see
coming
out
in
the
logs
this.
This
is
the
bootstrap
process
waiting
for
its
resources
to
go
live,
and
so
it
will
continue
to
loop
until
the
various
resources
come
up
and
you
can
see
the
api
just
came
up
so
so
our
api
is
now
live
and
we're
waiting
for
the
bootstrap
process
to
complete.
D
D
A
D
Yes,
yes,
there's
a
there's,
a
new
branch
called
ipixi
that
when
we're
done
today,
I've
got
a
little
more
cleanup
on
the
documentation
to
do,
but
I'm
going
to
merge
that
branch
into
master
the
the
old
tutorial
that
was
the
centos
7
based
one
I've
branched
master
to
a
centos,
7
branch.
So
anybody
that's
still
running
centos
7
would
want
to
use
the
centos
7
branch.
D
D
A
A
A
I'm
going
to
do
another
pitch
for
people
to
join
the
okd
working
group.
While
we
are
waiting
here
because
that's
what
I'm
charged
with
is
getting
more
folks
in
so
if
you're
liking,
what
you're
seeing
here
or
if
there's
features
missing
or
other
platforms
that
we
should
be
demoing
to
or
testing
on,
or
that
you're
using
okd
on
or
wishing
to
do
so.
A
Please
join
the
okd
working
group.
The
mailing
list
is
here:
I
just
put
it
in
the
chat
and
it
is
in
open
google
group
and
we
have
a
lot
of
meetings
every,
but
we
meet
bi-weekly
and
we
have
a
meeting
tomorrow
and
I'll,
throw
the
fedora
for
os
and
a
chef
thanks
for
joining
us,
and
we
will
do
the
azure
one
that
you
requested
earlier.
That
is
our
second
to
last
demo.
I
think
today
is
azure,
deploy
the
fedora
calendar
link
here.
D
D
D
Sure,
well,
actually
it
wasn't.
It
turned
out
not
to
be
much
work
at
all
and
in
fact,
if,
if
we
end
up
with
enough
time,
I
can
I
can
deploy
a
hyper-converged
ceph
instance
into
this
cluster
to
give
us
a
storage
provisioner,
because
that's
really,
I
think
I
think
the
folks
that
might
have
struggled
with
getting
eclipse
che
up
and
running
is
that
it
does
need
persistent
volumes
both
for
postgres.
D
D
D
D
C
D
D
So
here
I'll
I'll
walk
you
through
a
few
of
the
things
that
that
were
prepared
ahead
of
time.
I
I
said
a
lot
of
words
to
describe
it.
One
of
the
especially
the
the
way
I'm
I'm
doing
this
with
with
fixed
ip
addresses.
One
of
the
things
that
you
have
to
provision
are
dns
records.
A
few
key
dns
records.
D
You
can
see.
I've
got
in
here
the
provisioning
for
several
different
clusters
that
I
run.
But
this
is
this
is
the
one
that
we're
presently
looking
at
right
here.
So
each
of
the
master
nodes
worker
nodes
and
the
etcd
nodes
requires
an
a
record,
the
the
master
and
the
etsyd
obviously
are
sharing
the
same
node.
D
So
so
they're
going
to
have
a
records
with
the
with
the
same
ip
address.
You
also
need
three
server
records
for
the
etsy
b
and
then
you
need
a
pointer
record
for
reverse
lookup
for
each
of
the
of
the
physical
nodes.
So
your
masters
and
your
worker
nodes
you'll
need
pointer
records
for
those,
but
the
as
you
can
see,
the
dns
setup
is
not
onerous,
but
it
is.
D
D
B
D
D
So
how
did
you
come
up
with
this
setup,
for
I
mean
you're
doing
the
bare
metal
right,
so
yeah
how'd
you?
How
did
you
come
up
with
it?
Oh
gosh,
because,
like
I,
I
remember
that
that
bare
metal
is
like
the
least
fleshed
out
deployment
method
of
them
all.
So
the
fact
that
you
came
up
with
something
is
impressive.
All
on
its
own,
so
that's
worth
the
story,
I'm
sure
yeah.
D
And
then
I
stumbled
across
this
thing
called
nested
virtualization
with
libert
and
well
I
don't
do
openstack.
I
had
a
curiosity
about
it
and
that's
how
I
came
across
virtual
bmc
and
and
so
decided
to
basically
bump
it
up
a
level
and
used
lib
virtual
machines
with
virtual
bmc
to
simulate
bare
metal,
and
then
it
was
just
sort
of.
D
I
want
to
make
this
work,
so
I
powered
through
making
it
work
to
get
bare
metal
install
of
okd
up
and
running,
submitted
a
few
tickets
to
the
fedora
core
os
team
that
they
were
very,
very,
very
gracious
to
help
out
somebody
that
didn't
know
what
they
were
doing.
I
I
had
never,
you
know
touched
four
os
before
so
so
that
was
quite
a
bit
of
a
learning
experience
and
thanks.
D
From
from
that
point,
the
the
latest
iteration
of
it
now
uses
the
the
fcct
tool
to
inject
some
customization
into
the
machines.
Actually,
while
we're,
while
we're
still
waiting
for
that.
Oh
there,
hey,
quick
here,
here's
the
reset
I
was
talking
about,
see
how
we
went
back
to
zero
percent.
Complete,
don't
panic!
D
D
Actually,
it
looks
like
it
resets
after
it
downloads
an
update,
so
it
probably
loses
all
of
its
state
when
it
does
that
yeah
that
that
that's
my
suspicion,
because
it
does
go
through
several
iterations
of
updating
some
operators
yeah.
So
it's
just
probably
losing
its
state
every
time
that
happens,
which
is
unfortunate
and
I'm
not
sure
that
makes
sense,
but
the
best
I
got
it
still
works.
D
D
D
D
I
want
it.
I
want
it
to
be
more
than
predictable.
I
want
it
to
be
predictable
and
known,
and
so
I'm
using
the
mac
address
of
the
machine
to
explicitly
name
that
network
interconnect
device
as
nik
0.,
and
that
way
I
always
know
what
it's
going
to
be
and
where
it's
going
to
be,
and
then
I
inject
into
that.
It's
specific
configuration,
so
I'm
setting
you
know
it's.
It's
name
server.
It's
domain,
it's
ip
address
with
the
netmask
and
a
gateway,
then
I'm
also
injecting
its
host
name
so
that
it
persists
its
host
name.
D
D
D
D
D
And
then
it's
going
to
go
through
the
same
process,
except
that
it
will
retrieve
its
ignition
file
once
it
once
it
processes
the
initial
ignition
overlays
the
the
os
tree
and
starts
its
process
to
join
the
cluster.
It's
going
to
get
its
ign
its
ignition
file
from
the
cluster
that
will
give
it
the
personality
of
a
worker
node.
D
B
D
It's
okay,
self-signed
certs
are
fine
all
right
now.
It
creates
a
temporary
cluster
administrator
for
you
and
that
it
dumps
that
password
at
the
end
of
the
install
process
that
you
can
use
to
gain
access
to
your
cluster
and
there
we
are
now
there
will
still
be
some
operator
updating
things
going
on
and
your
control
plane
will
still
be
settling
out.
D
If
you
will
indulge
me
for
a
few
minutes,
we'll
go
ahead
and
finish
adding
the
worker
nodes
and
then
we'll
do
a
couple
of
housekeeping
things
on
our
cluster.
So
you
see,
we've
got
some
pending
certificate.
Signing
requests.
That
is
also
an
artifact
of
the
way
we're
doing
this
user
provision.
Infrastructure
install
is
that
it's
not
automatically
going
to
approve
those
search
because
it
doesn't
necessarily
trust
anybody
that
wants
to
join
the
cluster.
D
And
I'm
going
to
do
a
couple
of
house
cleaning
things
here:
one
is
I'm
going
to
remove
the
samples
operator
because
it
unless
something
has
changed
recently.
Unfortunately,
christian
isn't
here,
we
can
ask
him
later
the
samples
operator,
because
you
don't
have
an
official
red
hat
secret
at
this
point
it
won't
be
fully
functional
and
can
in
fact
impede
updates
to
your
cluster.
D
So
I'm
patching
its
configuration
with
an
empty
dir
specification
for
a
persistent
volume
and
I'm
going
to
create
an
image
pruner
to
run
it
midnight
every
night,
because
the
the
console
will
gripe
at
you.
If
you
don't
have
an
image
pruner
configured
until
you
do
so
anything
older
than
60
minutes,
it's
going
to
prune
at
midnight
every
night
or
60
days,
rather
60
minutes
would
be
aggressive.
D
D
D
So
so
the
key
the
key
here
is
either
to
span
your
load,
balancer,
which
I
don't
really
want
to
do,
because
that's
a
lot
of
extra
cruft
in
the
the
load,
balancer
configuration
or
designate
some
infrastructure
nodes
and
that's
the
path
that
that
I
chose
to
take.
So
what
I'm
going
to
do?
Real
quick
is
I'm
going
to
designate
my
master
nodes
to
also
be
infrastructure
nodes?
D
D
D
I
don't
know
good,
okay,
just
making
sure,
because,
like
I've,
seen
these
recommendations
listed
in
the
documentation,
but
there
doesn't
seem
to
be
any
particular
reasoning
to
back
them
up,
like,
historically
speaking,
I've
seen
clusters
typically
do
the
masters
as
in
for
nodes,
because
that
way
they
handle
essentially
the
stuff
that
keeps
the
cluster
itself
running
and
the
worker
nodes
are
free
to
work
on
developer
user
workloads
yeah.
I
think
one
of
the
things
you
need
to
consider
is
how
how
beefy
you
make
your
masternodes.
You
know
if
you've
got
heavy
heavy
heavy
ingress
operations.
D
You
know,
given
everything
else,
that
the
masternodes
are
doing,
that
that
might
be
a
little
overwhelming
for
them.
In
my
particular
lab
environment,
the
the
master
nodes
are
heavyweight
enough.
Each
of
them
has
30
gig
of
ram
and
six
vcpus,
so
so
I
feel
pretty
confident
designating
them
as
infra
nodes.
So
what
you
do
once
you
once
you
run
this
label
on
them,
then
you
need
to
patch
the
scheduler
so
that
the
master
nodes
are
no
longer
schedulable.
You'll
see
right
now
they
are
infra
master
and
worker
nodes.
D
When
I
run
this
now,
they're
just
infra
and
master
nodes
now
at
this
point,
nothing
got
evicted
off
of
them.
So
if
you
want
to
boot
things
off
of
them
that
you
don't
want
running
on
there
anymore,
you
do
need
to
either
go
through
and
evict
all
the
pods
that
are
running
on
each
of
those
nodes
manually
or
reboot,
your
master
nodes,
which
is
a
bit
more
of
an
aggressive
way
of
doing
it.
D
Now,
I'm
going
to
patch
the
ingress
operator
to
tell
it
that
it's
okay
for
it
to
run
on
those
master
nodes,
and
if
you
can
read
the
eye
chart
here,
I'll,
explain
what
it's
doing.
It's
setting
a
node
placement
policy,
giving
it
a
match
label
of
infra
node.
It's
also
that's
not
enough!
You
also
have
to
set
some
tolerations
because
the
master
node
is
now
tainted.
D
Not
in
a
ready
state,
yet
as
soon
as
this
one
is
in
a
running
state,
the
second
one
will
begin
terminating.
Don't
panic
that
your
other
one
sits
in
a
pending
state
for
a
while,
because
it
has
an
anti-affinity
rule
that
it
won't
run
on
a
node
that
already
has
an
ingress
pod
running
on
it.
So
it
has
to
wait
for
one
of
those
terminating
pods
to
complete
terminating
before
it
will
schedule
on
the
master.
D
D
D
E
D
Ask
are
we
just
do
you
have
to
make
sure
you
you
save
that
output
text,
or
will
it
actually
be
somewhere
where
you
can
get
to
it?
Yeah,
if
you,
if
you
look
at
the
the
directory
that
you
used
for
the
installation,
so
there's
you
know,
there's
the
boot,
the
the
ignition
files
that
it
created
and
the
metadata
it
creates
an
auth
directory.
D
D
D
D
D
D
So
there
we
go.
I
just
logged
in
with
my
new,
somewhat
more
secure
cluster
admin
account
and
you
can
see
our
four
green
check
boxes.
We've
got
a
happy
cluster.
It
will
complain
about
alerts
until
you
like
set
up
a
slack
channel
or
something
to
send
your
alerts
to
it's
actually
pretty
easy
to
do.
You
create
a
receiver
and
walk
through
it,
but
I
have
used
up
most
of
my
allotted
time
so
I'll
stop
playing
now
and
I
think.
D
B
D
Operator
hub
operator
might
not
actually
be
up
yet
yeah
because
it
does
it
does
take
a
while
after
you
know
that
that
initial
install
took
us
another
23
minutes,
it
does
take
things
a
while
to
settle
down.
Let
me,
let
me
show
you
what
it
does
look
like,
because
I
have
another
cluster
that
I
stood
up
this
morning.
D
D
D
D
Okay,
and
unless
you
want
to
do
something
different
about
it,
you
install
and
we're
going
to
keep
the
stable.
It
is
going
to
create
the
eclipse,
che
namespace
and
we're
gonna.
Let
it
have
an
automatic
strategy
for
its
approval.
If
you
switch
that
to
manual,
then,
when
the
installer
installs
you
you
have
to
go
to
the
installer
and
then
say
yes,
you
can
actually
install.
D
D
So
when
you
install
this
operator
as
an
as
a
cluster
admin,
does
that
mean
that
anybody
who,
logs
in
with
an
account,
can
then
instantiate
it
afterwards?
Absolutely?
Yes,
absolutely
the
workspaces
people
will
be
able
to
get
in
and
create
workspaces
again.
You
know
it's
got
lots
of
role-based
access
control
so
so
that
you
can
control
who
can
do
what?
But,
yes,
anybody
that
you've
got
created.
D
D
D
And
when
we
create
our
cluster,
I'm
going
to
tell
it
to
use
that
for
postgrass,
and
I'm
going
to
tell
it
to
use
that.
For
the
workspaces
also
note,
each
workspace
is
going
to
get
a
gigabyte
of
provision.
Storage
that
may
or
may
not
be
enough,
depending
on
the
type
of
development
that
you're
doing
that's
pretty
minimal.
D
This
will
take
this
takes
a
couple
of
minutes
and
then
key
cloak
is
going
to
provision
itself
after
postgres
is
done
so
now.
Key
cloak
is
provisioning
and
key
cloak
actually
goes
through
a
couple
of
phases.
It
has
an
init
phase
that
it
that
it
runs
through
so
you'll
see
that
pod
come
up
and
then
terminate
and
then
and
be
replaced
by
another
key
color
pod.
That
will
be
your
your
final
configuration
and
you
won't
see
the
the
che
controller
come
up
until
both
postgres
and
key
cloak
have
completed
their
provisioning.
A
D
D
D
A
A
D
D
Programming
skills
yeah,
yes,
indeed,
so
so
the
the
first
key
cloak
instance.
You
see
it
terminating
now,
so
it's
getting
itself
out
of
the
way
the
plug-in
registry
is
fired
up.
Now
you
see
other
activity.
There's
our
che
controller
right
here.
That
is
creating
we've
got
a
dev
file
registry.
We've
got
a
plug-in
registry.
D
A
D
D
D
Create
a
folder
here
for
you
guys,
so
you
don't
have
to
see
all
the
craft
on
my
screen,
I'm
going
to
go
here
and
show
the
certificate.
This
is
safari,
specific,
obviously
so
follow
the
instructions
for
your
favorite
browser.
Safari
is
not
my
favorite,
but
here
it
is
grab
that
and
then
what
you're
going
to
do
is
once
you've
got
that
certificate.
You
need
to
add
it
to
the
trust
store
of
your
operating
system.
D
D
D
D
And
I'm
gonna
say:
yeah
allow
these
permissions,
and
now
it's
gonna.
It's
gonna
ask
you
to
create
an
account
now
another
important
safety
tip.
If
you
do
what
I
did,
there
is
an
admin
account
that
che
creates.
Well,
I
named
my
cluster
administrator
admin,
so
I
need
to
give
this
a
different
name
or
I
will
cause
some
pain
for.