Background
Deploying OpenShift 4.6 through the assisted installer method requires dynamic IP address assignment through a DHCP server.
In this design, we will keep the cluster nodes in a private network, exposing only the API and ingress endpoints. To give the cluster access to the public domain, we will also require a proxy server.
Before getting started:
- Provision a private subnet on the IBM Cloud; this will provide the installer with a pool of IP addresses to assign to each node
As a best practice, you should configure your DHCP and Proxy servers as two separate servers. In this guidance document, I will be configuring both services on a single server.
Server Specs
- CPU: 2 vCPU
- Memory: 4GB RAM
- Storage: 100GB
If you are provisioning your proxy server as a RHEL8 / CentOS8 machine on existing VMware infrastructure with public network connectivity, select the following software during installation:
Note: The installation of RHEL 8 requires that the machine be registered during the installation process. To ensure connectivity to the public network during installation, configure only the ethernet adapter that has connectivity to the public distributed virtual switch.
Base environment: Server with GUI, with these add-ons:
- Debugging Tools
- Performance Tools
- System Tools
- Security Tools
- Graphical Administration Tools
- Configure a regular user account on the system, even if you remove it later. The root user can only log in via the console. To log in remotely to a new system, you will need a user account set up as an administrator that can issue the sudo command or su to root.
You may also provision a RHEL 8 server through the IBM Cloud: https://cloud.ibm.com/gen1/infrastructure/provision/vs
Using either method, I follow this procedure when the server first boots up:
- Enable the firewall if it is not already enabled, and create separate firewall zones for the public (WAN) and private (LAN) network interfaces:
Note: find the names of your network interfaces first (eth1 is the public interface and eth0 the private one in the commands below):
ifconfig
systemctl enable firewalld --now;
firewall-cmd --change-interface=eth1 --zone=external --permanent;
firewall-cmd --change-interface=eth0 --zone=internal --permanent;
firewall-cmd --set-default-zone=internal;
systemctl restart firewalld;
- To manage the machine through my browser (this includes a browser-based shell window!) I also like to activate the cockpit web console:
dnf install cockpit -y;
firewall-cmd --add-service=cockpit --permanent --zone=external;
systemctl enable --now cockpit.socket;
Once enabled, the cockpit user interface can be accessed at https://PROV_NODE_IP:9090/
- Install the DHCP service
dnf -y install dhcp-server;
- Use the dhcp.conf.template file as a reference to update the service's dhcpd.conf file:
vi /etc/dhcp/dhcpd.conf
Note: See the dhcpd.conf man page for the full list of configuration options
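The guide's dhcp.conf.template is not reproduced here; as an added example (not the guide's template), the function below generates a dhcpd.conf for the private cluster subnet and gives each OpenShift node a fixed lease bound to its MAC address, so the addresses the assisted installer records do not change across reboots. The subnet, router, DNS server and node MAC addresses in the usage line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the guide's dhcp.conf.template.
# gen_dhcpd_conf SUBNET NETMASK ROUTER DNS RANGE_START RANGE_END "name=mac=ip ..."
# Prints a dhcpd.conf on stdout. Fixed addresses must lie outside the dynamic
# range, otherwise dhcpd may hand the same address to a dynamic client.
gen_dhcpd_conf() {
  subnet=$1 netmask=$2 router=$3 dns=$4 first=$5 last=$6 hosts=$7
  cat <<EOF
# dhcpd.conf for the private OpenShift subnet (generated)
authoritative;
default-lease-time 600;
max-lease-time 7200;

subnet $subnet netmask $netmask {
  option routers $router;
  option domain-name-servers $dns;
  option subnet-mask $netmask;
  range $first $last;
}
EOF
  # One host block per node: the lease is pinned to the node's MAC address.
  for entry in $hosts; do
    name=${entry%%=*}
    rest=${entry#*=}
    mac=${rest%%=*}
    ip=${rest#*=}
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n  option host-name "%s";\n}\n' \
      "$name" "$mac" "$ip" "$name"
  done
}

# Constructed example values: 10.0.0.0/24 private subnet, proxy host at 10.0.0.1
# acting as router and DNS, dynamic pool .100-.200, two nodes with fixed leases.
gen_dhcpd_conf 10.0.0.0 255.255.255.0 10.0.0.1 10.0.0.1 10.0.0.100 10.0.0.200 \
  "master-0=52:54:00:aa:bb:01=10.0.0.10 worker-0=52:54:00:aa:bb:02=10.0.0.20"
```

Write the output to /etc/dhcp/dhcpd.conf and run `dhcpd -t -cf /etc/dhcp/dhcpd.conf` to syntax-check it before enabling the service.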
- Update the firewall and enable the service:
systemctl enable --now dhcpd
firewall-cmd --add-service=dhcp --zone=internal --permanent
firewall-cmd --reload
- Persist the IP forwarding settings in a new sysctl configuration file, populated from the included ip_forward.conf.template file, then apply them:
vi /etc/sysctl.d/ip_forward.conf;
sysctl -p /etc/sysctl.d/ip_forward.conf
sysctl -w net.ipv4.ip_forward=1;
sysctl -w net.ipv4.conf.all.rp_filter=2;
- Create an environment variable that points to this machine's private IP address, then add the NAT, forwarding and port-redirection rules (port 80 on the internal zone is redirected to the proxy on port 3128):
export YOURPROXYPRIVADDR=
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o eth1 -j MASQUERADE;
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth0 -o eth1 -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT;
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -d 0.0.0.0/0 -j ACCEPT;
firewall-cmd --permanent --zone=internal --add-forward-port=port=80:proto=tcp:toport=3128:toaddr=$YOURPROXYPRIVADDR;
firewall-cmd --permanent --zone=internal --add-service=http;
firewall-cmd --permanent --zone=external --add-service=http;
firewall-cmd --permanent --zone=internal --add-service=https;
firewall-cmd --permanent --zone=external --add-service=https;
- Install squid
dnf install squid -y
- Backup the default forward proxy configuration file
cp /etc/squid/squid.conf /etc/squid/squid.conf.original
- Update the configuration file with our settings (see the included template file):
vi /etc/squid/squid.conf
- Update the firewall
sudo firewall-cmd --add-service=squid --permanent
sudo firewall-cmd --reload
- Enable and start Squid
systemctl enable --now squid
- Test your proxy; change the port in the command if your listening port differs from 3128:
curl -O -L "https://www.redhat.com/index.html" -x "$YOURPROXYPRIVADDR:3128"
- After later edits to squid.conf, reload the service so the new settings take effect (restart it if a reload is not enough):
systemctl --system daemon-reload;
squid -k reconfigure
systemctl reload squid;
systemctl restart squid;