Art of Exploitation

How to Install OpenShift 4 SNO ARM Cluster on an M1 MacBook?

Introduction

OpenShift 4 stands as a leading enterprise-grade container orchestration platform, ensuring your application containers run smoothly with advanced features. Installing OpenShift 4 on ARM architecture-based machines like Apple Silicon MacBooks, however, presents unique challenges. This guide will walk you through the process of installing an OpenShift 4 Single Node OpenShift (SNO) ARM-based cluster on an M1 Pro MacBook.

Prerequisites

  • VMware Fusion Pro Installation: Before you start, ensure VMware Fusion Pro is installed on your Mac. If you need detailed steps, refer to our previous post titled VMware Fusion Pro for Apple Silicon for Free.
  • Custom DNS Server for VMware Fusion: For VMware Fusion’s DHCP configuration, a custom DNS server must be in place to answer DNS queries for the OpenShift cluster API URL. Check our previous post titled Custom DNS Nameserver IP for VMware Fusion Pro Networks for detailed steps.
  • Podman: Podman is crucial for creating the final ISO for the SNO cluster virtual machine. We’ll guide you through the Podman installation in the upcoming steps.

Important Links

Installation Details

The base domain used in this installation is example.com, and the cluster name is ayush. This setup will generate a cluster API URL: api.ayush.example.com. Feel free to customize the domain and cluster name as per your preference. Ensure you download the oc and openshift-install binaries from the links provided, as the official documentation primarily offers Linux x86_64 binaries.

Start the Installation!

Video Tutorial for Better Understanding

For those who prefer a visual learning experience, we have a comprehensive video tutorial available on YouTube. The video walks you through each step of installing the OpenShift 4 SNO cluster on an M1 MacBook, from the initial setup to accessing the cluster. This resource is invaluable for those who want to see the process in action.

  • Begin by installing the Homebrew package manager on your Mac. Once installed, use it to install and configure Podman, which will help you generate the required ISO for the SNO cluster.
$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
$ brew install podman
$ podman machine init
$ podman machine start
  • Ensure your DNS server is correctly configured to answer the DNS query for your cluster API URL (e.g., api.<cluster-name>.<base-domain>). Also, configure the reverse lookup so that the virtual machine hostname is set up automatically. The links provided in the prerequisites section offer detailed guidance on this configuration.
// The DNS server must be configured to answer the dns queries for 
   - api.<cluster-name>.<base-domain>
   - api-int.<cluster-name>.<base-domain> 
   - *.apps.<cluster-name>.<base-domain> i.e. the forward dns lookup. 
   The reverse dns lookup also needs to be configured so that the VM can get a hostname.
// Forward Zone
$ cat /etc/dnsmasq.conf
user=dnsmasq
group=dnsmasq
interface=ens160
listen-address=::1,127.0.0.1,192.168.117.129
local-service=host
expand-hosts
domain=example.com
server=8.8.8.8
server=8.8.4.4
address=/api.ayush.example.com/192.168.117.131
address=/api-int.ayush.example.com/192.168.117.131
address=/.apps.ayush.example.com/192.168.117.131
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig
// Reverse Zone
$ cat /etc/hosts
192.168.117.131		api.ayush.example.com
// Verify the DNS resolution.
$ nslookup api.ayush.example.com
Server:		127.0.0.1
Address:	127.0.0.1#53
Name:	api.ayush.example.com
Address: 192.168.117.131
$ nslookup api-int.ayush.example.com 192.168.117.129
Server:		192.168.117.129
Address:	192.168.117.129#53
Name:	api-int.ayush.example.com
Address: 192.168.117.131
$ nslookup test.apps.ayush.example.com
Server:		192.168.117.129
Address:	192.168.117.129#53
Name:	test.apps.ayush.example.com
Address: 192.168.117.131
$ nslookup 192.168.117.131
131.117.168.192.in-addr.arpa	name = api.ayush.example.com.
  • On your Apple Silicon MacBook, create a new directory and follow the steps to generate the SNO cluster VM ISO.
$ mkdir SNO-OCP
$ cd SNO-OCP
// Export the environment variables with correct details to download the required binaries.
$ OCP_VERSION=latest-4.16
$ ARCH=aarch64
// Download the oc client TAR file, extract the contents and verify the oc binary version.
$ curl -k https://mirror.openshift.com/pub/openshift-v4/aarch64/clients/ocp/$OCP_VERSION/openshift-client-mac-arm64.tar.gz -o oc.tar.gz
$ tar zxf oc.tar.gz && rm -rf kubectl oc.tar.gz README.md
$ chmod +x oc
$ ./oc version
Client Version: 4.16.8
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
// Download the openshift-install TAR file, extract the contents and verify the version and architecture.
$ curl -k https://mirror.openshift.com/pub/openshift-v4/aarch64/clients/ocp/$OCP_VERSION/openshift-install-mac-arm64.tar.gz -o openshift-install-mac.tar.gz
$ tar zxf openshift-install-mac.tar.gz && rm -rf openshift-install-mac.tar.gz README.md
$ chmod +x openshift-install
$ ./openshift-install version
./openshift-install 4.16.8
built from commit 4f78aec1c86c5f51f560f56193f7be1843ab2cd2
release image quay.io/openshift-release-dev/ocp-release@sha256:0a99ef4f95dee2d0f4865e32bb8e9649a7f7b0241a7d7312200f39d1a0120e9d
release architecture arm64
// Download the ISO file.
$ ISO_URL=$(./openshift-install coreos print-stream-json | grep location | grep $ARCH | grep iso | cut -d\" -f4)
$ curl -L $ISO_URL -o rhcos-live.iso
// Create the install-config.yaml file and specify the correct values for baseDomain, cluster name, installationDisk, pullSecret and sshKey.
$ vi install-config.yaml
apiVersion: v1
baseDomain: example.com
compute:
- name: worker
  replicas: 0
controlPlane:
  name: master
  replicas: 1
metadata:
  name: ayush
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: 10.0.0.0/16
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16
platform:
  none: {}
bootstrapInPlace:
  installationDisk: /dev/disk/by-id/<disk_id> 
pullSecret: '<pull_secret>' 
sshKey: |
  <ssh_key>
// Generate the ignition for SNO and embed it to the previously downloaded the ISO file.
$ mkdir ocp
$ cp install-config.yaml ocp
$ ./openshift-install --dir=ocp create single-node-ignition-config
$ alias coreos-installer='podman run --privileged --pull always --rm -v /dev:/dev -v /run/udev:/run/udev -v $PWD:/data -w /data quay.io/coreos/coreos-installer:release'
$ coreos-installer iso ignition embed -fi ocp/bootstrap-in-place-for-live-iso.ign rhcos-live.iso
  • Then, create a virtual machine using the rhcos-live.iso, allocating at least 16 GB of memory, 4 processor cores, and 50 GB of disk storage, based on the Red Hat Enterprise Linux 9 64-bit ARM operating system.
  • Allow 40-45 minutes for the cluster installation to complete. Be patient; this step takes time.
  • To interact with the cluster using the oc command from your Mac, add the necessary entries in the /etc/hosts file for the cluster API URL, console, and OAuth routes, all pointing to the SNO virtual machine’s IP address.
$ cat /etc/hosts
##
192.168.117.131		api.ayush.example.com
192.168.117.131		console-openshift-console.apps.ayush.example.com	
192.168.117.131		oauth-openshift.apps.ayush.example.com
  • Finally, the cluster can be accessed from the CLI by exporting the kubeconfig file.
$ export KUBECONFIG=ocp/auth/kubeconfig
$ ./oc get nodes
NAME                    STATUS   ROLES                         AGE    VERSION
api.ayush.example.com   Ready    control-plane,master,worker   6h4m   v1.29.7+4510e9c
$ ./oc get co
NAME                                       VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication                             4.16.8    True        False         False      5h16m
baremetal                                  4.16.8    True        False         False      5h33m
cloud-controller-manager                   4.16.8    True        False         False      5h30m
cloud-credential                           4.16.8    True        False         False      5h46m
cluster-autoscaler                         4.16.8    True        False         False      5h31m
config-operator                            4.16.8    True        False         False      5h34m
console                                    4.16.8    True        False         False      5h16m
control-plane-machine-set                  4.16.8    True        False         False      5h31m
csi-snapshot-controller                    4.16.8    True        False         False      5h34m
dns                                        4.16.8    True        False         False      5h31m
etcd                                       4.16.8    True        False         False      5h27m
image-registry                             4.16.8    True        False         False      5h15m
ingress                                    4.16.8    True        False         False      5h33m
insights                                   4.16.8    True        False         False      5h33m
kube-apiserver                             4.16.8    True        False         False      5h20m
kube-controller-manager                    4.16.8    True        False         False      5h19m
kube-scheduler                             4.16.8    True        False         False      5h30m
kube-storage-version-migrator              4.16.8    True        False         False      5h34m
machine-api                                4.16.8    True        False         False      5h30m
machine-approver                           4.16.8    True        False         False      5h31m
machine-config                             4.16.8    True        False         False      5h33m
marketplace                                4.16.8    True        False         False      5h33m
monitoring                                 4.16.8    True        False         False      5h16m
network                                    4.16.8    True        False         False      5h34m
node-tuning                                4.16.8    True        False         False      5h34m
openshift-apiserver                        4.16.8    True        False         False      5h20m
openshift-controller-manager               4.16.8    True        False         False      5h18m
openshift-samples                          4.16.8    True        False         False      5h15m
operator-lifecycle-manager                 4.16.8    True        False         False      5h33m
operator-lifecycle-manager-catalog         4.16.8    True        False         False      5h31m
operator-lifecycle-manager-packageserver   4.16.8    True        False         False      5h20m
service-ca                                 4.16.8    True        False         False      5h34m
storage                                    4.16.8    True        False         False      5h31m
  • Access the OpenShift 4 web console via your browser using the console route located in the openshift-console namespace. The username is kubeadmin, and the password can be found in the ocp/auth/kubeadmin-password file.
  • If requests to any public URLs from the pods on the cluster fail, such as the Insights Operator or an application pod pulling code from GitHub, then the routingViaHost option needs to be enabled in the cluster network configuration. During my troubleshooting, I identified that this issue occurs due to improper packet fragmentation.
$ oc patch network.operator/cluster --type merge -p '{"spec":{"defaultNetwork":{"ovnKubernetesConfig":{"gatewayConfig":{"routingViaHost":true}}}}}'

Conclusion

This guide covers the essential steps to install and access an OpenShift 4 SNO ARM cluster on an M1 MacBook. Follow the instructions carefully, and you’ll have your cluster up and running in no time. For a visual guide, check out the comprehensive video tutorial on YouTube.

Leave a Reply

Discover more from Art of Exploitation

Subscribe now to keep reading and get access to the full archive.

Continue reading