A series of operations are necessary to get a running Flocker cluster:
- Install the
flocker-cautility to generate certificates. - Generate the authority certificate.
- Generate the control node certificate.
- Generate the node certificates, one per node.
- Generate the flocker plugin certificate.
- Generate the client certificate.
- Install some software from packages.
- Distribute certificates to the Flocker cluster.
- Configure the installation, adding the main configuration file,
agent.yml. - Configure the packet filter on hosts.
- Start and restart system services.
You can execute them manually on a small cluster, but they are repetitive and tedious, so we'll illustrate the procedure using some self-explanatory Ansible playbooks published to https://github.com/fsoppelsa/ansible-flocker.
These plays are trivial and probably not production ready. There are also the official ClusterHQ playbooks for Flocker roles (refer to https://github.com/ClusterHQ/ansible-role-flocker), but for the linearity of the explanation, we'll use the first repository, so let's clone it:
git clone [email protected]:fsoppelsa/ansible-flocker.git
For certificate generation, the flocker-ca utility is required. Instructions on how to install it are available at https://docs.clusterhq.com/en/latest/flocker-standalone/install-client.html. For Linux distributions, it's a matter of installing a package. On Mac OS X, instead, the tool can be pulled using Python's pip utility.
On Ubuntu:
sudo apt-get -y install --force-yes clusterhq-flocker-cli
On Mac OS X:
pip install https://clusterhq-
archive.s3.amazonaws.com/python/Flocker-1.15.0-py2-none-any.whl
Once in possess of this tool, we generate the required certificates. To make the things simple, we'll create the following certificate structure:
A directory certs/ including all certificates and keys:
cluster.crtand.keyare the authority certificate and keycontrol-service.crtand.keyare the control node certificate and keyplugin.crtand.keyare the Docker Flocker plugin certificate and keyclient.crtand.keyare the Flocker client certificate and key- From
node-aws-101.crtand.keytonode-aws-110.crtand.keyare the node certificates and keys, one per node
The following are the steps:
- Generate the authority certificate:
flocker-ca initialize cluster - Once in possess of the authority certificate and key, generate the control node certificate in the same directory:
flocker-ca create-control-certificate aws-101 - Then generate the plugin certificate:
flocker-ca create-api-certificate plugin - Then generate the client certificate:
flocker-ca create-api-certificate client - Finally, generate each nodes' certificate:
flocker-ca create-node-certificate node-aws-X
Of course, we must cheat and use the utility/generate_certs.sh script available in the ansible-flocker repository, which will do the work for us:
cd utils ./generate_certs.sh
After this script execution, we now have all our certificates available in certs/:
On each Flocker node, we must perform the following steps:
- Add the ClusterHQ Ubuntu repository to the APT source list.
- Update the packages cache.
- Install these packages:
clusterhq-python-flockerclusterhq-flocker-nodeclusterhq-flocker-docker-plugin
- Create a directory
/etc/flocker. - Copy the Flocker configuration file
agent.ymlto/etc/flocker. - Copy the certificates appropriate for that node to
/etc/flocker. - Configure security by enabling ufw, and opening TCP ports
2376,2377,4523,4524. - Start the system services.
- Restart the docker daemon.
Once again, we love the machines to work for us, so let's setup this with Ansible while we have a coffee.
But, before, we must specify who will be the Flocker control node and who the bare nodes, so we fill in the inventory file with the host IPs of nodes. The file is in .ini format, and what's required is just to specify the list of nodes:
Then, we create the directory from where Ansible will take files, certificates, and configurations to copy to the nodes:
mkdir files/
We now copy all our certificates we created previously, from the certs/ directory to files/:
cp certs/* files/
Finally, we define the Flocker configuration file in files/agent.yml with the following content, adapting the AWS region and modifying hostname, access_key_id,and secret_access_key:
control-service: hostname: "<Control node IP>" port: 4524 dataset: backend: "aws" region: "us-east-1" zone: "us-east-1a" access_key_id: "<AWS-KEY>" secret_access_key: "<AWS-ACCESS-KEY>" version: 1
This is the core Flocker configuration file, which will be in /etc/flocker on every node. Here, you specify and configure the credentials of the backend of choice. In our case, we go with the basic AWS option, EBS, so we include our AWS credentials.
With inventory, agent.yml and all certificates ready in files/, we can proceed.
The playbook to install the control node is flocker_control_install.yml. This play executes a software installation script, copies the cluster certificate, the control node certificate and key, the node certificate and key, the client certificate and key, the plugin certificate and key, configures the firewall opening ports for SSH, Docker and Flocker, and starts these system services:
flocker-controlflocker-dataset-agentflocker-container-agentflocker-docker-plugin
Finally, it refreshes the docker service, restarting it.
Let's run it:
$ export ANSIBLE_HOST_KEY_CHECKING=False $ ansible-playbook -i inventory --private-key keys/flocker playbooks/flocker_control_install.yml
Similarly, we install the other nodes with another playbook, flocker_nodes_install.yml:
$ ansible-playbook -i inventory --private-key keys/flocker playbooks/flocker_nodes_install.yml
The steps are more or less the same as before, except that this playbook doesn't copy some certificates and doesn't start the flocker-control service. Only the Flocker agent and Flocker Docker plugin services run there. We wait for some time until Ansible exits.
To check that Flocker is installed correctly, we now log in to the control node, check that the Flocker plugin is running (alas, it has the .sock file), and then we install the flockerctl utility (refer to https://docs.clusterhq.com/en/latest/flocker-features/flockerctl.html) with the curl command:
$ docker-machine ssh aws-104 $ sudo su - # ls /var/run/docker/plugins/flocker/ flocker.sock flocker.sock.lock # curl -sSL https://get.flocker.io |sh
We now set some environment variables used by flockerctl:
export FLOCKER_USER=client export FLOCKER_CONTROL_SERVICE=54.84.176.7 export FLOCKER_CERTS_PATH=/etc/flocker
We can now list the nodes and volumes (we still have no volumes yet, of course):
flockerctl status flockerctl list
Now, we can go to another node of the cluster to check the connectivity of the Flocker cluster (especially if the plugin and the agent can reach and authenticate to the control node), say aws-108, create a volume and write some data into it:
$ docker-machine ssh aws-108 $ sudo su - # docker run -v test:/data --volume-driver flocker busybox sh -c "echo example > /data/test.txt" # docker run -v test:/data --volume-driver flocker busybox sh -c "cat /data/test.txt" example
If we go back to the control node, aws-104, we can verify that volumes with persistent data got created by listing them with the docker and flockerctl commands:
docker volume ls flockerctl list
Excellent! So now we can remove the exited containers, delete the test volume dataset from Flocker, and then we are ready to install a Swarm:
# docker rm -v ba7884944577 # docker rm -v 7293a156e199 # flockerctl destroy -d 8577ed21-25a0-4c68-bafa-640f664e774e