NOMAD Prod Kubernetes Reinstall

Reinstalling the Kubernetes Production Cluster

The main reason for this is a critical Kubernetes bug. Here is a bit of a log of what I did (to hopefully help me next time). This is mostly taken from the Kubernetes docs (1, 2) plus tweaks I added.

Master node:

Basically the same as the Visualization Setup minus the tainting and coredns editing:

# disable swap:
swapoff -a
# comment out swap lines (the command should do it, but I prefer manual edit)
# sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
vi /etc/fstab

# clean old installation, disable docker
kubeadm reset
systemctl stop kubelet
systemctl disable kubelet
systemctl stop docker
systemctl disable docker

# sources for new version of kubernetes
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kube*
EOF

# Set SELinux in permissive mode (effectively disabling it)
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

# ensure ip tables function
if ! sysctl --system | grep "net.bridge.bridge-nf-call-ip6tables = 1" > /dev/null ; then
   cat <<EOF >  /etc/sysctl.d/90-k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
fi
sysctl --system

# update & install kubernetes
yum install -y docker-ce kubelet kubeadm kubectl --disableexcludes=kubernetes
kubeadm reset # new version might reset better
reboot

systemctl enable docker && systemctl start docker
systemctl enable kubelet && systemctl start kubelet
kubeadm init --pod-network-cidr=10.244.0.0/16

Ideally after a node is up and added to the cluster, and coredns works

# get & install flannel
curl https://raw.githubusercontent.com/coreos/flannel/bc79dd1505b0c8681ece4de4c0d86c5cd2643275/Documentation/kube-flannel.yml > kube-flannel.yml
kubectl create -f kube-flannel.yml

Worker Nodes

For the normal worker nodes, the setup operations are:

# disable swap:
swapoff -a
# comment out swap lines (the command should do it, but I prefer manual edit)
# sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
vi /etc/fstab

# clean old installation, disable docker
kubeadm reset
systemctl stop kubelet
systemctl disable kubelet
systemctl stop docker
systemctl disable docker

# sources for new version of kubernetes
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kube*
EOF

# Set SELinux in permissive mode (effectively disabling it)
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

# ensure ip tables function
if ! sysctl --system | grep "net.bridge.bridge-nf-call-ip6tables = 1" > /dev/null ; then
   cat <<EOF >  /etc/sysctl.d/90-k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
fi
sysctl --system

# update & install kubernetes
yum install -y docker-ce kubelet kubeadm kubectl --disableexcludes=kubernetes
kubeadm reset # new version might reset better
reboot

systemctl enable docker && systemctl start docker
systemctl enable kubelet && systemctl start kubelet
kubeadm join <serviceAddr> --token <token> --discovery-token-ca-cert-hash <hash>
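
Both procedures above reboot in the middle, so only the on-disk settings count afterwards: `swapoff -a` and `setenforce 0` are runtime-only, the SELinux `sed` rewrites nothing unless the line is exactly `SELINUX=enforcing`, and the sysctl `if` tests only the ip6tables key. The following check is an added example, not part of the original log; the function names are hypothetical and the default paths are the ones the commands above edit.

```shell
#!/bin/sh
# Added example: verify that the node-prep settings are persisted on disk.
# Paths are parameters so copies of the files can be checked as well.

# Succeed if the fstab has no active (uncommented) swap entry; print any found.
fstab_swap_disabled() {
    ! awk '$1 !~ /^#/ && $3 == "swap" { print; found = 1 } END { exit !found }' "$1"
}

# Print the persisted SELinux mode (SELINUXTYPE= and comments are ignored).
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*$/\1/p' "$1" | tail -n 1
}

# Succeed only if BOTH bridge keys are set to 1 in some *.conf of the directory.
bridge_sysctls_persisted() {
    for key in net.bridge.bridge-nf-call-ip6tables net.bridge.bridge-nf-call-iptables; do
        grep -Eqs "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1"/*.conf || {
            echo "FAIL: $key = 1 not found in $1/*.conf"
            return 1
        }
    done
}

# Run all checks; one line per problem; return value = number of problems.
check_node_prep() {
    fstab=${1:-/etc/fstab} selinux=${2:-/etc/selinux/config} sysctld=${3:-/etc/sysctl.d}
    problems=0
    if ! fstab_swap_disabled "$fstab" >/dev/null; then
        echo "FAIL: active swap entry in $fstab (swapoff -a does not survive reboot)"
        problems=$((problems + 1))
    fi
    mode=$(selinux_config_mode "$selinux")
    if [ "$mode" != "permissive" ]; then
        echo "FAIL: $selinux has SELINUX=${mode:-unset}, expected permissive"
        problems=$((problems + 1))
    fi
    if ! bridge_sysctls_persisted "$sysctld"; then
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run against the live system only when asked to: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_node_prep
fi
```

Run it with `--check` after the reboot and before `kubeadm init` or `kubeadm join`; a non-zero exit status is the number of settings that did not persist.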

Important notes to the above:

  1. disable docker before the update, otherwise it might become unresponsive (pro2 node cough, cough)
  2. reboot is safer after kubeadm reset and ip table fixes (flink-03 node I suspect)
  3. avoid yum update: it does update the kernel, and then we lose the gpfs kernel module and thus gpfs (ehm prod1, prod2, flink-01, flink-03):
systemctl status -l gpfs.service
● gpfs.service - General Parallel File System
   Loaded: loaded (/usr/lpp/mmfs/lib/systemd/gpfs.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2018-12-17 16:05:33 CET; 21h ago
 Main PID: 25305 (code=exited, status=0/SUCCESS)
    Tasks: 36
   Memory: 66.8M
   CGroup: /system.slice/gpfs.service
           ├─ 6177 /usr/lpp/mmfs/bin/mmksh /usr/lpp/mmfs/bin/mmccrmonitor 15
           ├─25687 /usr/lpp/mmfs/bin/mmksh /usr/lpp/mmfs/bin/mmccrmonitor 15
           ├─26595 /usr/lpp/mmfs/bin/mmsdrserv 1191 10 10 /var/adm/ras/mmsdrserv.log 128 yes no
           └─29399 python /usr/lpp/mmfs/bin/mmsysmon.py

Dec 17 16:05:30 nomad-toolkit-prod1 systemd[1]: Starting General Parallel File System...
Dec 17 16:05:33 nomad-toolkit-prod1 systemd[1]: Started General Parallel File System.
Dec 17 16:05:53 nomad-toolkit-prod1 mmsysmon[29399]: [I] Event raised: The IBM Spectrum Scale monitoring service has been started
Dec 17 16:05:55 nomad-toolkit-prod1 mmsysmon[29399]: [E] Event raised: The Spectrum Scale service process not running on this node. Normal operation cannot be done
Dec 17 16:05:55 nomad-toolkit-prod1 mmsysmon[29399]: [E] Event raised: The node is not able to form a quorum with the other available nodes.
Dec 17 16:05:55 nomad-toolkit-prod1 mmsysmon[29399]: [I] Event raised: All quorum nodes are reachable PC_QUORUM_NODES
Dec 17 16:05:56 nomad-toolkit-prod1 mmsysmon[29399]: [W] Event raised: The filesystem rzg_nomad1 is probably needed, but not mounted
  4. When reinstalling gpfs: use the latest /usr/lpp, reinstall with
for p in $(rpm -qa | grep gpfs); do
  rpm -e $p
done
rpm -ihv *.rpm

might be better than rpm -Uhv *.rpm, and /usr/lpp/mmfs/mmbuildgpl rebuilds the kernel module. More info in IBM's doc. Thanks Florian for installing the latest patches and making it work on flink-01.
