Hung-Wei Chiu | 77c969e | 2020-10-23 18:13:07 +0000 | [diff] [blame] | 1 | .. |
| 2 | SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org> |
| 3 | SPDX-License-Identifier: Apache-2.0 |
| 4 | |
| 5 | ============= |
| 6 | Bootstrapping |
| 7 | ============= |
| 8 | |
Hyunsun Moon | a79c742 | 2020-11-18 04:52:56 -0800 | [diff] [blame] | 9 | VPN |
| 10 | === |
| 11 | This section walks you through how to set up a VPN between ACE and Aether Central in GCP. |
| 12 | We will be using GitOps based Aether CD pipeline for this, |
| 13 | so we just need to create a patch to **aether-pod-configs** repository. |
| 14 | Note that some of the steps described here are not directly related to setting up a VPN, |
| 15 | but rather are a prerequisite for adding a new ACE. |
| 16 | |
| 17 | Before you begin |
| 18 | ---------------- |
| 19 | * Make sure firewall in front of ACE allows UDP port 500, UDP port 4500, and ESP packets |
| 20 | from **gcpvpn1.infra.aetherproject.net(35.242.47.15)** and **gcpvpn2.infra.aetherproject.net(34.104.68.78)** |
| 21 | * Make sure that the external IP on ACE side is owned by or routed to the management node |
| 22 | |
| 23 | To help your understanding, the following sample ACE environment will be used in the rest of this section. |
| 24 | Make sure to replace the sample values when you actually create a review request. |
| 25 | |
| 26 | +-----------------------------+----------------------------------+ |
| 27 | | Management node external IP | 128.105.144.189 | |
| 28 | +-----------------------------+----------------------------------+ |
| 29 | | ASN | 65003 | |
| 30 | +-----------------------------+----------------------------------+ |
| 31 | | GCP BGP IP address | Tunnel 1: 169.254.0.9/30 | |
| 32 | | +----------------------------------+ |
| 33 | | | Tunnel 2: 169.254.1.9/30 | |
| 34 | +-----------------------------+----------------------------------+ |
| 35 | | ACE BGP IP address | Tunnel 1: 169.254.0.10/30 | |
| 36 | | +----------------------------------+ |
| 37 | | | Tunnel 2: 169.254.1.10/30 | |
| 38 | +-----------------------------+----------------------------------+ |
| 39 | | PSK | UMAoZA7blv6gd3IaArDqgK2s0sDB8mlI | |
| 40 | +-----------------------------+----------------------------------+ |
| 41 | | Management Subnet | 10.91.0.0/24 | |
| 42 | +-----------------------------+----------------------------------+ |
| 43 | | K8S Subnet | Pod IP: 10.66.0.0/17 | |
| 44 | | +----------------------------------+ |
| 45 | | | Cluster IP: 10.66.128.0/17 | |
| 46 | +-----------------------------+----------------------------------+ |
| 47 | |
| 48 | |
| 49 | Download aether-pod-configs repository |
| 50 | -------------------------------------- |
| 51 | .. code-block:: shell |
| 52 | |
| 53 | $ cd $WORKDIR |
| 54 | $ git clone "ssh://[username]@gerrit.opencord.org:29418/aether-pod-configs" |
| 55 | |
Hyunsun Moon | 0e080e4 | 2020-11-18 12:53:13 -0800 | [diff] [blame^] | 56 | .. _update_global_resource: |
| 57 | |
Hyunsun Moon | a79c742 | 2020-11-18 04:52:56 -0800 | [diff] [blame] | 58 | Update global resource maps |
| 59 | --------------------------- |
| 60 | Add a new ACE information at the end of the following global resource maps. |
| 61 | |
| 62 | * user_map.tfvars |
| 63 | * cluster_map.tfvars |
| 64 | * vpn_map.tfvars |
| 65 | |
| 66 | As a note, you can find several other global resource maps under the `production` directory. |
| 67 | Resource definitions that need to be shared among clusters or are better managed in a |
| 68 | single file to avoid configuration conflicts are maintained in this way. |
| 69 | |
| 70 | .. code-block:: diff |
| 71 | |
| 72 | $ cd $WORKDIR/aether-pod-configs/production |
| 73 | $ vi user_map.tfvars |
| 74 | |
| 75 | # Add the new cluster admin user at the end of the map |
| 76 | $ git diff user_map.tfvars |
| 77 | --- a/production/user_map.tfvars |
| 78 | +++ b/production/user_map.tfvars |
| 79 | @@ user_map = { |
| 80 | username = "menlo" |
| 81 | password = "changeme" |
| 82 | global_roles = ["user-base", "catalogs-use"] |
| 83 | + }, |
| 84 | + test_admin = { |
| 85 | + username = "test" |
| 86 | + password = "changeme" |
| 87 | + global_roles = ["user-base", "catalogs-use"] |
| 88 | } |
| 89 | } |
| 90 | |
| 91 | .. code-block:: diff |
| 92 | |
| 93 | $ cd $WORKDIR/aether-pod-configs/production |
| 94 | $ vi cluster_map.tfvars |
| 95 | |
| 96 | # Add the new K8S cluster information at the end of the map |
| 97 | $ git diff cluster_map.tfvars |
| 98 | --- a/production/cluster_map.tfvars |
| 99 | +++ b/production/cluster_map.tfvars |
| 100 | @@ cluster_map = { |
| 101 | kube_dns_cluster_ip = "10.53.128.10" |
| 102 | cluster_domain = "prd.menlo.aetherproject.net" |
| 103 | calico_ip_detect_method = "can-reach=www.google.com" |
| 104 | + }, |
| 105 | + ace-test = { |
| 106 | + cluster_name = "ace-test" |
| 107 | + management_subnets = ["10.91.0.0/24"] |
| 108 | + k8s_version = "v1.18.8-rancher1-1" |
| 109 | + k8s_pod_range = "10.66.0.0/17" |
| 110 | + k8s_cluster_ip_range = "10.66.128.0/17" |
| 111 | + kube_dns_cluster_ip = "10.66.128.10" |
| 112 | + cluster_domain = "prd.test.aetherproject.net" |
| 113 | + calico_ip_detect_method = "can-reach=www.google.com" |
| 114 | } |
| 115 | } |
| 116 | } |
| 117 | |
| 118 | .. code-block:: diff |
| 119 | |
| 120 | $ cd $WORKDIR/aether-pod-configs/production |
| 121 | $ vi vpn_map.tfvars |
| 122 | |
| 123 | # Add VPN and tunnel information at the end of the map |
| 124 | $ git diff vpn_map.tfvars |
| 125 | --- a/production/vpn_map.tfvars |
| 126 | +++ b/production/vpn_map.tfvars |
| 127 | @@ vpn_map = { |
| 128 | bgp_peer_ip_address_1 = "169.254.0.6" |
| 129 | bgp_peer_ip_range_2 = "169.254.1.5/30" |
| 130 | bgp_peer_ip_address_2 = "169.254.1.6" |
| 131 | + }, |
| 132 | + ace-test = { |
| 133 | + peer_name = "production-ace-test" |
| 134 | + peer_vpn_gateway_address = "128.105.144.189" |
| 135 | + tunnel_shared_secret = "UMAoZA7blv6gd3IaArDqgK2s0sDB8mlI" |
| 136 | + bgp_peer_asn = "65003" |
| 137 | + bgp_peer_ip_range_1 = "169.254.0.9/30" |
| 138 | + bgp_peer_ip_address_1 = "169.254.0.10" |
| 139 | + bgp_peer_ip_range_2 = "169.254.1.9/30" |
| 140 | + bgp_peer_ip_address_2 = "169.254.1.10" |
| 141 | } |
| 142 | } |
| 143 | |
| 144 | .. note:: |
| 145 | Unless you have a specific requirement, set ASN and BGP addresses to the next available values in the map. |
| 146 | |
| 147 | |
| 148 | Create ACE specific configurations |
| 149 | ---------------------------------- |
| 150 | In this step, we will create a directory under `production` with the same name as ACE, |
| 151 | and add several Terraform configurations and Ansible inventory needed to configure a VPN connection. |
| 152 | Throughout the deployment procedure, this directory will contain all ACE specific configurations. |
| 153 | |
| 154 | Run the following commands to auto-generate necessary files under the target ACE directory. |
| 155 | |
| 156 | .. code-block:: shell |
| 157 | |
| 158 | $ cd $WORKDIR/aether-pod-configs/tools |
Hyunsun Moon | 0e080e4 | 2020-11-18 12:53:13 -0800 | [diff] [blame^] | 159 | $ cp ace_env /tmp/ace_env |
| 160 | $ vi /tmp/ace_env |
Hyunsun Moon | a79c742 | 2020-11-18 04:52:56 -0800 | [diff] [blame] | 161 | # Set environment variables |
| 162 | |
Hyunsun Moon | 0e080e4 | 2020-11-18 12:53:13 -0800 | [diff] [blame^] | 163 | $ source /tmp/ace_env |
Hyunsun Moon | a79c742 | 2020-11-18 04:52:56 -0800 | [diff] [blame] | 164 | $ make vpn |
| 165 | Created ../production/ace-test |
| 166 | Created ../production/ace-test/main.tf |
| 167 | Created ../production/ace-test/variables.tf |
| 168 | Created ../production/ace-test/gcp_fw.tf |
| 169 | Created ../production/ace-test/gcp_ha_vpn.tf |
| 170 | Created ../production/ace-test/ansible |
| 171 | Created ../production/ace-test/backend.tf |
| 172 | Created ../production/ace-test/cluster_val.tfvars |
| 173 | Created ../production/ace-test/ansible/hosts.ini |
| 174 | Created ../production/ace-test/ansible/extra_vars.yml |
| 175 | |
| 176 | .. attention:: |
| 177 | The predefined templates are tailored to Pronto BOM. You'll need to fix `cluster_val.tfvars` and `ansible/extra_vars.yml` |
| 178 | when using a different BOM. |
| 179 | |
| 180 | Create a review request |
| 181 | ----------------------- |
| 182 | .. code-block:: shell |
| 183 | |
| 184 | $ cd $WORKDIR/aether-pod-configs/production |
| 185 | $ git status |
| 186 | On branch tools |
| 187 | Changes not staged for commit: |
| 188 | |
| 189 | modified: cluster_map.tfvars |
| 190 | modified: user_map.tfvars |
| 191 | modified: vpn_map.tfvars |
| 192 | |
| 193 | Untracked files: |
| 194 | (use "git add <file>..." to include in what will be committed) |
| 195 | |
| 196 | ace-test/ |
| 197 | |
| 198 | $ git add . |
| 199 | $ git commit -m "Add test ACE" |
| 200 | $ git review |
| 201 | |
| 202 | Once the review request is accepted and merged, |
| 203 | CD pipeline will create VPN tunnels on both GCP and the management node. |
| 204 | |
| 205 | Verify VPN connection |
| 206 | --------------------- |
| 207 | You can verify the VPN connections after successful post-merge job |
| 208 | by checking the routing table on the management node and trying to ping to one of the central cluster VMs. |
| 209 | Make sure two tunnel interfaces, `gcp_tunnel1` and `gcp_tunnel2`, exist |
| 210 | and three additional routing entries via one of the tunnel interfaces. |
| 211 | |
| 212 | .. code-block:: shell |
| 213 | |
| 214 | $ netstat -rn |
| 215 | Kernel IP routing table |
| 216 | Destination Gateway Genmask Flags MSS Window irtt Iface |
| 217 | 0.0.0.0 128.105.144.1 0.0.0.0 UG 0 0 0 eno1 |
| 218 | 10.45.128.0 169.254.0.9 255.255.128.0 UG 0 0 0 gcp_tunnel1 |
| 219 | 10.52.128.0 169.254.0.9 255.255.128.0 UG 0 0 0 gcp_tunnel1 |
| 220 | 10.66.128.0 10.91.0.8 255.255.128.0 UG 0 0 0 eno1 |
| 221 | 10.91.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1 |
| 222 | 10.168.0.0 169.254.0.9 255.255.240.0 UG 0 0 0 gcp_tunnel1 |
| 223 | 128.105.144.0 0.0.0.0 255.255.252.0 U 0 0 0 eno1 |
| 224 | 169.254.0.8 0.0.0.0 255.255.255.252 U 0 0 0 gcp_tunnel1 |
| 225 | 169.254.1.8 0.0.0.0 255.255.255.252 U 0 0 0 gcp_tunnel2 |
| 226 | |
| 227 | $ ping 10.168.0.6 -c 3 |
| 228 | PING 10.168.0.6 (10.168.0.6) 56(84) bytes of data. |
| 229 | 64 bytes from 35.235.67.169: icmp_seq=1 ttl=56 time=67.9 ms |
| 230 | 64 bytes from 35.235.67.169: icmp_seq=2 ttl=56 time=67.4 ms |
| 231 | 64 bytes from 35.235.67.169: icmp_seq=3 ttl=56 time=67.1 ms |
| 232 | |
| 233 | --- 10.168.0.6 ping statistics --- |
| 234 | 3 packets transmitted, 3 received, 0% packet loss, time 2002ms |
| 235 | rtt min/avg/max/mdev = 67.107/67.502/67.989/0.422 ms |
| 236 | |
| 237 | Post VPN setup |
| 238 | -------------- |
| 239 | Once you verify the VPN connections, please update `ansible` directory name to `_ansible` to prevent |
| 240 | the ansible playbook from running again. |
| 241 | Note that it is no harm to re-run the ansible playbook but not recommended. |
| 242 | |
| 243 | .. code-block:: shell |
| 244 | |
| 245 | $ cd $WORKDIR/aether-pod-configs/production/$ACE_NAME |
| 246 | $ mv ansible _ansible |
| 247 | $ git add . |
| 248 | $ git commit -m "Mark ansible done for test ACE" |
| 249 | $ git review |
| 250 | |
| 251 | |
Charles Chan | 4a10722 | 2020-10-30 17:23:48 -0700 | [diff] [blame] | 252 | OS Installation - Switches |
| 253 | ========================== |
| 254 | |
| 255 | .. note:: |
| 256 | |
| 257 | This part will be done automatically once we have a DHCP and HTTP server set up in the infrastructure. |
| 258 | For now, we need to download and install the ONL image manually. |
| 259 | |
| 260 | Install ONL with Docker |
| 261 | ----------------------- |
| 262 | First, enter **ONIE rescue mode**. |
| 263 | |
| 264 | Set up IP and route |
| 265 | ^^^^^^^^^^^^^^^^^^^ |
| 266 | .. code-block:: console |
| 267 | |
| 268 | # ip addr add 10.92.1.81/24 dev eth0 |
| 269 | # ip route add default via 10.92.1.1 |
| 270 | |
| 271 | - `10.92.1.81/24` should be replaced by the actual IP and subnet of the ONL. |
| 272 | - `10.92.1.1` should be replaced by the actual default gateway. |
| 273 | |
| 274 | Download and install ONL |
| 275 | ^^^^^^^^^^^^^^^^^^^^^^^^ |
| 276 | |
| 277 | .. code-block:: console |
| 278 | |
| 279 | # wget https://github.com/opennetworkinglab/OpenNetworkLinux/releases/download/v1.3.2/ONL-onf-ONLPv2_ONL-OS_2020-10-09.1741-f7428f2_AMD64_INSTALLED_INSTALLER |
| 280 | # sh ONL-onf-ONLPv2_ONL-OS_2020-10-09.1741-f7428f2_AMD64_INSTALLED_INSTALLER |
| 281 | |
| 282 | The switch will reboot automatically once the installer is done. |
| 283 | |
| 284 | .. note:: |
| 285 | |
| 286 | Alternatively, we can `scp` the ONL installer into ONIE manually. |
| 287 | |
| 288 | Setup BMC for remote console access |
| 289 | ----------------------------------- |
| 290 | Log in to the BMC from ONL by |
| 291 | |
| 292 | .. code-block:: console |
| 293 | |
| 294 | # ssh root@192.168.0.1 # pass: 0penBmc |
| 295 | |
| 296 | on `usb0` interface. |
| 297 | |
| 298 | Once you are in the BMC, run the following commands to setup IP and route (or offer a fixed IP with DHCP) |
| 299 | |
| 300 | .. code-block:: console |
| 301 | |
| 302 | # ip addr add 10.92.1.85/24 dev eth0 |
| 303 | # ip route add default via 10.92.1.1 |
| 304 | |
| 305 | - `10.92.1.85/24` should be replaced by the actual IP and subnet of the BMC. |
| 306 | Note that it should be different from the ONL IP. |
| 307 | - `10.92.1.1` should be replaced by the actual default gateway. |
| 308 | |
| 309 | BMC uses the same ethernet port as ONL management so you should give it an IP address in the same subnet. |
| 310 | BMC address will preserve during ONL reboot, but won’t be preserved during power outage. |
| 311 | |
| 312 | To log in to ONL console from BMC, run |
| 313 | |
| 314 | .. code-block:: console |
| 315 | |
| 316 | # /usr/local/bin/sol.sh |
| 317 | |
| 318 | If `sol.sh` is unresponsive, please try to restart the mainboard with |
| 319 | |
| 320 | .. code-block:: console |
| 321 | |
| 322 | # wedge_power.sh restart |
| 323 | |
| 324 | Setup network and host name for ONL |
| 325 | ----------------------------------- |
| 326 | |
| 327 | .. code-block:: console |
| 328 | |
| 329 | # hostnamectl set-hostname <host-name> |
| 330 | |
| 331 | # vim.tiny /etc/hosts # update accordingly |
| 332 | # cat /etc/hosts # example |
| 333 | 127.0.0.1 localhost |
| 334 | 10.92.1.81 menlo-staging-spine-1 |
| 335 | |
| 336 | # vim.tiny /etc/network/interfaces.d/ma1 # update accordingly |
| 337 | # cat /etc/network/interfaces.d/ma1 # example |
| 338 | auto ma1 |
| 339 | iface ma1 inet static |
| 340 | address 10.92.1.81 |
| 341 | netmask 255.255.255.0 |
| 342 | gateway 10.92.1.1 |
| 343 | dns-nameservers 8.8.8.8 |