Mirantis Container Cloud Documentation¶
The documentation is intended to help operators understand the core concepts of the product.
The information provided in this documentation set is being constantly improved and amended based on the feedback and kind requests from our software consumers. This documentation set outlines description of the features supported within three latest Container Cloud minor releases and their supported Cluster releases, with a corresponding note Available since <release-version>.
The following table lists the guides included in the documentation set you are reading:
Guide |
Purpose |
|---|---|
Learn the fundamentals of Container Cloud reference architecture to plan your deployment. |
|
Deploy Container Cloud of a preferred configuration using supported deployment profiles tailored to the demands of specific business cases. |
|
Deploy and operate the Container Cloud managed clusters. |
|
Deployment compatibility of the Container Cloud components versions for each product release. |
|
Learn about new features and bug fixes in the current Container Cloud version as well as in the Container Cloud minor releases. |
|
QuickStart Guides |
Easy and lightweight instructions to get started with Container Cloud. |
Intended audience¶
This documentation assumes that the reader is familiar with network and cloud concepts and is intended for the following users:
Infrastructure Operator
Is member of the IT operations team
Has working knowledge of Linux, virtualization, Kubernetes API and CLI, and OpenStack to support the application development team
Accesses Mirantis Container Cloud and Kubernetes through a local machine or web UI
Provides verified artifacts through a central repository to the Tenant DevOps engineers
Tenant DevOps engineer
Is member of the application development team and reports to line-of-business (LOB)
Has working knowledge of Linux, virtualization, Kubernetes API and CLI to support application owners
Accesses Container Cloud and Kubernetes through a local machine or web UI
Consumes artifacts from a central repository approved by the Infrastructure Operator
Conventions¶
This documentation set uses the following conventions in the HTML format:
Convention |
Description |
|---|---|
boldface font |
Inline CLI tools and commands, titles of the procedures and system response examples, table titles. |
|
Files names and paths, Helm charts parameters and their values, names of packages, nodes names and labels, and so on. |
italic font |
Information that distinguishes some concept or term. |
External links and cross-references, footnotes. |
|
Main menu > menu item |
GUI elements that include any part of interactive user interface and menu navigation. |
Superscript |
Some extra, brief information. For example, if a feature is available from a specific release or if a feature is in the Technology Preview development stage. |
Note The Note block |
Messages of a generic meaning that may be useful to the user. |
Caution The Caution block |
Information that prevents a user from mistakes and undesirable consequences when following the procedures. |
Warning The Warning block |
Messages that include details that can be easily missed, but should not be ignored by the user and are valuable before proceeding. |
See also The See also block |
List of references that may be helpful for understanding of some related tools, concepts, and so on. |
Learn more The Learn more block |
Used in the Release Notes to wrap a list of internal references to the reference architecture, deployment and operation procedures specific to a newly implemented product feature. |
Technology Preview features¶
A Technology Preview feature provides early access to upcoming product innovations, allowing customers to experiment with the functionality and provide feedback.
Technology Preview features may be privately or publicly available but neither are intended for production use. While Mirantis will provide assistance with such features through official channels, normal Service Level Agreements do not apply.
As Mirantis considers making future iterations of Technology Preview features generally available, we will do our best to resolve any issues that customers experience when using these features.
During the development of a Technology Preview feature, additional components may become available to the public for evaluation. Mirantis cannot guarantee the stability of such features. As a result, if you are using Technology Preview features, you may not be able to seamlessly update to subsequent product releases, as well as upgrade or migrate to the functionality that has not been announced as full support yet.
Mirantis makes no guarantees that Technology Preview features will graduate to generally available features.
Documentation history¶
The documentation set refers to Mirantis Container Cloud GA as to the latest released GA version of the product. For details about the Container Cloud GA minor releases dates, refer to Container Cloud releases.
Product Overview¶
Mirantis Container Cloud enables you to ship code faster by enabling speed with choice, simplicity, and security. Through a single pane of glass you can deploy, manage, and observe Kubernetes clusters on private clouds or bare metal infrastructure. Container Cloud provides the ability to leverage the following on premises cloud infrastructure: OpenStack, VMware, and bare metal.
The list of the most common use cases includes:
- Multi-cloud
Organizations are increasingly moving toward a multi-cloud strategy, with the goal of enabling the effective placement of workloads over multiple platform providers. Multi-cloud strategies can introduce a lot of complexity and management overhead. Mirantis Container Cloud enables you to effectively deploy and manage container clusters (Kubernetes and Swarm) across multiple cloud provider platforms.
- Hybrid cloud
The challenges of consistently deploying, tracking, and managing hybrid workloads across multiple cloud platforms is compounded by not having a single point that provides information on all available resources. Mirantis Container Cloud enables hybrid cloud workload by providing a central point of management and visibility of all your cloud resources.
- Kubernetes cluster lifecycle management
The consistent lifecycle management of a single Kubernetes cluster is a complex task on its own that is made infinitely more difficult when you have to manage multiple clusters across different platforms spread across the globe. Mirantis Container Cloud provides a single, centralized point from which you can perform full lifecycle management of your container clusters, including automated updates and upgrades.
- Highly regulated industries
Regulated industries need a fine level of access control granularity, high security standards and extensive reporting capabilities to ensure that they can meet and exceed the security standards and requirements. Mirantis Container Cloud provides for a fine-grained Role Based Access Control (RBAC) mechanism and easy integration and federation to existing identity management systems (IDM).
- Logging, monitoring, alerting
A complete operational visibility is required to identify and address issues in the shortest amount of time – before the problem becomes serious. Mirantis StackLight is the proactive monitoring, logging, and alerting solution designed for large-scale container and cloud observability with extensive collectors, dashboards, trend reporting and alerts.
- Storage
Cloud environments require a unified pool of storage that can be scaled up by simply adding storage server nodes. Ceph is a unified, distributed storage system designed for excellent performance, reliability, and scalability. Deploy Ceph utilizing Rook to provide and manage a robust persistent storage that can be used by Kubernetes workloads on the baremetal-based clusters.
- Security
Security is a core concern for all enterprises, especially with more of our systems being exposed to the Internet as a norm. Mirantis Container Cloud provides for a multi-layered security approach that includes effective identity management and role based authentication, secure out of the box defaults and extensive security scanning and monitoring during the development process.
- 5G and Edge
The introduction of 5G technologies and the support of Edge workloads requires an effective multi-tenant solution to manage the underlying container infrastructure. Mirantis Container Cloud provides for a full stack, secure, multi-cloud cluster management and Day-2 operations solution that supports both on premises bare metal and cloud.
Reference Architecture¶
Overview¶
Mirantis Container Cloud is a set of microservices that are deployed using Helm charts and run in a Kubernetes cluster. Container Cloud is based on the Kubernetes Cluster API community initiative.
The following diagram illustrates an overview of Container Cloud and the clusters it manages:
All artifacts used by Kubernetes and workloads are stored on the Container Cloud content delivery network (CDN):
mirror.mirantis.com(Debian packages including the Ubuntu mirrors)binary.mirantis.com(Helm charts and binary artifacts)mirantis.azurecr.io(Docker image registry)
All Container Cloud components are deployed in the Kubernetes clusters. All Container Cloud APIs are implemented using the Kubernetes Custom Resource Definition (CRD) that represents custom objects stored in Kubernetes and allows you to expand Kubernetes API.
The Container Cloud logic is implemented using controllers.
A controller handles the changes in custom resources defined
in the controller CRD.
A custom resource consists of a spec that describes the desired state
of a resource provided by a user.
During every change, a controller reconciles the external state of a custom
resource with the user parameters and stores this external state in the
status subresource of its custom resource.
Container Cloud regions¶
Container Cloud can have several regions. A region is a physical location, for example, a data center, that has access to one or several cloud provider back ends. A separate regional cluster manages a region that can include multiple providers. A region must have a two-way (full) network connectivity between a regional cluster and a cloud provider back end. For example, an OpenStack VM must have access to the related regional cluster. And this regional cluster must have access to the OpenStack floating IPs and load balancers.
The following diagram illustrates the structure of the Container Cloud regions:
Container Cloud cluster types¶
The types of the Container Cloud clusters include:
- Bootstrap cluster
Runs the bootstrap process on a seed node. For the OpenStack or VMware vSphere-based Container Cloud, it can be an operator desktop computer. For the baremetal-based Container Cloud, this is the first temporary data center node.
Requires access to one of the following provider back ends: OpenStack, vSphere, or bare metal.
Contains minimum set of services to deploy the management and regional clusters.
Is destroyed completely after a successful bootstrap.
- Management and regional clusters
Management cluster:
Runs all public APIs and services including the web UIs of Container Cloud.
Does not require access to any provider back end.
Regional cluster:
Is combined with management cluster by default.
Runs the provider-specific services and internal API including LCMMachine and LCMCluster. Also, it runs an LCM controller for orchestrating managed clusters and other controllers for handling different resources.
Requires two-way access to a provider back end. The provider connects to a back end to spawn managed cluster nodes, and the agent running on the nodes accesses the regional cluster to obtain the deployment information.
Requires access to a management cluster to obtain user parameters.
Supports multi-regional deployments. For example, you can deploy a vSphere-based management cluster with vSphere-based and OpenStack-based regional clusters.
Management and regional clusters comprise Container Cloud as product. For deployment details, see Deployment Guide and Deploy an additional regional cluster (optional) sections for the required cloud provider.
- Managed cluster
A Mirantis Kubernetes Engine (MKE) cluster that an end user creates using the Container Cloud web UI.
Requires access to a regional cluster. Each node of a managed cluster runs an LCM Agent that connects to the LCM machine of the regional cluster to obtain the deployment details.
Baremetal-based managed clusters support the Mirantis OpenStack for Kubernetes (MOSK) product. For details, see MOSK documentation.
All types of the Container Cloud clusters except the bootstrap cluster are based on the MKE and Mirantis Container Runtime (MCR) architecture. For details, see MKE and MCR documentation.
The following diagram illustrates the distribution of services between each type of the Container Cloud clusters:
Cloud provider¶
The Mirantis Container Cloud provider is the central component of Container Cloud that provisions a node of a management, regional, or managed cluster and runs the LCM Agent on this node. It runs in a management and regional clusters and requires connection to a provider back end.
The Container Cloud provider interacts with the following types of public API objects:
Public API object name |
Description |
|---|---|
Container Cloud release object |
Contains the following information about clusters:
|
Cluster release object |
|
Cluster object |
|
Machine object |
|
Credentials object |
|
PublicKey object |
Is provided to every machine to obtain an SSH access. |
The following diagram illustrates the Container Cloud provider data flow:
The Container Cloud provider performs the following operations in Container Cloud:
Consumes the below types of data from a management and regional cluster:
Credentials to connect to a provider back end
Deployment instructions from the
KaaSReleaseandClusterReleaseobjectsThe cluster-level parameters from the Cluster objects
The machine-level parameters from the Machine objects
Prepares data for all Container Cloud components:
Creates the
LCMClusterandLCMMachinecustom resources for LCM Controller and LCM Agent. TheLCMMachinecustom resources are created empty to be later handled by the LCM Controller.Creates the
HelmBundlecustom resources for the Helm Controller using data from theKaaSReleaseandClusterReleaseobjects.Creates service accounts for these custom resources.
Creates a scope in Identity and access management (IAM) for a user access to a managed cluster.
Provisions nodes for a managed cluster using the
cloud-initscript that downloads and runs the LCM Agent.Installs Helm Controller as a Helm v3 chart.
Release Controller¶
The Mirantis Container Cloud Release Controller is responsible for the following functionality:
Monitor and control the
KaaSReleaseandClusterReleaseobjects present in a management cluster. If any release object is used in a cluster, the Release Controller prevents the deletion of such an object.Sync the
KaaSReleaseandClusterReleaseobjects published at https://binary.mirantis.com/releases/ with an existing management cluster.Trigger the Container Cloud auto-upgrade procedure if a new
KaaSReleaseobject is found:Search for the managed clusters with old Cluster releases that are not supported by a new Container Cloud release. If any are detected, abort the auto-upgrade and display a corresponding note about an old Cluster release in the Container Cloud web UI for the managed clusters. In this case, a user must update all managed clusters using the Container Cloud web UI. Once all managed clusters are upgraded to the Cluster releases supported by a new Container Cloud release, the Container Cloud auto-upgrade is retriggered by the Release Controller.
Trigger the Container Cloud release upgrade of all Container Cloud components in a management cluster. The upgrade itself is processed by the Container Cloud provider.
Trigger the Cluster release upgrade of a management cluster to the Cluster release version that is indicated in the upgraded Container Cloud release version. The LCMCluster components, such as MKE, are upgraded before the HelmBundle components, such as StackLight or Ceph.
Verify the regional cluster(s) status. If the regional cluster is ready, trigger the Cluster release upgrade of the regional cluster.
Once a management cluster is upgraded, an option to update a managed cluster becomes available in the Container Cloud web UI. During a managed cluster update, all cluster components including Kubernetes are automatically upgraded to newer versions if available. The LCMCluster components, such as MKE, are upgraded before the HelmBundle components, such as StackLight or Ceph.
The Operator can delay the Container Cloud automatic upgrade procedure for a limited amount of time or schedule upgrade to run at desired hours or weekdays. For details, see Schedule Mirantis Container Cloud upgrades.
Container Cloud remains operational during the management and regional clusters upgrade. Managed clusters are not affected during this upgrade. For the list of components that are updated during the Container Cloud upgrade, see the Components versions section of the corresponding Container Cloud release in Release Notes.
When Mirantis announces support of the newest versions of Mirantis Container Runtime (MCR) and Mirantis Kubernetes Engine (MKE), Container Cloud automatically upgrades these components as well. For the maintenance window best practices before upgrade of these components, see MKE Documentation.
See also
Web UI¶
The Mirantis Container Cloud web UI is mainly designed to create and update the managed clusters as well as add or remove machines to or from an existing managed cluster.
You can use the Container Cloud web UI to obtain the management cluster details including endpoints, release version, and so on. The management cluster update occurs automatically with a new release change log available through the Container Cloud web UI.
The Container Cloud web UI is a JavaScript application that is based
on the React framework. The Container Cloud web UI is designed to work
on a client side only. Therefore, it does not require a special back end.
It interacts with the Kubernetes and Keycloak APIs directly.
The Container Cloud web UI uses a Keycloak token
to interact with Container Cloud API and download kubeconfig
for the management and managed clusters.
The Container Cloud web UI uses NGINX that runs on a management cluster and handles the Container Cloud web UI static files. NGINX proxies the Kubernetes and Keycloak APIs for the Container Cloud web UI.
Bare metal¶
The bare metal service provides for the discovery, deployment, and management of bare metal hosts.
The bare metal management in Mirantis Container Cloud is implemented as a set of modular microservices. Each microservice implements a certain requirement or function within the bare metal management system.
Bare metal components¶
The bare metal management solution for Mirantis Container Cloud includes the following components:
Component |
Description |
|---|---|
OpenStack Ironic |
The back-end bare metal manager in a standalone mode with its auxiliary
services that include |
OpenStack Ironic Inspector |
Introspects and discovers the bare metal hosts inventory. Includes OpenStack Ironic Python Agent (IPA) that is used as a provision-time agent for managing bare metal hosts. |
Ironic Operator |
Monitors changes in the external IP addresses of |
Bare Metal Operator |
Manages bare metal hosts through the Ironic API. The Container Cloud bare-metal operator implementation is based on the Metal³ project. |
Bare metal resources manager |
Ensures that the bare metal provisioning artifacts such as the distribution image of the operating system is available and up to date. |
|
The plugin for the Kubernetes Cluster API integrated with Container Cloud.
Container Cloud uses the Metal³ implementation of
|
HAProxy |
Load balancer for external access to the Kubernetes API endpoint. |
LCM Agent |
Used for physical and logical storage, physical and logical network, and control over the life cycle of a bare metal machine resources. |
Ceph |
Distributed shared storage is required by the Container Cloud services to create persistent volumes to store their data. |
MetalLB |
Load balancer for Kubernetes services on bare metal. 1 |
Keepalived |
Monitoring service that ensures availability of the virtual IP for the external load balancer endpoint (HAProxy). 1 |
IPAM |
IP address management services provide consistent IP address space to the machines in bare metal clusters. See details in IP Address Management. |
- 1(1,2)
For details, see Built-in load balancing.
The diagram below summarizes the following components and resource kinds:
Metal³-based bare metal management in Container Cloud (white)
Internal APIs (yellow)
External dependency components (blue)
Bare metal networking¶
This section provides an overview of the networking configuration and the IP address management in the Mirantis Container Cloud on bare metal.
IP Address Management¶
Mirantis Container Cloud on bare metal uses IP Address Management (IPAM) to keep track of the network addresses allocated to bare metal hosts. This is necessary to avoid IP address conflicts and expiration of address leases to machines through DHCP.
Note
Only IPv4 address family is currently supported by Container Cloud and IPAM. IPv6 is not supported and not used in Container Cloud.
IPAM is provided by the kaas-ipam controller. Its functions
include:
Allocation of IP address ranges or subnets to newly created clusters using
SubnetPoolandSubnetresources.Allocation IP addresses to machines and cluster services at the request of
baremetal-providerusing theIpamHostandIPaddrresources.Creation and maintenance of host networking configuration on the bare metal hosts using the
IpamHostresources.
The IPAM service can support different networking topologies and network hardware configurations on the bare metal hosts.
In the most basic network configuration, IPAM uses a single L3 network to assign addresses to all bare metal hosts, as defined in Managed cluster networking.
You can apply complex networking configurations to a bare metal host using the L2 templates. The L2 templates imply multihomed host networking and enable you to create a managed cluster where nodes use separate host networks for different types of traffic. Multihoming is required to ensure the security and performance of a managed cluster.
Caution
Modification of L2 templates in use is allowed with a mandatory validation step from the Infrastructure Operator to prevent accidental cluster failures due to unsafe changes. The list of risks posed by modifying L2 templates includes:
Services running on hosts cannot reconfigure automatically to switch to the new IP addresses and/or interfaces.
Connections between services are interrupted unexpectedly, which can cause data loss.
Incorrect configurations on hosts can lead to irrevocable loss of connectivity between services and unexpected cluster partition or disassembly.
For details, see Modify network configuration on an existing machine.
See also
Management cluster networking¶
The main purpose of networking in a Container Cloud management or regional cluster is to provide access to the Container Cloud Management API that consists of the Kubernetes API of the Container Cloud management and regional clusters and the Container Cloud LCM API. This API allows end users to provision and configure managed clusters and machines. Also, this API is used by LCM Agents in managed clusters to obtain configuration and report status.
The following types of networks are supported for the management and regional clusters in Container Cloud:
- PXE network
Enables PXE boot of all bare metal machines in the Container Cloud region.
- PXE subnet
Provides IP addresses for DHCP and network boot of the bare metal hosts for initial inspection and operating system provisioning. This network may not have the default gateway or a router connected to it. The PXE subnet is defined by the Container Cloud Operator during bootstrap.
Provides IP addresses for the bare metal management services of Container Cloud, such as bare metal provisioning service (Ironic). These addresses are allocated and served by MetalLB.
- Management network
Connects LCM Agents running on the hosts to the Container Cloud LCM API. Serves the external connections to the Container Cloud Management API. The network is also used for communication between
kubeletand the Kubernetes API server inside a Kubernetes cluster. The MKE components use this network for communication inside a swarm cluster.- LCM subnet
Provides IP addresses for the Kubernetes nodes in the management cluster. This network also provides a Virtual IP (VIP) address for the load balancer that enables external access to the Kubernetes API of a management cluster. This VIP is also the endpoint to access the Container Cloud Management API in the management cluster.
Provides IP addresses for the externally accessible services of Container Cloud, such as Keycloak, web UI, StackLight. These addresses are allocated and served by MetalLB.
- Kubernetes workloads network
Technology Preview
Serves the internal traffic between workloads on the management cluster.
- Kubernetes workloads subnet
Provides IP addresses that are assigned to nodes and used by Calico.
- Out-of-Band (OOB) network
Connects to Baseboard Management Controllers of the servers that host the management cluster. The OOB subnet must be accessible from the management network through IP routing. The OOB network is not managed by Container Cloud and is not represented in the IPAM API.
Managed cluster networking¶
A Kubernetes cluster networking is typically focused on connecting pods on different nodes. On bare metal, however, the cluster networking is more complex as it needs to facilitate many different types of traffic.
Kubernetes clusters managed by Mirantis Container Cloud have the following types of traffic:
- PXE network
Enables the PXE boot of all bare metal machines in Container Cloud. This network is not configured on the hosts in a managed cluster. It is used by the bare metal provider to provision additional hosts in managed clusters and is disabled on the hosts after provisioning is done.
- Life-cycle management (LCM) network
Connects LCM Agents running on the hosts to the Container Cloud LCM API. The LCM API is provided by the regional or management cluster. The LCM network is also used for communication between
kubeletand the Kubernetes API server inside a Kubernetes cluster. The MKE components use this network for communication inside a swarm cluster.When using the BGP announcement of the IP address for the cluster API load balancer, which is available as Technology Preview since Container Cloud 2.24.4, no segment stretching is required between Kubernetes master nodes. Also, in this scenario, the load balancer IP address is not required to match the LCM subnet CIDR address.
- LCM subnet(s)
Provides IP addresses that are statically allocated by the IPAM service to bare metal hosts. This network must be connected to the Kubernetes API endpoint of the regional cluster through an IP router. LCM Agents running on managed clusters will connect to the regional cluster API through this router. LCM subnets may be different per managed cluster as long as this connection requirement is satisfied. The Virtual IP (VIP) address for load balancer that enables access to the Kubernetes API of the managed cluster must be allocated from the LCM subnet.
- Cluster API subnet
Technology Preview
Provides a load balancer IP address for external access to the cluster API. Mirantis recommends that this subnet stays unique per managed cluster.
- Kubernetes workloads network
Serves as an underlay network for traffic between pods in the managed cluster. Do not share this network between clusters.
- Kubernetes workloads subnet(s)
Provides IP addresses that are statically allocated by the IPAM service to all nodes and that are used by Calico for cross-node communication inside a cluster. By default, VXLAN overlay is used for Calico cross-node communication.
- Kubernetes external network
Serves ingress traffic to the managed cluster from the outside world. You can share this network between clusters, but with dedicated subnets per cluster. Several or all cluster nodes must be connected to this network. Traffic from external users to the externally available Kubernetes load-balanced services comes through the nodes that are connected to this network.
- Services subnet(s)
Provides IP addresses for externally available Kubernetes load-balanced services. The address ranges for MetalLB are assigned from this subnet. There can be several subnets per managed cluster that define the address ranges or address pools for MetalLB.
- External subnet(s)
Provides IP addresses that are statically allocated by the IPAM service to nodes. The IP gateway in this network is used as the default route on all nodes that are connected to this network. This network allows external users to connect to the cluster services exposed as Kubernetes load-balanced services. MetalLB speakers must run on the same nodes. For details, see Configure node selector for MetalLB speaker.
- Storage network
Serves storage access and replication traffic from and to Ceph OSD services. The storage network does not need to be connected to any IP routers and does not require external access, unless you want to use Ceph from outside of a Kubernetes cluster. To use a dedicated storage network, define and configure both subnets listed below.
- Storage access subnet(s)
Provides IP addresses that are statically allocated by the IPAM service to Ceph nodes. The Ceph OSD services bind to these addresses on their respective nodes. Serves Ceph access traffic from and to storage clients. This is a public network in Ceph terms. 1
- Storage replication subnet(s)
Provides IP addresses that are statically allocated by the IPAM service to Ceph nodes. The Ceph OSD services bind to these addresses on their respective nodes. Serves Ceph internal replication traffic. This is a cluster network in Ceph terms. 1
- Out-of-Band (OOB) network
Connects baseboard management controllers (BMCs) of the bare metal hosts. This network must not be accessible from the managed clusters.
The following diagram illustrates the networking schema of the Container Cloud deployment on bare metal with a managed cluster:
- 1(1,2)
For more details about Ceph networks, see Ceph Network Configuration Reference.
Host networking¶
The following network roles are defined for all Mirantis Container Cloud clusters nodes on bare metal including the bootstrap, management, regional, and managed cluster nodes:
- Out-of-band (OOB) network
Connects the Baseboard Management Controllers (BMCs) of the hosts in the network to Ironic. This network is out of band for the host operating system.
- PXE network
Enables remote booting of servers through the PXE protocol. In management or regional clusters, DHCP server listens on this network for hosts discovery and inspection. In managed clusters, hosts use this network for the initial PXE boot and provisioning.
- LCM network
Connects LCM Agents running on the node to the LCM API of the management or regional cluster. It is also used for communication between
kubeletand the Kubernetes API server inside a Kubernetes cluster. The MKE components use this network for communication inside a swarm cluster. In management or regional clusters, it is replaced by the management network.
- Kubernetes workloads (pods) network
Technology Preview
Serves connections between Kubernetes pods. Each host has an address on this network, and this address is used by Calico as an endpoint to the underlay network.
- Kubernetes external network
Technology Preview
Serves external connection to the Kubernetes API and the user services exposed by the cluster. In management or regional clusters, it is replaced by the management network.
- Management network
Serves external connections to the Container Cloud Management API and services of the management or regional cluster. Not available in a managed cluster.
- Storage access network
Connects Ceph nodes to the storage clients. The Ceph OSD service is bound to the address on this network. This is a public network in Ceph terms. 0
- Storage replication network
Connects Ceph nodes to each other. Serves internal replication traffic. This is a cluster network in Ceph terms. 0
Each network is represented on the host by a virtual Linux bridge. Physical interfaces may be connected to one of the bridges directly, or through a logical VLAN subinterface, or combined into a bond interface that is in turn connected to a bridge.
The following table summarizes the default names used for the bridges connected to the networks listed above:
Network type |
Bridge name |
Assignment method TechPreview |
|---|---|---|
OOB network |
N/A |
N/A |
PXE network |
|
By a static interface name |
Management network |
|
By a subnet label |
Kubernetes workloads network |
|
By a static interface name |
Network type |
Bridge name |
Assignment method |
|---|---|---|
OOB network |
N/A |
N/A |
PXE network |
N/A |
N/A |
LCM network |
|
By a subnet label |
Kubernetes workloads network |
|
By a static interface name |
Kubernetes external network |
|
By a static interface name |
Storage access (public) network |
|
By the subnet label |
Storage replication (cluster) network |
|
By the subnet label |
Storage¶
The baremetal-based Mirantis Container Cloud uses Ceph as a distributed storage system for file, block, and object storage. This section provides an overview of a Ceph cluster deployed by Container Cloud.
Overview¶
Mirantis Container Cloud deploys Ceph on baremetal-based managed clusters using Helm charts with the following components:
- Rook Ceph Operator
A storage orchestrator that deploys Ceph on top of a Kubernetes cluster. Also known as
RookorRook Operator. Rook operations include:Deploying and managing a Ceph cluster based on provided Rook CRs such as
CephCluster,CephBlockPool,CephObjectStore, and so on.Orchestrating the state of the Ceph cluster and all its daemons.
KaaSCephClustercustom resource (CR)Represents the customization of a Kubernetes installation and allows you to define the required Ceph configuration through the Container Cloud web UI before deployment. For example, you can define the failure domain, Ceph pools, Ceph node roles, number of Ceph components such as Ceph OSDs, and so on. The
ceph-kcc-controllercontroller on the Container Cloud management cluster manages theKaaSCephClusterCR.- Ceph Controller
A Kubernetes controller that obtains the parameters from Container Cloud through a CR, creates CRs for Rook and updates its CR status based on the Ceph cluster deployment progress. It creates users, pools, and keys for OpenStack and Kubernetes and provides Ceph configurations and keys to access them. Also, Ceph Controller eventually obtains the data from the OpenStack Controller for the Keystone integration and updates the RADOS Gateway services configurations to use Kubernetes for user authentication. Ceph Controller operations include:
Transforming user parameters from the Container Cloud Ceph CR into Rook CRs and deploying a Ceph cluster using Rook.
Providing integration of the Ceph cluster with Kubernetes.
Providing data for OpenStack to integrate with the deployed Ceph cluster.
- Ceph Status Controller
A Kubernetes controller that collects all valuable parameters from the current Ceph cluster, its daemons, and entities and exposes them into the
KaaSCephClusterstatus. Ceph Status Controller operations include:Collecting all statuses from a Ceph cluster and corresponding Rook CRs.
Collecting additional information on the health of Ceph daemons.
Provides information to the
statussection of theKaaSCephClusterCR.
- Ceph Request Controller
A Kubernetes controller that obtains the parameters from Container Cloud through a CR and manages Ceph OSD lifecycle management (LCM) operations. It allows for a safe Ceph OSD removal from the Ceph cluster. Ceph Request Controller operations include:
Providing an ability to perform Ceph OSD LCM operations.
Obtaining specific CRs to remove Ceph OSDs and executing them.
Pausing the regular Ceph Controller reconcile until all requests are completed.
A typical Ceph cluster consists of the following components:
Ceph Monitors - three or, in rare cases, five Ceph Monitors.
Ceph Managers:
Before Container Cloud 2.22.0, one Ceph Manager.
Since Container Cloud 2.22.0, two Ceph Managers.
RADOS Gateway services - Mirantis recommends having three or more RADOS Gateway instances for HA.
Ceph OSDs - the number of Ceph OSDs may vary according to the deployment needs.
Warning
A Ceph cluster with 3 Ceph nodes does not provide hardware fault tolerance and is not eligible for recovery operations, such as a disk or an entire Ceph node replacement.
A Ceph cluster uses the replication factor that equals 3. If the number of Ceph OSDs is less than 3, a Ceph cluster moves to the degraded state with the write operations restriction until the number of alive Ceph OSDs equals the replication factor again.
The placement of Ceph Monitors and Ceph Managers is defined in the
KaaSCephCluster CR.
The following diagram illustrates the way a Ceph cluster is deployed in Container Cloud:
The following diagram illustrates the processes within a deployed Ceph cluster:
See also
Limitations¶
A Ceph cluster configuration in Mirantis Container Cloud includes but is not limited to the following limitations:
Only one Ceph Controller per a managed cluster and only one Ceph cluster per Ceph Controller are supported.
The replication size for any Ceph pool must be set to more than 1.
Only one CRUSH tree per cluster. The separation of devices per Ceph pool is supported through device classes with only one pool of each type for a device class.
Only the following types of CRUSH buckets are supported:
topology.kubernetes.io/regiontopology.kubernetes.io/zonetopology.rook.io/datacentertopology.rook.io/roomtopology.rook.io/podtopology.rook.io/pdutopology.rook.io/rowtopology.rook.io/racktopology.rook.io/chassis
Only IPv4 is supported.
If two or more Ceph OSDs are located on the same device, there must be no dedicated WAL or DB for this class.
Only a full collocation or dedicated WAL and DB configurations are supported.
The minimum size of any defined Ceph OSD device is 5 GB.
Reducing the number of Ceph Monitors is not supported and causes the Ceph Monitor daemons removal from random nodes.
Removal of the
mgrrole in thenodessection of theKaaSCephClusterCR does not remove Ceph Managers. To remove a Ceph Manager from a node, remove it from thenodesspec and manually delete themgrpod in the Rook namespace.When adding a Ceph node with the Ceph Monitor role, if any issues occur with the Ceph Monitor,
rook-cephremoves it and adds a new Ceph Monitor instead, named using the next alphabetic character in order. Therefore, the Ceph Monitor names may not follow the alphabetical order. For example,a,b,d, instead ofa,b,c.Ceph cluster does not support removable devices (with hotplug enabled) for deploying Ceph OSDs. This limitation has been lifted since Cluster releases 14.0.1 and 15.0.1 delivered in Container Cloud 2.24.2.
Ceph OSDs support only raw disks as data devices meaning that no
dmorlvmdevices are allowed.
Extended hardware configuration¶
Mirantis Container Cloud provides APIs that enable you to define hardware configurations that extend the reference architecture:
Bare Metal Host Profile API
Enables for quick configuration of host boot and storage devices and assigning of custom configuration profiles to individual machines. See Create a custom bare metal host profile.
IP Address Management API
Enables for quick configuration of host network interfaces and IP addresses and setting up of IP addresses ranges for automatic allocation. See Create L2 templates.
Typically, operations with the extended hardware configurations are available through the API and CLI, but not the web UI.
Automatic upgrade of a host operating system¶
To keep operating system on a bare metal host up to date with the latest security updates, the operating system requires periodic software packages upgrade that may or may not require the host reboot.
Mirantis Container Cloud uses life cycle management tools to update the operating system packages on the bare metal hosts. Container Cloud may also trigger restart of bare metal hosts to apply the updates.
In the management cluster of Container Cloud, software package upgrade and host restart is applied automatically when a new Container Cloud version with available kernel or software packages upgrade is released.
In managed clusters, package upgrade and host restart is applied as part of usual cluster upgrade using the Update cluster option in the Container Cloud web UI.
Operating system upgrade and host restart are applied to cluster nodes one by one. If Ceph is installed in the cluster, the Container Cloud orchestration securely pauses the Ceph OSDs on the node before restart. This allows avoiding degradation of the storage service.
Caution
Depending on the cluster configuration, applying security updates and host restart can increase the update time for each node to up to 1 hour.
Cluster nodes are updated one by one. Therefore, for large clusters, the update may take several days to complete.
See also
Built-in load balancing¶
The Mirantis Container Cloud managed clusters that are based on vSphere or bare metal use MetalLB for load balancing of services and HAProxy with VIP managed by Virtual Router Redundancy Protocol (VRRP) with Keepalived for the Kubernetes API load balancer.
Kubernetes API load balancing¶
Every control plane node of each Kubernetes cluster runs the kube-api
service in a container. This service provides a Kubernetes API endpoint.
Every control plane node also runs the haproxy server that provides
load balancing with back-end health checking for all kube-api endpoints as
back ends.
The default load balancing method is least_conn. With this method,
a request is sent to the server with the least number of active
connections. The default load balancing method cannot be changed
using the Container Cloud API.
Only one of the control plane nodes at any given time serves as a front end for Kubernetes API. To ensure this, the Kubernetes clients use a virtual IP (VIP) address for accessing Kubernetes API. This VIP is assigned to one node at a time using VRRP. Keepalived running on each control plane node provides health checking and failover of the VIP.
Keepalived is configured in multicast mode.
Note
The use of VIP address for load balancing of Kubernetes API requires that all control plane nodes of a Kubernetes cluster are connected to a shared L2 segment. This limitation prevents from installing full L3 topologies where control plane nodes are split between different L2 segments and L3 networks.
Caution
External load balancers for services are not supported by the current version of the Container Cloud vSphere provider. The built-in load balancing described in this section is the only supported option and cannot be disabled.
Services load balancing¶
The services provided by the Kubernetes clusters, including
Container Cloud and user services, are balanced by MetalLB.
The metallb-speaker service runs on every worker node in
the cluster and handles connections to the service IP addresses.
MetalLB runs in the MAC-based (L2) mode. It means that all control plane nodes must be connected to a shared L2 segment. This is a limitation that does not allow installing full L3 cluster topologies.
Caution
External load balancers for services are not supported by the current version of the Container Cloud vSphere provider. The built-in load balancing described in this section is the only supported option and cannot be disabled.
VMware vSphere network objects and IPAM recommendations¶
The VMware vSphere provider of Mirantis Container Cloud supports the following types of vSphere network objects:
- Virtual network
A network of virtual machines running on a hypervisor(s) that are logically connected to each other so that they can exchange data. Virtual machines can be connected to virtual networks that you create when you add a network.
- Distributed port group
A port group associated with a vSphere distributed switch that specifies port configuration options for each member port. Distributed port groups define how connection is established through the vSphere distributed switch to the network.
A Container Cloud cluster can be deployed using one of these network objects with or without a DHCP server in the network:
- Non-DHCP
Container Cloud uses IPAM service to manage IP addresses assignment to machines. You must provide additional network parameters, such as CIDR, gateway, IP ranges, and nameservers. Container Cloud processes this data to the
cloud-initmetadata and passes the data to machines during their bootstrap.
- DHCP
Container Cloud relies on a DHCP server to assign IP addresses to virtual machines.
Mirantis recommends using IP address management (IPAM) for cluster machines provided by Container Cloud. IPAM must be enabled for deployment in the non-DHCP vSphere networks. But Mirantis recommends enabling IPAM in the DHCP-based networks as well. In this case, the dedicated IPAM range should not intersect with the IP range used in the DHCP server configuration for the provided vSphere network. Such configuration prevents issues with accidental IP address change for machines. For the issue details, see vSphere troubleshooting.
Note
To obtain IPAM parameters for the selected vSphere network, contact your vSphere administrator who provides you with IP ranges dedicated to your environment only.
The following parameters are required to enable IPAM:
Network CIDR.
Network gateway address.
Minimum 1 DNS server.
IP address include range to be allocated for cluster machines. Make sure that this range is not part of the DHCP range if the network has a DHCP server.
Minimal number of addresses in the range:
3 IPs for management or regional cluster
3+N IPs for a managed cluster, where N is the number of worker nodes
Optional. IP address exclude range that is the list of IPs not to be assigned to machines from the include ranges.
A dedicated Container Cloud network must not contain any virtual machines
with the keepalived instance running inside them as this may lead to the
vrouter_id conflict. By default, the Container Cloud management or
regional cluster is deployed with vrouter_id set to 1.
Managed clusters are deployed with the vrouter_id value starting from
2 and upper.
Kubernetes lifecycle management¶
The Kubernetes lifecycle management (LCM) engine in Mirantis Container Cloud consists of the following components:
- LCM Controller
Responsible for all LCM operations. Consumes the LCMCluster object and orchestrates actions through LCM Agent.
- LCM Agent
Runs on the target host. Executes Ansible playbooks in headless mode.
- Helm Controller
Responsible for the Helm charts life cycle, is installed by a cloud provider as a Helm v3 chart.
The Kubernetes LCM components handle the following custom resources:
LCMCluster
LCMMachine
HelmBundle
The following diagram illustrates handling of the LCM custom resources by
the Kubernetes LCM components. On a managed cluster,
apiserver handles multiple Kubernetes objects,
for example, deployments, nodes, RBAC, and so on.
LCM custom resources¶
The Kubernetes LCM components handle the following custom resources (CRs):
LCMMachine
LCMCluster
HelmBundle
- LCMMachine
Describes a machine that is located on a cluster. It contains the machine
type,controlorworker,StateItemsthat correspond to Ansible playbooks and miscellaneous actions, for example, downloading a file or executing a shell command. LCMMachine reflects the current state of the machine, for example, a node IP address, and eachStateItemthrough its status. Multiple LCMMachine CRs can correspond to a single cluster.- LCMCluster
Describes a managed cluster. In its
spec, LCMCluster contains a set ofStateItemsfor each type of LCMMachine, which describe the actions that must be performed to deploy the cluster. LCMCluster is created by the provider, usingmachineTypesof the Release object. Thestatusfield of LCMCluster reflects the status of the cluster, for example, the number of ready or requested nodes.- HelmBundle
Wrapper for Helm charts that is handled by Helm Controller. HelmBundle tracks what Helm charts must be installed on a managed cluster.
LCM Controller¶
LCM Controller runs on the management and regional cluster and orchestrates
the LCMMachine objects according to their type and their LCMCluster
object.
Once the LCMCluster and LCMMachine objects are created, LCM Controller
starts monitoring them to modify the spec fields and update
the status fields of the LCMMachine objects when required.
The status field of LCMMachine is updated by LCM Agent
running on a node of a management, regional, or managed cluster.
Each LCMMachine has the following lifecycle states:
Uninitialized - the machine is not yet assigned to an
LCMCluster.Pending - the agent reports a node IP address and host name.
Prepare - the machine executes
StateItemsthat correspond to thepreparephase. This phase usually involves downloading the necessary archives and packages.Deploy - the machine executes
StateItemsthat correspond to thedeployphase that is becoming a Mirantis Kubernetes Engine (MKE) node.Ready - the machine is being deployed.
Upgrade - the machine is being upgraded to the new MKE version.
Reconfigure - the machine executes
StateItemsthat correspond to thereconfigurephase. The machine configuration is being updated without affecting workloads running on the machine.
The templates for StateItems are stored in the machineTypes
field of an LCMCluster object, with separate lists
for the MKE manager and worker nodes.
Each StateItem has the execution phase field for a management,
regional, and managed cluster:
The
preparephase is executed for all machines for which it was not executed yet. This phase comprises downloading the files necessary for the cluster deployment, installing the required packages, and so on.During the
deployphase, a node is added to the cluster. LCM Controller applies thedeployphase to the nodes in the following order:First manager node is deployed.
The remaining manager nodes are deployed one by one and the worker nodes are deployed in batches (by default, up to 50 worker nodes at the same time).
LCM Controller deploys and upgrades a Mirantis Container Cloud cluster
by setting StateItems of LCMMachine objects following the corresponding
StateItems phases described above. The Container Cloud cluster upgrade
process follows the same logic that is used for a new deployment,
that is applying a new set of StateItems to the LCMMachines after
updating the LCMCluster object. But if the existing worker node is being
upgraded, LCM Controller performs draining and cordoning on this node honoring
the Pod Disruption Budgets.
This operation prevents unexpected disruptions of the workloads.
LCM Agent¶
LCM Agent handles a single machine that belongs to a management, regional, or
managed cluster.
It runs on the machine operating system but communicates with apiserver
of the regional cluster. LCM Agent is deployed as a systemd unit using
cloud-init. LCM Agent has a built-in self-upgrade mechanism.
LCM Agent monitors the spec of a particular LCMMachine object
to reconcile the machine state with the object StateItems and update
the LCMMachine status accordingly. The actions that LCM Agent performs
while handling the StateItems are as follows:
Download configuration files
Run shell commands
Run Ansible playbooks in headless mode
LCM Agent provides the IP address and hostname of the machine
for the LCMMachine status parameter.
Helm Controller¶
Helm Controller is used by Mirantis Container Cloud to handle management, regional, and managed clusters core addons such as StackLight and the application addons such as the OpenStack components.
Helm Controller is installed as a separate Helm v3 chart by the Container
Cloud provider. Its Pods are created using Deployment.
The Helm release information is stored in the KaaSRelease object for
the management and regional clusters and in the ClusterRelease object
for all types of the Container Cloud clusters.
These objects are used by the Container Cloud provider.
The Container Cloud provider uses the information from the
ClusterRelease object together with the Container Cloud API
Cluster spec. In Cluster spec, the operator can specify
the Helm release name and charts to use.
By combining the information from the Cluster providerSpec parameter
and its ClusterRelease object, the cluster actuator generates
the LCMCluster objects. These objects are further handled by LCM Controller
and the HelmBundle object handled by Helm Controller.
HelmBundle must have the same name as the LCMCluster object
for the cluster that HelmBundle applies to.
Although a cluster actuator can only create a single HelmBundle per cluster, Helm Controller can handle multiple HelmBundle objects per cluster.
Helm Controller handles the HelmBundle objects and reconciles them with the state of Helm in its cluster.
Helm Controller can also be used by the management cluster with corresponding HelmBundle objects created as part of the initial management cluster setup.
Identity and access management¶
Identity and access management (IAM) provides a central point of users and permissions management of the Mirantis Container Cloud cluster resources in a granular and unified manner. Also, IAM provides infrastructure for single sign-on user experience across all Container Cloud web portals.
IAM for Container Cloud consists of the following components:
- Keycloak
Provides the OpenID Connect endpoint
Integrates with an external identity provider (IdP), for example, existing LDAP or Google Open Authorization (OAuth)
Stores roles mapping for users
- IAM Controller
Provides IAM API with data about Container Cloud projects
Handles all role-based access control (RBAC) components in Kubernetes API
- IAM API
Provides an abstraction API for creating user scopes and roles
External identity provider integration¶
To be consistent and keep the integrity of a user database and user permissions, in Mirantis Container Cloud, IAM stores the user identity information internally. However in real deployments, the identity provider usually already exists.
Out of the box, in Container Cloud, IAM supports integration with LDAP and Google Open Authorization (OAuth). If LDAP is configured as an external identity provider, IAM performs one-way synchronization by mapping attributes according to configuration.
In the case of the Google Open Authorization (OAuth) integration, the user is automatically registered and their credentials are stored in the internal database according to the user template configuration. The Google OAuth registration workflow is as follows:
The user requests a Container Cloud web UI resource.
The user is redirected to the IAM login page and logs in using the Log in with Google account option.
IAM creates a new user with the default access rights that are defined in the user template configuration.
The user can access the Container Cloud web UI resource.
The following diagram illustrates the external IdP integration to IAM:
You can configure simultaneous integration with both external IdPs with the user identity matching feature enabled.
Authentication and authorization¶
Mirantis IAM uses the OpenID Connect (OIDC) protocol for handling authentication.
Implementation flow¶
Mirantis IAM performs as an OpenID Connect (OIDC) provider, it issues a token and exposes discovery endpoints.
The credentials can be handled by IAM itself or delegated to an external identity provider (IdP).
The issued JSON Web Token (JWT) is sufficient to perform operations across Mirantis Container Cloud according to the scope and role defined in it. Mirantis recommends using asymmetric cryptography for token signing (RS256) to minimize the dependency between IAM and managed components.
When Container Cloud calls Mirantis Kubernetes Engine (MKE), the user in Keycloak is created automatically with a JWT issued by Keycloak on behalf of the end user. MKE, in its turn, verifies whether the JWT is issued by Keycloak. If the user retrieved from the token does not exist in the MKE database, the user is automatically created in the MKE database based on the information from the token.
The authorization implementation is out of the scope of IAM in Container Cloud. This functionality is delegated to the component level. IAM interacts with a Container Cloud component using the OIDC token content that is processed by a component itself and required authorization is enforced. Such an approach enables you to have any underlying authorization that is not dependent on IAM and still to provide a unified user experience across all Container Cloud components.
Kubernetes CLI authentication flow¶
The following diagram illustrates the Kubernetes CLI authentication flow. The authentication flow for Helm and other Kubernetes-oriented CLI utilities is identical to the Kubernetes CLI flow, but JSON Web Tokens (JWT) must be pre-provisioned.
See also
Monitoring¶
Mirantis Container Cloud uses StackLight, the logging, monitoring, and alerting solution that provides a single pane of glass for cloud maintenance and day-to-day operations as well as offers critical insights into cloud health including operational information about the components deployed in management, regional, and managed clusters. StackLight is based on Prometheus, an open-source monitoring solution and a time series database.
Deployment architecture¶
Mirantis Container Cloud deploys the StackLight stack
as a release of a Helm chart that contains the helm-controller
and helmbundles.lcm.mirantis.com (HelmBundle) custom resources.
The StackLight HelmBundle consists of a set of Helm charts
with the StackLight components that include:
StackLight component |
Description |
|---|---|
Alerta |
Receives, consolidates, and deduplicates the alerts sent by Alertmanager and visually represents them through a simple web UI. Using the Alerta web UI, you can view the most recent or watched alerts, group, and filter alerts. |
Alertmanager |
Handles the alerts sent by client applications such as Prometheus,
deduplicates, groups, and routes alerts to receiver integrations.
Using the Alertmanager web UI, you can view the most recent |
Elasticsearch Curator |
Maintains the data (indexes) in OpenSearch by performing such operations as creating, closing, or opening an index as well as deleting a snapshot. Also, manages the data retention policy in OpenSearch. |
Elasticsearch Exporter Compatible with OpenSearch |
The Prometheus exporter that gathers internal OpenSearch metrics. |
Grafana |
Builds and visually represents metric graphs based on time series databases. Grafana supports querying of Prometheus using the PromQL language. |
Database back ends |
StackLight uses PostgreSQL for Alerta and Grafana. PostgreSQL reduces the data storage fragmentation while enabling high availability. High availability is achieved using Patroni, the PostgreSQL cluster manager that monitors for node failures and manages failover of the primary node. StackLight also uses Patroni to manage major version upgrades of PostgreSQL clusters, which allows leveraging the database engine functionality and improvements as they are introduced upstream in new releases, maintaining functional continuity without version lock-in. |
Logging stack |
Responsible for collecting, processing, and persisting logs and Kubernetes events. By default, when deploying through the Container Cloud web UI, only the metrics stack is enabled on managed clusters. To enable StackLight to gather managed cluster logs, enable the logging stack during deployment. On management clusters, the logging stack is enabled by default. The logging stack components include:
Note The logging mechanism performance depends on the cluster log load. In
case of a high load, you may need to increase the default resource requests
and limits for |
Metric collector |
Collects telemetry data (CPU or memory usage, number of active alerts, and so on) from Prometheus and sends the data to centralized cloud storage for further processing and analysis. Metric collector runs on the management cluster. Note This component is designated for internal StackLight use only. |
Prometheus |
Gathers metrics. Automatically discovers and monitors the endpoints. Using the Prometheus web UI, you can view simple visualizations and debug. By default, the Prometheus database stores metrics of the past 15 days or up to 15 GB of data depending on the limit that is reached first. |
Prometheus Blackbox Exporter |
Allows monitoring endpoints over HTTP, HTTPS, DNS, TCP, and ICMP. |
Prometheus-es-exporter |
Presents the OpenSearch data as Prometheus metrics by periodically sending configured queries to the OpenSearch cluster and exposing the results to a scrapable HTTP endpoint like other Prometheus targets. |
Prometheus Node Exporter |
Gathers hardware and operating system metrics exposed by kernel. |
Prometheus Relay |
Adds a proxy layer to Prometheus to merge the results from underlay Prometheus servers to prevent gaps in case some data is missing on some servers. Is available only in the HA StackLight mode. |
Reference Application Available since 2.21.0 |
Enables workload monitoring on non-MOSK managed clusters. Mimics a classical microservice application and provides metrics that describe the likely behavior of user workloads. Note For the feature support on MOSK deployments, refer to MOSK documentation: Deploy RefApp using automation tools. |
Salesforce notifier |
Enables sending Alertmanager notifications to Salesforce to allow creating Salesforce cases and closing them once the alerts are resolved. Disabled by default. |
Salesforce reporter |
Queries Prometheus for the data about the amount of vCPU, vRAM, and vStorage used and available, combines the data, and sends it to Salesforce daily. Mirantis uses the collected data for further analysis and reports to improve the quality of customer support. Disabled by default. |
Telegraf |
Collects metrics from the system. Telegraf is plugin-driven and has the concept of two distinct set of plugins: input plugins collect metrics from the system, services, or third-party APIs; output plugins write and expose metrics to various destinations. The Telegraf agents used in Container Cloud include:
|
Telemeter |
Enables a multi-cluster view through a Grafana dashboard of the management cluster. Telemeter includes a Prometheus federation push server and clients to enable isolated Prometheus instances, which cannot be scraped from a central Prometheus instance, to push metrics to the central location. The Telemeter services are distributed as follows:
The metrics from managed clusters are aggregated on regional clusters. Then both regional and managed clusters metrics are sent from regional clusters to the management cluster. Note This component is designated for internal StackLight use only. |
Every Helm chart contains a default values.yml file. These default values
are partially overridden by custom values defined in the StackLight Helm chart.
Before deploying a managed cluster, you can select the HA or non-HA StackLight architecture type. The non-HA mode is set by default. On the management and regional clusters, StackLight is deployed in the HA mode only. The following table lists the differences between the HA and non-HA modes:
Non-HA StackLight mode default |
HA StackLight mode |
|---|---|
One persistent volume is provided for storing data. In case of a service or node failure, a new pod is redeployed and the volume is reattached to provide the existing data. Such setup has a reduced hardware footprint but provides less performance. |
Local Volume Provisioner is used to provide local host storage. In case
of a service or node failure, the traffic is automatically redirected to
any other running Prometheus or OpenSearch server. For better
performance, Mirantis recommends that you deploy StackLight in the HA
mode. Two |
Note
Before Container Cloud 2.24.0, Alertmanager has 2 replicas in the non-HA mode.
Depending on the Container Cloud cluster type and selected StackLight database mode, StackLight is deployed on the following number of nodes:
Cluster |
StackLight database mode |
Target nodes |
|---|---|---|
Management and regional |
HA mode |
All Kubernetes master nodes |
Managed |
Non-HA mode |
|
HA mode |
All nodes with the |
Authentication flow¶
StackLight provides five web UIs including Prometheus, Alertmanager, Alerta, OpenSearch Dashboards, and Grafana. Access to StackLight web UIs is protected by Keycloak-based Identity and access management (IAM). All web UIs except Alerta are exposed to IAM through the IAM proxy middleware. The Alerta configuration provides direct integration with IAM.
The following diagram illustrates accessing the IAM-proxied StackLight web UIs, for example, Prometheus web UI:
Authentication flow for the IAM-proxied StackLight web UIs:
A user enters the public IP of a StackLight web UI, for example, Prometheus web UI.
The public IP leads to IAM proxy, deployed as a Kubernetes LoadBalancer, which protects the Prometheus web UI.
LoadBalancer routes the HTTP request to Kubernetes internal IAM proxy service endpoints, specified in the X-Forwarded-Proto or X-Forwarded-Host headers.
The Keycloak login form opens (the
login_urlfield in the IAM proxy configuration, which points to Keycloak realm) and the user enters the user name and password.Keycloak validates the user name and password.
The user obtains access to the Prometheus web UI (the
upstreamsfield in the IAM proxy configuration).
Note
The discovery URL is the URL of the IAM service.
The upstream URL is the hidden endpoint of a web UI (Prometheus web UI in the example above).
The following diagram illustrates accessing the Alerta web UI:
Authentication flow for the Alerta web UI:
A user enters the public IP of the Alerta web UI.
The public IP leads to Alerta deployed as a Kubernetes LoadBalancer type.
LoadBalancer routes the HTTP request to the Kubernetes internal Alerta service endpoint.
The Keycloak login form opens (Alerta refers to the IAM realm) and the user enters the user name and password.
Keycloak validates the user name and password.
The user obtains access to the Alerta web UI.
Supported features¶
Using the Mirantis Container Cloud web UI, on the pre-deployment stage of a managed cluster, you can view, enable or disable, or tune the following StackLight features available:
StackLight HA mode.
Database retention size and time for Prometheus.
Tunable index retention period for OpenSearch.
Tunable
PersistentVolumeClaim(PVC) size for Prometheus and OpenSearch set to 16 GB for Prometheus and 30 GB for OpenSearch by default. The PVC size must be logically aligned with the retention periods or sizes for these components.Email and Slack receivers for the Alertmanager notifications.
Predefined set of dashboards.
Predefined set of alerts and capability to add new custom alerts for Prometheus in the following exemplary format:
- alert: HighErrorRate expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5 for: 10m labels: severity: page annotations: summary: High request latency
Monitored components¶
StackLight measures, analyzes, and reports in a timely manner about failures that may occur in the following Mirantis Container Cloud components and their sub-components, if any:
Ceph
Ironic (Container Cloud bare-metal provider)
Kubernetes services:
Calico
etcd
Kubernetes cluster
Kubernetes containers
Kubernetes deployments
Kubernetes nodes
NGINX
Node hardware and operating system
PostgreSQL
StackLight:
Alertmanager
OpenSearch
Grafana
Prometheus
Prometheus Relay
Salesforce notifier
Telemeter
SSL certificates
Mirantis Kubernetes Engine (MKE)
Docker/Swarm metrics (through Telegraf)
Built-in MKE metrics
Outbound cluster metrics¶
The data collected and transmitted through an encrypted channel back to Mirantis provides our Customer Success Organization information to better understand the operational usage patterns our customers are experiencing as well as to provide feedback on product usage statistics to enable our product teams to enhance our products and services for our customers.
Since Container Cloud 2.21.0, the summary of all deployed Container Cloud configurations is also collected. The data is anonymized from all sensitive information, such as IDs, IP addresses, passwords, private keys, and so on. Mirantis collects information about the following Container Cloud objects, if any:
|
|
|
The node-level resource data are broken down into three broad categories: Cluster, Node, and Namespace. The telemetry data tracks Allocatable, Capacity, Limits, Requests, and actual Usage of node-level resources.
Term |
Definition |
|---|---|
Allocatable |
On a Kubernetes Node, the amount of compute resources that are available for pods |
Capacity |
The total number of available resources regardless of current consumption |
Limits |
Constraints imposed by Administrators |
Requests |
The resources that a given container application is requesting |
Usage |
The actual usage or consumption of a given resource |
The full list of the outbound data includes:
From all Container Cloud managed clusters
cluster_alerts_firingSince 2.23.0cluster_filesystem_size_bytescluster_filesystem_usage_bytescluster_filesystem_usage_ratiocluster_master_nodes_totalcluster_nodes_totalcluster_persistentvolumeclaim_requests_storage_bytescluster_total_alerts_triggeredcluster_capacity_cpu_corescluster_capacity_memory_bytescluster_usage_cpu_corescluster_usage_memory_bytescluster_usage_per_capacity_cpu_ratiocluster_usage_per_capacity_memory_ratiocluster_worker_nodes_totalcluster_workload_pods_totalSince 2.22.0cluster_workload_containers_totalSince 2.22.0kaas_infokaas_cluster_machines_ready_totalkaas_cluster_machines_requested_totalkaas_clusterskaas_cluster_updatingSince 2.21.0kaas_license_expirykaas_machines_readykaas_machines_requestedkubernetes_api_availabilitynode_labelsSince 2.24.0mke_api_availabilitymke_cluster_nodes_totalmke_cluster_containers_totalmke_cluster_vcpu_freemke_cluster_vcpu_usedmke_cluster_vram_freemke_cluster_vram_usedmke_cluster_vstorage_freemke_cluster_vstorage_used
From Mirantis OpenStack for Kubernetes (MOSK) clusters only
openstack_cinder_api_latency_90openstack_cinder_api_latency_99openstack_cinder_api_statusopenstack_cinder_availabilityopenstack_cinder_volumes_totalopenstack_glance_api_statusopenstack_glance_availabilityopenstack_glance_images_totalopenstack_glance_snapshots_totalopenstack_heat_availabilityopenstack_heat_stacks_totalopenstack_host_aggregate_instancesRemoved in 2.24.0openstack_host_aggregate_memory_used_ratioRemoved in 2.24.0openstack_host_aggregate_memory_utilisation_ratioRemoved in 2.24.0openstack_host_aggregate_cpu_utilisation_ratioRemoved in 2.24.0openstack_host_aggregate_vcpu_used_ratioRemoved in 2.24.0openstack_instance_availabilityopenstack_instance_create_endopenstack_instance_create_erroropenstack_instance_create_startopenstack_keystone_api_latency_90openstack_keystone_api_latency_99openstack_keystone_api_statusopenstack_keystone_availabilityopenstack_keystone_tenants_totalopenstack_keystone_users_totalopenstack_kpi_provisioningopenstack_lbaas_availabilityopenstack_mysql_flow_controlopenstack_neutron_api_latency_90openstack_neutron_api_latency_99openstack_neutron_api_statusopenstack_neutron_availabilityopenstack_neutron_lbaas_loadbalancers_totalopenstack_neutron_networks_totalopenstack_neutron_ports_totalopenstack_neutron_routers_totalopenstack_neutron_subnets_totalopenstack_nova_all_compute_cpu_utilisationSince MOSK 22.4openstack_nova_all_compute_mem_utilisationSince MOSK 22.4openstack_nova_all_computes_totalSince MOSK 22.4openstack_nova_all_vcpus_totalSince MOSK 22.4openstack_nova_all_used_vcpus_totalSince MOSK 22.4openstack_nova_all_ram_total_gbSince MOSK 22.4openstack_nova_all_used_ram_total_gbSince MOSK 22.4openstack_nova_all_disk_total_gbSince MOSK 22.4openstack_nova_all_used_disk_total_gbSince MOSK 22.4openstack_nova_api_statusopenstack_nova_availabilityopenstack_nova_compute_cpu_utilisationopenstack_nova_compute_mem_utilisationopenstack_nova_computes_totalopenstack_nova_disk_total_gbopenstack_nova_instances_active_totalopenstack_nova_ram_total_gbopenstack_nova_used_disk_total_gbopenstack_nova_used_ram_total_gbopenstack_nova_used_vcpus_totalopenstack_nova_vcpus_totalopenstack_rmq_message_derivopenstack_quota_instancesopenstack_quota_ram_gbopenstack_quota_vcpusopenstack_quota_volume_storage_gbopenstack_usage_instancesopenstack_usage_ram_gbopenstack_usage_vcpusopenstack_usage_volume_storage_gb
StackLight proxy¶
StackLight components, which require external access, automatically use the same proxy that is configured for Mirantis Container Cloud clusters. Therefore, you only need to configure proxy during deployment of your management, regional, or managed clusters. No additional actions are required to set up proxy for StackLight. For more details about implementation of proxy support in Container Cloud, see Proxy and cache support.
Note
Proxy handles only the HTTP and HTTPS traffic. Therefore, for clusters with limited or no Internet access, it is not possible to set up Alertmanager email notifications, which use SMTP, when proxy is used.
Proxy is used for the following StackLight components:
Component |
Cluster type |
Usage |
|---|---|---|
Alertmanager |
Any |
As a default http_config
for all HTTP-based receivers except the predefined HTTP-alerta and
HTTP-salesforce. For these receivers, |
Metric Collector |
Management |
To send outbound cluster metrics to Mirantis. |
Salesforce notifier |
Any |
To send notifications to the Salesforce instance. |
Salesforce reporter |
Any |
To send metric reports to the Salesforce instance. |
Telemeter client |
Regional |
To send all metrics from the clusters of a region, including the managed and regional clusters, to the management cluster. Proxy is not used for the Telemeter client on managed clusters because managed clusters must have a direct access to their regional cluster. |
Reference Application for workload monitoring¶
Available since 2.21.0 for non-MOSK managed clusters
Note
For the feature support on MOSK deployments, refer to MOSK documentation: Deploy RefApp using automation tools.
Reference Application is a small microservice application that enables workload monitoring on non-MOSK managed clusters. It mimics a classical microservice application and provides metrics that describe the likely behavior of user workloads.
The application consists of the following API and database services that allow putting simple records into the database through the API and retrieving them:
- Reference Application API
Runs on StackLight nodes and provides API access to the database. Runs three API instances for high availability.
- PostgreSQL Since Container Cloud 2.22.0
Runs on worker nodes and stores the data on an attached PersistentVolumeClaim (PVC). Runs three database instances for high availability.
Note
Before version 2.22.0, Container Cloud used MariaDB as the database management system instead of PostgreSQL.
StackLight queries the API measuring response times for each query. No caching is being done, so each API request must go to the database, allowing to verify the availability of a stateful workload on the cluster.
Reference Application requires the following resources on top of the main product requirements:
Up to 1 GiB of RAM per cluster
Up to 3 GiB of storage per cluster
The feature is disabled by default and can be enabled using the StackLight configuration manifest as described in StackLight configuration parameters: Reference Application.
Hardware and system requirements¶
Using Mirantis Container Cloud, you can deploy a Mirantis Kubernetes Engine (MKE) cluster on bare metal, OpenStack, or VMware vSphere cloud providers. Each cloud provider requires corresponding resources.
Note
Using the free Mirantis license, you can create up to three Container Cloud managed clusters with three worker nodes on each cluster. If you need to increase this quota, contact Mirantis support for further details.
Requirements for a bootstrap node¶
A bootstrap node is necessary only to deploy the management cluster. When the bootstrap is complete, the bootstrap node can be redeployed and its resources can be reused for the managed cluster workloads.
The minimum reference system requirements of a baremetal-based bootstrap seed node are described in System requirements for the seed node. The minimum reference system requirements a bootstrap node for other supported Container Cloud providers are as follows:
Any local machine on Ubuntu 20.04 that requires access to the provider API with the following configuration:
2 vCPUs
4 GB of RAM
5 GB of available storage
Docker version currently available for Ubuntu 20.04
Internet access for downloading of all required artifacts
Note
For the vSphere cloud provider, you can use RHEL 7.9 as the operating system for the bootstrap node. The system requirements are the same as for Ubuntu.
Requirements for a baremetal-based cluster¶
If you use a firewall or proxy, make sure that the bootstrap, management, and regional clusters have access to the following IP ranges and domain names required for the Container Cloud content delivery network and alerting:
IP ranges:
Microsoft Azure (only IPs for
MicrosoftContainerRegistry)Amazon AWS (only IPs for
"service": "CLOUDFRONT")
Domain names:
mirror.mirantis.com and repos.mirantis.com for packages
binary.mirantis.com for binaries and Helm charts
mirantis.azurecr.io and *.blob.core.windows.net for Docker images
mcc-metrics-prod-ns.servicebus.windows.net:9093 for Telemetry (port 443 if proxy is enabled)
mirantis.my.salesforce.com and login.salesforce.com for Salesforce alerts
Note
Access to Salesforce is required from any Container Cloud cluster type.
If any additional Alertmanager notification receiver is enabled, for example, Slack, its endpoint must also be accessible from the cluster.
Reference hardware configuration¶
The following hardware configuration is used as a reference to deploy Mirantis Container Cloud with bare metal Container Cloud clusters with Mirantis Kubernetes Engine.
Server role |
Management cluster |
Managed cluster |
|---|---|---|
# of servers 0 |
3 1 |
6 2 |
CPU sockets |
1 |
1 |
RAM, GB |
128 |
128 |
SSD system, GB 3 |
1x 960 |
1x 960 |
SSD/HDD storage, GB 4 |
1x 1900 |
2x 1900 |
Onboard LAN ports |
2 |
2 |
Discrete NICs |
2 |
2 |
Total LAN ports 5 |
6 |
6 |
- 0
The Container Cloud reference architecture uses the following hardware models:
Server - Supermicro 1U SYS-6018R-TDW
CPU - Intel Xeon E5-2620v4
Discrete NICs - Intel X520-DA2
- 1
Adding more than 3 nodes to a management or regional cluster is not supported.
- 2
Three
managernodes for HA and threeworker storagenodes for a minimal Ceph cluster. For more details about Ceph requirements, see Management cluster storage.- 3
A management cluster requires 2 volumes for Container Cloud (total 50 GB) and 5 volumes for StackLight (total 60 GB). A managed cluster requires 5 volumes for StackLight.
- 4
In total, at least 2 disks are required:
sda- minimum 120 GB for systemsdb- minimum 120 GB forLocalVolumeProvisioner
For the default storage schema, see Default configuration of the host system storage
- 5
Only one PXE port per node is allowed. OOB management (IPMI) port is not included.
See also
System requirements for the seed node¶
The seed node is necessary only to deploy the management cluster. When the bootstrap is complete, the bootstrap node can be redeployed and its resources can be reused for the managed cluster workloads.
The minimum reference system requirements for a baremetal-based bootstrap seed node are as follows:
Basic server on Ubuntu 20.04 with the following configuration:
Kernel version 4.15.0-76.86 or later
8 GB of RAM
4 CPU
10 GB of free disk space for the bootstrap cluster cache
No DHCP or TFTP servers on any NIC networks
Routable access IPMI network for the hardware servers. For more details, see Host networking.
Internet access for downloading of all required artifacts
Network fabric¶
The following diagram illustrates the physical and virtual L2 underlay networking schema for the final state of the Mirantis Container Cloud bare metal deployment.
The network fabric reference configuration is a spine/leaf with 2 leaf ToR switches and one out-of-band (OOB) switch per rack.
Reference configuration uses the following switches for ToR and OOB:
Cisco WS-C3560E-24TD has 24 of 1 GbE ports. Used in OOB network segment.
Dell Force 10 S4810P has 48 of 1/10GbE ports. Used as ToR in Common/PXE network segment.
In the reference configuration, all odd interfaces from NIC0 are connected
to TOR Switch 1, and all even interfaces from NIC0 are connected
to TOR Switch 2. The Baseboard Management Controller (BMC) interfaces
of the servers are connected to OOB Switch 1.
The following recommendations apply to all types of nodes:
Use the Link Aggregation Control Protocol (LACP) bonding mode with MC-LAG domains configured on leaf switches. This corresponds to the
802.3adbond mode on hosts.Use ports from different multi-port NICs when creating bonds. This makes network connections redundant if failure of a single NIC occurs.
Configure the ports that connect servers to the PXE network with PXE VLAN as native or untagged. On these ports, configure LACP fallback to ensure that the servers can reach DHCP server and boot over network.
See also
Management cluster storage¶
The management cluster requires minimum two storage devices per node. Each device is used for different type of storage.
The first device is always used for boot partitions and the root file system. SSD is recommended. RAID device is not supported.
One storage device per server is reserved for local persistent volumes. These volumes are served by the Local Storage Static Provisioner (
local-volume-provisioner) and used by many services of Container Cloud.
You can configure host storage devices using the BareMetalHostProfile
resources. For details, see Customize the default bare metal host profile.
Requirements for an OpenStack-based cluster¶
While planning the deployment of an OpenStack-based Mirantis Container Cloud cluster with Mirantis Kubernetes Engine (MKE), consider the following general requirements:
Kubernetes on OpenStack requires the Cinder API V3 and Octavia API availability.
Mirantis supports deployments based on OpenStack Victoria or Yoga with Open vSwitch (OVS) or Tungsten Fabric (TF) on top of Mirantis OpenStack for Kubernetes (MOSK) Victoria or Yoga with TF.
For system requirements for a bootstrap node, see Requirements for a bootstrap node.
If you use a firewall or proxy, make sure that the bootstrap, management, and regional clusters have access to the following IP ranges and domain names required for the Container Cloud content delivery network and alerting:
IP ranges:
Microsoft Azure (only IPs for
MicrosoftContainerRegistry)Amazon AWS (only IPs for
"service": "CLOUDFRONT")
Domain names:
mirror.mirantis.com and repos.mirantis.com for packages
binary.mirantis.com for binaries and Helm charts
mirantis.azurecr.io and *.blob.core.windows.net for Docker images
mcc-metrics-prod-ns.servicebus.windows.net:9093 for Telemetry (port 443 if proxy is enabled)
mirantis.my.salesforce.com and login.salesforce.com for Salesforce alerts
Note
Access to Salesforce is required from any Container Cloud cluster type.
If any additional Alertmanager notification receiver is enabled, for example, Slack, its endpoint must also be accessible from the cluster.
Note
The requirements in this section apply to the latest supported Container Cloud release.
Resource |
Management or regional cluster |
Managed cluster |
Comments |
|---|---|---|---|
# of nodes |
3 (HA) + 1 (Bastion) |
5 (6 with StackLight HA) |
|
# of vCPUs per node |
8 |
8 |
|
RAM in GB per node |
24 |
16 |
To prevent issues with low RAM, Mirantis recommends the following types of instances for a managed cluster with 50-200 nodes:
The Bastion node requires 1 GB of RAM. |
Storage in GB per node |
120 |
120 |
|
Operating system |
Ubuntu 20.04
CentOS 7.9 0
|
Ubuntu 20.04
CentOS 7.9 0
|
For management, regional, and managed clusters, a base Ubuntu 20.04 or CentOS 7.9 image must be present in Glance. |
MCR |
20.10.17 Since 2.24.0
20.10.13 Before 2.24.0
|
20.10.17 Since 2.24.0
20.10.13 Before 2.24.0
|
Mirantis Container Runtime (MCR) is deployed by Container Cloud as a Container Runtime Interface (CRI) instead of Docker Engine. |
OpenStack version |
Queens, Victoria, Yoga |
Queens, Victoria, Yoga |
OpenStack Victoria and Yoga are supported on top of MOSK clusters. |
Obligatory OpenStack components |
Octavia, Cinder, OVS/TF |
Octavia, Cinder, OVS/TF |
|
# of Cinder volumes |
7 (total 110 GB) |
5 (total 60 GB) |
|
# of load balancers |
10 (management) + 7 (regional) |
6 |
|
# of floating IPs |
11 (management) + 8 (regional) |
11 |
|
Requirements for a VMware vSphere-based cluster¶
Note
Container Cloud is developed and tested on VMware vSphere 7.0 and 6.7.
For system requirements for a bootstrap node, see Requirements for a bootstrap node.
If you use a firewall or proxy, make sure that the bootstrap, management, and regional clusters have access to the following IP ranges and domain names required for the Container Cloud content delivery network and alerting:
IP ranges:
Microsoft Azure (only IPs for
MicrosoftContainerRegistry)Amazon AWS (only IPs for
"service": "CLOUDFRONT")
Domain names:
mirror.mirantis.com and repos.mirantis.com for packages
binary.mirantis.com for binaries and Helm charts
mirantis.azurecr.io and *.blob.core.windows.net for Docker images
mcc-metrics-prod-ns.servicebus.windows.net:9093 for Telemetry (port 443 if proxy is enabled)
mirantis.my.salesforce.com and login.salesforce.com for Salesforce alerts
Note
Access to Salesforce is required from any Container Cloud cluster type.
If any additional Alertmanager notification receiver is enabled, for example, Slack, its endpoint must also be accessible from the cluster.
Note
The requirements in this section apply to the latest supported Container Cloud release.
Resource |
Management cluster |
Managed cluster |
Comments |
|---|---|---|---|
# of nodes |
3 (HA) |
5 (6 with StackLight HA) |
|
# of vCPUs per node |
8 |
8 |
Refer to the RAM recommendations described below to plan resources for different types of nodes. |
RAM in GB per node |
32 |
16 |
To prevent issues with low RAM, Mirantis recommends the following VM templates for a managed cluster with 50-200 nodes:
|
Storage in GB per node |
120 |
120 |
The listed amount of disk space must be available as a shared datastore of any type, for example, NFS or vSAN, mounted on all hosts of the vCenter cluster. |
Operating system |
For a management and managed cluster, a base OS VM template must be present in the VMware VM templates folder available to Container Cloud. For details about the template, see Prepare the virtual machine template. |
||
RHEL license
(for RHEL deployments only)
|
This license type allows running unlimited guests inside one hypervisor. The amount of licenses is equal to the amount of hypervisors in vCenter Server, which will be used to host RHEL-based machines. Container Cloud will schedule machines according to scheduling rules applied to vCenter Server. Therefore, make sure that your RedHat Customer portal account has enough licenses for allowed hypervisors. |
||
MCR |
20.10.17
|
20.10.17
|
Mirantis Container Runtime (MCR) is deployed by Container Cloud as a Container Runtime Interface (CRI) instead of Docker Engine. |
VMware vSphere version |
7.0, 6.7 |
7.0, 6.7 |
|
cloud-init version |
19.4 for RHEL/CentOS 7.9
20.3 for RHEL 8.7 TechPreview
|
19.4 for RHEL/CentOS 7.9
20.3 for RHEL 8.7 TechPreview
|
The minimal |
VMware Tools version |
11.0.5 |
11.0.5 |
The minimal |
Obligatory vSphere capabilities |
DRS,
Shared datastore
|
DRS,
Shared datastore
|
A shared datastore must be mounted on all hosts of the vCenter cluster. Combined with Distributed Resources Scheduler (DRS), it ensures that the VMs are dynamically scheduled to the cluster hosts. |
IP subnet size |
/24 |
/24 |
Consider the supported VMware vSphere network objects and IPAM recommendations. Minimal IP addresses distribution:
|
- 1(1,2)
RHEL 7.8 deployment is possible with allowed access to the
rhel-7-server-rpmsrepository provided by the Red Hat Enterprise Linux Server 7 x86_64. Verify that your RHEL license or activation key meets this requirement.- 2(1,2,3,4,5,6)
CentOS 7.9 and RHEL 8.7 deployments are available as Technology Preview. Use this configuration for testing and evaluation purposes only.
A Container Cloud cluster based on mixed operating systems, such as RHEL and CentOS, or on mixed versions of RHEL, such as RHEL 7.9 and 8.7, is not supported.
See also
Proxy and cache support¶
Proxy support¶
If you require all Internet access to go through a proxy server for security and audit purposes, you can bootstrap management and regional clusters using proxy. The proxy server settings consist of three standard environment variables that are set prior to the bootstrap process:
HTTP_PROXYHTTPS_PROXYNO_PROXY
These settings are not propagated to managed clusters. However, you can enable a separate proxy access on a managed cluster using the Container Cloud web UI. This proxy is intended for the end user needs and is not used for a managed cluster deployment or for access to the Mirantis resources.
Caution
Since Container Cloud uses the OpenID Connect (OIDC) protocol for IAM authentication, management clusters require a direct non-proxy access from regional and managed clusters.
StackLight components, which require external access, automatically use the same proxy that is configured for Container Cloud clusters.
On the managed clusters with limited Internet access, a proxy is required for StackLight components that use HTTP and HTTPS and are disabled by default but need external access if enabled, for example, for the Salesforce integration and Alertmanager notifications external rules. For more details about proxy implementation in StackLight, see StackLight proxy.
For the list of Mirantis resources and IP addresses to be accessible from the Container Cloud clusters, see Hardware and system requirements.
After enabling proxy support on regional and managed clusters, proxy is used for:
Docker and CDN traffic on regional clusters
Docker traffic on managed clusters
StackLight
OpenStack on MOSK-based clusters
Artifacts caching¶
The Container Cloud managed clusters are deployed without direct Internet access in order to consume less Internet traffic in your cloud. The Mirantis artifacts used during managed clusters deployment are downloaded through a cache running on a regional cluster. The feature is enabled by default on new managed clusters and will be automatically enabled on existing clusters during upgrade to the latest version.
Caution
IAM operations require a direct non-proxy access of a managed cluster to a management cluster.
Firewall configuration¶
This section includes the details about ports and protocols used in a Container Cloud deployment.
Container Cloud¶
Component |
Network |
Protocol |
Port |
Consumers |
|---|---|---|---|---|
Web UI, cache, Kubernetes API, and others |
LCM API/Mgmt |
TCP |
443, 6443 |
External clients |
Squid Proxy |
LCM API/Mgmt |
TCP |
3128 |
Applicable to the vSphere provider only. All nodes in management and managed clusters. |
SSH |
LCM API/Mgmt |
TCP |
22 |
External clients |
Chrony |
LCM_API/Mgmt |
TCP |
323 |
All nodes in management and managed clusters. |
NTP |
LCM_API/Mgmt |
UDP |
123 |
All nodes in management and managed clusters. |
LDAP |
LCM API/Mgmt |
UDP |
389 |
|
LDAPs |
LCM API/Mgmt |
TCP/UDP |
686 |
Component |
Network |
Protocol |
Port |
|---|---|---|---|
Ironic |
LCM 0 |
TCP/UDP |
|
Ironic syslog |
PXE |
TCP/UDP |
|
Ironic image repo |
PXE |
TCP |
80 |
MKE/Kubernetes API |
LCM 0 |
TCP/UDP |
|
BOOTP |
PXE |
UDP |
68 |
DHCP server |
PXE |
UDP |
67 |
IPMI |
PXE/LCM 0 |
TCP/UDP |
|
SSH |
PXE/LCM |
TCP |
22 |
DNS |
LCM 0 |
TCP/UDP |
53 |
NTP |
LCM 0 |
TCP/UDP |
123 |
TFTP |
PXE |
UDP |
69 |
Squid Proxy |
LCM 0 |
TCP |
3128 |
LDAP |
LCM 0 |
TCP |
636 |
HTTPS |
LCM 0 |
TCP |
443 |
StackLight |
LCM 0 |
TCP |
9091, 9100, 9126 |
Mirantis Kubernetes Engine¶
For available Mirantis Kubernetes Engine (MKE) ports, refer to MKE Documentation: Open ports to incoming traffic.
StackLight¶
The tables below contain the details about ports and protocols used by different StackLight components.
Warning
This section does not describe communications within the cluster network.
User interfaces¶
Component |
Network |
Direction |
Port/Protocol |
Consumer |
Comments |
|---|---|---|---|---|---|
Alerta UI |
External network (LB service) |
Inbound |
443/TCP/HTTPS |
Cluster users |
Add the assigned external IP to the |
Alertmanager UI |
External network (LB service) |
Inbound |
443/TCP/HTTPS |
Cluster users |
Add the assigned external IP to the |
Grafana UI |
External network (LB service) |
Inbound |
443/TCP/HTTPS |
Cluster users |
Add the assigned external IP to the |
OpenSearch Dashboards UI |
External network (LB service) |
Inbound |
443/TCP/HTTPS |
Cluster users |
Only when the StackLight logging stack
is enabled. Add the assigned external IP to the |
Prometheus UI |
External network (LB service) |
Inbound |
443/TCP/HTTPS |
Cluster users |
Add the assigned external IP to the |
Alertmanager notifications receivers¶
Component |
Network |
Direction |
Port/Protocol |
Destination |
Comments |
|---|---|---|---|---|---|
Alertmanager Email notifications integration |
Cluster network |
Outbound |
TCP/SMTP |
Depends on the configuration, see the comment. |
Only when email notifications
are enabled. Add an SMTP host URL to the |
Alertmanager Microsoft Teams notifications integration |
Cluster network |
Outbound |
TCP/HTTPS |
Depends on the configuration, see the comment. |
Only when Microsoft Teams notifications
are enabled. Add a webhook URL to the |
Alertmanager Salesforce notifications integration |
Cluster network |
Outbound |
TCP/HTTPS |
For Mirantis support mirantis.my.salesforce.com and login.salesforce.com. Depends on the configuration, see the comment. |
Only when Salesforce notifications
are enabled. Add an SF instance URL and an SF login URL to the |
Alertmanager ServiceNow notifications integration |
Cluster network |
Outbound |
TCP/HTTPS |
Depends on the configuration, see the comment. |
Only when notifications to ServiceNow
are enabled. Add a configured ServiceNow URL to the |
Alertmanager Slack notifications integration |
Cluster network |
Outbound |
TCP/HTTPS |
Depends on the configuration, see the comment. |
Only when notifications to Slack
are enabled. Add a configured Slack URL to the |
Notification integration of Alertmanager generic receivers |
Cluster network |
Outbound |
Customizable, see the comment |
Depends on the configuration, see the comment. |
Only when any custom Alertmanager integration
is enabled. Depending on the integration type, add the corresponding URL to the |
External integrations¶
Component |
Network |
Direction |
Port/Protocol |
Destination |
Comments |
|---|---|---|---|---|---|
Salesforce reporter |
Cluster network |
Outbound |
TCP/HTTPS |
For Mirantis support mirantis.my.salesforce.com and login.salesforce.com. Depends on the configuration, see the comment. |
Only when the
Salesforce reporter
is enabled. Add a SF instance URL and SF login URL to the |
Prometheus Remote Write |
Cluster network |
Outbound |
TCP |
Depends on the configuration, see the comment. |
Only when the
Prometheus Remote Write
feature is enabled. Add a configured remote write destination URL to the |
Prometheus custom scrapes |
Cluster network |
Outbound |
TCP |
Depends on the configuration, see the comment. |
Only when the
Custom Prometheus scrapes
feature is enabled. Add configured scrape targets to the |
Fluentd remote syslog output |
Cluster network |
Outbound |
TCP or UDP (protocol and port are configurable) |
Depends on the configuration, see the comment. |
Only when the
Logging to remote Syslog
feature is enabled. Add a configured remote syslog URL to the |
Metric Collector |
Cluster network |
Outbound |
9093/443/TCP |
Applicable to management clusters only. Add a specific URL from Microsoft Azure to the |
|
External Endpoint monitoring |
Cluster network |
Outbound |
TCP/HTTP(S) |
Depends on the configuration, see the comment. |
Only when the
External endpoint monitoring
feature is enabled. Add configured monitored URLs to the |
SSL certificate monitoring |
Cluster network |
Outbound |
TCP/HTTP(S) |
Depends on the configuration, see the comment. |
Only when SSL certificates monitoring feature is enabled. Add configured monitored URLs to the allowlist. |
Metrics exporters¶
Component |
Network |
Direction |
Port/Protocol |
Consumer |
Comments |
|---|---|---|---|---|---|
Prometheus Node Exporter |
Host network |
Inbound (from cluster network) |
9100/TCP |
Prometheus from the |
Prometheus from Cluster network scrape metrics from all nodes. |
Fluentd (Prometheus metrics endpoint) |
Host network |
Inbound (from cluster network) |
24231/TCP |
Prometheus from the |
Only when the StackLight logging stack is enabled. Prometheus from the cluster network scrapes metrics from all nodes. |
Calico node |
Host network |
Inbound (from cluster network) |
9091/TCP |
Prometheus from the |
Prometheus from cluster network scrape metrics from all nodes. |
Telegraf SMART plugin |
Host network |
Inbound (from cluster network) |
9126/TCP |
Prometheus from the |
Applicable to the bare metal provider obly. Prometheus from scrapes metrics of the cluster network from all nodes. |
MKE Manager API |
Host network |
Inbound (from cluster network) |
4443/TCP, 6443/TCP |
Blackbox exporter from the |
Applicable to the master node only. Blackbox exporter from cluster network probes all master nodes.
|
MKE Metrics Engine |
Host network |
Inbound (from cluster network) |
12376/TCP |
Prometheus from the |
Prometheus from cluster network scrape metrics from all nodes. |
Kubernetes Master API |
Host network |
Inbound (from cluster network) |
443/TCP, 5443/TCP |
Blackbox exporter from the |
Applicable to the master node only. Blackbox exporter from cluster network probes all master nodes.
|
Container Cloud telemetry¶
Component |
Network |
Direction |
Port/Protocol |
Consumer |
Destination |
Comments |
|---|---|---|---|---|---|---|
Telemeter client |
Cluster network (managed cluster) |
Outbound (to regional cluster external LB) |
443/TCP |
n/a |
Telemeter server on a regional cluster (Telemeter server external
IP from the |
Applicable to managed clusters only. The Telemeter client on a managed cluster pushes metrics to the Telemeter server on a regional cluster. |
Cluster network (regional cluster) |
Outbound (to management cluster external LB) |
443/TCP |
n/a |
Telemeter server on a management cluster (Telemeter server external
IP from the |
Applicable to regional clusters only. The Telemeter client on a regional cluster pushes metrics to the Telemeter server on a management cluster. |
|
Telemeter server |
External network (LB service) |
Inbound (from regional cluster network) |
443/TCP |
Telemeter client on regional clusters |
n/a |
Applicable to management clusters only. The Telemeter client on the regional cluster pushes metrics to the Telemeter server on the management cluster. |
External network (LB service) |
Inbound (from managed cluster network) |
443/TCP |
Telemeter client on managed clusters |
n/a |
Applicable to regional clusters only. The Telemeter client on a managed cluster pushes metrics to the Telemeter server on the regional cluster. |
Ceph¶
Ceph monitors use their node host networks to interact with Ceph daemons. Ceph daemons communicate with each other over a specified cluster network and provide endpoints over the public network.
The messenger V2 (msgr2) or earlier V1 (msgr) protocols are used for
communication between Ceph daemons.
Ceph daemon |
Network |
Protocol |
Port |
Description |
Consumers |
|---|---|---|---|---|---|
Manager ( |
Cluster network |
msgr/msgr2 |
6800 |
Listens on the first available port of the 6800-7300 range |
csi-rbdplugin,csi-rbdprovisioner,rook-ceph-mon |
Metadata server ( |
Cluster network |
msgr/msgr2 |
6800 |
Listens on the first available port of the 6800-7300 range |
csi-cephfsplugin,csi-cephfsprovisioner |
Monitor ( |
LCM host network |
msgr/msgr2 |
msgr:3300,
msgr2:6789
|
Monitor has separate ports for |
Ceph clients
rook-ceph-osd,rook-ceph-rgw |
Ceph OSD ( |
Cluster network |
msgr/msgr2 |
6800-7300 |
Binds to the first available port from the 6800-7300 range |
rook-ceph-mon,rook-ceph-mgr,rook-ceph-mds |
Mirantis Kubernetes Engine API limitations¶
To ensure the Mirantis Container Cloud stability in managing the Container Cloud-based Mirantis Kubernetes Engine (MKE) clusters, the following MKE API functionality is not available for the Container Cloud-based MKE clusters as compared to the MKE clusters that are deployed not by Container Cloud. Use the Container Cloud web UI or CLI for this functionality instead.
API endpoint |
Limitation |
|---|---|
|
Swarm Join Tokens are filtered out for all users, including admins. |
|
All requests are forbidden. |
|
Requests for the following changes are forbidden:
|
|
All requests are forbidden. |
Deployment Guide¶
Deploy a baremetal-based management cluster¶
This section describes how to bootstrap a baremetal-based Mirantis Container Cloud management cluster.
Workflow overview¶
The bare metal management system enables the Infrastructure Operator to deploy Mirantis Container Cloud on a set of bare metal servers. It also enables Container Cloud to deploy managed clusters on bare metal servers without a pre-provisioned operating system.
The Infrastructure Operator performs the following steps to install Container Cloud in a bare metal environment:
Install and connect hardware servers as described in Requirements for a baremetal-based cluster.
Caution
The baremetal-based Container Cloud does not manage the underlay networking fabric but requires specific network configuration to operate.
Install Ubuntu 20.04 on one of the bare metal machines to create a seed node and copy the bootstrap tarball to this node.
Obtain the Mirantis license file that will be required during the bootstrap.
Create the deployment configuration files that include the bare metal hosts metadata.
Validate the deployment templates using fast preflight.
Run the bootstrap script for the fully automated installation of the management cluster onto the selected bare metal hosts.
Using the bootstrap script, the Container Cloud bare metal management system prepares the seed node for the management cluster and starts the deployment of Container Cloud itself. The bootstrap script performs all necessary operations to perform the automated management cluster setup. The deployment diagram below illustrates the bootstrap workflow of a baremetal-based management cluster.
Bootstrap a management cluster¶
This section describes how to prepare and bootstrap a baremetal-based management cluster. The procedure includes:
A runbook that describes how to create a seed node that is a temporary server used to run the management cluster bootstrap scripts.
A step-by-step instruction how to prepare metadata for the bootstrap scripts and how to run them.
Prepare the seed node¶
Before installing Mirantis Container Cloud on a bare metal environment, complete the following preparation steps:
Verify that the hardware allocated for the installation meets the minimal requirements described in Requirements for a baremetal-based cluster.
Install basic Ubuntu 20.04 server using standard installation images of the operating system on the bare metal seed node.
Log in to the seed node that is running Ubuntu 20.04.
Prepare the system and network configuration:
Create a virtual bridge to connect to your PXE network on the seed node. Use the following
netplan-based configuration file as an example:# cat /etc/netplan/config.yaml network: version: 2 renderer: networkd ethernets: ens3: dhcp4: false dhcp6: false bridges: br0: addresses: # Please, adjust for your environment - 10.0.0.15/24 dhcp4: false dhcp6: false # Please, adjust for your environment gateway4: 10.0.0.1 interfaces: # Interface name may be different in your environment - ens3 nameservers: addresses: # Please, adjust for your environment - 8.8.8.8 parameters: forward-delay: 4 stp: false
Apply the new network configuration using
netplan:sudo netplan apply
Verify the new network configuration:
sudo apt update && sudo apt install -y bridge-utils sudo brctl show
Example of system response:
bridge name bridge id STP enabled interfaces br0 8000.fa163e72f146 no ens3
Verify that the interface connected to the PXE network belongs to the previously configured bridge.
Install the current Docker version available for Ubuntu 20.04:
sudo apt-get update sudo apt-get install docker.io
Verify that your logged
USERhas access to the Docker daemon:sudo usermod -aG docker $USER
Log out and log in again to the seed node to apply the changes.
Verify that Docker is configured correctly and has access to Container Cloud CDN. For example:
docker run --rm alpine sh -c "apk add --no-cache curl; \ curl https://binary.mirantis.com"
The system output must contain a
jsonfile with no error messages. In case of errors, follow the steps provided in Troubleshooting.Note
If you require all Internet access to go through a proxy server for security and audit purposes, configure Docker proxy settings as described in the official Docker documentation.
Verify that the seed node has direct access to the Baseboard Management Controller (BMC) of each bare metal host. All target hardware nodes must be in the
power offstate.For example, using the IPMI tool:
apt install ipmitool ipmitool -I lanplus -H 'IPMI IP' -U 'IPMI Login' -P 'IPMI password' \ chassis power status
Example of system response:
Chassis Power is off
Configure BIOS on a bare metal host¶
Before adding new BareMetalHost objects, configure hardware hosts to
correctly load them over the PXE network.
Important
Consider the following common requirements for hardware hosts configuration:
Update firmware for BIOS and Baseboard Management Controller (BMC) to the latest available version, especially if you are going to apply the UEFI configuration.
Container Cloud uses the
ipxe.efibinary loader that might be not compatible with old firmware and have vendor-related issues with UEFI booting. For example, the Supermicro issue. In this case, we recommend using thelegacybooting format.Configure all or at least the
PXENIC on switches.If the hardware host has more than one PXE NIC to boot, we strongly recommend setting up only one in the boot order. It speeds up the provisioning phase significantly.
Some hardware vendors require a host to be rebooted during BIOS configuration changes from
legacytoUEFIor vice versa for the extra option with NIC settings to appear in the menu.Connect only one Ethernet port on a host to the PXE network at any given time. Collect the physical address (MAC) of this interface and use it to configure the
BareMetalHostobject describing the host.
To configure BIOS on a bare metal host:
Enable the global BIOS mode using BIOS > Boot > boot mode select > legacy. Reboot the host if required.
Enable the
LAN-PXE-OPROMsupport using the following menus:BIOS > Advanced > PCI/PCIe Configuration > LAB OPROM TYPE > legacy
BIOS > Advanced > PCI/PCIe Configuration > Network Stack > enabled
BIOS > Advanced > PCI/PCIe Configuration > IPv4 PXE Support > enabled
Set up the configured boot order:
BIOS > Boot > Legacy-Boot-Order#1 > Hard Disk
BIOS > Boot > Legacy-Boot-Order#2 > NIC
Save changes and power off the host.
Enable the global BIOS mode using BIOS > Boot > boot mode select > UEFI. Reboot the host if required.
Enable the
LAN-PXE-OPROMsupport using the following menus:BIOS > Advanced > PCI/PCIe Configuration > LAB OPROM TYPE > uefi
BIOS > Advanced > PCI/PCIe Configuration > Network Stack > enabled
BIOS > Advanced > PCI/PCIe Configuration > IPv4 PXE Support > enabled
Note
UEFI support might not apply to all NICs. But at least built-in network interfaces should support it.
Set up the configured boot order:
BIOS > Boot > UEFI-Boot-Order#1 > UEFI Hard Disk
BIOS > Boot > UEFI-Boot-Order#1 > UEFI Network
Save changes and power off the host.
Prepare metadata and deploy the management cluster since 2.24.0¶
This section describes how to prepare cluster metadata and deploy the management cluster since Container Cloud 2.24.0. For description of changes applied as compared to previous Container Cloud releases, see Release Notes: MetalLB configuration changes.
Using the example procedure below, replace the addresses and credentials in the configuration YAML files with the data corresponding to your environment. Keep everything else as is, including the file names and YAML structure.
To prepare metadata and deploy the management cluster:
Log in to the seed node that you configured as described in Prepare the seed node.
Change to your preferred work directory, for example:
cd $HOME
Prepare the bootstrap script:
Download and run the Container Cloud bootstrap script:
sudo apt-get update sudo apt-get install wget wget https://binary.mirantis.com/releases/get_container_cloud.sh chmod 0755 get_container_cloud.sh ./get_container_cloud.sh
Change the directory to the
kaas-bootstrapfolder created by the script.
Obtain your license file that will be required during the bootstrap:
Create a user account at www.mirantis.com.
Log in to your account and download the
mirantis.liclicense file.Save the license file as
mirantis.licunder thekaas-bootstrapdirectory on the bootstrap node.Verify that
mirantis.liccontains the exact Container Cloud license previously downloaded from www.mirantis.com by decoding the license JWT token, for example, using jwt.io.Example of a valid decoded Container Cloud license data with the mandatory
licensefield:{ "exp": 1652304773, "iat": 1636669973, "sub": "demo", "license": { "dev": false, "limits": { "clusters": 10, "workers_per_cluster": 10 }, "openstack": null } }
Warning
The MKE license does not apply to
mirantis.lic. For details about MKE license, see MKE documentation.
Prepare the deployment templates:
Create a copy of the current
templatesdirectory for future reference:mkdir templates.backup cp -r templates/* templates.backup/
Inspect the default bare metal host profile definition in
templates/bm/baremetalhostprofiles.yaml.templateand adjust it to fit your hardware configuration. For details, see Customize the default bare metal host profile.Warning
All data will be wiped during cluster deployment on devices defined directly or indirectly in the
fileSystemslist ofBareMetalHostProfile. For example:A raw device partition with a file system on it
A device partition in a volume group with a logical volume that has a file system on it
An mdadm RAID device with a file system on it
An LVM RAID device with a file system on it
The
wipefield is always consideredtruefor these devices. Thefalsevalue is ignored.Therefore, to prevent data loss, move the necessary data from these file systems to another server beforehand, if required.
Update the bare metal hosts definition template in
templates/bm/baremetalhosts.yaml.templateaccording to your environment configuration. Use the table below for reference. Manually set all parameters that start withSET_.Bare metal hosts template mandatory parameters¶ Parameter
Description
Example value
SET_MACHINE_0_IPMI_USERNAMEThe IPMI user name to access the BMC. 0
userSET_MACHINE_0_IPMI_PASSWORDThe IPMI password to access the BMC. 0
passwordSET_MACHINE_0_MACThe MAC address of the first master node in the PXE network.
ac:1f:6b:02:84:71SET_MACHINE_0_BMC_ADDRESSThe IP address of the BMC endpoint for the first master node in the cluster. Must be an address from the OOB network that is accessible through the management network gateway.
192.168.100.11SET_MACHINE_1_IPMI_USERNAMEThe IPMI user name to access the BMC. 0
userSET_MACHINE_1_IPMI_PASSWORDThe IPMI password to access the BMC. 0
passwordSET_MACHINE_1_MACThe MAC address of the second master node in the PXE network.
ac:1f:6b:02:84:72SET_MACHINE_1_BMC_ADDRESSThe IP address of the BMC endpoint for the second master node in the cluster. Must be an address from the OOB network that is accessible through the management network gateway.
192.168.100.12SET_MACHINE_2_IPMI_USERNAMEThe IPMI user name to access the BMC. 0
userSET_MACHINE_2_IPMI_PASSWORDThe IPMI password to access the BMC. 0
passwordSET_MACHINE_2_MACThe MAC address of the third master node in the PXE network.
ac:1f:6b:02:84:73SET_MACHINE_2_BMC_ADDRESSThe IP address of the BMC endpoint for the third master node in the cluster. Must be an address from the OOB network that is accessible through the management network gateway.
192.168.100.13Configure cluster network:
Important
Mirantis recommends separating the PXE and management networks.
To ensure successful bootstrap, enable asymmetric routing on the interfaces of the management cluster nodes. This is required because the seed node relies on one network by default, which can potentially cause traffic asymmetry.
In the
kernelParameterssection ofbm/baremetalhostprofiles.yaml.template, setrp_filterto2. This enables loose mode as defined in RFC3704.Example configuration of asymmetric routing
... kernelParameters: ... sysctl: # Enables the "Loose mode" for the "k8s-lcm" interface (management network) net.ipv4.conf.k8s-lcm.rp_filter: "2" # Enables the "Loose mode" for the "bond0" interface (PXE network) net.ipv4.conf.bond0.rp_filter: "2" ...
Note
More complicated solutions that are not described in this manual include getting rid of traffic asymmetry, for example:
Configure source routing on management cluster nodes.
Plug the seed node into the same networks as the management cluster nodes, which requires custom configuration of the seed node.
Update the network objects definition in
templates/bm/ipam-objects.yaml.templateaccording to the environment configuration. By default, this template implies the use of separate PXE and management networks.Manually set all parameters that start with
SET_.
Example of the default L2 template snippet for a management cluster:
bonds: bond0: interfaces: - {{ nic 0 }} - {{ nic 1 }} parameters: mode: active-backup primary: {{ nic 0 }} dhcp4: false dhcp6: false addresses: - {{ ip "bond0:mgmt-pxe" }} vlans: k8s-lcm: id: SET_VLAN_ID link: bond0 addresses: - {{ ip "k8s-lcm:kaas-mgmt" }} nameservers: addresses: {{ nameservers_from_subnet "kaas-mgmt" }} routes: - to: 0.0.0.0/0 via: {{ gateway_from_subnet "kaas-mgmt" }}
In this example, the following configuration applies:
A bond of two NIC interfaces
A static address in the PXE network set on the bond
An isolated L2 segment for the management network is configured using the
k8s-lcmVLAN with the static address in the management networkThe default gateway address is in the management network
For general concepts of configuring separate PXE and management networks for a management cluster, see Separate PXE and management networks. For the latest object templates and variable names to use since Container Cloud 2.24.0, use the following tables.
Network parameters mapping overview¶ Deployment file name
Parameters list to update manually
ipam-objects.yaml.templateSET_LB_HOSTSET_MGMT_ADDR_RANGESET_MGMT_CIDRSET_MGMT_DNSSET_MGMT_NW_GWSET_MGMT_SVC_POOLSET_PXE_ADDR_POOLSET_PXE_ADDR_RANGESET_PXE_CIDRSET_PXE_SVC_POOLSET_VLAN_ID
bootstrap.envKAAS_BM_PXE_IPKAAS_BM_PXE_MASKKAAS_BM_PXE_BRIDGE
The below table contains examples of mandatory parameter values to set in
templates/bm/ipam-objects.yaml.templatefor the network scheme that has the following networks:172.16.59.0/24- PXE network172.16.61.0/25- management network
Mandatory network parameters of the IPAM objects template¶ Parameter
Description
Example value
SET_PXE_CIDRThe IP address of the PXE network in the CIDR notation. The minimum recommended network size is 256 addresses (
/24prefix length).172.16.59.0/24SET_PXE_SVC_POOLThe IP address range to use for endpoints of load balancers in the PXE network for the Container Cloud services: Ironic-API, DHCP server, HTTP server, and caching server. The minimum required range size is 5 addresses.
172.16.59.6-172.16.59.15SET_PXE_ADDR_POOLThe IP address range in the PXE network to use for dynamic address allocation for hosts during inspection and provisioning.
The minimum recommended range size is 30 addresses for management cluster nodes if it is located in a separate PXE network segment. Otherwise, it depends on the number of managed cluster nodes to deploy in the same PXE network segment as the management cluster nodes.
172.16.59.51-172.16.59.200SET_PXE_ADDR_RANGEThe IP address range in the PXE network to use for static address allocation on each management cluster node. The minimum recommended range size is 6 addresses.
172.16.59.41-172.16.59.50SET_MGMT_CIDRThe address of a management network for the management cluster in the CIDR notation. If managed clusters will have their separate LCM networks, those networks must be routable to the management network. The minimum recommended network size is 128 addresses (
/25prefix length).172.16.61.0/25SET_MGMT_NW_GWThe default gateway address in the management network. This gateway must provide access to the OOB network of the Container Cloud cluster and to the Internet to download the Mirantis artifacts.
172.16.61.1SET_LB_HOSTThe IP address of the externally accessible MKE API endpoint of the cluster in the CIDR notation. This address must be within the management
SET_MGMT_CIDRnetwork but must NOT overlap with any other addresses or address ranges within this network. External load balancers are not supported.172.16.61.5/32SET_MGMT_DNSAn external (non-Kubernetes) DNS server accessible from the management network.
8.8.8.8SET_MGMT_ADDR_RANGEThe IP address range that includes addresses to be allocated to bare metal hosts in the management network for the management cluster.
When this network is shared with managed clusters, the size of this range limits the number of hosts that can be deployed in all clusters sharing this network.
When this network is solely used by a management cluster, the range must include at least 6 addresses for bare metal hosts of the management cluster.
172.16.61.30-172.16.61.40SET_MGMT_SVC_POOLThe IP address range to use for the externally accessible endpoints of load balancers in the management network for the Container Cloud services, such as Keycloak, web UI, and so on. The minimum required range size is 19 addresses.
172.16.61.10-172.16.61.29SET_VLAN_IDThe VLAN ID used for isolation of management network. The bootstrap.sh process and the seed node must have routable access to the network in this VLAN.
3975When using separate PXE and management networks, the management cluster services are exposed in different networks using two separate MetalLB address pools:
Services exposed through the PXE network are as follows:
Ironic API as a bare metal provisioning server
HTTP server that provides images for network boot and server provisioning
Caching server for accessing the Container Cloud artifacts deployed on hosts
Services exposed through the management network are all other Container Cloud services, such as Keycloak, web UI, and so on.
The default MetalLB configuration described in the
MetalLBConfigTemplateobject template oftemplates/bm/ipam-objects.yaml.templateuses two separate MetalLB address pools. Also, it uses theinterfacesselector in itsl2Advertisementstemplate.Caution
When you change the
L2Templateobject template intemplates/bm/ipam-objects.yaml.template, ensure that interfaces listed in theinterfacesfield of theMetalLBConfigTemplate.spec.templates.l2Advertisementssection match those used in yourL2Template. For details about theinterfacesselector, see API Reference: MetalLBConfigTemplate spec.See Configure MetalLB for details on MetalLB configuration.
If you require all Internet traffic to go through a proxy server, in
bootstrap.env, add the following environment variables to bootstrap the cluster using proxy:HTTP_PROXYHTTPS_PROXYNO_PROXYPROXY_CA_CERTIFICATE_PATH
Example snippet:
export HTTP_PROXY=http://proxy.example.com:3128 export HTTPS_PROXY=http://user:pass@proxy.example.com:3128 export NO_PROXY=172.18.10.0,registry.internal.lan export PROXY_CA_CERTIFICATE_PATH="/home/ubuntu/.mitmproxy/mitmproxy-ca-cert.cer"
The following formats of variables are accepted:
Proxy configuration data¶ Variable
Format
HTTP_PROXYHTTPS_PROXYhttp://proxy.example.com:port- for anonymous access.http://user:password@proxy.example.com:port- for restricted access.
NO_PROXYComma-separated list of IP addresses or domain names.
PROXY_CA_CERTIFICATE_PATHOptional. Absolute path to the proxy CA certificate for man-in-the-middle (MITM) proxies. Must be placed on the bootstrap node to be trusted. For details, see Install a CA certificate for a MITM proxy on a bootstrap node.
Warning
If you require Internet access to go through a MITM proxy, ensure that the proxy has streaming enabled as described in Enable streaming for MITM.
Note
For MOSK-based deployments, the parameter is generally available since MOSK 22.4.
For implementation details, see Proxy and cache support.
For the requirements on Mirantis resources and IP ranges that must be accessible from the bootstrap, management, and regional clusters, see Requirements for a baremetal-based cluster.
For the default network addresses used by Swarm, see Default network addresses.
In
templates/bm/cluster.yaml.template, update the cluster-related settings to fit your deployment.Configure NTP server.
You can optionally disable NTP that is enabled by default. This option disables the management of
chronyconfiguration by Container Cloud to use your own system forchronymanagement. Otherwise, configure the regional NTP server parameters as described below.NTP configuration
Configure the regional NTP server parameters to be applied to all machines of regional and managed clusters in the specified region.
In
templates/bm/cluster.yaml.template, add thentp:serverssection with the list of required server names:spec: ... providerSpec: value: kaas: ... ntpEnabled: true regional: - helmReleases: - name: <providerName>-provider values: config: lcm: ... ntp: servers: - 0.pool.ntp.org ... provider: <providerName> ...
To disable NTP:
spec: ... providerSpec: value: ... ntpEnabled: false ...
Verify that the
kaas-bootstrapdirectory contains the following files:# tree ~/kaas-bootstrap ~/kaas-bootstrap/ .... ├── bootstrap.sh ├── kaas ├── mirantis.lic ├── releases ... ├── templates .... │ ├── bm │ │ ├── baremetalhostprofiles.yaml.template │ │ ├── baremetalhosts.yaml.template │ │ ├── cluster.yaml.template │ │ ├── ipam-objects.yaml.template │ │ └── machines.yaml.template │ │ └── metallbconfig.yaml.template .... ├── templates.backup ....
Export the following mandatory parameters using the commands and table below:
export KAAS_BM_ENABLED="true" # export KAAS_BM_PXE_IP="172.16.59.5" export KAAS_BM_PXE_MASK="24" export KAAS_BM_PXE_BRIDGE="br0" # unset KAAS_BM_FULL_PREFLIGHT
Bare metal prerequisites data¶ Parameter
Description
Example value
KAAS_BM_PXE_IPThe provisioning IP address in the PXE network. This address will be assigned on the seed node to the interface defined by the
KAAS_BM_PXE_BRIDGEparameter described below. The PXE service of the bootstrap cluster uses this address to network boot bare metal hosts.172.16.59.5KAAS_BM_PXE_MASKThe PXE network address prefix length to be used with the
KAAS_BM_PXE_IPaddress when assigning it to the seed node interface.24KAAS_BM_PXE_BRIDGEThe PXE network bridge name that must match the name of the bridge created on the seed node during the Prepare the seed node stage.
br0Optional. Enable the Linux Audit daemon auditd to monitor activity of cluster processes and prevent potential malicious activity.
Configuration for auditd
In
templates/bm/cluster.yaml.template, add the auditd parameters:spec: providerSpec: value: audit: auditd: enabled: <bool> enabledAtBoot: <bool> backlogLimit: <int> maxLogFile: <int> maxLogFileAction: <string> maxLogFileKeep: <int> mayHaltSystem: <bool> presetRules: <string> customRules: <string> customRulesX32: <text> customRulesX64: <text>
Configuration parameters for auditd:
enabledBoolean, default -
false. Enables theauditdrole to install the auditd packages and configure rules. CIS rules: 4.1.1.1, 4.1.1.2.enabledAtBootBoolean, default -
false. Configures grub to audit processes that can be audited even if they start up prior to auditd startup. CIS rule: 4.1.1.3.backlogLimitInteger, default - none. Configures the backlog to hold records. If during boot
audit=1is configured, the backlog holds 64 records. If more than 64 records are created during boot, auditd records will be lost with a potential malicious activity being undetected. CIS rule: 4.1.1.4.maxLogFileInteger, default - none. Configures the maximum size of the audit log file. Once the log reaches the maximum size, it is rotated and a new log file is created. CIS rule: 4.1.2.1.
maxLogFileActionString, default - none. Defines handling of the audit log file reaching the maximum file size. Allowed values:
keep_logs- rotate logs but never delete themrotate- add a cron job to compress rotated log files and keep maximum 5 compressed files.compress- compress log files and keep them under the/var/log/auditd/directory. Requiresauditd_max_log_file_keepto be enabled.
CIS rule: 4.1.2.2.
maxLogFileKeepInteger, default -
5. Defines the number of compressed log files to keep under the/var/log/auditd/directory. Requiresauditd_max_log_file_action=compress. CIS rules - none.mayHaltSystemBoolean, default -
false. Halts the system when the audit logs are full. Applies the following configuration:space_left_action = emailaction_mail_acct = rootadmin_space_left_action = halt
CIS rule: 4.1.2.3.
customRulesString, default - none. Base64-encoded content of the
60-custom.rulesfile for any architecture. CIS rules - none.customRulesX32String, default - none. Base64-encoded content of the
60-custom.rulesfile for thei386architecture. CIS rules - none.customRulesX64String, default - none. Base64-encoded content of the
60-custom.rulesfile for thex86_64architecture. CIS rules - none.presetRulesString, default - none. Comma-separated list of the following built-in preset rules:
accessactionsdeletedocker
identityimmutableloginsmac-policy
modulesmountsperm-modprivileged
scopesessionsystem-localetime-change
You can use two keywords for these rules:
none- disables all built-in rules.all- enables all built-in rules. With this key, you can add the!prefix to a rule name to exclude some rules. You can use the!prefix for rules only if you add theallkeyword as the first rule. Place a rule with the!prefix only after theallkeyword.
Example configurations:
presetRules: none- disable all preset rulespresetRules: docker- enable only thedockerrulespresetRules: access,actions,logins- enable only theaccess,actions, andloginsrulespresetRules: all- enable all preset rulespresetRules: all,!immutable,!sessions- enable all preset rules exceptimmutableandsessions
CIS controls
4.1.3 (time-change)4.1.4 (identity)4.1.5 (system-locale)4.1.6 (mac-policy)4.1.7 (logins)4.1.8 (session)4.1.9 (perm-mod)4.1.10 (access)4.1.11 (privileged)4.1.12 (mounts)4.1.13 (delete)4.1.14 (scope)4.1.15 (actions)4.1.16 (modules)4.1.17 (immutable)Docker CIS controls
1.1.41.1.81.1.101.1.121.1.131.1.151.1.161.1.171.1.181.2.31.2.41.2.51.2.61.2.71.2.101.2.11
Optional. Enable WireGuard for traffic encryption on the Kubernetes workloads network.
WireGuard configuration
Ensure that the Calico MTU size is at least 60 bytes smaller than the interface MTU size of the workload network. IPv4 WireGuard uses a 60-byte header. For details, see Set the MTU size for Calico.
In
templates/bm/cluster.yaml.template, enable WireGuard by adding thesecureOverlayparameter:spec: ... providerSpec: value: ... secureOverlay: true
Caution
Changing this parameter on a running cluster causes a downtime that can vary depending on the cluster size.
For more details about WireGuard, see Calico documentation: Encrypt in-cluster pod traffic.
Optional. Enable custom host names for cluster machines. When enabled, any machine host name in a particular region matches the related
Machineobject name. For example, instead of the defaultkaas-node-<UID>, a machine host name will bemaster-0. The custom naming format is more convenient and easier to operate with.To enable the feature on the management or regional and its future managed clusters, add the following environment variable:
export CUSTOM_HOSTNAMES=true
Optional. Configure external identity provider for IAM.
Optional. Enable infinite timeout for all bootstrap stages by exporting the following environment variable or adding it to
bootstrap.env:export KAAS_BOOTSTRAP_INFINITE_TIMEOUT=true
Infinite timeout prevents the bootstrap failure due to timeout. This option is useful in the following cases:
The network speed is slow for artifacts downloading
An infrastructure configuration does not allow booting fast
A bare-metal node inspecting presupposes more than two HDDSATA disks to attach to a machine
Optional. Available since Container Cloud 2.23.0. Customize the cluster and region name by exporting the following environment variables or adding them to
bootstrap.env:export REGION=<customRegionName> export CLUSTER_NAME=<customClusterName>
By default, the system uses
region-onefor the region name andkaas-mgmtfor the management cluster name.
Run the bootstrap script:
./bootstrap.sh allIn case of deployment issues, refer to Troubleshooting and inspect logs.
If the script fails for an unknown reason:
Run the cleanup script:
./bootstrap.sh cleanupRerun the bootstrap script.
Warning
During the bootstrap process, do not manually restart or power off any of the bare metal hosts.
When the bootstrap is complete, collect and save the following management cluster details in a secure location:
The
kubeconfigfile located in the same directory as the bootstrap script. This file contains the admin credentials for the management cluster.The private
ssh_keyfor access to the management cluster nodes that is located in the same directory as the bootstrap script.Note
If the initial version of your Container Cloud management cluster was earlier than 2.6.0,
ssh_keyis namedopenstack_tmpand is located at~/.ssh/.The URL for the Container Cloud web UI.
To create users with permissions required for accessing the Container Cloud web UI, see Create initial users after a management cluster bootstrap.
The StackLight endpoints. For details, see Access StackLight web UIs.
The Keycloak URL that the system outputs when the bootstrap completes. The admin password for Keycloak is located in
kaas-bootstrap/passwords.ymlalong with other IAM passwords.
Note
The Container Cloud web UI and StackLight endpoints are available through Transport Layer Security (TLS) and communicate with Keycloak to authenticate users. Keycloak is exposed using HTTPS and self-signed TLS certificates that are not trusted by web browsers.
To use your own TLS certificates for Keycloak, refer to Configure TLS certificates for cluster applications.
Note
When the bootstrap is complete, the bootstrap cluster resources are freed up.
Verify that network addresses used on your clusters do not overlap with the following default MKE network addresses for Swarm and MCR:
10.0.0.0/16is used for Swarm networks. IP addresses from this network are virtual.10.99.0.0/16is used for MCR networks. IP addresses from this network are allocated on hosts.
Verification of Swarm and MCR network addresses
To verify Swarm and MCR network addresses, run on any master node:
docker infoExample of system response:
Server: ... Swarm: ... Default Address Pool: 10.0.0.0/16 SubnetSize: 24 ... Default Address Pools: Base: 10.99.0.0/16, Size: 20 ...
Not all of Swarm and MCR addresses are usually in use. One Swarm Ingress network is created by default and occupies the
10.0.0.0/24address block. Also, three MCR networks are created by default and occupy three address blocks:10.99.0.0/20,10.99.16.0/20,10.99.32.0/20.To verify the actual networks state and addresses in use, run:
docker network ls docker network inspect <networkName>
Optional. If you plan to use multiple L2 segments for provisioning of managed cluster nodes, consider the requirements specified in Configure multiple DHCP ranges using Subnet resources.
Optional. Deploy an additional regional cluster of a different provider type as described in Deploy an additional regional cluster (optional).
Prepare metadata and deploy the management cluster before 2.24.0¶
This section describes how to prepare cluster metadata and deploy the management cluster before Container Cloud 2.24.0. The section also contains instructions on additional advanced configuration that you may require to customize your cluster.
This section describes how to prepare cluster metadata and deploy the management cluster before Container Cloud 2.24.0. For the procedure that applies since 2.24.0, refer to Prepare metadata and deploy the management cluster since 2.24.0.
Using the example procedure below, replace the addresses and credentials in the configuration YAML files with the data from your environment. Keep everything else as is, including the file names and YAML structure.
The overall network mapping scheme with all L2/L3 parameters, for example,
for a single 10.0.0.0/24 network, is described in the following table.
The configuration of each parameter included in this table is described
in the procedure below.
Deployment file name |
Parameters and values |
|---|---|
|
|
|
|
|
|
To prepare metadata and deploy the management cluster:
Log in to the seed node that you configured as described in Prepare the seed node.
Change to your preferred work directory, for example, your home directory:
cd $HOME
Prepare the bootstrap script:
Download and run the Container Cloud bootstrap script:
sudo apt-get update sudo apt-get install wget wget https://binary.mirantis.com/releases/get_container_cloud.sh chmod 0755 get_container_cloud.sh ./get_container_cloud.sh
Change the directory to the
kaas-bootstrapfolder created by the script.
Obtain your license file that will be required during the bootstrap:
Create a user account at www.mirantis.com.
Log in to your account and download the
mirantis.liclicense file.Save the license file as
mirantis.licunder thekaas-bootstrapdirectory on the bootstrap node.Verify that
mirantis.liccontains the exact Container Cloud license previously downloaded from www.mirantis.com by decoding the license JWT token, for example, using jwt.io.Example of a valid decoded Container Cloud license data with the mandatory
licensefield:{ "exp": 1652304773, "iat": 1636669973, "sub": "demo", "license": { "dev": false, "limits": { "clusters": 10, "workers_per_cluster": 10 }, "openstack": null } }
Warning
The MKE license does not apply to
mirantis.lic. For details about MKE license, see MKE documentation.
Prepare the deployment templates:
Create a copy of the current
templatesdirectory for future reference.mkdir templates.backup cp -r templates/* templates.backup/
Update the cluster definition template in
templates/bm/cluster.yaml.templateaccording to the environment configuration. Use the table below. Manually set all parameters that start withSET_. For example,SET_METALLB_ADDR_POOL.Cluster template mandatory parameters¶ Parameter
Description
Example value
SET_LB_HOSTThe IP address of the externally accessible API endpoint of the cluster. This address must NOT be within the
SET_METALLB_ADDR_POOLrange but must be within the PXE/Management network. External load balancers are not supported.10.0.0.90SET_METALLB_ADDR_POOLThe IP range to be used as external load balancers for the Kubernetes services with the
LoadBalancertype. This range must be within the PXE/Management network. The minimum required range is 19 IP addresses.10.0.0.61-10.0.0.80Configure NTP server.
Before Container Cloud 2.23.0, optional if servers from the Ubuntu NTP pool (
*.ubuntu.pool.ntp.org) are accessible from the node where your cluster is being provisioned. Otherwise, configure the regional NTP server parameters as described below.Since Container Cloud 2.23.0, optionally disable NTP that is enabled by default. This option disables the management of
chronyconfiguration by Container Cloud to use your own system forchronymanagement. Otherwise, configure the regional NTP server parameters as described below.NTP configuration
Configure the regional NTP server parameters to be applied to all machines of regional and managed clusters in the specified region.
In
templates/bm/cluster.yaml.template, add thentp:serverssection with the list of required server names:spec: ... providerSpec: value: kaas: ... ntpEnabled: true regional: - helmReleases: - name: <providerName>-provider values: config: lcm: ... ntp: servers: - 0.pool.ntp.org ... provider: <providerName> ...
To disable NTP:
spec: ... providerSpec: value: ... ntpEnabled: false ...
Inspect the default bare metal host profile definition in
templates/bm/baremetalhostprofiles.yaml.template. If your hardware configuration differs from the reference, adjust the default profile to match. For details, see Customize the default bare metal host profile.Warning
All data will be wiped during cluster deployment on devices defined directly or indirectly in the
fileSystemslist ofBareMetalHostProfile. For example:A raw device partition with a file system on it
A device partition in a volume group with a logical volume that has a file system on it
An mdadm RAID device with a file system on it
An LVM RAID device with a file system on it
The
wipefield is always consideredtruefor these devices. Thefalsevalue is ignored.Therefore, to prevent data loss, move the necessary data from these file systems to another server beforehand, if required.
Update the bare metal hosts definition template in
templates/bm/baremetalhosts.yaml.templateaccording to the environment configuration. Use the table below. Manually set all parameters that start withSET_.Bare metal hosts template mandatory parameters¶ Parameter
Description
Example value
SET_MACHINE_0_IPMI_USERNAMEThe IPMI user name to access the BMC. 0
userSET_MACHINE_0_IPMI_PASSWORDThe IPMI password to access the BMC. 0
passwordSET_MACHINE_0_MACThe MAC address of the first master node in the PXE network.
ac:1f:6b:02:84:71SET_MACHINE_0_BMC_ADDRESSThe IP address of the BMC endpoint for the first master node in the cluster. Must be an address from the OOB network that is accessible through the PXE network default gateway.
192.168.100.11SET_MACHINE_1_IPMI_USERNAMEThe IPMI user name to access the BMC. 0
userSET_MACHINE_1_IPMI_PASSWORDThe IPMI password to access the BMC. 0
passwordSET_MACHINE_1_MACThe MAC address of the second master node in the PXE network.
ac:1f:6b:02:84:72SET_MACHINE_1_BMC_ADDRESSThe IP address of the BMC endpoint for the second master node in the cluster. Must be an address from the OOB network that is accessible through the PXE network default gateway.
192.168.100.12SET_MACHINE_2_IPMI_USERNAMEThe IPMI user name to access the BMC. 0
userSET_MACHINE_2_IPMI_PASSWORDThe IPMI password to access the BMC. 0
passwordSET_MACHINE_2_MACThe MAC address of the third master node in the PXE network.
ac:1f:6b:02:84:73SET_MACHINE_2_BMC_ADDRESSThe IP address of the BMC endpoint for the third master node in the cluster. Must be an address from the OOB network that is accessible through the PXE network default gateway.
192.168.100.13- 0(1,2,3,4,5,6)
Since Container Cloud 2.21.0, a user name and password in plain text are required.
Before Container Cloud 2.21.0, the Base64 encoding of a user name and password is required. You can obtain the Base64-encoded user name and password using the following command in your Linux console:
$ echo -n <username|password> | base64
Update the Subnet objects definition template in
templates/bm/ipam-objects.yaml.templateaccording to the environment configuration. Use the table below. Manually set all parameters that start withSET_. For example,SET_IPAM_POOL_RANGE.IP address pools template mandatory parameters¶ Parameter
Description
Example value
SET_IPAM_CIDRThe address of PXE network in CIDR notation. Must be minimum in the
/24network.10.0.0.0/24SET_PXE_NW_GWThe default gateway in the PXE network. Since this is the only network that cluster will use by default, this gateway must provide access to:
The Internet to download the Mirantis artifacts
The OOB network of the Container Cloud cluster
10.0.0.1SET_PXE_NW_DNSAn external (non-Kubernetes) DNS server accessible from the PXE network.
8.8.8.8SET_IPAM_POOL_RANGEThis IP address range includes addresses that will be allocated in the PXE/Management network to bare metal hosts of the cluster.
10.0.0.100-10.0.0.252SET_LB_HOST1The IP address of the externally accessible API endpoint of the cluster. This address must NOT be within the
SET_METALLB_ADDR_POOLrange but must be within the PXE/Management network. External load balancers are not supported.10.0.0.90SET_METALLB_ADDR_POOL1The IP address range to be used as external load balancers for the Kubernetes services with the
LoadBalancertype. This range must be within the PXE/Management network. The minimum required range is 19 IP addresses.10.0.0.61-10.0.0.80Optional. To configure the separated PXE and management networks instead of one PXE/management network, proceed to Separate PXE and management networks.
Optional. To connect the cluster hosts to the PXE/Management network using bond interfaces, proceed to Configure NIC bonding.
If you require all Internet access to go through a proxy server, in
bootstrap.env, add the following environment variables to bootstrap the cluster using proxy:HTTP_PROXYHTTPS_PROXYNO_PROXYPROXY_CA_CERTIFICATE_PATH
Example snippet:
export HTTP_PROXY=http://proxy.example.com:3128 export HTTPS_PROXY=http://user:pass@proxy.example.com:3128 export NO_PROXY=172.18.10.0,registry.internal.lan export PROXY_CA_CERTIFICATE_PATH="/home/ubuntu/.mitmproxy/mitmproxy-ca-cert.cer"
The following formats of variables are accepted:
Proxy configuration data¶ Variable
Format
HTTP_PROXYHTTPS_PROXYhttp://proxy.example.com:port- for anonymous access.http://user:password@proxy.example.com:port- for restricted access.
NO_PROXYComma-separated list of IP addresses or domain names.
PROXY_CA_CERTIFICATE_PATHOptional. Absolute path to the proxy CA certificate for man-in-the-middle (MITM) proxies. Must be placed on the bootstrap node to be trusted. For details, see Install a CA certificate for a MITM proxy on a bootstrap node.
Warning
If you require Internet access to go through a MITM proxy, ensure that the proxy has streaming enabled as described in Enable streaming for MITM.
Note
For MOSK-based deployments, the parameter is generally available since MOSK 22.4.
For implementation details, see Proxy and cache support.
For the list of Mirantis resources and IP addresses to be accessible from the Container Cloud clusters, see Requirements for a baremetal-based cluster.
Available as TechPreview since Container Cloud 2.24.0 and 2.24.2 for MOSK 23.2. Optional. Enable the Linux Audit daemon auditd to monitor activity of cluster processes and prevent potential malicious activity.
Configuration for auditd
In
templates/bm/cluster.yaml.template, add the auditd parameters:spec: providerSpec: value: audit: auditd: enabled: <bool> enabledAtBoot: <bool> backlogLimit: <int> maxLogFile: <int> maxLogFileAction: <string> maxLogFileKeep: <int> mayHaltSystem: <bool> presetRules: <string> customRules: <string> customRulesX32: <text> customRulesX64: <text>
Configuration parameters for auditd:
enabledBoolean, default -
false. Enables theauditdrole to install the auditd packages and configure rules. CIS rules: 4.1.1.1, 4.1.1.2.enabledAtBootBoolean, default -
false. Configures grub to audit processes that can be audited even if they start up prior to auditd startup. CIS rule: 4.1.1.3.backlogLimitInteger, default - none. Configures the backlog to hold records. If during boot
audit=1is configured, the backlog holds 64 records. If more than 64 records are created during boot, auditd records will be lost with a potential malicious activity being undetected. CIS rule: 4.1.1.4.maxLogFileInteger, default - none. Configures the maximum size of the audit log file. Once the log reaches the maximum size, it is rotated and a new log file is created. CIS rule: 4.1.2.1.
maxLogFileActionString, default - none. Defines handling of the audit log file reaching the maximum file size. Allowed values:
keep_logs- rotate logs but never delete themrotate- add a cron job to compress rotated log files and keep maximum 5 compressed files.compress- compress log files and keep them under the/var/log/auditd/directory. Requiresauditd_max_log_file_keepto be enabled.
CIS rule: 4.1.2.2.
maxLogFileKeepInteger, default -
5. Defines the number of compressed log files to keep under the/var/log/auditd/directory. Requiresauditd_max_log_file_action=compress. CIS rules - none.mayHaltSystemBoolean, default -
false. Halts the system when the audit logs are full. Applies the following configuration:space_left_action = emailaction_mail_acct = rootadmin_space_left_action = halt
CIS rule: 4.1.2.3.
customRulesString, default - none. Base64-encoded content of the
60-custom.rulesfile for any architecture. CIS rules - none.customRulesX32String, default - none. Base64-encoded content of the
60-custom.rulesfile for thei386architecture. CIS rules - none.customRulesX64String, default - none. Base64-encoded content of the
60-custom.rulesfile for thex86_64architecture. CIS rules - none.presetRulesString, default - none. Comma-separated list of the following built-in preset rules:
accessactionsdeletedocker
identityimmutableloginsmac-policy
modulesmountsperm-modprivileged
scopesessionsystem-localetime-change
You can use two keywords for these rules:
none- disables all built-in rules.all- enables all built-in rules. With this key, you can add the!prefix to a rule name to exclude some rules. You can use the!prefix for rules only if you add theallkeyword as the first rule. Place a rule with the!prefix only after theallkeyword.
Example configurations:
presetRules: none- disable all preset rulespresetRules: docker- enable only thedockerrulespresetRules: access,actions,logins- enable only theaccess,actions, andloginsrulespresetRules: all- enable all preset rulespresetRules: all,!immutable,!sessions- enable all preset rules exceptimmutableandsessions
CIS controls
4.1.3 (time-change)4.1.4 (identity)4.1.5 (system-locale)4.1.6 (mac-policy)4.1.7 (logins)4.1.8 (session)4.1.9 (perm-mod)4.1.10 (access)4.1.11 (privileged)4.1.12 (mounts)4.1.13 (delete)4.1.14 (scope)4.1.15 (actions)4.1.16 (modules)4.1.17 (immutable)Docker CIS controls
1.1.41.1.81.1.101.1.121.1.131.1.151.1.161.1.171.1.181.2.31.2.41.2.51.2.61.2.71.2.101.2.11
Available as Technology Preview since 2.24.0 and 2.24.2 for MOSK 23.2. Optional. Enable WireGuard for traffic encryption on the Kubernetes workloads network.
WireGuard configuration
Ensure that the Calico MTU size is at least 60 bytes smaller than the interface MTU size of the workload network. IPv4 WireGuard uses a 60-byte header. For details, see Set the MTU size for Calico.
In
templates/bm/cluster.yaml.template, enable WireGuard by adding thesecureOverlayparameter:spec: ... providerSpec: value: ... secureOverlay: true
Caution
Changing this parameter on a running cluster causes a downtime that can vary depending on the cluster size.
For more details about WireGuard, see Calico documentation: Encrypt in-cluster pod traffic.
Available since Container Cloud 2.24.0 as Technology Preview. Optional. Enable custom host names for cluster machines. When enabled, any machine host name in a particular region matches the related
Machineobject name. For example, instead of the defaultkaas-node-<UID>, a machine host name will bemaster-0. The custom naming format is more convenient and easier to operate with.To enable the feature on the management or regional and its future managed clusters, add the following environment variable:
export CUSTOM_HOSTNAMES=true
Verify that the
kaas-bootstrapdirectory contains the following files:# tree ~/kaas-bootstrap ~/kaas-bootstrap/ .... ├── bootstrap.sh ├── kaas ├── mirantis.lic ├── releases ... ├── templates .... │ ├── bm │ │ ├── baremetalhostprofiles.yaml.template │ │ ├── baremetalhosts.yaml.template │ │ ├── cluster.yaml.template │ │ ├── ipam-objects.yaml.template │ │ └── machines.yaml.template .... ├── templates.backup ....
Export all required parameters using the table below.
export KAAS_BM_ENABLED="true" # export KAAS_BM_PXE_IP="10.0.0.20" export KAAS_BM_PXE_MASK="24" export KAAS_BM_PXE_BRIDGE="br0" # export KAAS_BM_BM_DHCP_RANGE="10.0.0.30,10.0.0.49,255.255.255.0" export BOOTSTRAP_METALLB_ADDRESS_POOL="10.0.0.61-10.0.0.80" # unset KAAS_BM_FULL_PREFLIGHT
Bare metal prerequisites data¶ Parameter
Description
Example value
KAAS_BM_PXE_IPThe provisioning IP address. This address will be assigned to the interface of the seed node defined by the
KAAS_BM_PXE_BRIDGEparameter (see below). The PXE service of the bootstrap cluster will use this address to network boot the bare metal hosts for the cluster.10.0.0.20KAAS_BM_PXE_MASKThe CIDR prefix for the PXE network. It will be used with
KAAS_BM_PXE_IPaddress when assigning it to network interface.24KAAS_BM_PXE_BRIDGEThe PXE network bridge name. The name must match the name of the bridge created on the seed node during the Prepare the seed node stage.
br0KAAS_BM_BM_DHCP_RANGEThe
start_ipandend_ipaddresses must be within the PXE network. This range will be used by dnsmasq to provide IP addresses for nodes during provisioning.10.0.0.30,10.0.0.49,255.255.255.0BOOTSTRAP_METALLB_ADDRESS_POOLThe pool of IP addresses that will be used by services in the bootstrap cluster. Can be the same as the
SET_METALLB_ADDR_POOLrange for the cluster, or a different range.10.0.0.61-10.0.0.80Run the verification
preflightscript to validate the deployment templates configuration:./bootstrap.sh preflightThe command outputs a human-readable report with the verification details. The report includes the list of verified bare metal nodes and their
Chassis Powerstatus. This status is based on the deployment templates configuration used during the verification.Caution
If the report contains information about missing dependencies or incorrect configuration, fix the issues before proceeding to the next step.
Optional. Configure external identity provider for IAM.
Optional. Enable infinite timeout for all bootstrap stages by exporting the following environment variable or adding it to
bootstrap.env:export KAAS_BOOTSTRAP_INFINITE_TIMEOUT=true
Infinite timeout prevents the bootstrap failure due to timeout. This option is useful in the following cases:
The network speed is slow for artifacts downloading
An infrastructure configuration does not allow booting fast
A bare-metal node inspecting presupposes more than two HDDSATA disks to attach to a machine
Optional. Available since Container Cloud 2.23.0. Customize the cluster and region name by exporting the following environment variables or adding them to
bootstrap.env:export REGION=<customRegionName> export CLUSTER_NAME=<customClusterName>
By default, the system uses
region-onefor the region name andkaas-mgmtfor the management cluster name.Run the bootstrap script:
./bootstrap.sh allIn case of deployment issues, refer to Troubleshooting and inspect logs.
If the script fails for an unknown reason:
Run the cleanup script:
./bootstrap.sh cleanupRerun the bootstrap script.
Warning
During the bootstrap process, do not manually restart or power off any of the bare metal hosts.
When the bootstrap is complete, collect and save the following management cluster details in a secure location:
The
kubeconfigfile located in the same directory as the bootstrap script. This file contains the admin credentials for the management cluster.The private
ssh_keyfor access to the management cluster nodes that is located in the same directory as the bootstrap script.Note
If the initial version of your Container Cloud management cluster was earlier than 2.6.0,
ssh_keyis namedopenstack_tmpand is located at~/.ssh/.The URL for the Container Cloud web UI.
To create users with permissions required for accessing the Container Cloud web UI, see Create initial users after a management cluster bootstrap.
The StackLight endpoints. For details, see Access StackLight web UIs.
The Keycloak URL that the system outputs when the bootstrap completes. The admin password for Keycloak is located in
kaas-bootstrap/passwords.ymlalong with other IAM passwords.
Note
The Container Cloud web UI and StackLight endpoints are available through Transport Layer Security (TLS) and communicate with Keycloak to authenticate users. Keycloak is exposed using HTTPS and self-signed TLS certificates that are not trusted by web browsers.
To use your own TLS certificates for Keycloak, refer to Configure TLS certificates for cluster applications.
Note
When the bootstrap is complete, the bootstrap cluster resources are freed up.
Verify that network addresses used on your clusters do not overlap with the following default MKE network addresses for Swarm and MCR:
10.0.0.0/16is used for Swarm networks. IP addresses from this network are virtual.10.99.0.0/16is used for MCR networks. IP addresses from this network are allocated on hosts.
Verification of Swarm and MCR network addresses
To verify Swarm and MCR network addresses, run on any master node:
docker infoExample of system response:
Server: ... Swarm: ... Default Address Pool: 10.0.0.0/16 SubnetSize: 24 ... Default Address Pools: Base: 10.99.0.0/16, Size: 20 ...
Not all of Swarm and MCR addresses are usually in use. One Swarm Ingress network is created by default and occupies the
10.0.0.0/24address block. Also, three MCR networks are created by default and occupy three address blocks:10.99.0.0/20,10.99.16.0/20,10.99.32.0/20.To verify the actual networks state and addresses in use, run:
docker network ls docker network inspect <networkName>
Optional. If you plan to use multiple L2 segments for provisioning of managed cluster nodes, consider the requirements specified in Configure multiple DHCP ranges using Subnet resources.
Optional. Deploy an additional regional cluster of a different provider type as described in Deploy an additional regional cluster (optional).
You can configure L2 templates for the management cluster to set up a bond network interface for the PXE/management network.
This configuration must be applied to the bootstrap templates, before you run the bootstrap script to deploy the management cluster.
Caution
This configuration requires each host in your management cluster to have at least two physical interfaces.
Connect at least two interfaces per host to an Ethernet switch that supports Link Aggregation Control Protocol (LACP) port groups and LACP fallback.
Configure an LACP group on the ports connected to the NICs of a host.
Configure the LACP fallback on the port group to ensure that the host can boot over the PXE network before the bond interface is set up on the host operating system.
Configure server BIOS for both NICs of a bond to be PXE-enabled.
If the server does not support booting from multiple NICs, configure the port of the LACP group that is connected to the PXE-enabled NIC of a server to be primary port. With this setting, the port becomes active in the fallback mode.
To configure a bond interface that aggregates two interfaces for the PXE/Management network:
In
kaas-bootstrap/templates/bm/ipam-objects.yaml.template:Configure only the following parameters for the declaration of
{{nic 0}}, as shown in the example below:dhcp4dhcp6
matchset-name
Remove other parameters.
Add the declaration of the second NIC
{{nic 1}}to be added to the bond interface:Specify
match:macaddress: {{mac 1}}to match the MAC of the desired NIC.Specify
set-name: {{nic 1}}to ensure the correct name of the NIC.
Add the declaration of the bond interface
bond0. It must have theinterfacesparameter listing both Ethernet interfaces.Set the
interfacesparameter of the management network bridge (k8s-lcmin the example below) to includebond0.Since Container Cloud 2.20.0 and 2.20.1 for MOSK 22.4, each node of every cluster must have only one IP address in the LCM network that is allocated from one of the
Subnetobjects having theipam/SVC-k8s-lcmlabel defined. Therefore, allSubnetobjects used for LCM networks must have theipam/SVC-k8s-lcmlabel defined.Before Container Cloud 2.20.0 and since MOSK 22.2, you can use any interface name for the LCM network traffic. The
Subnetobjects for the LCM network must have theipam/SVC-k8s-lcmlabel. For details, see Service labels and their life cycle.Set the
addresses,gateway4, andnameserversfields of the management network bridge to fetch data from thekaas-mgmtsubnet.Configure bonding options using the
parametersfield. The only mandatory option ismode. See the example below for details.Note
You can set any mode supported by netplan and your hardware.
Verify your configuration using the following example:
kind: L2Template metadata: name: kaas-mgmt ... spec: ... l3Layout: - subnetName: kaas-mgmt scope: namespace npTemplate: | version: 2 ethernets: {{nic 0}}: dhcp4: false dhcp6: false match: macaddress: {{mac 0}} set-name: {{nic 0}} {{nic 1}}: dhcp4: false dhcp6: false match: macaddress: {{mac 1}} set-name: {{nic 1}} bonds: bond0: interfaces: - {{nic 0}} - {{nic 1}} parameters: mode: 802.3ad dhcp4: false dhcp6: false bridges: k8s-lcm: interfaces: [bond0] addresses: - {{ip "k8s-lcm:kaas-mgmt"}} gateway4: {{gateway_from_subnet "kaas-mgmt"}} nameservers: addresses: {{nameservers_from_subnet "kaas-mgmt"}} ...
Proceed to bootstrap your management cluster as described in Bootstrap a management cluster.
This section describes how to configure a dedicated PXE network for a management or regional bare metal cluster. A separate PXE network allows isolating sensitive bare metal provisioning process from the end users. The users still have access to Container Cloud services, such as Keycloak, to authenticate workloads in managed clusters, such as Horizon in a Mirantis OpenStack for Kubernetes cluster.
Note
This additional configuration procedure must be completed as part of the Prepare metadata and deploy the management cluster before 2.24.0 steps. It substitutes or appends some configuration parameters and templates that are used in Prepare metadata and deploy the management cluster before 2.24.0 for the management cluster to use two networks, PXE and management, instead of one PXE/management network. We recommend considering the Prepare metadata and deploy the management cluster before 2.24.0 procedure first.
The following table describes the overall network mapping scheme with all
L2/L3 parameters, for example, for two networks, PXE (CIDR 10.0.0.0/24)
and management (CIDR 10.0.11.0/24):
Deployment file name |
Network |
Parameters and values |
|---|---|---|
|
Management |
|
|
PXE |
|
|
Management |
|
|
PXE |
|
When using separate PXE and management networks, the management cluster services are exposed in different networks using two separate MetalLB address pools:
Services exposed through the PXE network are as follows:
Ironic API as a bare metal provisioning server
HTTP server that provides images for network boot and server provisioning
Caching server for accessing the Container Cloud artifacts deployed on hosts
Services exposed through the management network are all other Container Cloud services, such as Keycloak, web UI, and so on.
To configure separate PXE and management networks:
Inspect guidelines to follow during configuration of the
Subnetobject as a MetalLB address pool as described MetalLB configuration guidelines for subnets.To ensure successful bootstrap, enable asymmetric routing on the interfaces of the management cluster nodes. This is required because the seed node relies on one network by default, which can potentially cause traffic asymmetry.
In the
kernelParameterssection ofbm/baremetalhostprofiles.yaml.template, setrp_filterto2. This enables loose mode as defined in RFC3704.Example configuration of asymmetric routing
... kernelParameters: ... sysctl: # Enables the "Loose mode" for the "k8s-lcm" interface (management network) net.ipv4.conf.k8s-lcm.rp_filter: "2" # Enables the "Loose mode" for the "bond0" interface (PXE network) net.ipv4.conf.bond0.rp_filter: "2" ...
Note
More complicated solutions that are not described in this manual include getting rid of traffic asymmetry, for example:
Configure source routing on management cluster nodes.
Plug the seed node into the same networks as the management cluster nodes, which requires custom configuration of the seed node.
In
kaas-bootstrap/templates/bm/ipam-objects.yaml.template:Substitute all the
Subnetobject templates with the new ones as described in the example template belowUpdate the L2 template
spec.l3Layoutandspec.npTemplatefields as described in the example template below
Example of the
Subnetobject templates# Subnet object that provides IP addresses for bare metal hosts of # management cluster in the PXE network. apiVersion: "ipam.mirantis.com/v1alpha1" kind: Subnet metadata: name: mgmt-pxe namespace: default labels: kaas.mirantis.com/provider: baremetal kaas.mirantis.com/region: region-one kaas-mgmt-pxe-subnet: "" spec: cidr: SET_IPAM_CIDR gateway: SET_PXE_NW_GW nameservers: - SET_PXE_NW_DNS includeRanges: - SET_IPAM_POOL_RANGE excludeRanges: - SET_METALLB_PXE_ADDR_POOL --- # Subnet object that provides IP addresses for bare metal hosts of # management cluster in the management network. apiVersion: "ipam.mirantis.com/v1alpha1" kind: Subnet metadata: name: mgmt-lcm namespace: default labels: kaas.mirantis.com/provider: baremetal kaas.mirantis.com/region: region-one kaas-mgmt-lcm-subnet: "" ipam/SVC-k8s-lcm: "1" ipam/SVC-ceph-cluster: "1" ipam/SVC-ceph-public: "1" cluster.sigs.k8s.io/cluster-name: CLUSTER_NAME spec: cidr: {{ SET_LCM_CIDR }} includeRanges: - {{ SET_LCM_RANGE }} excludeRanges: - SET_LB_HOST - SET_METALLB_ADDR_POOL --- # Subnet object that provides configuration for "services-pxe" MetalLB # address pool that will be used to expose services LB endpoints in the # PXE network. apiVersion: "ipam.mirantis.com/v1alpha1" kind: Subnet metadata: name: mgmt-pxe-lb namespace: default labels: kaas.mirantis.com/provider: baremetal kaas.mirantis.com/region: region-one ipam/SVC-MetalLB: "" metallb/address-pool-name: services-pxe metallb/address-pool-protocol: layer2 metallb/address-pool-auto-assign: "false" cluster.sigs.k8s.io/cluster-name: CLUSTER_NAME spec: cidr: SET_IPAM_CIDR includeRanges: - SET_METALLB_PXE_ADDR_POOL
Example of the L2 template
speckind: L2Template ... spec: ... l3Layout: - scope: namespace subnetName: kaas-mgmt-pxe labelSelector: kaas.mirantis.com/provider: baremetal kaas-mgmt-pxe-subnet: "" - scope: namespace subnetName: kaas-mgmt-lcm labelSelector: kaas.mirantis.com/provider: baremetal kaas-mgmt-lcm-subnet: "" npTemplate: | version: 2 renderer: networkd ethernets: {{nic 0}}: dhcp4: false dhcp6: false match: macaddress: {{mac 0}} set-name: {{nic 0}} {{nic 1}}: dhcp4: false dhcp6: false match: macaddress: {{mac 1}} set-name: {{nic 1}} bridges: bm-pxe: interfaces: - {{ nic 0 }} dhcp4: false dhcp6: false addresses: - {{ ip "bm-pxe:kaas-mgmt-pxe" }} nameservers: addresses: {{ nameservers_from_subnet "kaas-mgmt-pxe" }} routes: - to: 0.0.0.0/0 via: {{ gateway_from_subnet "kaas-mgmt-pxe" }} k8s-lcm: interfaces: - {{ nic 1 }} dhcp4: false dhcp6: false addresses: - {{ ip "k8s-lcm:kaas-mgmt-lcm" }} nameservers: addresses: {{ nameservers_from_subnet "kaas-mgmt-lcm" }}
The last
Subnettemplate namedmgmt-pxe-lbin the example above will be used to configure the MetalLB address pool in the PXE network. The bare metal provider will automatically configure MetalLB with address pools using theSubnetobjects identified by specific labels.Warning
The
bm-pxeaddress must have a separate interface with only one address on this interface.Verify the current MetalLB configuration:
The MetalLB configuration is stored in
MetalLBobjects:kubectl -n metallb-system get ipaddresspools,l2advertisements
For the example configuration described above, the system outputs a similar content:
NAME AGE ipaddresspool.metallb.io/default 129m ipaddresspool.metallb.io/services-pxe 129m NAME AGE l2advertisement.metallb.io/default 129m l2advertisement.metallb.io/services-pxe 129m
Verify the
MetalLBobjects:kubectl -n metallb-system get <object> -o json | jq '.spec'
For the example configuration described above, the system outputs a similar content for
ipaddresspoolobjects:{ "addresses": [ "10.0.11.61-10.0.11.80" ], "autoAssign": true, "avoidBuggyIPs": false } $ kubectl -n metallb-system get ipaddresspool.metallb.io/services-pxe -o json | jq '.spec' { "addresses": [ "10.0.0.61-10.0.0.70" ], "autoAssign": false, "avoidBuggyIPs": false }
The MetalLB configuration is stored in the
ConfigMapobject:kubectl -n metallb-system get cm metallb -o jsonpath={.data.config}
For the example configuration described above, a successful output is as follows:
address-pools: - name: default protocol: layer2 addresses: - 10.0.11.61-10.0.11.80 - name: services-pxe protocol: layer2 auto-assign: false addresses: - 10.0.0.61-10.0.0.70
The
auto-assignparameter will be set tofalsefor all address pools except thedefaultone. So, a particular service will get an address from such an address pool only if theServiceobject has a specialmetallb.universe.tf/address-poolannotation that points to the specific address pool name.Note
It is expected that every Container Cloud service on a management and regional cluster will be assigned to one of the address pools. Current consideration is to have two MetalLB address pools:
services-pxeis a reserved address pool name to use for the Container Cloud services in the PXE network (Ironic API, HTTP server, caching server).The bootstrap cluster also uses the
services-pxeaddress pool for its provision services for management or regional cluster nodes to be provisioned from the bootstrap cluster. After the management or regional cluster is deployed, the bootstrap cluster is deleted and that address pool is solely used by the newly deployed cluster.defaultis an address pool to use for all other Container Cloud services in the management network. No annotation is required on theServiceobjects in this case.
In
kaas-bootstrap/templates/bm/cluster.yaml.template, add thededicatedMetallbPoolsflag and set it totrue.Note
Since Container Cloud 2.24.0, this flag is set to
trueby default.spec: ... providerSpec: value: apiVersion: baremetal.k8s.io/v1alpha1 kind: BaremetalClusterProviderSpec ... dedicatedMetallbPools: true ...
User sets this flag to enable splitting of LB endpoints for the Container Cloud services. The
metallb.universe.tf/address-poolannotations on theServiceobjects are configured by the bare metal provider automatically when thededicatedMetallbPoolsflag is set totrue.Example
Serviceobject configured by thebaremetal-operatorHelm release:apiVersion: v1 kind: Service metadata: name: ironic-api annotations: metallb.universe.tf/address-pool: services-pxe spec: ports: - port: 443 targetPort: 443 type: LoadBalancer
The
metallb.universe.tf/address-poolannotation on theServiceobject is set toservices-pxeby the baremetal provider, so theironic-apiservice will be assigned an LB address from the corresponding MetalLB address pool.In addition to the network parameters defined in Prepare metadata and deploy the management cluster before 2.24.0, configure the following ones by replacing them in
templates/bm/ipam-objects.yaml.template:New subnet template parameters¶ Parameter
Description
Example value
SET_LCM_CIDRAddress of a management network for the management cluster in the CIDR notation. You can later share this network with managed clusters where it will act as the LCM network. If managed clusters have their separate LCM networks, those networks must be routable to the management network.
10.0.11.0/24SET_LCM_RANGEAddress range that includes addresses to be allocated to bare metal hosts in the management network for the management cluster. When this network is shared with managed clusters, the size of this range limits the number of hosts that can be deployed in all clusters that share this network. When this network is solely used by a management cluster, the range should include at least 3 IP addresses for bare metal hosts of the management cluster.
10.0.11.100-10.0.11.109SET_METALLB_PXE_ADDR_POOLAddress range to be used for LB endpoints of the Container Cloud services: Ironic-API, HTTP server, and caching server. This range must be within the PXE network. The minimum required range is 5 IP addresses.
10.0.0.61-10.0.0.70The following parameters will now be tied to the management network while their meaning remains the same as described in Prepare metadata and deploy the management cluster before 2.24.0:
Subnet template parameters migrated to management network¶ Parameter
Description
Example value
SET_LB_HOSTIP address of the externally accessible API endpoint of the management cluster. This address must NOT be within the
SET_METALLB_ADDR_POOLrange but within the management network. External load balancers are not supported.10.0.11.90SET_METALLB_ADDR_POOLThe address range to be used for the externally accessible LB endpoints of the Container Cloud services, such as Keycloak, web UI, and so on. This range must be within the management network. The minimum required range is 19 IP addresses.
10.0.11.61-10.0.11.80Proceed to further steps in Prepare metadata and deploy the management cluster before 2.24.0.
Caution
Since Container Cloud 2.21.0, this section applies to existing
management clusters only. If you configured multiple DHCP ranges before
Container Cloud 2.21.0 during the management cluster bootstrap, the DHCP
configuration will automatically migrate to Subnet objects after cluster
upgrade to 2.21.0.
To facilitate multi-rack and other types of distributed bare metal datacenter topologies, the dnsmasq DHCP server used for host provisioning in Container Cloud supports working with multiple L2 segments through network routers that support DHCP relay.
Container Cloud has its own DHCP relay running on one of the management cluster nodes. That DHCP relay serves for proxying DHCP requests in the same L2 domain where the management cluster nodes are located.
Caution
Networks used for hosts provisioning of a managed cluster must have routes to the PXE network (when a dedicated PXE network is configured) or to the combined PXE/management network of the management cluster. This configuration enables hosts to have access to the management cluster services that are used during host provisioning.
Management cluster nodes must have routes through the PXE network to PXE network segments used on a managed cluster. The following example contains L2 template fragments for a management cluster node:
l3Layout:
# PXE/static subnet for a management cluster
- scope: namespace
subnetName: kaas-mgmt-pxe
labelSelector:
kaas-mgmt-pxe-subnet: "1"
# management (LCM) subnet for a management cluster
- scope: namespace
subnetName: kaas-mgmt-lcm
labelSelector:
kaas-mgmt-lcm-subnet: "1"
# PXE/dhcp subnets for a managed cluster
- scope: namespace
subnetName: managed-dhcp-rack-1-region-one
- scope: namespace
subnetName: managed-dhcp-rack-2-region-one
- scope: namespace
subnetName: managed-dhcp-rack-3-region-one
...
npTemplate: |
...
bonds:
bond0:
interfaces:
- {{ nic 0 }}
- {{ nic 1 }}
parameters:
mode: active-backup
primary: {{ nic 0 }}
dhcp4: false
dhcp6: false
addresses:
# static address on management node in the PXE network
- {{ ip "bond0:kaas-mgmt-pxe" }}
routes:
# routes to managed PXE network segments
- to: {{ cidr_from_subnet "managed-dhcp-rack-1-region-one" }}
via: {{ gateway_from_subnet "kaas-mgmt-pxe" }}
- to: {{ cidr_from_subnet "managed-dhcp-rack-2-region-one" }}
via: {{ gateway_from_subnet "kaas-mgmt-pxe" }}
- to: {{ cidr_from_subnet "managed-dhcp-rack-3-region-one" }}
via: {{ gateway_from_subnet "kaas-mgmt-pxe" }}
...
To configure DHCP ranges for dnsmasq, create the Subnet objects
tagged with the ipam/SVC-dhcp-range label while setting up subnets
for a managed cluster using CLI.
For every dhcp-range record, Container Cloud also configures the
dhcp-option record to pass the default route through the default gateway
from the corresponding subnet to all hosts that obtain addresses
from that DHCP range. They will be configured by Container Cloud using another
dhcp-option record.
Caution
Support of multiple DHCP ranges has the following imitations:
Using of custom DNS server addresses for servers that boot over PXE is not supported.
The
Subnetobjects for DHCP ranges should not reference any specific cluster, as DHCP server configuration is only applicable to the management or regional cluster. Thekaas.mirantis.com/regionlabel that specifies the region will be used to determine where to apply the DHCP ranges from the givenSubnetobject. TheClusterreference will be ignored.
Note
Usage of multiple and single DHCP ranges is as follows:
The
baremetal-operatorchart allows using multiple DHCP ranges in the generateddnsmasq.conffile. The chart iterates over a list of thedhcp-rangeparameters from its values and adds all items from the list to the dnsmasq configuration.The
baremetal-operatorchart allows using single DHCP range for backwards compatibility. By default, theKAAS_BM_BM_DHCP_RANGEenvironment variable is still used to define the DHCP range for a management or regional cluster nodes during provisioning.
Caution
Since Container Cloud 2.24.0, you can only remove the deprecated
dnsmasq.dhcp_range values from the cluster spec. The Admission
Controller does not accept any other changes in these values. This
configuration is completely superseded by the Subnet object usage.
The dnsmasq configuration options dhcp-option=3 and dhcp-option=6
are absent in the default configuration. So, by default, dnsmasq
will send the DNS server and default route to DHCP clients as defined in the
dnsmasq official documentation:
The netmask and broadcast address are the same as on the host running dnsmasq.
The DNS server and default route are set to the address of the host running dnsmasq.
If the domain name option is set, this name is sent to DHCP clients.
If such default behavior is not desirable during deployment of managed clusters:
Open the management cluster spec for editing.
In the
baremetal-operatorrelease values, remove thednsmasq.dhcp_rangeparameter:regional: - helmReleases: - name: baremetal-operator values: dnsmasq: dhcp_range: 10.204.1.0,10.204.5.255,255.255.255.0
Set the desired DHCP ranges and options using the
Subnetobjects as described in Configure DHCP ranges for dnsmasq.
Caution
Since Container Cloud 2.21.0, the dnsmasq.dhcp_range
parameter of the baremetal-operator Helm chart values in the Cluster
spec is deprecated and will be removed in one of the following releases.
Therefore, migrate to the Subnet objects configuration and manually
remove dnsmasq.dhcp_range from the cluster spec.
Create the
Subnetobjects tagged with theipam/SVC-dhcp-rangelabel.Caution
For cluster-specific subnets, create
Subnetobjects in the same namespace as the relatedClusterobject project. For shared subnets, createSubnetobjects in thedefaultnamespace.To create the
Subnetobjects, refer to Create subnets.Use the following
Subnetobject example to specify DHCP ranges and DHCP options to pass the default route address:apiVersion: "ipam.mirantis.com/v1alpha1" kind: Subnet metadata: name: mgmt-dhcp-range namespace: default labels: ipam/SVC-dhcp-range: "" kaas.mirantis.com/provider: baremetal kaas.mirantis.com/region: region-one spec: cidr: 10.0.0.0/24 gateway: 10.0.0.1 includeRanges: - 10.0.0.121-10.0.0.125 - 10.0.0.191-10.0.0.199
Note
Setting of custom nameservers for the PXE subnet is not supported.
After creation of the above
Subnetobject, the provided data will be utilized to render theDnsmasqobject used for configuration of the dnsmasq deployment. You do not have to manually edit theDnsmasqobject.Verify that the changes are applied to the
Dnsmasqobject:kubectl --kubeconfig <pathToMgmtOrRegionalClusterKubeconfig> \ -n kaas get dnsmasq dnsmasq-dynamic-config -o json
For servers to access the DHCP server across the L2 segment boundaries, for example, from another rack with a different VLAN for PXE network, you must configure DHCP relay (agent) service on the border switch of the segment. For example, on a top-of-rack (ToR) or leaf (distribution) switch, depending on the data center network topology.
Warning
To ensure predictable routing for the relay of DHCP packets, Mirantis strongly advises against the use of chained DHCP relay configurations. This precaution limits the number of hops for DHCP packets, with an optimal scenario being a single hop.
This approach is justified by the unpredictable nature of chained relay configurations and potential incompatibilities between software and hardware relay implementations.
The dnsmasq server listens on the PXE network of the management
cluster by using the dhcp-lb Kubernetes Service.
To configure the DHCP relay service, specify the external address of the
dhcp-lb Kubernetes Service as an upstream address for the relayed DHCP
requests, which is the IP helper address for DHCP. There is the dnsmasq
deployment behind this service that can only accept relayed DHCP requests.
Container Cloud has its own DHCP relay running on one of the management cluster nodes. That DHCP relay serves for proxying DHCP requests in the same L2 domain where the management cluster nodes are located.
The dnsmasq server listens on the PXE interface of one management
cluster node.
To configure DHCP relay service, specify the management cluster node addresses in the PXE network as upstream addresses for the relayed DHCP requests, which are IP helper addresses for DHCP.
Depending on the PXE network setup, select from the following options:
If the PXE network is combined with the management network, identify LCM addresses of the management cluster nodes:
kubectl -n default get lcmmachine -o wide
In the output, select the addresses from the
INTERNALIPcolumn to use as the DHCP helper addresses.If you use a dedicated PXE network, identify the addresses assigned to your nodes using the corresponding
IpamHostobjects:kubectl -n default get ipamhost -o yaml
In
status.netconfigV2of each management cluster host, obtain the interface name used for PXE network and collect associated addresses to use as the DHCP helper addresses. For example:status: ... netconfigV2: ... bridges: ... k8s-pxe: addresses: - 10.0.1.4/24 dhcp4: false dhcp6: false interfaces: - ens3
In this example,
k8s-pxeis the PXE interface name and10.0.1.4is the address to use as one of the DHCP helper addresses.Caution
The following fields of the
ipamHoststatus are renamed since Container Cloud 2.22.0 in the scope of theL2TemplateandIpamHostobjects refactoring:netconfigV2tonetconfigCandidatenetconfigV2statetonetconfigCandidateStatenetconfigFilesStatetonetconfigFilesStates(per file)
No user actions are required after renaming.
The format of
netconfigFilesStatechanged after renaming. ThenetconfigFilesStatesfield contains a dictionary of statuses of network configuration files stored innetconfigFiles. The dictionary contains the keys that are file paths and values that have the same meaning for each file thatnetconfigFilesStatehad:For a successfully rendered configuration file:
OK: <timestamp> <sha256-hash-of-rendered-file>, where a timestamp is in the RFC 3339 format.For a failed rendering:
ERR: <error-message>.
Customize the default bare metal host profile¶
This section describes the bare metal host profile settings and instructs how to configure this profile before deploying Mirantis Container Cloud on physical servers.
The bare metal host profile is a Kubernetes custom resource. It allows the Infrastructure Operator to define how the storage devices and the operating system are provisioned and configured.
The bootstrap templates for a bare metal deployment include the template for
the default BareMetalHostProfile object in the following file
that defines the default bare metal host profile:
templates/bm/baremetalhostprofiles.yaml.template
Note
Using BareMetalHostProfile, you can configure LVM or mdadm-based
software RAID support during a management or managed cluster
creation. For details, see Configure RAID support.
This feature is available as Technology Preview. Use such configuration for testing and evaluation purposes only. For the Technology Preview feature definition, refer to Technology Preview features.
Warning
All data will be wiped during cluster deployment on devices
defined directly or indirectly in the fileSystems list of
BareMetalHostProfile. For example:
A raw device partition with a file system on it
A device partition in a volume group with a logical volume that has a file system on it
An mdadm RAID device with a file system on it
An LVM RAID device with a file system on it
The wipe field is always considered true for these devices.
The false value is ignored.
Therefore, to prevent data loss, move the necessary data from these file systems to another server beforehand, if required.
The customization procedure of BareMetalHostProfile is almost the same for
the management and managed clusters, with the following differences:
For a management cluster, the customization automatically applies to machines during bootstrap. And for a managed cluster, you apply the changes using
kubectlbefore creating a managed cluster.For a management cluster, you edit the default
baremetalhostprofiles.yaml.template. And for a managed cluster, you create a newBareMetalHostProfilewith the necessary configuration.
For the procedure details, see Create a custom bare metal host profile. Use this procedure for both types of clusters considering the differences described above.
Deploy an OpenStack-based management cluster¶
This section describes how to bootstrap an OpenStack-based Mirantis Container Cloud management cluster.
Workflow overview¶
The Infrastructure Operator performs the following steps to install Mirantis Container Cloud on an OpenStack-based environment:
Prepare an OpenStack environment that meets the Requirements for an OpenStack-based cluster.
Prepare the bootstrap node using Prerequisites.
Obtain the Mirantis license file that will be required during the bootstrap.
Prepare the OpenStack
clouds.yamlfile.Create and configure the deployment configuration files that include the cluster and machines metadata.
Run the bootstrap script for the fully automated installation of the management cluster.
For more details, see Bootstrap a management cluster.
Prerequisites¶
Before you start with bootstrapping the OpenStack-based management cluster, complete the following prerequisite steps:
Verify that your planned cloud meets the reference hardware bill of material and software requirements as described in Requirements for an OpenStack-based cluster.
Configure the bootstrap node:
Log in to any personal computer or VM running Ubuntu 20.04 that you will be using as the bootstrap node.
If you use a newly created VM, run:
sudo apt-get update
Install the current Docker version available for Ubuntu 20.04:
sudo apt install docker.io
Grant your
USERaccess to the Docker daemon:sudo usermod -aG docker $USER
Log off and log in again to the bootstrap node to apply the changes.
Verify that Docker is configured correctly and has access to Container Cloud CDN. For example:
docker run --rm alpine sh -c "apk add --no-cache curl; \ curl https://binary.mirantis.com"
The system output must contain no error records. In case of issues, follow the steps provided in Troubleshooting.
Note
If you require all Internet access to go through a proxy server for security and audit purposes, configure Docker proxy settings as described in the official Docker documentation.
Proceed to Bootstrap a management cluster.
Bootstrap a management cluster¶
After you complete the prerequisite steps described in Prerequisites, proceed with bootstrapping your OpenStack-based Mirantis Container Cloud management cluster.
To bootstrap an OpenStack-based management cluster:
Log in to the bootstrap node running Ubuntu 20.04 that is configured as described in Prerequisites.
Prepare the bootstrap script:
Download and run the Container Cloud bootstrap script:
sudo apt-get update sudo apt-get install wget wget https://binary.mirantis.com/releases/get_container_cloud.sh chmod 0755 get_container_cloud.sh ./get_container_cloud.sh
Change the directory to the
kaas-bootstrapfolder created by the script.
Obtain your license file that will be required during the bootstrap:
Create a user account at www.mirantis.com.
Log in to your account and download the
mirantis.liclicense file.Save the license file as
mirantis.licunder thekaas-bootstrapdirectory on the bootstrap node.Verify that
mirantis.liccontains the exact Container Cloud license previously downloaded from www.mirantis.com by decoding the license JWT token, for example, using jwt.io.Example of a valid decoded Container Cloud license data with the mandatory
licensefield:{ "exp": 1652304773, "iat": 1636669973, "sub": "demo", "license": { "dev": false, "limits": { "clusters": 10, "workers_per_cluster": 10 }, "openstack": null } }
Warning
The MKE license does not apply to
mirantis.lic. For details about MKE license, see MKE documentation.
Prepare the OpenStack configuration for a new cluster:
Log in to the OpenStack Horizon.
In the Project section, select API Access.
In the right-side drop-down menu Download OpenStack RC File, select OpenStack clouds.yaml File.
Save the downloaded
clouds.yamlfile in thekaas-bootstrapfolder created by theget_container_cloud.shscript.In
clouds.yaml, add thepasswordfield with your OpenStack password under theclouds/openstack/authsection.Example:
clouds: openstack: auth: auth_url: https://auth.openstack.example.com/v3 username: your_username password: your_secret_password project_id: your_project_id user_domain_name: your_user_domain_name region_name: RegionOne interface: public identity_api_version: 3
If you deploy Container Cloud on top of MOSK Victoria with Tungsten Fabric and use the default security group for newly created load balancers, add the following rules for the Kubernetes API server endpoint, Container Cloud application endpoint, and for the MKE web UI and API using the OpenStack CLI:
direction='ingress'ethertype='IPv4'protocol='tcp'remote_ip_prefix='0.0.0.0/0'port_range_maxandport_range_min:'443'for Kubernetes API and Container Cloud application endpoints'6443'for MKE web UI and API
Verify access to the target cloud endpoint from Docker. For example:
docker run --rm alpine sh -c "apk add --no-cache curl; \ curl https://auth.openstack.example.com/v3"
The system output must contain no error records.
In case of issues, follow the steps provided in Troubleshooting.
Configure the cluster and machines metadata:
In
templates/machines.yaml.template, modify thespec:providerSpec:valuesection for 3 control plane nodes marked with thecluster.sigs.k8s.io/control-planelabel by substituting theflavorandimageparameters with the corresponding values of the control plane nodes in the related OpenStack cluster. For example:spec: &cp_spec providerSpec: value: apiVersion: "openstackproviderconfig.k8s.io/v1alpha1" kind: "OpenstackMachineProviderSpec" flavor: kaas.minimal image: bionic-server-cloudimg-amd64-20190612
Note
The
flavorparameter value provided in the example above is cloud-specific and must meet the Container Cloud requirements.Also, modify other parameters as required.
Modify the
templates/cluster.yaml.templateparameters to fit your deployment. For example, add the corresponding values forcidrBlocksin thespec::clusterNetwork::servicessection.
Available since Container Cloud 2.24.0 as Technology Preview. Optional. Enable custom host names for cluster machines. When enabled, any machine host name in a particular region matches the related
Machineobject name. For example, instead of the defaultkaas-node-<UID>, a machine host name will bemaster-0. The custom naming format is more convenient and easier to operate with.To enable the feature on the management or regional and its future managed clusters, add the following environment variable:
export CUSTOM_HOSTNAMES=true
Optional. Available as TechPreview. To boot cluster machines from a block storage volume, define the following parameter in the
spec:providerSpecsection oftemplates/machines.yaml.template:bootFromVolume: enabled: true volumeSize: 120
Note
The minimal storage requirement is 120 GB per node. For details, see Requirements for an OpenStack-based cluster.
To boot the Bastion node from a volume, add the same parameter to
templates/cluster.yaml.templatein thespec:providerSpecsection for Bastion. The default amount of storage80is enough.Optional. Available since Container Cloud 2.24.0 as Technology Preview. Create all load balancers of the cluster with a specific Octavia flavor by defining the following parameter in the
spec:providerSpecsection oftemplates/cluster.yaml.template:serviceAnnotations: loadbalancer.openstack.org/flavor-id: <octaviaFlavorID>
For details, see OpenStack documentation: Octavia Flavors.
Note
This feature is not supported by OpenStack Queens.
Optional. Configure backups for the MariaDB database as described in Configure periodic backups of MariaDB for the OpenStack provider.
Configure NTP server.
Before Container Cloud 2.23.0, optional if servers from the Ubuntu NTP pool (
*.ubuntu.pool.ntp.org) are accessible from the node where the management cluster is being provisioned. Otherwise, configure the regional NTP server parameters as described below.Since Container Cloud 2.23.0, optionally disable NTP that is enabled by default. This option disables the management of
chronyconfiguration by Container Cloud to use your own system forchronymanagement. Otherwise, configure the regional NTP server parameters as described below.NTP configuration
Configure the regional NTP server parameters to be applied to all machines of regional and managed clusters in the specified region.
In
templates/cluster.yaml.template, add thentp:serverssection with the list of required server names:spec: ... providerSpec: value: kaas: ... ntpEnabled: true regional: - helmReleases: - name: <providerName>-provider values: config: lcm: ... ntp: servers: - 0.pool.ntp.org ... provider: <providerName> ...
To disable NTP:
spec: ... providerSpec: value: ... ntpEnabled: false ...
Optional. If you require all Internet access to go through a proxy server, in
bootstrap.env, add the following environment variables to bootstrap the management and regional cluster using proxy:HTTP_PROXYHTTPS_PROXYNO_PROXYPROXY_CA_CERTIFICATE_PATH
Example snippet:
export HTTP_PROXY=http://proxy.example.com:3128 export HTTPS_PROXY=http://user:pass@proxy.example.com:3128 export NO_PROXY=172.18.10.0,registry.internal.lan export PROXY_CA_CERTIFICATE_PATH="/home/ubuntu/.mitmproxy/mitmproxy-ca-cert.cer"
The following formats of variables are accepted:
Proxy configuration data¶ Variable
Format
HTTP_PROXYHTTPS_PROXYhttp://proxy.example.com:port- for anonymous access.http://user:password@proxy.example.com:port- for restricted access.
NO_PROXYComma-separated list of IP addresses or domain names.
PROXY_CA_CERTIFICATE_PATHOptional. Absolute path to the proxy CA certificate for man-in-the-middle (MITM) proxies. Must be placed on the bootstrap node to be trusted. For details, see Install a CA certificate for a MITM proxy on a bootstrap node.
Warning
If you require Internet access to go through a MITM proxy, ensure that the proxy has streaming enabled as described in Enable streaming for MITM.
Note
For MOSK-based deployments, the parameter is generally available since MOSK 22.4.
For implementation details, see Proxy and cache support.
For the list of Mirantis resources and IP addresses to be accessible from the Container Cloud clusters, see Requirements for an OpenStack-based cluster.
Available as TechPreview since Container Cloud 2.24.0 and 2.24.2 for MOSK 23.2. Optional. Enable the Linux Audit daemon auditd to monitor activity of cluster processes and prevent potential malicious activity.
Configuration for auditd
In
templates/cluster.yaml.template, add the auditd parameters:spec: providerSpec: value: audit: auditd: enabled: <bool> enabledAtBoot: <bool> backlogLimit: <int> maxLogFile: <int> maxLogFileAction: <string> maxLogFileKeep: <int> mayHaltSystem: <bool> presetRules: <string> customRules: <string> customRulesX32: <text> customRulesX64: <text>
Configuration parameters for auditd:
enabledBoolean, default -
false. Enables theauditdrole to install the auditd packages and configure rules. CIS rules: 4.1.1.1, 4.1.1.2.enabledAtBootBoolean, default -
false. Configures grub to audit processes that can be audited even if they start up prior to auditd startup. CIS rule: 4.1.1.3.backlogLimitInteger, default - none. Configures the backlog to hold records. If during boot
audit=1is configured, the backlog holds 64 records. If more than 64 records are created during boot, auditd records will be lost with a potential malicious activity being undetected. CIS rule: 4.1.1.4.maxLogFileInteger, default - none. Configures the maximum size of the audit log file. Once the log reaches the maximum size, it is rotated and a new log file is created. CIS rule: 4.1.2.1.
maxLogFileActionString, default - none. Defines handling of the audit log file reaching the maximum file size. Allowed values:
keep_logs- rotate logs but never delete themrotate- add a cron job to compress rotated log files and keep maximum 5 compressed files.compress- compress log files and keep them under the/var/log/auditd/directory. Requiresauditd_max_log_file_keepto be enabled.
CIS rule: 4.1.2.2.
maxLogFileKeepInteger, default -
5. Defines the number of compressed log files to keep under the/var/log/auditd/directory. Requiresauditd_max_log_file_action=compress. CIS rules - none.mayHaltSystemBoolean, default -
false. Halts the system when the audit logs are full. Applies the following configuration:space_left_action = emailaction_mail_acct = rootadmin_space_left_action = halt
CIS rule: 4.1.2.3.
customRulesString, default - none. Base64-encoded content of the
60-custom.rulesfile for any architecture. CIS rules - none.customRulesX32String, default - none. Base64-encoded content of the
60-custom.rulesfile for thei386architecture. CIS rules - none.customRulesX64String, default - none. Base64-encoded content of the
60-custom.rulesfile for thex86_64architecture. CIS rules - none.presetRulesString, default - none. Comma-separated list of the following built-in preset rules:
accessactionsdeletedocker
identityimmutableloginsmac-policy
modulesmountsperm-modprivileged
scopesessionsystem-localetime-change
You can use two keywords for these rules:
none- disables all built-in rules.all- enables all built-in rules. With this key, you can add the!prefix to a rule name to exclude some rules. You can use the!prefix for rules only if you add theallkeyword as the first rule. Place a rule with the!prefix only after theallkeyword.
Example configurations:
presetRules: none- disable all preset rulespresetRules: docker- enable only thedockerrulespresetRules: access,actions,logins- enable only theaccess,actions, andloginsrulespresetRules: all- enable all preset rulespresetRules: all,!immutable,!sessions- enable all preset rules exceptimmutableandsessions
CIS controls
4.1.3 (time-change)4.1.4 (identity)4.1.5 (system-locale)4.1.6 (mac-policy)4.1.7 (logins)4.1.8 (session)4.1.9 (perm-mod)4.1.10 (access)4.1.11 (privileged)4.1.12 (mounts)4.1.13 (delete)4.1.14 (scope)4.1.15 (actions)4.1.16 (modules)4.1.17 (immutable)Docker CIS controls
1.1.41.1.81.1.101.1.121.1.131.1.151.1.161.1.171.1.181.2.31.2.41.2.51.2.61.2.71.2.101.2.11
Optional. Configure external identity provider for IAM.
Optional. Enable infinite timeout for all bootstrap stages by exporting the following environment variable or adding it to
bootstrap.env:export KAAS_BOOTSTRAP_INFINITE_TIMEOUT=true
Infinite timeout prevents the bootstrap failure due to timeout. This option is useful in the following cases:
The network speed is slow for artifacts downloading
An infrastructure configuration does not allow booting fast
A bare-metal node inspecting presupposes more than two HDDSATA disks to attach to a machine
Optional. Available since Container Cloud 2.23.0. Customize the cluster and region name by exporting the following environment variables or adding them to
bootstrap.env:export REGION=<customRegionName> export CLUSTER_NAME=<customClusterName>
By default, the system uses
region-onefor the region name andkaas-mgmtfor the management cluster name.Run the bootstrap script:
./bootstrap.sh allIn case of deployment issues, refer to Troubleshooting and inspect logs.
If the script fails for an unknown reason:
Run the cleanup script:
./bootstrap.sh cleanupRerun the bootstrap script.
When the bootstrap is complete, collect and save the following management cluster details in a secure location:
The
kubeconfigfile located in the same directory as the bootstrap script. This file contains the admin credentials for the management cluster.The private
ssh_keyfor access to the management cluster nodes that is located in the same directory as the bootstrap script.Note
If the initial version of your Container Cloud management cluster was earlier than 2.6.0,
ssh_keyis namedopenstack_tmpand is located at~/.ssh/.The URL for the Container Cloud web UI.
To create users with permissions required for accessing the Container Cloud web UI, see Create initial users after a management cluster bootstrap.
The StackLight endpoints. For details, see Access StackLight web UIs.
The Keycloak URL that the system outputs when the bootstrap completes. The admin password for Keycloak is located in
kaas-bootstrap/passwords.ymlalong with other IAM passwords.
Note
The Container Cloud web UI and StackLight endpoints are available through Transport Layer Security (TLS) and communicate with Keycloak to authenticate users. Keycloak is exposed using HTTPS and self-signed TLS certificates that are not trusted by web browsers.
To use your own TLS certificates for Keycloak, refer to Configure TLS certificates for cluster applications.
Note
When the bootstrap is complete, the bootstrap cluster resources are freed up.
Verify that network addresses used on your clusters do not overlap with the following default MKE network addresses for Swarm and MCR:
10.0.0.0/16is used for Swarm networks. IP addresses from this network are virtual.10.99.0.0/16is used for MCR networks. IP addresses from this network are allocated on hosts.
Verification of Swarm and MCR network addresses
To verify Swarm and MCR network addresses, run on any master node:
docker infoExample of system response:
Server: ... Swarm: ... Default Address Pool: 10.0.0.0/16 SubnetSize: 24 ... Default Address Pools: Base: 10.99.0.0/16, Size: 20 ...
Not all of Swarm and MCR addresses are usually in use. One Swarm Ingress network is created by default and occupies the
10.0.0.0/24address block. Also, three MCR networks are created by default and occupy three address blocks:10.99.0.0/20,10.99.16.0/20,10.99.32.0/20.To verify the actual networks state and addresses in use, run:
docker network ls docker network inspect <networkName>
Optional. Deploy an additional regional cluster as described in Deploy an additional regional cluster (optional).
Now, you can proceed with operating your management cluster using the Container Cloud web UI and deploying managed clusters as described in Create and operate an OpenStack-based managed cluster.
Deploy a VMware vSphere-based management cluster¶
This section describes how to bootstrap a VMware vSphere-based Mirantis Container Cloud management cluster.
Note
You can deploy vSphere-based clusters on CentOS. Support of this operating system is available as Technology Preview. Use it for testing and evaluation purposes only.
Deployment of a Container Cloud cluster that is based on different operating systems, such as RHEL and CentOS or CentOS and Ubuntu, is not supported.
Workflow overview¶
Perform the following steps to install Mirantis Container Cloud on a VMware vSphere-based environment:
Prepare a vSphere environment that meets the Requirements for a VMware vSphere-based cluster.
Determine vSphere resources required for the deployment as described in Deployment resources requirements.
Prepare the bootstrap node as described in Prerequisites.
Obtain the Mirantis license file to use during the bootstrap.
Set up the VMware accounts for deployment as described in VMware deployment users.
Create and configure the deployment configuration files that include the cluster and machines metadata as described in Bootstrap a management cluster.
Prepare the VM template for the management cluster nodes using VM template requirements.
Run the bootstrap script for the fully automated installation of the management cluster.
For more details, see Bootstrap a management cluster.
Deployment resources requirements¶
The VMware vSphere provider of Mirantis Container Cloud requires the following resources to successfully create virtual machines for Container Cloud clusters:
- Data center
All resources below must be related to one data center.
- Cluster
All virtual machines must run on the hosts of one cluster.
- Virtual Network or Distributed Port Group
Network for virtual machines. For details, see VMware vSphere network objects and IPAM recommendations.
- Datastore
Storage for virtual machines disks and Kubernetes volumes.
- Folder
Placement of virtual machines.
- Resource pool
Pool of CPU and memory resources for virtual machines.
You must provide the data center and cluster resources by name. You can provide other resources by:
- Name
Resource name must be unique in the data center and cluster. Otherwise, the vSphere provider detects multiple resources with same name and cannot determine which one to use.
- Full path (recommended)
Full path to a resource depends on its type. For example:
- Network
/<data_center>/network/<network_name>
- Resource pool
/<data_center>/host/<cluster>/Resources/<resource pool_name>
- Folder
/<data_center>/vm/<folder1>/<folder2>/.../<folder_name>or/<data_center>/vm/<folder_name>
- Datastore
/<data_center>/datastore/<datastore_name>
You can determine the proper resource name using the vSphere UI.
To obtain the full path to vSphere resources:
Download the latest version of GOVC utility depending on your operating system and unpack the
govcbinary intoPATHon your machine.Set the environment variables to access your vSphere cluster. For example:
export GOVC_USERNAME=user export GOVC_PASSWORD=password export GOVC_URL=https://vcenter.example.com
List the data center root using the govc ls command. Example output:
/<data_center>/vm /<data_center>/network /<data_center>/host /<data_center>/datastore
Obtain the full path to resources by name for:
Network or Distributed Port Group (Distributed Virtual Port Group):
govc find /<data_center> -type n -name <network_name>
Datastore:
govc find /<data_center> -type s -name <datastore_name>
Folder:
govc find /<data_center> -type f -name <folder_name>
Resource pool:
govc find /<data_center> -type p -name <resource_pool_name>
Verify the resource type by full path:
govc object.collect -json -o "<full_path_to_resource>" | jq .Self.Type
Prerequisites¶
Before bootstrapping a VMware vSphere-based management cluster, complete the following prerequisite steps:
Verify that your planned cloud configuration meets the reference hardware bill of material and software requirements as described in Requirements for a VMware vSphere-based cluster.
Verify that your planned cloud configuration meets the deployment resources requirements.
Configure Ubuntu or RHEL on the bootstrap node:
For Ubuntu:
Log in to any personal computer or VM running Ubuntu 20.04 that you will be using as the bootstrap node.
If you use a newly created VM, run:
sudo apt-get update
Install the current Docker version available for Ubuntu 20.04:
sudo apt install docker.io
Grant your
USERaccess to the Docker daemon:sudo usermod -aG docker $USER
Log off and log in again to the bootstrap node to apply the changes.
Verify that Docker is configured correctly and has access to Container Cloud CDN. For example:
docker run --rm alpine sh -c "apk add --no-cache curl; \ curl https://binary.mirantis.com"
The system output must contain no error records. In case of issues, follow the steps provided in Troubleshooting.
For RHEL:
Log in to a VM running RHEL 7.9 or 8.7 TechPreview that you will be using as a bootstrap node.
If you do not use RedHat Satellite server locally in your infrastructure and require all Internet access to go through a proxy server, including access to RedHat customer portal, configure proxy parameters for
subscription-managerusing the example below:subscription-manager config \ --server.proxy_scheme=$SCHEME \ --server.proxy_hostname=$HOST \ --server.proxy_port=$PORT \ --server.proxy_user=$USER \ --server.proxy_password=$PASS \ --server.no_proxy=$NO_PROXY
Caution
In MITM proxy deployments, use the internal Red Hat Satellite server to register RHEL machines so that a VM can access this server directly without a MITM proxy.
Attach the RHEL subscription using
subscription-manager.Install the following packages:
sudo yum install yum-utils wget vim -y
For RHEL 7.9, verify that the
extrasrepository is enabled:sudo yum-config-manager --enable rhel-7-server-extras-rpms
Add the Docker mirror according to the operating system major version (
7for 7.9 and8for 8.7 TechPreview). Provide the proxy URL, if required, or set to_none_.sudo cat <<EOF > /etc/yum.repos.d/docker-ee.repo [docker-ee] name=Docker EE gpgcheck=0 enabled=1 priority=1 baseurl=https://repos.mirantis.com/rhel/RHEL_MAJOR_VERSION/x86_64/stable-20.10/ proxy=PROXY EOF
Install and configure Docker:
sudo yum install docker-ee -y sudo systemctl start docker sudo chmod 666 /var/run/docker.sock
Verify that Docker is configured correctly and has access to Container Cloud CDN. For example:
docker run --rm alpine sh -c "apk add --no-cache curl; \ curl https://binary.mirantis.com"
The system output must contain no error records. In case of issues, follow the steps provided in Troubleshooting.
Note
If you require all Internet access to go through a proxy server for security and audit purposes, configure Docker proxy settings as described in the official Docker documentation.
Prepare the VMware deployment user setup and permissions¶
To deploy Mirantis Container Cloud on the VMware vSphere-based environment, you need to prepare vSphere accounts for Container Cloud. Contact your vSphere administrator to set up the required users and permissions following the steps below:
Log in to the vCenter Server Web Console.
Create the
cluster-apiuser with the following privileges:Note
Container Cloud uses two separate vSphere accounts for:
Cluster API related operations, such as create or delete VMs, and for preparation of the VM template using Packer
Storage operations, such as dynamic PVC provisioning
You can also create one user that has all privileges sets mentioned above.
The cluster-api user privileges
Privilege
Permission
Content library
Download files
Read storage
Sync library item
Datastore
Allocate space
Browse datastore
Low-level file operations
Update virtual machine metadata
Distributed switch
Host operation
IPFIX operation
Modify
Network I/O control operation
Policy operation
Port configuration operation
Port setting operation
VSPAN operation
Folder
Create folder
Rename folder
Global
Cancel task
Host local operations
Create virtual machine
Delete virtual machine
Reconfigure virtual machine
Network
Assign network
Resource
Assign virtual machine to resource pool
Scheduled task
Create tasks
Modify task
Remove task
Run task
Sessions
Validate session
View and stop sessions
Storage views
View
Tasks
Create task
Update task
Virtual machine permissions¶ Privilege
Permission
Change configuration
Acquire disk lease
Add existing disk
Add new disk
Add or remove device
Advanced configuration
Change CPU count
Change Memory
Change Settings
Change Swapfile placement
Change resource
Configure Host USB device
Configure Raw device
Configure managedBy
Display connection settings
Extend virtual disk
Modify device settings
Query Fault Tolerance compatibility
Query unowned files
Reload from path
Remove disk
Rename
Reset guest information
Set annotation
Toggle disk change tracking
Toggle fork parent
Upgrade virtual machine compatibility
Interaction
Configure CD media
Configure floppy media
Console interaction
Device connection
Inject USB HID scan codes
Power off
Power on
Reset
Suspend
Inventory
Create from existing
Create new
Move
Register
Remove
Unregister
Provisioning
Allow disk access
Allow file access
Allow read-only disk access
Allow virtual machine download
Allow virtual machine files upload
Clone template
Clone virtual machine
Create template from virtual machine
Customize guest
Deploy template
Mark as template
Mark as virtual machine
Modify customization specification
Promote disks
Read customization specifications
Snapshot management
Create snapshot
Remove snapshot
Rename snapshot
Revert to snapshot
vSphere replication
Monitor replication
Create the
storageuser with the following privileges:Note
For more details about all required privileges for the
storageuser, see vSphere Cloud Provider documentation.The storage user privileges
Privilege
Permission
Cloud Native Storage
Searchable
Content library
View configuration settings
Datastore
Allocate space
Browse datastore
Low level file operations
Remove file
Folder
Create folder
Host configuration
Storage partition configuration
Host local operations
Create virtual machine
Delete virtual machine
Reconfigure virtual machine
Host profile
View
Profile-driven storage
Profile-driven storage view
Resource
Assign virtual machine to resource pool
Scheduled task
Create tasks
Modify task
Run task
Sessions
Validate session
View and stop sessions
Storage views
View
Virtual machine permissions¶ Privilege
Permission
Change configuration
Add existing disk
Add new disk
Add or remove device
Advanced configuration
Change CPU count
Change Memory
Change Settings
Configure managedBy
Extend virtual disk
Remove disk
Rename
Inventory
Create from existing
Create new
Remove
For RHEL deployments, if you do not have a RHEL machine with the
virt-whoservice configured to report the vSphere environment configuration and hypervisors information to RedHat Customer Portal or RedHat Satellite server, set up thevirt-whoservice inside the Container Cloud machines for a proper RHEL license activation.Create a
virt-whouser with at least read-only access to all objects in the vCenter Data Center.The
virt-whoservice on RHEL machines will be provided with thevirt-whouser credentials to properly manage RHEL subscriptions.For details on how to create the
virt-whouser, refer to the official RedHat Customer Portal documentation.
Now, proceed to Bootstrap a management cluster.
Bootstrap a management cluster¶
After you complete the prerequisite steps described in Prerequisites, proceed with bootstrapping your VMware vSphere-based Mirantis Container Cloud management cluster.
To bootstrap a vSphere-based management cluster:
Log in to the bootstrap node running Ubuntu 20.04 that is configured as described in Prerequisites.
Prepare the bootstrap script:
Download and run the Container Cloud bootstrap script:
sudo apt-get update sudo apt-get install wget wget https://binary.mirantis.com/releases/get_container_cloud.sh chmod 0755 get_container_cloud.sh ./get_container_cloud.sh
Change the directory to the
kaas-bootstrapfolder created by the script.
Obtain your license file that will be required during the bootstrap:
Create a user account at www.mirantis.com.
Log in to your account and download the
mirantis.liclicense file.Save the license file as
mirantis.licunder thekaas-bootstrapdirectory on the bootstrap node.Verify that
mirantis.liccontains the exact Container Cloud license previously downloaded from www.mirantis.com by decoding the license JWT token, for example, using jwt.io.Example of a valid decoded Container Cloud license data with the mandatory
licensefield:{ "exp": 1652304773, "iat": 1636669973, "sub": "demo", "license": { "dev": false, "limits": { "clusters": 10, "workers_per_cluster": 10 }, "openstack": null } }
Warning
The MKE license does not apply to
mirantis.lic. For details about MKE license, see MKE documentation.
Prepare deployment templates:
Modify
templates/vsphere/vsphere-config.yaml.template:Note
Contact your vSphere administrator to provide you with the values for the below parameters.
vSphere configuration data¶ Parameter
Description
SET_VSPHERE_SERVERIP address or FQDN of the vCenter Server.
SET_VSPHERE_SERVER_PORTPort of the vCenter Server. For example,
port: "8443". Leave empty to use"443"by default.SET_VSPHERE_DATACENTERvSphere data center name.
SET_VSPHERE_SERVER_INSECUREFlag that controls validation of the vSphere Server certificate. Must be
trueorfalse.SET_VSPHERE_CAPI_PROVIDER_USERNAMEvSphere Cluster API provider user name that you added when preparing the deployment user setup and permissions.
SET_VSPHERE_CAPI_PROVIDER_PASSWORDvSphere Cluster API provider user password.
SET_VSPHERE_CLOUD_PROVIDER_USERNAMEvSphere Cloud Provider deployment user name that you added when preparing the deployment user setup and permissions.
SET_VSPHERE_CLOUD_PROVIDER_PASSWORDvSphere Cloud Provider deployment user password.
Modify
templates/vsphere/cluster.yaml.template:vSphere cluster network parameters
Modify the following required network parameters:
Required parameters¶ Parameter
Description
SET_LB_HOSTIP address from the provided vSphere network for Kubernetes API load balancer (Keepalived VIP).
SET_VSPHERE_DATASTOREName of the vSphere datastore. You can use different datastores for vSphere Cluster API and vSphere Cloud Provider.
SET_VSPHERE_MACHINES_FOLDERPath to a folder where the cluster machines metadata will be stored.
SET_VSPHERE_NETWORK_PATHPath to a network for cluster machines.
SET_VSPHERE_RESOURCE_POOL_PATHPath to a resource pool in which VMs will be created.
Note
To obtain the
LB_HOSTparameter for the selected vSphere network, contact your vSphere administrator who provides you with the IP ranges dedicated to your environment.Modify other parameters if required. For example, add the corresponding values for
cidrBlocksin thespec::clusterNetwork::servicessection.For either DHCP or non-DHCP vSphere network:
Determine the vSphere network parameters as described in VMware vSphere network objects and IPAM recommendations.
Provide the following additional parameters for a proper network setup on machines using embedded IP address management (IPAM) in
templates/vsphere/cluster.yaml.template:Note
To obtain IPAM parameters for the selected vSphere network, contact your vSphere administrator who provides you with IP ranges dedicated to your environment only.
vSphere configuration data¶ Parameter
Description
ipamEnabledEnables IPAM. Recommended value is
truefor either DHCP or non-DHCP networks.SET_VSPHERE_NETWORK_CIDRCIDR of the provided vSphere network. For example,
10.20.0.0/16.SET_VSPHERE_NETWORK_GATEWAYGateway of the provided vSphere network.
SET_VSPHERE_CIDR_INCLUDE_RANGESIP range for the cluster machines. Specify the range of the provided CIDR. For example,
10.20.0.100-10.20.0.200. If the DHCP network is used, this range must not intersect with the DHCP range of the network.SET_VSPHERE_CIDR_EXCLUDE_RANGESOptional. IP ranges to be excluded from being assigned to the cluster machines. The MetalLB range and
SET_LB_HOSTshould not intersect with the addresses for IPAM. For example,10.20.0.150-10.20.0.170.SET_VSPHERE_NETWORK_NAMESERVERSList of nameservers for the provided vSphere network.
Configure MetalLB parameters:
Open the required configuration file for editing:
Open
templates/vsphere/metallbconfig.yaml.template. For a detailedMetalLBConfigobject description, see API Reference: MetalLBConfig resource.Open
templates/vsphere/cluster.yaml.template.Add
SET_VSPHERE_METALLB_RANGEthat is the MetalLB range of IP addresses to assign to load balancers for Kubernetes Services.Note
To obtain the
VSPHERE_METALLB_RANGEparameter for the selected vSphere network, contact your vSphere administrator who provides you with the IP ranges dedicated to your environment.
For RHEL deployments, fill out
templates/vsphere/rhellicenses.yaml.template.RHEL license configuration
Use one of the following set of parameters for RHEL machines subscription:
The user name and password of your RedHat Customer Portal account associated with your RHEL license for Virtual Datacenters.
Optionally, provide the subscription allocation pools to use for the RHEL subscription activation. If not needed, remove the
poolIDsfield forsubscription-managerto automatically select the licenses for machines.For example:
spec: username: <username> password: value: <password> poolIDs: - <pool1> - <pool2>
The activation key and organization ID associated with your RedHat account with RHEL license for Virtual Datacenters. The activation key can be created by the organization administrator on the RedHat Customer Portal.
If you use the RedHat Satellite server for management of your RHEL infrastructure, you can provide a pre-generated activation key from that server. In this case:
Provide the URL to the RedHat Satellite RPM for installation of the CA certificate that belongs to that server.
Configure
squid-proxyon the management or regional cluster to allow access to your Satellite server. For details, see Configure squid-proxy.
For example:
spec: activationKey: value: <activation key> orgID: "<organization ID>" rpmUrl: <rpm url>
Caution
For RHEL 8.7 TechPreview, verify mirrors configuration for your activation key. For more details, see RHEL 8 mirrors configuration.
Warning
Provide only one set of parameters. Mixing the parameters from different activation methods will cause deployment failure.
For CentOS deployments, in
templates/vsphere/rhellicenses.yaml.template, remove all lines underitems:.
Available since Container Cloud 2.24.0 as Technology Preview. Optional. Enable custom host names for cluster machines. When enabled, any machine host name in a particular region matches the related
Machineobject name. For example, instead of the defaultkaas-node-<UID>, a machine host name will bemaster-0. The custom naming format is more convenient and easier to operate with.To enable the feature on the management or regional and its future managed clusters, add the following environment variable:
export CUSTOM_HOSTNAMES=true
In
bootstrap.env, add theKAAS_VSPHERE_ENABLED=trueenvironment variable that enables the vSphere provider deployment in Container Cloud.Configure NTP server.
Before Container Cloud 2.23.0, optional if servers from the Ubuntu NTP pool (
*.ubuntu.pool.ntp.org) are accessible from the node where the management cluster is being provisioned. Otherwise, configure the regional NTP server parameters as described below.Since Container Cloud 2.23.0, optionally disable NTP that is enabled by default. This option disables the management of
chronyconfiguration by Container Cloud to use your own system forchronymanagement. Otherwise, configure the regional NTP server parameters as described below.NTP configuration
Configure the regional NTP server parameters to be applied to all machines of regional and managed clusters in the specified region.
In
templates/vsphere/cluster.yaml.template, add thentp:serverssection with the list of required server names:spec: ... providerSpec: value: kaas: ... ntpEnabled: true regional: - helmReleases: - name: <providerName>-provider values: config: lcm: ... ntp: servers: - 0.pool.ntp.org ... provider: <providerName> ...
To disable NTP:
spec: ... providerSpec: value: ... ntpEnabled: false ...
Prepare the VM template as described in Prepare the virtual machine template.
In
templates/vsphere/machines.yaml.template, define the following parameters:rhelLicenseRHEL license name defined in
rhellicenses.yaml.template, defaults tokaas-mgmt-rhel-license. Remove or comment out this parameter for CentOS and Ubuntu deployments.
diskGiBDisk size in GiB for machines that must match the disk size of the VM template. You can leave this parameter commented to use the disk size of the VM template. The minimum requirement is 120 GiB.
templatePath to the VM template prepared in the previous step.
Sample template:
spec: providerSpec: value: apiVersion: vsphere.cluster.k8s.io/v1alpha1 kind: VsphereMachineProviderSpec rhelLicense: <rhelLicenseName> numCPUs: 8 memoryMiB: 32768 # diskGiB: 120 template: <vSphereVMTemplatePath>
Also, modify other parameters if required.
If you require all Internet access to go through a proxy server, in
bootstrap.env, add the following environment variables to bootstrap the management and regional cluster using proxy:HTTP_PROXYHTTPS_PROXYNO_PROXYPROXY_CA_CERTIFICATE_PATH
Example snippet:
export HTTP_PROXY=http://proxy.example.com:3128 export HTTPS_PROXY=http://user:pass@proxy.example.com:3128 export NO_PROXY=172.18.10.0,registry.internal.lan export PROXY_CA_CERTIFICATE_PATH="/home/ubuntu/.mitmproxy/mitmproxy-ca-cert.cer"
The following formats of variables are accepted:
Proxy configuration data¶ Variable
Format
HTTP_PROXYHTTPS_PROXYhttp://proxy.example.com:port- for anonymous access.http://user:password@proxy.example.com:port- for restricted access.
NO_PROXYComma-separated list of IP addresses or domain names. Mandatory to add
host[:port]of the vCenter server.PROXY_CA_CERTIFICATE_PATHOptional. Absolute path to the proxy CA certificate for man-in-the-middle (MITM) proxies. Must be placed on the bootstrap node to be trusted. For details, see Install a CA certificate for a MITM proxy on a bootstrap node.
Warning
If you require Internet access to go through a MITM proxy, ensure that the proxy has streaming enabled as described in Enable streaming for MITM.
Note
For MOSK-based deployments, the parameter is generally available since MOSK 22.4.
For implementation details, see Proxy and cache support.
Caution
In MITM proxy deployments, use the internal Red Hat Satellite server to register RHEL machines so that a VM can access this server directly without a MITM proxy.
For the list of Mirantis resources and IP addresses to be accessible from the Container Cloud clusters, see Requirements for a VMware vSphere-based cluster.
Available as TechPreview since Container Cloud 2.24.0 and 2.24.2 for MOSK 23.2. Optional. Enable the Linux Audit daemon auditd to monitor activity of cluster processes and prevent potential malicious activity.
Configuration for auditd
In
templates/vsphere/cluster.yaml.template, add the auditd parameters:spec: providerSpec: value: audit: auditd: enabled: <bool> enabledAtBoot: <bool> backlogLimit: <int> maxLogFile: <int> maxLogFileAction: <string> maxLogFileKeep: <int> mayHaltSystem: <bool> presetRules: <string> customRules: <string> customRulesX32: <text> customRulesX64: <text>
Configuration parameters for auditd:
enabledBoolean, default -
false. Enables theauditdrole to install the auditd packages and configure rules. CIS rules: 4.1.1.1, 4.1.1.2.enabledAtBootBoolean, default -
false. Configures grub to audit processes that can be audited even if they start up prior to auditd startup. CIS rule: 4.1.1.3.backlogLimitInteger, default - none. Configures the backlog to hold records. If during boot
audit=1is configured, the backlog holds 64 records. If more than 64 records are created during boot, auditd records will be lost with a potential malicious activity being undetected. CIS rule: 4.1.1.4.maxLogFileInteger, default - none. Configures the maximum size of the audit log file. Once the log reaches the maximum size, it is rotated and a new log file is created. CIS rule: 4.1.2.1.
maxLogFileActionString, default - none. Defines handling of the audit log file reaching the maximum file size. Allowed values:
keep_logs- rotate logs but never delete themrotate- add a cron job to compress rotated log files and keep maximum 5 compressed files.compress- compress log files and keep them under the/var/log/auditd/directory. Requiresauditd_max_log_file_keepto be enabled.
CIS rule: 4.1.2.2.
maxLogFileKeepInteger, default -
5. Defines the number of compressed log files to keep under the/var/log/auditd/directory. Requiresauditd_max_log_file_action=compress. CIS rules - none.mayHaltSystemBoolean, default -
false. Halts the system when the audit logs are full. Applies the following configuration:space_left_action = emailaction_mail_acct = rootadmin_space_left_action = halt
CIS rule: 4.1.2.3.
customRulesString, default - none. Base64-encoded content of the
60-custom.rulesfile for any architecture. CIS rules - none.customRulesX32String, default - none. Base64-encoded content of the
60-custom.rulesfile for thei386architecture. CIS rules - none.customRulesX64String, default - none. Base64-encoded content of the
60-custom.rulesfile for thex86_64architecture. CIS rules - none.presetRulesString, default - none. Comma-separated list of the following built-in preset rules:
accessactionsdeletedocker
identityimmutableloginsmac-policy
modulesmountsperm-modprivileged
scopesessionsystem-localetime-change
You can use two keywords for these rules:
none- disables all built-in rules.all- enables all built-in rules. With this key, you can add the!prefix to a rule name to exclude some rules. You can use the!prefix for rules only if you add theallkeyword as the first rule. Place a rule with the!prefix only after theallkeyword.
Example configurations:
presetRules: none- disable all preset rulespresetRules: docker- enable only thedockerrulespresetRules: access,actions,logins- enable only theaccess,actions, andloginsrulespresetRules: all- enable all preset rulespresetRules: all,!immutable,!sessions- enable all preset rules exceptimmutableandsessions
CIS controls
4.1.3 (time-change)4.1.4 (identity)4.1.5 (system-locale)4.1.6 (mac-policy)4.1.7 (logins)4.1.8 (session)4.1.9 (perm-mod)4.1.10 (access)4.1.11 (privileged)4.1.12 (mounts)4.1.13 (delete)4.1.14 (scope)4.1.15 (actions)4.1.16 (modules)4.1.17 (immutable)Docker CIS controls
1.1.41.1.81.1.101.1.121.1.131.1.151.1.161.1.171.1.181.2.31.2.41.2.51.2.61.2.71.2.101.2.11
Optional. Configure external identity provider for IAM.
Optional. Enable infinite timeout for all bootstrap stages by exporting the following environment variable or adding it to
bootstrap.env:export KAAS_BOOTSTRAP_INFINITE_TIMEOUT=true
Infinite timeout prevents the bootstrap failure due to timeout. This option is useful in the following cases:
The network speed is slow for artifacts downloading
An infrastructure configuration does not allow booting fast
A bare-metal node inspecting presupposes more than two HDDSATA disks to attach to a machine
Optional. Available since Container Cloud 2.23.0. Customize the cluster and region name by exporting the following environment variables or adding them to
bootstrap.env:export REGION=<customRegionName> export CLUSTER_NAME=<customClusterName>
By default, the system uses
region-onefor the region name andkaas-mgmtfor the management cluster name.Run the bootstrap script:
./bootstrap.sh allIn case of deployment issues, refer to Troubleshooting and inspect logs.
If the script fails for an unknown reason:
Run the cleanup script:
./bootstrap.sh cleanupRerun the bootstrap script.
When the bootstrap is complete, collect and save the following management cluster details in a secure location:
The
kubeconfigfile located in the same directory as the bootstrap script. This file contains the admin credentials for the management cluster.The private
ssh_keyfor access to the management cluster nodes that is located in the same directory as the bootstrap script.Note
If the initial version of your Container Cloud management cluster was earlier than 2.6.0,
ssh_keyis namedopenstack_tmpand is located at~/.ssh/.The URL for the Container Cloud web UI.
To create users with permissions required for accessing the Container Cloud web UI, see Create initial users after a management cluster bootstrap.
The StackLight endpoints. For details, see Access StackLight web UIs.
The Keycloak URL that the system outputs when the bootstrap completes. The admin password for Keycloak is located in
kaas-bootstrap/passwords.ymlalong with other IAM passwords.
Note
The Container Cloud web UI and StackLight endpoints are available through Transport Layer Security (TLS) and communicate with Keycloak to authenticate users. Keycloak is exposed using HTTPS and self-signed TLS certificates that are not trusted by web browsers.
To use your own TLS certificates for Keycloak, refer to Configure TLS certificates for cluster applications.
Note
When the bootstrap is complete, the bootstrap cluster resources are freed up.
Verify that network addresses used on your clusters do not overlap with the following default MKE network addresses for Swarm and MCR:
10.0.0.0/16is used for Swarm networks. IP addresses from this network are virtual.10.99.0.0/16is used for MCR networks. IP addresses from this network are allocated on hosts.
Verification of Swarm and MCR network addresses
To verify Swarm and MCR network addresses, run on any master node:
docker infoExample of system response:
Server: ... Swarm: ... Default Address Pool: 10.0.0.0/16 SubnetSize: 24 ... Default Address Pools: Base: 10.99.0.0/16, Size: 20 ...
Not all of Swarm and MCR addresses are usually in use. One Swarm Ingress network is created by default and occupies the
10.0.0.0/24address block. Also, three MCR networks are created by default and occupy three address blocks:10.99.0.0/20,10.99.16.0/20,10.99.32.0/20.To verify the actual networks state and addresses in use, run:
docker network ls docker network inspect <networkName>
Now, you can proceed with operating your management cluster using the Container Cloud web UI and deploying managed clusters as described in Create and operate a VMware vSphere-based managed cluster.
Prepare the virtual machine template¶
To deploy Mirantis Container Cloud on the vSphere-based environment, prepare the virtual machine (VM) template for cluster machines that fits the following requirements:
The VMware Tools package is installed.
The
cloud-initutility is installed and configured with the specificVMwareGuestInfodata source.
The following procedures describe how to meet the requirements above either using the Container Cloud script or manually.
Prepare the VM template using the Container Cloud script¶
Prepare the Container Cloud bootstrap and modify
templates/vsphere/vsphere-config.yaml.templateandtemplates/vsphere/cluster.yaml.templateas described in Bootstrap a management cluster, steps 1-9.Download or add to the vSphere datastore the ISO image depending on the target operating system:
Ubuntu 20.04 Server Install Image from Ubuntu images
RHEL 7.8, 7.9, or 8.7 (Technology Preview) DVD ISO from the RedHat Customer Portal
Technology Preview: CentOS 7.9 DVD ISO from the CentOS mirrors
Export the environment variable for the ISO file depending on its placement:
# On the seed node export VSPHERE_PACKER_ISO_FILE=$(pwd)/iso-file.dvd.iso # On the vSphere datastore export VSPHERE_PACKER_STORAGE_PATH="[<datastoreName>] /<path/to>/iso-file.dvd.iso"
Verify that the Docker service is running and the bootstrap node user is added to the
dockergroup.For RHEL, SELinux has to be in permissive mode or disabled.
For more details about the bootstrap seed node prerequisites, see Prerequisites.
Export the following variables:
The path to the downloaded ISO file.
The vSphere cluster name.
The OS name:
rhel,ubuntu, orcentos.The OS version:
7.8,7.9, or8.7(Technology Preview) for RHEL;7.9for CentOS (Technology Preview),20.04for Ubuntu.
For example, for RHEL:
export KAAS_VSPHERE_ENABLED=true export VSPHERE_CLUSTER_NAME=<vsphereClusterName> export VSPHERE_PACKER_IMAGE_OS_NAME=rhel export VSPHERE_PACKER_IMAGE_OS_VERSION=7.9
Optional variables¶ Variable
Description
VSPHERE_VM_TIMEZONETime zone for virtual machines. Defaults to
America/New_York.VSPHERE_PACKER_ACTION_ON_ERRORPacker action to apply if the template build fails. Defaults to
cleanup. Set toabortto keep the VM in case of the build failure.KAAS_BOOTSTRAP_LOG_LVLLog level output for the packer build command. Set to
4to display the full Docker command.Optional. If you require all Internet access to go through a proxy server, in
bootstrap.env, add the following environment variables:HTTP_PROXYHTTPS_PROXYNO_PROXYPROXY_CA_CERTIFICATE_PATH
Example snippet:
export HTTP_PROXY=http://proxy.example.com:3128 export HTTPS_PROXY=http://user:pass@proxy.example.com:3128 export NO_PROXY=172.18.10.0,registry.internal.lan export PROXY_CA_CERTIFICATE_PATH="/home/ubuntu/.mitmproxy/mitmproxy-ca-cert.cer"
The following formats of variables are accepted:
Proxy configuration data¶ Variable
Format
HTTP_PROXYHTTPS_PROXYhttp://proxy.example.com:port- for anonymous access.http://user:password@proxy.example.com:port- for restricted access.
NO_PROXYComma-separated list of IP addresses or domain names. Mandatory to add
host[:port]of the vCenter server.PROXY_CA_CERTIFICATE_PATHOptional. Absolute path to the proxy CA certificate for man-in-the-middle (MITM) proxies. Must be placed on the bootstrap node to be trusted. For details, see Install a CA certificate for a MITM proxy on a bootstrap node.
Warning
If you require Internet access to go through a MITM proxy, ensure that the proxy has streaming enabled as described in Enable streaming for MITM.
Note
For MOSK-based deployments, the parameter is generally available since MOSK 22.4.
For implementation details, see Proxy and cache support.
Caution
In MITM proxy deployments, use the internal Red Hat Satellite server to register RHEL machines so that a VM can access this server directly without a MITM proxy.
For the list of Mirantis resources and IP addresses to be accessible from the Container Cloud clusters, see Requirements for a VMware vSphere-based cluster.
Prepare the VM template:
./bootstrap.sh vsphere_templateAfter the template is prepared, set the
<vSphereVMTemplatePath>parameter intemplates/vsphere/machines.yaml.templateas described in Bootstrap a management cluster.
Prepare the VM template manually¶
Run a VM on the vSphere Data Center with the DVD ISO of the selected operating system (OS) mounted to the VM.
Specify the amount of resources that will be used in the Container Cloud setup. A minimal configuration of resources must match the Requirements for a VMware vSphere-based cluster.
Caution
Make sure that a VM has one hard disk with 120 GiB or more in size. Several hard disks per VM are not supported.
Bootstrap the OS using vSphere Web Console with the following configuration:
Select a minimal setup in the installation configuration of the VM.
For Ubuntu, select the
opensshserver installation.Create a user with
rootorsudopermissions to access the VM.
Log in to the VM using SSH with the previously created user.
For RHEL, attach your RHEL license for the Virtual Datacenter to the VM using your user name with password or activation key with organization ID:
Optional. Configure proxy:
subscription-manager config \ --server.proxy_scheme=$SCHEME \ --server.proxy_hostname=$HOST \ --server.proxy_port=$PORT \ --server.proxy_user=$USER \ --server.proxy_password=$PASS \ --server.no_proxy=$NO_PROXY
Optional. Configure the Satellite server:
yum install -y <katello-RPM-URL>
Attach the subscription to the VM:
# Username/Password: subscription-manager register --username <username> --password <password> # Activation key/Organization ID: subscription-manager register --activationkey=<key> --org=<organizationIDorName> # automatic subscription selection: subscription-manager attach --auto # or specify pool id: subscription-manager attach --pool=<poolID> # verify subscription status subscription-manager status
Select from the following options:
Automatically configure cloud-init:
Download and run the automation script:
curl https://gerrit.mcp.mirantis.com/plugins/gitiles/kubernetes/vmware-guestinfo/+/refs/tags/v1.1.6/install.sh?format=TEXT | base64 -d > install.sh chmod +x install.sh ./install.sh
Manually configure cloud-init:
Install the
open-vm-toolspackage version 11.0.5 or later with dependencies and verify its version:# RHEL/CentOS: yum install open-vm-tools net-tools perl -y # Ubuntu: apt-get update apt-get install open-vm-tools net-tools perl -y # Verify version: vmtoolsd --version vmware-toolbox-cmd --version
Install and configure cloud-init:
Install the
cloud-initpackage and verify its version:19.4 or later for RHEL 7.8 and 7.9, or CentOS 7.9 TechPreview
20.3 or later for RHEL 8.7 TechPreview
22.1 or later for Ubuntu 20.04
# RHEL/CentOS: yum install cloud-init -y # Ubuntu: apt-get install cloud-init -y # Verify version: cloud-init --version
For RHEL or CentOS, add the VMware data source for cloud-init:
Download the
VMwareGuestInfodata source files:curl https://gerrit.mcp.mirantis.com/plugins/gitiles/kubernetes/vmware-guestinfo/+/refs/tags/v1.1.6/DataSourceVMwareGuestInfo.py?format=TEXT | base64 -d > DataSourceVMwareGuestInfo.py curl https://gerrit.mcp.mirantis.com/plugins/gitiles/kubernetes/vmware-guestinfo/+/refs/tags/v1.1.6/99-DataSourceVMwareGuestInfo.cfg?format=TEXT | base64 -d > 99-DataSourceVMwareGuestInfo.cfg
Add
99-DataSourceVMwareGuestInfo.cfgto/etc/cloud/cloud.cfg.d/.Depending on the Python version on the VM operating system, add
DataSourceVMwareGuestInfo.pyto thecloud-initsources folder. Obtain thecloud-initfolder on the OS:python -c 'import os; from cloudinit import sources; print(os.path.dirname(sources.__file__));'
For Ubuntu, create
/etc/cloud/cloud.cfg.d/99_mcc.cfgwith the following content:datasource_list: [ VMware ] package_update: false package_upgrade: false apt: preserve_sources_list: true
For CentOS, verify that
.yummirrors are set to use only the*.centos.orgURLs. Otherwise, access to other mirrors may be blocked bysquid-proxyon managed clusters. Refer to Configure squid-proxy on how to allow access to custom mirrors.Configure the interface name for
eth0:In
/etc/default/grub, add the following parameters toGRUB_CMDLINE_LINUX:GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
Update the GRUB configuration:
# RHEL/CentOS: grub2-mkconfig -o /boot/grub2/grub.cfg # Ubuntu: update-grub2
Clean up the
aptoryumcache and the cloud init metadata:# RHEL/Centos: yum clean all rm -rf /var/lib/cloud/instances # Ubuntu: apt-get clean rm -f /etc/cloud/cloud.cfg.d/99-installer.cfg rm -f /etc/cloud/cloud.cfg.d/curtin-preserve-sources.cfg rm -f /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg rm -rf /var/lib/cloud/instances
For RHEL, remove the RHEL subscription and proxy configuration from the node.
subscription-manager remove --all subscription-manager unregister subscription-manager clean subscription-manager config \ --remove=server.proxy_scheme \ --remove=server.proxy_hostname \ --remove=server.proxy_port \ --remove=server.proxy_user \ --remove=server.proxy_password \ --remove=server.no_proxy
Shut down the VM.
Clone the VM to the template.
Now, proceed to Bootstrap a management cluster.
Configure squid-proxy¶
By default squid-proxy allows an access only to the official RedHat
subscription.rhsm.redhat.com and .cdn.redhat.com URLs or to the
CentOS *.centos.org mirrors.
If you use RedHat Satellite server or if you want to access some specific
yum repositories of RedHat or CentOS, allow those domains
(or IPs addresses) in the squid-proxy configuration
on the management or regional cluster.
Note
You can apply the procedure below before or after the management or regional cluster deployment.
To configure squid-proxy for an access to specific domains:
Modify the allowed domains for
squid-proxyin the regional Helm releases configuration for thevsphereprovider using the example below.For new deployments, modify
templates/vsphere/cluster.yaml.templateFor existing deployments, modify the management or regional cluster configuration:
kubectl edit cluster <mgmtOrRegionalClusterName> -n <projectName>
Example configuration:
spec: ... providerSpec: value: ... kaas: ... regional: - helmReleases: ... - name: squid-proxy values: config: domains: rhel: - .subscription.rhsm.redhat.com - .cdn.redhat.com - .centos.org - .satellite.server.org - .custom.centos.mirror.org - 172.16.10.10 provider: vsphere
On a deployed cluster, verify that the configuration is applied properly by verifying
configmapforsquid-proxy:kubectl describe configmap squid-proxy -n kaas
The
squid.confdata should include the provided domains. For example:acl rhel dstdomain .subscription.rhsm.redhat.com .cdn.redhat.com .centos.org .satellite.server.org .custom.centos.mirror.org 172.16.10.10
RHEL 8 mirrors configuration¶
TechPreview
By default, the RHEL subscription grants access to the AppStream
and BaseOS repositories that are not bound to a specific operating system
version and that are stream repositories, so they are frequently updated.
To deploy RHEL 8.7 and make sure that packages are installed
from the version 8.7 AppStream and BaseOS repositories, the
RHEL VM template has the releasever variable for .yum set to 8.7.
You can verify this variable in /etc/yum/vars/releasever on a VM.
If you are using the RedHat Satellite server, verify that your activation key
is configured with the release version set to 8.7 and includes only
the following repositories:
Red Hat Enterprise Linux 8 for x86_64 - BaseOS RPMs 8.7
Red Hat Enterprise Linux 8 for x86_64 - AppStream RPMs 8.7
Deploy an additional regional cluster (optional)¶
After you bootstrap a management cluster of the required cloud provider type, you can optionally deploy an additional regional cluster of the same or different provider type. For details about regions, see Container Cloud regions.
Perform this procedure if you wish to operate managed clusters across clouds from a single Mirantis Container Cloud management plane.
Caution
A regional cluster requires access to the management cluster.
Multi-regional deployment enables you to create managed clusters of several provider types using one management cluster. For example, you can bootstrap a vSphere-based management cluster and deploy an OpenStack-based regional cluster on this management cluster. Such cluster enables creation of OpenStack-based and vSphere-based managed clusters with Kubernetes deployments.
Note
If the bootstrap node for deployment of an additional regional cluster is not the same where you bootstrapped the management cluster, first prepare the bootstrap as described in Configure the bootstrap node.
Configure the bootstrap node¶
This section describes how to prepare a new bootstrap node for an additional regional cluster deployment on top of the management cluster. To use the same node where you bootstrapped the management cluster, skip this instruction and proceed to deploying a regional cluster of the required provider type.
To configure a new bootstrap node for a regional cluster:
Install and configure Docker:
Log in to any personal computer or VM running Ubuntu 20.04 that you will be using as the bootstrap node.
If you use a newly created VM, run:
sudo apt-get update
Install the current Docker version available for Ubuntu 20.04:
sudo apt install docker.io
Grant your
USERaccess to the Docker daemon:sudo usermod -aG docker $USER
Log off and log in again to the bootstrap node to apply the changes.
Verify that Docker is configured correctly and has access to Container Cloud CDN. For example:
docker run --rm alpine sh -c "apk add --no-cache curl; \ curl https://binary.mirantis.com"
The system output must contain no error records. In case of issues, follow the steps provided in Troubleshooting.
Note
If you require all Internet access to go through a proxy server for security and audit purposes, configure Docker proxy settings as described in the official Docker documentation.
Prepare the bootstrap script:
Download and run the Container Cloud bootstrap script:
sudo apt-get update sudo apt-get install wget wget https://binary.mirantis.com/releases/get_container_cloud.sh chmod 0755 get_container_cloud.sh ./get_container_cloud.sh
Change the directory to the
kaas-bootstrapfolder created by the script.
If you deleted the
mirantis.licfile used during the management cluster bootstrap:Create a user account at www.mirantis.com.
Log in to your account and download the
mirantis.liclicense file.Save the license file as
mirantis.licunder thekaas-bootstrapdirectory on the bootstrap node.Verify that
mirantis.liccontains the exact Container Cloud license previously downloaded from www.mirantis.com by decoding the license JWT token, for example, using jwt.io.Example of a valid decoded Container Cloud license data with the mandatory
licensefield:{ "exp": 1652304773, "iat": 1636669973, "sub": "demo", "license": { "dev": false, "limits": { "clusters": 10, "workers_per_cluster": 10 }, "openstack": null } }
Warning
The MKE license does not apply to
mirantis.lic. For details about MKE license, see MKE documentation.
On the new bootstrap node, save the management cluster
kubeconfigthat was created after the management cluster bootstrap.
Now, proceed to deploying an additional regional cluster of the required provider type as described in Deploy an additional regional cluster.
Deploy an OpenStack-based regional cluster¶
You can deploy an additional regional OpenStack-based cluster to create managed clusters of several provider types or with different configurations.
To deploy an OpenStack-based regional cluster:
Log in to the node where you bootstrapped a management cluster.
Verify that the bootstrap directory is updated.
Select from the following options:
For clusters deployed using Container Cloud 2.11.0 or later:
./container-cloud bootstrap download --management-kubeconfig <pathToMgmtKubeconfig> \ --target-dir <pathToBootstrapDirectory>
For clusters deployed using the Container Cloud release earlier than 2.11.0 or if you deleted the
kaas-bootstrapfolder, download and run the Container Cloud bootstrap script:wget https://binary.mirantis.com/releases/get_container_cloud.sh chmod 0755 get_container_cloud.sh ./get_container_cloud.sh
Prepare the OpenStack configuration for a new regional cluster:
Log in to the OpenStack Horizon.
In the Project section, select API Access.
In the right-side drop-down menu Download OpenStack RC File, select OpenStack clouds.yaml File.
Save the downloaded
clouds.yamlfile in thekaas-bootstrapfolder created by theget_container_cloud.shscript.In
clouds.yaml, add thepasswordfield with your OpenStack password under theclouds/openstack/authsection.Example:
clouds: openstack: auth: auth_url: https://auth.openstack.example.com/v3 username: your_username password: your_secret_password project_id: your_project_id user_domain_name: your_user_domain_name region_name: RegionOne interface: public identity_api_version: 3
If you deploy Container Cloud on top of MOSK Victoria with Tungsten Fabric and use the default security group for newly created load balancers, add the following rules for the Kubernetes API server endpoint, Container Cloud application endpoint, and for the MKE web UI and API using the OpenStack CLI:
direction='ingress'ethertype='IPv4'protocol='tcp'remote_ip_prefix='0.0.0.0/0'port_range_maxandport_range_min:'443'for Kubernetes API and Container Cloud application endpoints'6443'for MKE web UI and API
Verify access to the target cloud endpoint from Docker. For example:
docker run --rm alpine sh -c "apk add --no-cache curl; \ curl https://auth.openstack.example.com/v3"
The system output must contain no error records.
In case of issues, follow the steps provided in Troubleshooting.
Configure the cluster and machines metadata:
In
templates/machines.yaml.template, modify thespec:providerSpec:valuesection for 3 control plane nodes marked with thecluster.sigs.k8s.io/control-planelabel by substituting theflavorandimageparameters with the corresponding values of the control plane nodes in the related OpenStack cluster. For example:spec: &cp_spec providerSpec: value: apiVersion: "openstackproviderconfig.k8s.io/v1alpha1" kind: "OpenstackMachineProviderSpec" flavor: kaas.minimal image: bionic-server-cloudimg-amd64-20190612
Note
The
flavorparameter value provided in the example above is cloud-specific and must meet the Container Cloud requirements.Also, modify other parameters as required.
Modify the
templates/cluster.yaml.templateparameters to fit your deployment. For example, add the corresponding values forcidrBlocksin thespec::clusterNetwork::servicessection.
Available since Container Cloud 2.24.0 as Technology Preview. Optional. Enable custom host names for cluster machines. When enabled, any machine host name in a particular region matches the related
Machineobject name. For example, instead of the defaultkaas-node-<UID>, a machine host name will bemaster-0. The custom naming format is more convenient and easier to operate with.To enable the feature on the management or regional and its future managed clusters, add the following environment variable:
export CUSTOM_HOSTNAMES=true
Optional. Available as TechPreview. To boot cluster machines from a block storage volume, define the following parameter in the
spec:providerSpecsection oftemplates/machines.yaml.template:bootFromVolume: enabled: true volumeSize: 120
Note
The minimal storage requirement is 120 GB per node. For details, see Requirements for an OpenStack-based cluster.
To boot the Bastion node from a volume, add the same parameter to
templates/cluster.yaml.templatein thespec:providerSpecsection for Bastion. The default amount of storage80is enough.Optional. Available since Container Cloud 2.24.0 as Technology Preview. Create all load balancers of the cluster with a specific Octavia flavor by defining the following parameter in the
spec:providerSpecsection oftemplates/cluster.yaml.template:serviceAnnotations: loadbalancer.openstack.org/flavor-id: <octaviaFlavorID>
For details, see OpenStack documentation: Octavia Flavors.
Note
This feature is not supported by OpenStack Queens.
Configure NTP server.
Before Container Cloud 2.23.0, optional if servers from the Ubuntu NTP pool (
*.ubuntu.pool.ntp.org) are accessible from the node where the regional cluster is being provisioned. Otherwise, configure the regional NTP server parameters as described below.Since Container Cloud 2.23.0, optionally disable NTP that is enabled by default. This option disables the management of
chronyconfiguration by Container Cloud to use your own system forchronymanagement. Otherwise, configure the regional NTP server parameters as described below.NTP configuration
Configure the regional NTP server parameters to be applied to all machines of regional and managed clusters in the specified region.
In
templates/cluster.yaml.template, add thentp:serverssection with the list of required server names:spec: ... providerSpec: value: kaas: ... ntpEnabled: true regional: - helmReleases: - name: <providerName>-provider values: config: lcm: ... ntp: servers: - 0.pool.ntp.org ... provider: <providerName> ...
To disable NTP:
spec: ... providerSpec: value: ... ntpEnabled: false ...
Optional. If you require all Internet access to go through a proxy server, in
bootstrap.env, add the following environment variables to bootstrap the regional cluster using proxy:HTTP_PROXYHTTPS_PROXYNO_PROXYPROXY_CA_CERTIFICATE_PATH
Example snippet:
export HTTP_PROXY=http://proxy.example.com:3128 export HTTPS_PROXY=http://user:pass@proxy.example.com:3128 export NO_PROXY=172.18.10.0,registry.internal.lan export PROXY_CA_CERTIFICATE_PATH="/home/ubuntu/.mitmproxy/mitmproxy-ca-cert.cer"
The following formats of variables are accepted:
Proxy configuration data¶ Variable
Format
HTTP_PROXYHTTPS_PROXYhttp://proxy.example.com:port- for anonymous access.http://user:password@proxy.example.com:port- for restricted access.
NO_PROXYComma-separated list of IP addresses or domain names.
PROXY_CA_CERTIFICATE_PATHOptional. Absolute path to the proxy CA certificate for man-in-the-middle (MITM) proxies. Must be placed on the bootstrap node to be trusted. For details, see Install a CA certificate for a MITM proxy on a bootstrap node.
Warning
If you require Internet access to go through a MITM proxy, ensure that the proxy has streaming enabled as described in Enable streaming for MITM.
Note
For MOSK-based deployments, the parameter is generally available since MOSK 22.4.
For implementation details, see Proxy and cache support.
For the list of Mirantis resources and IP addresses to be accessible from the Container Cloud clusters, see Requirements for an OpenStack-based cluster.
If you are deploying the regional cluster on top of a baremetal-based management cluster, unset the following parameters:
unset KAAS_BM_ENABLED KAAS_BM_FULL_PREFLIGHT KAAS_BM_PXE_IP \ KAAS_BM_PXE_MASK KAAS_BM_PXE_BRIDGE KAAS_BM_BM_DHCP_RANGE \ TEMPLATES_DIR
Export the following parameters:
export KUBECONFIG=<pathToMgmtClusterKubeconfig> export REGIONAL_CLUSTER_NAME=<newRegionalClusterName> export REGION=<NewRegionName>
Substitute the parameters enclosed in angle brackets with the corresponding values of your cluster.
Caution
The
REGIONandREGIONAL_CLUSTER_NAMEparameters values must contain only lowercase alphanumeric characters, hyphens, or periods.Note
If the bootstrap node for the regional cluster deployment is not the same where you bootstrapped the management cluster, also export
SSH_KEY_NAME. It is required for the management cluster to create apublicKeyKubernetes CRD with the public part of your newly generatedssh_keyfor the regional cluster.export SSH_KEY_NAME=<newRegionalClusterSshKeyName>
Run the regional cluster bootstrap script:
./bootstrap.sh deploy_regionalNote
When the bootstrap is complete, obtain and save in a secure location the
kubeconfig-<regionalClusterName>file located in the same directory as the bootstrap script. This file contains the admin credentials for the regional cluster.If the bootstrap node for the regional cluster deployment is not the same where you bootstrapped the management cluster, a new regional
ssh_keywill be generated. Make sure to save this key in a secure location as well.The workflow of the regional cluster bootstrap script¶ #
Description
1
Prepare the bootstrap cluster for the new regional cluster.
2
Load the updated Container Cloud CRDs for
Credentials,Cluster, andMachineswith information about the new regional cluster to the management cluster.3
Connect to each machine of the management cluster through SSH.
4
Wait for the
MachinesandClusterobjects of the new regional cluster to be ready on the management cluster.5
Load the following objects to the new regional cluster:
Secretwith the management clusterkubeconfigandClusterRolefor the Container Cloud provider.6
Forward the bootstrap cluster endpoint to
helm-controller.7
Wait for all CRDs to be available and verify the objects created using these CRDs.
8
Pivot the cluster API stack to the regional cluster.
9
Switch the LCM Agent from the bootstrap cluster to the regional one.
10
Wait for the Container Cloud components to start on the regional cluster.
Verify that network addresses used on your clusters do not overlap with the following default MKE network addresses for Swarm and MCR:
10.0.0.0/16is used for Swarm networks. IP addresses from this network are virtual.10.99.0.0/16is used for MCR networks. IP addresses from this network are allocated on hosts.
Verification of Swarm and MCR network addresses
To verify Swarm and MCR network addresses, run on any master node:
docker infoExample of system response:
Server: ... Swarm: ... Default Address Pool: 10.0.0.0/16 SubnetSize: 24 ... Default Address Pools: Base: 10.99.0.0/16, Size: 20 ...
Not all of Swarm and MCR addresses are usually in use. One Swarm Ingress network is created by default and occupies the
10.0.0.0/24address block. Also, three MCR networks are created by default and occupy three address blocks:10.99.0.0/20,10.99.16.0/20,10.99.32.0/20.To verify the actual networks state and addresses in use, run:
docker network ls docker network inspect <networkName>
Now, you can proceed with deploying the managed clusters of supported provider types as described in Create and operate managed clusters.
See also
Deploy a baremetal-based regional cluster¶
You can deploy an additional regional baremetal-based cluster to create managed clusters of several provider types or with different configurations within a single Container Cloud deployment.
To deploy a baremetal-based regional cluster:
Log in to the node where you bootstrapped the Container Cloud management cluster.
Verify that the bootstrap directory is updated.
Select from the following options:
For clusters deployed using Container Cloud 2.11.0 or later:
./container-cloud bootstrap download --management-kubeconfig <pathToMgmtKubeconfig> \ --target-dir <pathToBootstrapDirectory>
For clusters deployed using the Container Cloud release earlier than 2.11.0 or if you deleted the
kaas-bootstrapfolder, download and run the Container Cloud bootstrap script:wget https://binary.mirantis.com/releases/get_container_cloud.sh chmod 0755 get_container_cloud.sh ./get_container_cloud.sh
Prepare the bare metal configuration for the new regional cluster:
Create a virtual bridge to connect to your PXE network on the seed node. Use the following
netplan-based configuration file as an example:# cat /etc/netplan/config.yaml network: version: 2 renderer: networkd ethernets: ens3: dhcp4: false dhcp6: false bridges: br0: addresses: # Please, adjust for your environment - 10.0.0.15/24 dhcp4: false dhcp6: false # Please, adjust for your environment gateway4: 10.0.0.1 interfaces: # Interface name may be different in your environment - ens3 nameservers: addresses: # Please, adjust for your environment - 8.8.8.8 parameters: forward-delay: 4 stp: false
Apply the new network configuration using
netplan:sudo netplan apply
Verify the new network configuration:
sudo apt update && sudo apt install -y bridge-utils sudo brctl show
Example of system response:
bridge name bridge id STP enabled interfaces br0 8000.fa163e72f146 no ens3
Verify that the interface connected to the PXE network belongs to the previously configured bridge.
Install the current Docker version available for Ubuntu 20.04:
sudo apt-get update sudo apt-get install docker.io
Verify that your logged
USERhas access to the Docker daemon:sudo usermod -aG docker $USER
Log out and log in again to the seed node to apply the changes.
Verify that Docker is configured correctly and has access to Container Cloud CDN. For example:
docker run --rm alpine sh -c "apk add --no-cache curl; \ curl https://binary.mirantis.com"
The system output must contain a
jsonfile with no error messages. In case of errors, follow the steps provided in Troubleshooting.Note
If you require all Internet access to go through a proxy server for security and audit purposes, configure Docker proxy settings as described in the official Docker documentation.
Prepare the deployment configuration files that contain the cluster and machines metadata:
Create a copy of the current
templatesdirectory for future reference.mkdir templates.backup cp -r templates/* templates.backup/
Update the cluster definition template in
templates/bm/cluster.yaml.templateaccording to the environment configuration. Use the table below. Manually set all parameters that start withSET_. For example,SET_METALLB_ADDR_POOL.Cluster template mandatory parameters¶ Parameter
Description
Example value
SET_LB_HOSTThe IP address of the externally accessible API endpoint of the cluster. This address must NOT be within the
SET_METALLB_ADDR_POOLrange but must be within the PXE/Management network. External load balancers are not supported.10.0.0.90SET_METALLB_ADDR_POOLThe IP range to be used as external load balancers for the Kubernetes services with the
LoadBalancertype. This range must be within the PXE/Management network. The minimum required range is 19 IP addresses.10.0.0.61-10.0.0.80Configure NTP server.
Before Container Cloud 2.23.0, optional if servers from the Ubuntu NTP pool (
*.ubuntu.pool.ntp.org) are accessible from the node where your cluster is being provisioned. Otherwise, configure the regional NTP server parameters as described below.Since Container Cloud 2.23.0, optionally disable NTP that is enabled by default. This option disables the management of
chronyconfiguration by Container Cloud to use your own system forchronymanagement. Otherwise, configure the regional NTP server parameters as described below.NTP configuration
Configure the regional NTP server parameters to be applied to all machines of regional and managed clusters in the specified region.
In
templates/bm/cluster.yaml.template, add thentp:serverssection with the list of required server names:spec: ... providerSpec: value: kaas: ... ntpEnabled: true regional: - helmReleases: - name: <providerName>-provider values: config: lcm: ... ntp: servers: - 0.pool.ntp.org ... provider: <providerName> ...
To disable NTP:
spec: ... providerSpec: value: ... ntpEnabled: false ...
Inspect the default bare metal host profile definition in
templates/bm/baremetalhostprofiles.yaml.template. If your hardware configuration differs from the reference, adjust the default profile to match. For details, see Customize the default bare metal host profile.Warning
All data will be wiped during cluster deployment on devices defined directly or indirectly in the
fileSystemslist ofBareMetalHostProfile. For example:A raw device partition with a file system on it
A device partition in a volume group with a logical volume that has a file system on it
An mdadm RAID device with a file system on it
An LVM RAID device with a file system on it
The
wipefield is always consideredtruefor these devices. Thefalsevalue is ignored.Therefore, to prevent data loss, move the necessary data from these file systems to another server beforehand, if required.
Update the bare metal hosts definition template in
templates/bm/baremetalhosts.yaml.templateaccording to the environment configuration. Use the table below. Manually set all parameters that start withSET_.Bare metal hosts template mandatory parameters¶ Parameter
Description
Example value
SET_MACHINE_0_IPMI_USERNAMEThe IPMI user name to access the BMC. 0
userSET_MACHINE_0_IPMI_PASSWORDThe IPMI password to access the BMC. 0
passwordSET_MACHINE_0_MACThe MAC address of the first master node in the PXE network.
ac:1f:6b:02:84:71SET_MACHINE_0_BMC_ADDRESSThe IP address of the BMC endpoint for the first master node in the cluster. Must be an address from the OOB network that is accessible through the PXE network default gateway.
192.168.100.11SET_MACHINE_1_IPMI_USERNAMEThe IPMI user name to access the BMC. 0
userSET_MACHINE_1_IPMI_PASSWORDThe IPMI password to access the BMC. 0
passwordSET_MACHINE_1_MACThe MAC address of the second master node in the PXE network.
ac:1f:6b:02:84:72SET_MACHINE_1_BMC_ADDRESSThe IP address of the BMC endpoint for the second master node in the cluster. Must be an address from the OOB network that is accessible through the PXE network default gateway.
192.168.100.12SET_MACHINE_2_IPMI_USERNAMEThe IPMI user name to access the BMC. 0
userSET_MACHINE_2_IPMI_PASSWORDThe IPMI password to access the BMC. 0
passwordSET_MACHINE_2_MACThe MAC address of the third master node in the PXE network.
ac:1f:6b:02:84:73SET_MACHINE_2_BMC_ADDRESSThe IP address of the BMC endpoint for the third master node in the cluster. Must be an address from the OOB network that is accessible through the PXE network default gateway.
192.168.100.13- 0(1,2,3,4,5,6)
Since Container Cloud 2.21.0, a user name and password in plain text are required.
Before Container Cloud 2.21.0, the Base64 encoding of a user name and password is required. You can obtain the Base64-encoded user name and password using the following command in your Linux console:
$ echo -n <username|password> | base64
Update the Subnet objects definition template in
templates/bm/ipam-objects.yaml.templateaccording to the environment configuration. Use the table below. Manually set all parameters that start withSET_. For example,SET_IPAM_POOL_RANGE.IP address pools template mandatory parameters¶ Parameter
Description
Example value
SET_IPAM_CIDRThe address of PXE network in CIDR notation. Must be minimum in the
/24network.10.0.0.0/24SET_PXE_NW_GWThe default gateway in the PXE network. Since this is the only network that cluster will use by default, this gateway must provide access to:
The Internet to download the Mirantis artifacts
The OOB network of the Container Cloud cluster
10.0.0.1SET_PXE_NW_DNSAn external (non-Kubernetes) DNS server accessible from the PXE network.
8.8.8.8SET_IPAM_POOL_RANGEThis IP address range includes addresses that will be allocated in the PXE/Management network to bare metal hosts of the cluster.
10.0.0.100-10.0.0.252SET_LB_HOST1The IP address of the externally accessible API endpoint of the cluster. This address must NOT be within the
SET_METALLB_ADDR_POOLrange but must be within the PXE/Management network. External load balancers are not supported.10.0.0.90SET_METALLB_ADDR_POOL1The IP address range to be used as external load balancers for the Kubernetes services with the
LoadBalancertype. This range must be within the PXE/Management network. The minimum required range is 19 IP addresses.10.0.0.61-10.0.0.80Optional. To configure the separated PXE and management networks instead of one PXE/management network, proceed to Separate PXE and management networks.
Optional. To connect the cluster hosts to the PXE/Management network using bond interfaces, proceed to Configure NIC bonding.
If you require all Internet access to go through a proxy server, in
bootstrap.env, add the following environment variables to bootstrap the cluster using proxy:HTTP_PROXYHTTPS_PROXYNO_PROXYPROXY_CA_CERTIFICATE_PATH
Example snippet:
export HTTP_PROXY=http://proxy.example.com:3128 export HTTPS_PROXY=http://user:pass@proxy.example.com:3128 export NO_PROXY=172.18.10.0,registry.internal.lan export PROXY_CA_CERTIFICATE_PATH="/home/ubuntu/.mitmproxy/mitmproxy-ca-cert.cer"
The following formats of variables are accepted:
Proxy configuration data¶ Variable
Format
HTTP_PROXYHTTPS_PROXYhttp://proxy.example.com:port- for anonymous access.http://user:password@proxy.example.com:port- for restricted access.
NO_PROXYComma-separated list of IP addresses or domain names.
PROXY_CA_CERTIFICATE_PATHOptional. Absolute path to the proxy CA certificate for man-in-the-middle (MITM) proxies. Must be placed on the bootstrap node to be trusted. For details, see Install a CA certificate for a MITM proxy on a bootstrap node.
Warning
If you require Internet access to go through a MITM proxy, ensure that the proxy has streaming enabled as described in Enable streaming for MITM.
Note
For MOSK-based deployments, the parameter is generally available since MOSK 22.4.
For implementation details, see Proxy and cache support.
For the list of Mirantis resources and IP addresses to be accessible from the Container Cloud clusters, see Requirements for a baremetal-based cluster.
Available as TechPreview since Container Cloud 2.24.0 and 2.24.2 for MOSK 23.2. Optional. Enable the Linux Audit daemon auditd to monitor activity of cluster processes and prevent potential malicious activity.
Configuration for auditd
In
templates/bm/cluster.yaml.template, add the auditd parameters:spec: providerSpec: value: audit: auditd: enabled: <bool> enabledAtBoot: <bool> backlogLimit: <int> maxLogFile: <int> maxLogFileAction: <string> maxLogFileKeep: <int> mayHaltSystem: <bool> presetRules: <string> customRules: <string> customRulesX32: <text> customRulesX64: <text>
Configuration parameters for auditd:
enabledBoolean, default -
false. Enables theauditdrole to install the auditd packages and configure rules. CIS rules: 4.1.1.1, 4.1.1.2.enabledAtBootBoolean, default -
false. Configures grub to audit processes that can be audited even if they start up prior to auditd startup. CIS rule: 4.1.1.3.backlogLimitInteger, default - none. Configures the backlog to hold records. If during boot
audit=1is configured, the backlog holds 64 records. If more than 64 records are created during boot, auditd records will be lost with a potential malicious activity being undetected. CIS rule: 4.1.1.4.maxLogFileInteger, default - none. Configures the maximum size of the audit log file. Once the log reaches the maximum size, it is rotated and a new log file is created. CIS rule: 4.1.2.1.
maxLogFileActionString, default - none. Defines handling of the audit log file reaching the maximum file size. Allowed values:
keep_logs- rotate logs but never delete themrotate- add a cron job to compress rotated log files and keep maximum 5 compressed files.compress- compress log files and keep them under the/var/log/auditd/directory. Requiresauditd_max_log_file_keepto be enabled.
CIS rule: 4.1.2.2.
maxLogFileKeepInteger, default -
5. Defines the number of compressed log files to keep under the/var/log/auditd/directory. Requiresauditd_max_log_file_action=compress. CIS rules - none.mayHaltSystemBoolean, default -
false. Halts the system when the audit logs are full. Applies the following configuration:space_left_action = emailaction_mail_acct = rootadmin_space_left_action = halt
CIS rule: 4.1.2.3.
customRulesString, default - none. Base64-encoded content of the
60-custom.rulesfile for any architecture. CIS rules - none.customRulesX32String, default - none. Base64-encoded content of the
60-custom.rulesfile for thei386architecture. CIS rules - none.customRulesX64String, default - none. Base64-encoded content of the
60-custom.rulesfile for thex86_64architecture. CIS rules - none.presetRulesString, default - none. Comma-separated list of the following built-in preset rules:
accessactionsdeletedocker
identityimmutableloginsmac-policy
modulesmountsperm-modprivileged
scopesessionsystem-localetime-change
You can use two keywords for these rules:
none- disables all built-in rules.all- enables all built-in rules. With this key, you can add the!prefix to a rule name to exclude some rules. You can use the!prefix for rules only if you add theallkeyword as the first rule. Place a rule with the!prefix only after theallkeyword.
Example configurations:
presetRules: none- disable all preset rulespresetRules: docker- enable only thedockerrulespresetRules: access,actions,logins- enable only theaccess,actions, andloginsrulespresetRules: all- enable all preset rulespresetRules: all,!immutable,!sessions- enable all preset rules exceptimmutableandsessions
CIS controls
4.1.3 (time-change)4.1.4 (identity)4.1.5 (system-locale)4.1.6 (mac-policy)4.1.7 (logins)4.1.8 (session)4.1.9 (perm-mod)4.1.10 (access)4.1.11 (privileged)4.1.12 (mounts)4.1.13 (delete)4.1.14 (scope)4.1.15 (actions)4.1.16 (modules)4.1.17 (immutable)Docker CIS controls
1.1.41.1.81.1.101.1.121.1.131.1.151.1.161.1.171.1.181.2.31.2.41.2.51.2.61.2.71.2.101.2.11
Available as Technology Preview since 2.24.0 and 2.24.2 for MOSK 23.2. Optional. Enable WireGuard for traffic encryption on the Kubernetes workloads network.
WireGuard configuration
Ensure that the Calico MTU size is at least 60 bytes smaller than the interface MTU size of the workload network. IPv4 WireGuard uses a 60-byte header. For details, see Set the MTU size for Calico.
In
templates/bm/cluster.yaml.template, enable WireGuard by adding thesecureOverlayparameter:spec: ... providerSpec: value: ... secureOverlay: true
Caution
Changing this parameter on a running cluster causes a downtime that can vary depending on the cluster size.
For more details about WireGuard, see Calico documentation: Encrypt in-cluster pod traffic.
Available since Container Cloud 2.24.0 as Technology Preview. Optional. Enable custom host names for cluster machines. When enabled, any machine host name in a particular region matches the related
Machineobject name. For example, instead of the defaultkaas-node-<UID>, a machine host name will bemaster-0. The custom naming format is more convenient and easier to operate with.To enable the feature on the management or regional and its future managed clusters, add the following environment variable:
export CUSTOM_HOSTNAMES=true
Verify that the
kaas-bootstrapdirectory contains the following files:# tree ~/kaas-bootstrap ~/kaas-bootstrap/ .... ├── bootstrap.sh ├── kaas ├── mirantis.lic ├── releases ... ├── templates .... │ ├── bm │ │ ├── baremetalhostprofiles.yaml.template │ │ ├── baremetalhosts.yaml.template │ │ ├── cluster.yaml.template │ │ ├── ipam-objects.yaml.template │ │ └── machines.yaml.template .... ├── templates.backup ....
Export all required parameters using the table below.
export KAAS_BM_ENABLED="true" # export KAAS_BM_PXE_IP="10.0.0.20" export KAAS_BM_PXE_MASK="24" export KAAS_BM_PXE_BRIDGE="br0" # export KAAS_BM_BM_DHCP_RANGE="10.0.0.30,10.0.0.49,255.255.255.0" export BOOTSTRAP_METALLB_ADDRESS_POOL="10.0.0.61-10.0.0.80" # unset KAAS_BM_FULL_PREFLIGHT
Bare metal prerequisites data¶ Parameter
Description
Example value
KAAS_BM_PXE_IPThe provisioning IP address. This address will be assigned to the interface of the seed node defined by the
KAAS_BM_PXE_BRIDGEparameter (see below). The PXE service of the bootstrap cluster will use this address to network boot the bare metal hosts for the cluster.10.0.0.20KAAS_BM_PXE_MASKThe CIDR prefix for the PXE network. It will be used with
KAAS_BM_PXE_IPaddress when assigning it to network interface.24KAAS_BM_PXE_BRIDGEThe PXE network bridge name. The name must match the name of the bridge created on the seed node during the Prepare the seed node stage.
br0KAAS_BM_BM_DHCP_RANGEThe
start_ipandend_ipaddresses must be within the PXE network. This range will be used by dnsmasq to provide IP addresses for nodes during provisioning.10.0.0.30,10.0.0.49,255.255.255.0BOOTSTRAP_METALLB_ADDRESS_POOLThe pool of IP addresses that will be used by services in the bootstrap cluster. Can be the same as the
SET_METALLB_ADDR_POOLrange for the cluster, or a different range.10.0.0.61-10.0.0.80Run the verification
preflightscript to validate the deployment templates configuration:./bootstrap.sh preflightThe command outputs a human-readable report with the verification details. The report includes the list of verified bare metal nodes and their
Chassis Powerstatus. This status is based on the deployment templates configuration used during the verification.Caution
If the report contains information about missing dependencies or incorrect configuration, fix the issues before proceeding to the next step.
Available since Container Cloud 2.24.0 as Technology Preview. Optional. Enable custom host names for cluster machines. When enabled, any machine host name in a particular region matches the related
Machineobject name. For example, instead of the defaultkaas-node-<UID>, a machine host name will bemaster-0. The custom naming format is more convenient and easier to operate with.To enable the feature on the management or regional and its future managed clusters, add the following environment variable:
export CUSTOM_HOSTNAMES=true
Verify that the vSphere provider selection parameter is unset:
unset KAAS_VSPHERE_ENABLED
Export the following parameters:
export KAAS_BM_ENABLED=true export KUBECONFIG=<pathToMgmtClusterKubeconfig> export REGIONAL_CLUSTER_NAME=<newRegionalClusterName> export REGION=<NewRegionName>
Substitute the parameters enclosed in angle brackets with the corresponding values of your cluster.
Caution
The
REGIONandREGIONAL_CLUSTER_NAMEparameters values must contain only lowercase alphanumeric characters, hyphens, or periods.Note
If the bootstrap node for the regional cluster deployment is not the same where you bootstrapped the management cluster, also export
SSH_KEY_NAME. It is required for the management cluster to create apublicKeyKubernetes CRD with the public part of your newly generatedssh_keyfor the regional cluster.export SSH_KEY_NAME=<newRegionalClusterSshKeyName>
Run the regional cluster bootstrap script:
./bootstrap.sh deploy_regionalNote
When the bootstrap is complete, obtain and save in a secure location the
kubeconfig-<regionalClusterName>file located in the same directory as the bootstrap script. This file contains the admin credentials for the regional cluster.If the bootstrap node for the regional cluster deployment is not the same where you bootstrapped the management cluster, a new regional
ssh_keywill be generated. Make sure to save this key in a secure location as well.The workflow of the regional cluster bootstrap script¶ #
Description
1
Prepare the bootstrap cluster for the new regional cluster.
2
Load the updated Container Cloud CRDs for
Credentials,Cluster, andMachineswith information about the new regional cluster to the management cluster.3
Connect to each machine of the management cluster through SSH.
4
Wait for the
MachinesandClusterobjects of the new regional cluster to be ready on the management cluster.5
Load the following objects to the new regional cluster:
Secretwith the management clusterkubeconfigandClusterRolefor the Container Cloud provider.6
Forward the bootstrap cluster endpoint to
helm-controller.7
Wait for all CRDs to be available and verify the objects created using these CRDs.
8
Pivot the cluster API stack to the regional cluster.
9
Switch the LCM Agent from the bootstrap cluster to the regional one.
10
Wait for the Container Cloud components to start on the regional cluster.
Verify that network addresses used on your clusters do not overlap with the following default MKE network addresses for Swarm and MCR:
10.0.0.0/16is used for Swarm networks. IP addresses from this network are virtual.10.99.0.0/16is used for MCR networks. IP addresses from this network are allocated on hosts.
Verification of Swarm and MCR network addresses
To verify Swarm and MCR network addresses, run on any master node:
docker infoExample of system response:
Server: ... Swarm: ... Default Address Pool: 10.0.0.0/16 SubnetSize: 24 ... Default Address Pools: Base: 10.99.0.0/16, Size: 20 ...
Not all of Swarm and MCR addresses are usually in use. One Swarm Ingress network is created by default and occupies the
10.0.0.0/24address block. Also, three MCR networks are created by default and occupy three address blocks:10.99.0.0/20,10.99.16.0/20,10.99.32.0/20.To verify the actual networks state and addresses in use, run:
docker network ls docker network inspect <networkName>
Now, you can proceed with deploying the managed clusters of supported provider types as described in Create and operate managed clusters.
See also
Deploy a VMware vSphere-based regional cluster¶
You can deploy an additional regional VMware vSphere-based cluster to create managed clusters of several provider types or with different configurations.
To deploy a vSphere-based regional cluster:
Log in to the node where you bootstrapped a management cluster.
Verify that the bootstrap directory is updated.
Select from the following options:
For clusters deployed using Container Cloud 2.11.0 or later:
./container-cloud bootstrap download --management-kubeconfig <pathToMgmtKubeconfig> \ --target-dir <pathToBootstrapDirectory>
For clusters deployed using the Container Cloud release earlier than 2.11.0 or if you deleted the
kaas-bootstrapfolder, download and run the Container Cloud bootstrap script:wget https://binary.mirantis.com/releases/get_container_cloud.sh chmod 0755 get_container_cloud.sh ./get_container_cloud.sh
Verify access to the target vSphere cluster from Docker. For example:
docker run --rm alpine sh -c "apk add --no-cache curl; \ curl https://vsphere.server.com"
The system output must contain no error records. In case of issues, follow the steps provided in Troubleshooting.
Prepare deployment templates:
Modify
templates/vsphere/vsphere-config.yaml.template:Note
Contact your vSphere administrator to provide you with the values for the below parameters.
vSphere configuration data¶ Parameter
Description
SET_VSPHERE_SERVERIP address or FQDN of the vCenter Server.
SET_VSPHERE_SERVER_PORTPort of the vCenter Server. For example,
port: "8443". Leave empty to use"443"by default.SET_VSPHERE_DATACENTERvSphere data center name.
SET_VSPHERE_SERVER_INSECUREFlag that controls validation of the vSphere Server certificate. Must be
trueorfalse.SET_VSPHERE_CAPI_PROVIDER_USERNAMEvSphere Cluster API provider user name that you added when preparing the deployment user setup and permissions.
SET_VSPHERE_CAPI_PROVIDER_PASSWORDvSphere Cluster API provider user password.
SET_VSPHERE_CLOUD_PROVIDER_USERNAMEvSphere Cloud Provider deployment user name that you added when preparing the deployment user setup and permissions.
SET_VSPHERE_CLOUD_PROVIDER_PASSWORDvSphere Cloud Provider deployment user password.
Modify
templates/vsphere/cluster.yaml.template:vSphere cluster network parameters
Modify the following required network parameters:
Required parameters¶ Parameter
Description
SET_LB_HOSTIP address from the provided vSphere network for Kubernetes API load balancer (Keepalived VIP).
SET_VSPHERE_DATASTOREName of the vSphere datastore. You can use different datastores for vSphere Cluster API and vSphere Cloud Provider.
SET_VSPHERE_MACHINES_FOLDERPath to a folder where the cluster machines metadata will be stored.
SET_VSPHERE_NETWORK_PATHPath to a network for cluster machines.
SET_VSPHERE_RESOURCE_POOL_PATHPath to a resource pool in which VMs will be created.
Note
To obtain the
LB_HOSTparameter for the selected vSphere network, contact your vSphere administrator who provides you with the IP ranges dedicated to your environment.Modify other parameters if required. For example, add the corresponding values for
cidrBlocksin thespec::clusterNetwork::servicessection.For either DHCP or non-DHCP vSphere network:
Determine the vSphere network parameters as described in VMware vSphere network objects and IPAM recommendations.
Provide the following additional parameters for a proper network setup on machines using embedded IP address management (IPAM) in
templates/vsphere/cluster.yaml.template:Note
To obtain IPAM parameters for the selected vSphere network, contact your vSphere administrator who provides you with IP ranges dedicated to your environment only.
vSphere configuration data¶ Parameter
Description
ipamEnabledEnables IPAM. Recommended value is
truefor either DHCP or non-DHCP networks.SET_VSPHERE_NETWORK_CIDRCIDR of the provided vSphere network. For example,
10.20.0.0/16.SET_VSPHERE_NETWORK_GATEWAYGateway of the provided vSphere network.
SET_VSPHERE_CIDR_INCLUDE_RANGESIP range for the cluster machines. Specify the range of the provided CIDR. For example,
10.20.0.100-10.20.0.200. If the DHCP network is used, this range must not intersect with the DHCP range of the network.SET_VSPHERE_CIDR_EXCLUDE_RANGESOptional. IP ranges to be excluded from being assigned to the cluster machines. The MetalLB range and
SET_LB_HOSTshould not intersect with the addresses for IPAM. For example,10.20.0.150-10.20.0.170.SET_VSPHERE_NETWORK_NAMESERVERSList of nameservers for the provided vSphere network.
Configure MetalLB parameters:
Open the required configuration file for editing:
Open
templates/vsphere/metallbconfig.yaml.template. For a detailedMetalLBConfigobject description, see API Reference: MetalLBConfig resource.Open
templates/vsphere/cluster.yaml.template.Add
SET_VSPHERE_METALLB_RANGEthat is the MetalLB range of IP addresses to assign to load balancers for Kubernetes Services.Note
To obtain the
VSPHERE_METALLB_RANGEparameter for the selected vSphere network, contact your vSphere administrator who provides you with the IP ranges dedicated to your environment.
For RHEL deployments, fill out
templates/vsphere/rhellicenses.yaml.template.RHEL license configuration
Use one of the following set of parameters for RHEL machines subscription:
The user name and password of your RedHat Customer Portal account associated with your RHEL license for Virtual Datacenters.
Optionally, provide the subscription allocation pools to use for the RHEL subscription activation. If not needed, remove the
poolIDsfield forsubscription-managerto automatically select the licenses for machines.For example:
spec: username: <username> password: value: <password> poolIDs: - <pool1> - <pool2>
The activation key and organization ID associated with your RedHat account with RHEL license for Virtual Datacenters. The activation key can be created by the organization administrator on the RedHat Customer Portal.
If you use the RedHat Satellite server for management of your RHEL infrastructure, you can provide a pre-generated activation key from that server. In this case:
Provide the URL to the RedHat Satellite RPM for installation of the CA certificate that belongs to that server.
Configure
squid-proxyon the management or regional cluster to allow access to your Satellite server. For details, see Configure squid-proxy.
For example:
spec: activationKey: value: <activation key> orgID: "<organization ID>" rpmUrl: <rpm url>
Caution
For RHEL 8.7 TechPreview, verify mirrors configuration for your activation key. For more details, see RHEL 8 mirrors configuration.
Warning
Provide only one set of parameters. Mixing the parameters from different activation methods will cause deployment failure.
For CentOS deployments, in
templates/vsphere/rhellicenses.yaml.template, remove all lines underitems:.
Configure NTP server.
Before Container Cloud 2.23.0, optional if servers from the Ubuntu NTP pool (
*.ubuntu.pool.ntp.org) are accessible from the node where the regional cluster is being provisioned. Otherwise, configure the regional NTP server parameters as described below.Since Container Cloud 2.23.0, optionally disable NTP that is enabled by default. This option disables the management of
chronyconfiguration by Container Cloud to use your own system forchronymanagement. Otherwise, configure the regional NTP server parameters as described below.NTP configuration
Configure the regional NTP server parameters to be applied to all machines of regional and managed clusters in the specified region.
In
templates/vsphere/cluster.yaml.template, add thentp:serverssection with the list of required server names:spec: ... providerSpec: value: kaas: ... ntpEnabled: true regional: - helmReleases: - name: <providerName>-provider values: config: lcm: ... ntp: servers: - 0.pool.ntp.org ... provider: <providerName> ...
To disable NTP:
spec: ... providerSpec: value: ... ntpEnabled: false ...
Prepare the VM template as described in Prepare the virtual machine template.
In
templates/vsphere/machines.yaml.template, define the following parameters:rhelLicenseRHEL license name defined in
rhellicenses.yaml.template, defaults tokaas-mgmt-rhel-license. Remove or comment out this parameter for CentOS and Ubuntu deployments.
diskGiBDisk size in GiB for machines that must match the disk size of the VM template. You can leave this parameter commented to use the disk size of the VM template. The minimum requirement is 120 GiB.
templatePath to the VM template prepared in the previous step.
Sample template:
spec: providerSpec: value: apiVersion: vsphere.cluster.k8s.io/v1alpha1 kind: VsphereMachineProviderSpec rhelLicense: <rhelLicenseName> numCPUs: 8 memoryMiB: 32768 # diskGiB: 120 template: <vSphereVMTemplatePath>
Also, modify other parameters if required.
Available since Container Cloud 2.24.0 as Technology Preview. Optional. Enable custom host names for cluster machines. When enabled, any machine host name in a particular region matches the related
Machineobject name. For example, instead of the defaultkaas-node-<UID>, a machine host name will bemaster-0. The custom naming format is more convenient and easier to operate with.To enable the feature on the management or regional and its future managed clusters, add the following environment variable:
export CUSTOM_HOSTNAMES=true
Optional. If you require all Internet access to go through a proxy server, in
bootstrap.env, add the following environment variables to bootstrap the regional cluster using proxy:HTTP_PROXYHTTPS_PROXYNO_PROXYPROXY_CA_CERTIFICATE_PATH
Example snippet:
export HTTP_PROXY=http://proxy.example.com:3128 export HTTPS_PROXY=http://user:pass@proxy.example.com:3128 export NO_PROXY=172.18.10.0,registry.internal.lan export PROXY_CA_CERTIFICATE_PATH="/home/ubuntu/.mitmproxy/mitmproxy-ca-cert.cer"
The following formats of variables are accepted:
Proxy configuration data¶ Variable
Format
HTTP_PROXYHTTPS_PROXYhttp://proxy.example.com:port- for anonymous access.http://user:password@proxy.example.com:port- for restricted access.
NO_PROXYComma-separated list of IP addresses or domain names. Mandatory to add
host[:port]of the vCenter server.PROXY_CA_CERTIFICATE_PATHOptional. Absolute path to the proxy CA certificate for man-in-the-middle (MITM) proxies. Must be placed on the bootstrap node to be trusted. For details, see Install a CA certificate for a MITM proxy on a bootstrap node.
Warning
If you require Internet access to go through a MITM proxy, ensure that the proxy has streaming enabled as described in Enable streaming for MITM.
Note
For MOSK-based deployments, the parameter is generally available since MOSK 22.4.
For implementation details, see Proxy and cache support.
For the list of Mirantis resources and IP addresses to be accessible from the Container Cloud clusters, see Requirements for a VMware vSphere-based cluster.
Export the following parameters:
export KAAS_VSPHERE_ENABLED=true export KUBECONFIG=<pathToMgmtClusterKubeconfig> export REGIONAL_CLUSTER_NAME=<newRegionalClusterName> export REGION=<NewRegionName>
Substitute the parameters enclosed in angle brackets with the corresponding values of your cluster.
Caution
The
REGIONandREGIONAL_CLUSTER_NAMEparameters values must contain only lowercase alphanumeric characters, hyphens, or periods.Note
If the bootstrap node for the regional cluster deployment is not the same where you bootstrapped the management cluster, also export
SSH_KEY_NAME. It is required for the management cluster to create apublicKeyKubernetes CRD with the public part of your newly generatedssh_keyfor the regional cluster.export SSH_KEY_NAME=<newRegionalClusterSshKeyName>
Run the regional cluster bootstrap script:
./bootstrap.sh deploy_regionalNote
When the bootstrap is complete, obtain and save in a secure location the
kubeconfig-<regionalClusterName>file located in the same directory as the bootstrap script. This file contains the admin credentials for the regional cluster.If the bootstrap node for the regional cluster deployment is not the same where you bootstrapped the management cluster, a new regional
ssh_keywill be generated. Make sure to save this key in a secure location as well.The workflow of the regional cluster bootstrap script¶ #
Description
1
Prepare the bootstrap cluster for the new regional cluster.
2
Load the updated Container Cloud CRDs for
Credentials,Cluster, andMachineswith information about the new regional cluster to the management cluster.3
Connect to each machine of the management cluster through SSH.
4
Wait for the
MachinesandClusterobjects of the new regional cluster to be ready on the management cluster.5
Load the following objects to the new regional cluster:
Secretwith the management clusterkubeconfigandClusterRolefor the Container Cloud provider.6
Forward the bootstrap cluster endpoint to
helm-controller.7
Wait for all CRDs to be available and verify the objects created using these CRDs.
8
Pivot the cluster API stack to the regional cluster.
9
Switch the LCM Agent from the bootstrap cluster to the regional one.
10
Wait for the Container Cloud components to start on the regional cluster.
Verify that network addresses used on your clusters do not overlap with the following default MKE network addresses for Swarm and MCR:
10.0.0.0/16is used for Swarm networks. IP addresses from this network are virtual.10.99.0.0/16is used for MCR networks. IP addresses from this network are allocated on hosts.
Verification of Swarm and MCR network addresses
To verify Swarm and MCR network addresses, run on any master node:
docker infoExample of system response:
Server: ... Swarm: ... Default Address Pool: 10.0.0.0/16 SubnetSize: 24 ... Default Address Pools: Base: 10.99.0.0/16, Size: 20 ...
Not all of Swarm and MCR addresses are usually in use. One Swarm Ingress network is created by default and occupies the
10.0.0.0/24address block. Also, three MCR networks are created by default and occupy three address blocks:10.99.0.0/20,10.99.16.0/20,10.99.32.0/20.To verify the actual networks state and addresses in use, run:
docker network ls docker network inspect <networkName>
Now, you can proceed with deploying the managed clusters of supported provider types as described in Create and operate managed clusters.
See also
Requirements for a MITM proxy¶
Note
For MOSK, the feature is generally available since MOSK 23.1.
While bootstrapping a Container Cloud management or regional cluster using proxy, you may require Internet access to go through a man-in-the-middle (MITM) proxy. Such configuration requires that you enable streaming and install a CA certificate on a bootstrap node.
Enable streaming for MITM¶
Ensure that the MITM proxy is configured with enabled streaming. For example, if you use mitmproxy, enable the stream_large_bodies=1 option:
./mitmdump --set stream_large_bodies=1
Install a CA certificate for a MITM proxy on a bootstrap node¶
Log in to the bootstrap node.
Install
ca-certificates:apt install ca-certificates
Copy your CA certificate to the
/usr/local/share/ca-certificates/directory. For example:sudo cp ~/.mitmproxy/mitmproxy-ca-cert.cer /usr/local/share/ca-certificates/mitmproxy-ca-cert.crt
Replace
~/.mitmproxy/mitmproxy-ca-cert.cerwith the path to your CA certificate.Caution
The target CA certificate file must be in the
PEMformat with the.crtextension.Apply the changes:
sudo update-ca-certificates
Now, proceed with bootstrapping your management or regional cluster.
Create initial users after a management cluster bootstrap¶
Once you bootstrap your management or regional cluster,
create Keycloak users for access to the Container Cloud web UI.
Use the created credentials to log in to the Container Cloud web UI.
Mirantis recommends creating at least two users, user and operator,
that are required for a typical Container Cloud deployment.
To create the user for access to the Container Cloud web UI, use the following command:
./container-cloud bootstrap user add --username <userName> --roles <roleName>
--kubeconfig <pathToMgmtKubeconfig>
Note
You will be asked for the user password interactively.
Set the following command flags as required:
Flag |
Description |
|---|---|
|
Required. Name of the user to create. |
|
Required. Comma-separated roles to assign to the user.
|
|
Required. Path to the management cluster |
|
Optional. Name of the Container Cloud project where the user will be created. If not set, a global user will be created for all Container Cloud projects with the corresponding role access to view or manage all Container Cloud public objects. |
|
Optional. Flag to provide the user password from a file or echo '$PASSWORD' | ./container-cloud bootstrap user add \
--username <userName> \
--roles <roleName> \
--kubeconfig <pathToMgmtKubeconfig> \
--password-stdin
|
To delete the user, run the following command:
./container-cloud bootstrap user delete --username <userName> --kubeconfig <pathToMgmtKubeconfig>
Troubleshooting¶
This section provides solutions to the issues that may occur while deploying a management cluster.
Collect the bootstrap logs¶
If the bootstrap script fails during the deployment process, collect and inspect the bootstrap and management cluster logs.
Collect the bootstrap cluster logs¶
Log in to your local machine where the bootstrap script was executed.
If you bootstrapped the cluster a while ago, verify that the bootstrap directory is updated.
Select from the following options:
For clusters deployed using Container Cloud 2.11.0 or later:
./container-cloud bootstrap download --management-kubeconfig <pathToMgmtKubeconfig> \ --target-dir <pathToBootstrapDirectory>
For clusters deployed using the Container Cloud release earlier than 2.11.0 or if you deleted the
kaas-bootstrapfolder, download and run the Container Cloud bootstrap script:wget https://binary.mirantis.com/releases/get_container_cloud.sh chmod 0755 get_container_cloud.sh ./get_container_cloud.sh
Run the following command:
./bootstrap.sh collect_logsAdd
COLLECT_EXTENDED_LOGS=truebefore the command to output the extended version of logs that contains system and MKE logs, logs from LCM Ansible and LCM Agent along with cluster events and Kubernetes resources description and logs.Without the
--extendedflag, the basic version of logs is collected, which is sufficient for most use cases. The basic version of logs contains all events, Kubernetes custom resources, and logs from all Container Cloud components. This version does not require passing--key-file.The logs are collected in the directory where the bootstrap script is located.
Technology Preview. For bare metal clusters, assess the Ironic pod logs:
Extract the content of the
'message'fields from every log message:kubectl -n kaas logs <ironicPodName> -c syslog | jq -rM '.message'
Extract the content of the
'message'fields from theironic_conductorsource log messages:kubectl -n kaas logs <ironicPodName> -c syslog | jq -rM 'select(.source == "ironic_conductor") | .message'
The syslog container collects logs generated by Ansible during the node deployment and cleanup and outputs them in the JSON format.
Logs structure¶
The Container Cloud logs structure in <output_dir>/<cluster_name>/
is as follows:
/events.log- human-readable table that contains information about the cluster events./system- system logs./system/mke(or