How to Deploy Contrail Command and Import a Cluster Using Juju
You can use this document to deploy Contrail Command and import an existing cluster into Contrail Command using Juju with a single procedure. This procedure can be applied in environments using Canonical Openstack or environments that are running Juju and using Kubernetes for orchestration.
If you are already running Contrail Command in a Canonical Openstack environment and want to import a cluster, see Importing a Canonical Openstack Deployment Into Contrail Command.
Overview: Deploying Contrail Command with a Contrail Cluster Using Juju
Starting in Contrail Release 2005, you can deploy Contrail Command and import a cluster using Juju in a Canonical Openstack environment.
Starting in Contrail Release 2008, you can deploy Contrail Command and import a cluster using Juju in an environment using Kubernetes orchestration.
This document makes the following assumptions about your initial environment:
Juju is already running in your environment, and your environment is either a Canonical Openstack deployment or a deployment using Kubernetes orchestration.
Contrail Networking Release 2005 or later is running if you are operating a Canonical Openstack deployment.
Contrail Networking Release 2008 or later is running if you are operating an environment using Kubernetes orchestration.
See Contrail Networking Supported Platforms
A Juju controller is configured and reachable.
Contrail Command is not running.
Preparing the SSL Certificate Authority (CA) for the Deployment
A base64-encoded SSL Certificate Authority (CA) for the Juju controller is required to deploy Contrail Command with an existing cluster in a Canonical Openstack or Kubernetes environment.
There are multiple ways to generate a base64-encoded SSL CA. You can use this procedure or a more familiar procedure to generate your base64-encoded SSL CA.
To create a base64-encoded SSL CA:
- From the Juju jumphost, enter the juju show-controller command and locate the certificate output in the ca-cert: hierarchy.
$ juju show-controller jc5-cloud: details: ...<output removed for readability>... ca-cert: | -----BEGIN CERTIFICATE----- MIIErTCCAxWgAwIBAgIVAKRPIub8Q7imJ2+T2U8AK4thOss7MA0GCSqGSIb3DQEB CwUAMG4xDTALBgNVBAoTBGp1anUxLjAsBgNVBAMMJWp1anUtZ2VuZXJhdGVkIENB IGZvciBtb2RlbCAianVqdS1jYSIxLTArBgNVBAUTJDI0ZDJjODg0LTllYWYtNDU2 Ni04NTA0LWJkZGYxZWJiYTgzYjAeFw0yMDA0MTUwMzE2MzdaFw0zMDA0MjIwMzE2 MzVaMG4xDTALBgNVBAoTBGp1anUxLjAsBgNVBAMMJWp1anUtZ2VuZXJhdGVkIENB IGZvciBtb2RlbCAianVqdS1jYSIxLTArBgNVBAUTJDI0ZDJjODg0LTllYWYtNDU2 Ni04NTA0LWJkZGYxZWJiYTgzYjCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoC ggGBAL/7d3JtNcHW6ue6yOeKvOlSDhxgGs4vYLDO0QzlIMyW39+BytB4XY+05EBg A5JKfYV+u8xXL0meLvh+4yE87cwRObsT1WYFCDFVTiGSeSN3w+2UJxHWwuAubDl7 zfAKnGgIzq/KZJJimxa6Yuqw5isCxffu3fQz+H5UlSpLCpFxvAq38VjrW7FnjEm1 c4fFlBf07LUOqBxSIS0gxarO1DQE2IQv4mfIAFvJgT/5UKJYuGEX3NH9DerYqjJa NchyGMkXgyBj3YVec8bFE4+erDMISBvJHBMwyx74PTDQys+KlfNXptup5FH/FwBb 9ZRBAD99c0f0VW6moNxoAkKhrGVZt1w7CxwvgRZnWUezthwoHI8yFqBvkT+lq6Nd jvLEv1DQ+3zmMfhz/emRD1DOQQfn3mQhSk40NdO3kw/B8bHOIXmgIgNbv48g0Ac7 /hQO02moDxrLkCZNN0fVgOKvonDjbSo5YNCH/7fleacmQN3Mug3wXp9kYh7rKDHw 6pkQQwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAd BgNVHQ4EFgQUcGE6bMiGsQQyiDYKBl+txAfeFAkwDQYJKoZIhvcNAQELBQADggGB AG7pivQhJVNSCbG+9jVy3owhg/POnp2sewD1t8BMOkPTPgAa/37vrp4KSPdNXKZz hnFzBXkL8jBUP0qg2Vfy9iqlgXNdVAdb4Ijk44OhlwWNGUiZwl2nNbvnUL7NnTeh jqZaIb6Oe2y1ByNrQweVMO85qdrYJCelf9Wh9fYdtofx4TyOMg+ZqPqmvTRO8yTx KOupywxmezbjhEaaILXo9kouU4UV2gAIdYiHfvsbTaLkWbYeNgvvE5WAan8HuQqb YVnvxggIN45UgEgqGUHEgcj9tHgssfbnX3f2sCbOJkXL2cv7D+wK7hvUCS5tKS6H 6O7OoXxfimFBdSZQuuqhqyiMYafnRo48Q2oCyQn1Q+g/qG+GYxmujIigoiYS1srV mIUaJQUGHtgXvyZGJFIvQiAzImQCylq1iyz77Da3myDRX0i0dauu5MACn5i9cgu9 W7/MD2xR3kKMAY3b4y+pP7CKbEJ6UDswLyAQUkwPyeLi1r82vGh6CasinnGaUhk+ zg== -----END CERTIFICATE----- ...<additional output removed for readability>...
- Copy the contents of the SSL CA into the cert.pem file.
Copy and paste options vary by user interface. The SSL CA content—all highlighted text from step 1 starting at the beginning of the -----BEGIN CERTIFICATE----- line and ending at the end of the -----END CERTIFICATE----- line—should be the only content in the cert.pem file.
Confirm that no leading whitespace was added to the SSL CA when it was copied into the cert.pem file. Some user interfaces introduce leading whitespace, often at the start of new lines, and it makes the SSL CA certificate unusable. If leading whitespace was added, manually delete it before proceeding to the next step.
- Encode the cert.pem file as base64.
You can print the base64-encoded output without saving it to a file by entering the following command:
cat cert.pem | base64
You can also save the base64-encoded output to a separate file.
In this example, the base64-encoded output is generated and a new file containing the output—cert.pem.b64—is saved.
cat cert.pem | base64 > "cert.pem.b64"
The SSL CA in the cert.pem.b64 file is now a base64-encoded SSL CA.
The base64-encoded SSL CA will be entered as the juju-CA-certificate variable in Deploy Contrail Command and Import a Contrail Cluster Using Juju.
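A pre-flight check for steps 2 and 3, as an added example that is not part of the original procedure: it rejects a cert.pem that picked up the leading whitespace described above (or CRLF line endings, or more than one certificate) and confirms that the base64 output decodes back to the identical file. The function names and the sample file are constructed for illustration, and `base64 -d` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the Juniper procedure): check cert.pem before encoding it.
# Function names are hypothetical. base64 -d assumes GNU coreutils.

# check_pem_layout FILE: succeed only if FILE is exactly one cleanly pasted PEM certificate.
check_pem_layout() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    # Whitespace at either end of a line (indentation, trailing blanks, CR from CRLF)
    # is what terminal copy-and-paste typically introduces.
    if grep -nE '^[[:space:]]|[[:space:]]$' "$f" >&2; then
        echo "$f: stray whitespace on the lines listed above" >&2
        return 1
    fi
    # One BEGIN line first, one END line last, only base64 characters in between.
    awk '
        $0 == "-----BEGIN CERTIFICATE-----" { begins++; if (NR != 1) bad = 1; next }
        $0 == "-----END CERTIFICATE-----"   { ends++; last = NR; next }
        $0 !~ "^[A-Za-z0-9+/]+=*$"          { bad = 1 }
        END { exit !(begins == 1 && ends == 1 && last == NR && !bad) }
    ' "$f" || { echo "$f: not a single well-formed certificate block" >&2; return 1; }
}

# encode_ca FILE OUT: write base64 of FILE to OUT, then prove it decodes back unchanged.
encode_ca() {
    check_pem_layout "$1" || return 1
    base64 < "$1" > "$2" || return 1
    base64 -d < "$2" | cmp -s - "$1" || { echo "$2: round-trip mismatch" >&2; return 1; }
}

# show_ca FILE: print subject, expiry and SHA-256 fingerprint for a visual comparison
# with the controller's CA (needs openssl and a real certificate; not run in the demo).
show_ca() {
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

# Demo on constructed input: PEM armour around placeholder text, not a real certificate.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=' \
    '-----END CERTIFICATE-----' > "$demo_dir/cert.pem"
sed 's/^/    /' "$demo_dir/cert.pem" > "$demo_dir/indented.pem"   # simulated bad paste

encode_ca "$demo_dir/cert.pem" "$demo_dir/cert.pem.b64" && echo "cert.pem: encoded"
check_pem_layout "$demo_dir/indented.pem" 2>/dev/null || echo "indented.pem: rejected"
```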
Deploy Contrail Command and Import a Contrail Cluster Using Juju
To deploy Contrail Command and import a Contrail cluster into Contrail Command:
- From the Juju jumphost, deploy Contrail Command using one of the following command strings:
juju deploy cs:~juniper-os-software/contrail-command --constraints tags=<machine-tag> --config docker-registry=<registry-directory> --config image-tag=<image-tag>
juju deploy cs:~juniper-os-software/contrail-command --to <machine-name> --config docker-registry=<registry-directory> --config image-tag=<image-tag>
where:
machine-name—the name of the machine instance in Juju that will host Contrail Command.
The IP address of this machine—which can be obtained by entering the juju status command—is used to access Contrail Command from a web browser after the installation is complete.
registry-directory—the directory path to the Contrail Networking registry.
This registry-directory path can be obtained from Juniper Networks. Contact contrail-registry@juniper.net for information on accessing the Juniper registry.
image-tag—the image tag for your target Contrail release.
The image tag is used to identify your Contrail Networking image within the registry. You can retrieve the image tag for any Contrail Release 21xx image from README Access to Contrail Registry 21XX
- Create a juju relation between the Contrail Command charm and the Contrail Controller charm:
juju add-relation contrail-command contrail-controller
- Import the Contrail cluster into Contrail Command:
- Create a config.yaml file with the following parameters:
$ cat config.yaml
juju-controller: juju-controller-ip
juju-controller-password: password
juju-ca-cert: |
  juju-CA-certificate
juju-model-id: juju-model-id
juju-controller-user: juju-controller-user
The command variables:
juju-controller-ip—The IP address of the Juju controller.
You can retrieve the juju-controller-ip from the juju show-controller command output:
username@contrail-ci:~$ juju show-controller
jc5-cloud:
  details:
    ...<output removed for readability>...
    api-endpoints: [10.102.72.40:17070]
    ...<output removed for readability>...
password—The password for Juju controller access.
You can set the password for Juju controller access using the juju change-user-password command.
juju-CA-certificate—The base64-encoded SSL Certificate Authority (CA) for the Juju controller.
The juju-CA-certificate is the base64-encoded SSL CA created in Preparing the SSL Certificate Authority (CA) for the Deployment.
See Example: Config.YML File for Deploying Contrail Command with a Cluster Using Juju for a sample juju-CA-certificate entry.
juju-model-id—The universally unique identifier (UUID) assigned to the model environment that includes the Contrail Networking cluster.
You can retrieve the juju-model-id from the juju show-controller command output:
$ juju show-controller
jc5-cloud:
  ...<output removed for readability>...
  models:
    default:
      model-uuid: 4a62e0b0-bcfe-4b35-8db7-48e55f439217
      ...<output removed for readability>...
juju-controller-user—(Optional) The username of the user with Juju controller access.
The admin username is used by default if no user with Juju controller access is configured.
See Example: Config.YML File for Deploying Contrail Command with a Cluster Using Juju for a sample config.yaml configuration for this deployment.
- Save the config.yaml file.
- Import the Contrail cluster with the parameters defined in the config.yaml file:
juju run-action contrail-command/0 import-cluster --params config.yaml
Action queued with id: 1
- Check the cluster import status.
You can check the import status by entering the juju show-action-status action-ID and juju show-action-output action-ID | grep result commands.
The action-ID is assigned immediately after entering the juju run-action command in the previous step.
The cluster import is complete when the status field output in the juju show-action-status action-ID command shows completed, or when the result field in the juju show-action-output action-ID | grep result indicates Success.
Examples:
juju show-action-status 1
actions:
- action: import-cluster
  completed at: "2020-04-03 12:49:55"
  id: "60"
  status: completed
  unit: contrail-command/19

juju show-action-output 1 | grep result
results:
  result: Success
- Log in to Contrail Command by opening a web browser and entering https://<juju-machine-ip-address>:<port-number> as the URL.
The <juju-machine-ip-address> is the IP address of the machine hosting Contrail Command that was specified in step 1. You can retrieve the IP address using the juju status command:
Note: Some juju status output removed for readability.
juju status
Unit                 Workload  Agent  Machine  Public address
contrail-command/0*  active    idle   3        10.0.12.40
The port-number typically defaults to 9091 or 8079. You can, however, configure a unique port number for your environment using the command_servers.yml file.
Enter the following values after the Contrail Command homescreen appears:
Select Cluster: Select a Contrail Cluster from the dropdown menu. The cluster is presented in the <cluster-name>-<string> format.
Username: Enter the username of the Juju keystone user.
Password: Enter the password of the Juju keystone user.
Domain: If you are running Juju in a Canonical Openstack environment, enter admin_domain—the default domain name for Canonical Openstack—if you haven’t established a unique domain in Canonical Openstack. Enter the name of your domain if you have created a unique domain.
If you are running Juju in a Kubernetes environment, you can leave this field blank unless you’ve established a unique domain name in Kubernetes. Enter the name of your domain if you have created a unique domain.
Figure 1 illustrates an example Contrail Command login to complete this procedure.
Figure 1: Contrail Command Login Example—Cluster in Environment using Canonical Openstack
See How to Login to Contrail Command for additional information on logging into Contrail Command.
Example: Config.YML File for Deploying Contrail Command with a Cluster Using Juju
This sample config.yml file provides a representative example of a configuration that could be used to deploy Contrail Command with Contrail clusters in an environment running Juju.
See Deploy Contrail Command and Import a Contrail Cluster Using Juju for step-by-step procedures to create this config.yml file and Preparing the SSL Certificate Authority (CA) for the Deployment for instructions on generating the juju-ca-cert in the required base64-encoded format.
This sample config.yml file does not contain the juju-controller-user: field to specify a user with Juju controller access, so the default admin username is used.
The password password is used in this example for illustrative purposes only.
We strongly recommend creating a unique password that meets your organization’s security requirements for your environment.
$ cat config.yaml juju-controller: 10.102.72.40 juju-ca-cert: | LS0tLS9CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVyVENDQXhXZ0F3SUJBZ0lWQUtSUEl1YjhR N2ltSjIrVDJVOEFLNHRoT3NzN01BMEdDU3FHU0liM0RRRUIKQ3dVQU1HNHhEVEFMQmdOVkJBb1RC R3AxYW5VeExqQXNCZ05WQkFNTUpXcDFhblV0WjJWdVpYSmhkR1ZrSUVOQgpJR1p2Y2lCdGIyUmxi Q0FpYW5WcWRTMWpZU0l7TFRBckJnTlZCQVVUSkRJMFpESmpPRGcwTFRsbFlXWXRORFUyCk5pMDRO VEEwTFdKa1pHWXhaV0ppWVRnellqQWVGdzB5TURBME1UVXdNekUyTXpkYUZ3MHpNREEwTWpJd016 RTIKTXpWYU1HNHhEVEFMQmdOVkJBb1RCR3AxYW5VeExqQXNCZ05WQkFNTUpXcDFhblV0WjJWdVpY SmhkR1ZrSUVOQgrJR1p2Y2lCdGIyUmxiQ0FpYW5WcWRTMWpZU0l4TFRBckJnTlZCQVVUSkRJMFpE SmpPRGcwTFRsaFlXWXRORFUyCk5pMDROVEEwTFdKa1pHWXhaV0ppWVRnellqQ0NBYUl3RFFZSktv WklodmNOQVFFQkJRQURnZ0dQQURDQ0FZb0MKZ2dHQkFMLzdkM0p0TmNIVzZ1ZTZ5T2VLdk9sU0Ro eGdHczR2WUxETzBRemxJTXlXMzkrQnl0QjRYWSswNUVCZwpBNUpLZllWK3U4eFhMMG1lTHZoKzR5 RTg3Y3dST2JwVDFXWUZDREZWVGlHU2VTTjN3KzJVSnhIV3d1QXViRGw3CnpmQUtuR2dJenEvS1pK SmlteGE2WXVxdzVpc0N4ZmZ1M2ZReitINVVsU3BMQ3BGeHZBcTM4VmpyVzdGbmpFbTEKYzRmRmxC ZjA3TFVPcUJ4U0lTMGd4YXJPMURRRTJJUXY0bWZJQUZ2SmdULzVVS0pZdUdFWDNOSDlEZXJZcWpK YQpOY2h5R01rWGd5QmozWVZlYzhiRkU0K2VyRE1JU0J2SkhCTXd5eDc0UFREUXlzK0tsZk5YcHR1 cDVGSC9Gd0JiCjlaUkJBRDk5YzBmMFZXNm1vTnhvQWtLaHJHVlp0MXc3Q3h3dmdSWm5XVWV6dGh3 b0hJOHlGcUJ2a1QrbHE2TmQKanZMRXYxRFErM3ptTWZoei9lbVJEMURPUVFmbjNtUWhTazQwTmRA M2t3L0I4YkhPSVhtZ0lnTmJ2NDhnMEFjNwovaFFPMDJtb0R4ckxrQ1pOTjBmVmdPS3ZvbkRqYlNv NVlOQ0gvN2ZsZWFjbVFOM011ZzN3WHA5a1loN3JLREh3CjZwa1FRd0lEQVFBQm8wSXdRREFPQmdO VkhROEJBZjhFQkFNQ0FxUXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QWQKQmdOVkhRNEVGZ1FVY0dF NmJNaUdzUVF5aURZS0JpK3R4QWZlRkFrd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dHQgpBRzdwaXZR aEpWTlNDYkcrOWpWeTNad2hnL1BPbnAyc2V3RDF0OEJNT2tQVFBnQWEvMzd2cnA0S1NQZE5YS1p6 CmhuRnpCWGtMOGpCVVAwcWcyVmZ5OWlxbGdYTmRWQWRiNElqazQ0T2hsd1dOR1VpWndsMm5OYnZu VUw3Tm5UZWgKanFaYUliNk9lMnkxQnlOclF3ZVZNTzg1cWRyWUpDZWxmOVdoOWZZZHRvZng0VHlP TWcrWnFQcW12VFJPOHlUeApLT3VweXd4bWV6YmpoRWFhSUxYbzlrb3VVNFVWMmdBSWRZaUhmdnNi VGFMa1diWWVOZ3Z2RTVXQWFuOEh1UXFiCllWbnZ4Z2dJTjQ1VWdFZ3FHVUhFZ2NqOXRIZ3NzZmJu 
WDNmMnNDYk9Ka1hMMmN2N0Qrd0s3aHZVQ1M1dEtTNkgKNk83T29YeGZpbUZCZFNaUXV1cWhxeWlN WWFmblJvNDhRMm9DeRFuMVErZy9xRytHWXhtdWpJaWdvaVlTMXNyVgptSVVhSlFVR0h0Z1h2eVpH SkZJdlFpQXpJbVFDeWxxMWl5ejc3RGEzbXlEUlgwaTBkYXV1NU1BQ241aTljZ3U5Clc3L01EMnhS M2tLTUFZM2I0eStwUDdDS2JFSjZVRHN3THlBUVVrd1B5ZUxpMXI4MnZHaDZDYXNpbm5HYVVoaysK eac9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== juju-model-id: 4a62e0b0-bcfe-4b35-8db7-48e55f439217 juju-controller-password: password
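The config.yaml shown above stores the Juju controller password in clear text. As an added example (not part of the original procedure), the hypothetical helper below writes the same keys with the file created mode 0600, reads the password from stdin instead of the command line, and indents the base64 CA under the juju-ca-cert block scalar. The CA text and password in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Juniper's tooling): build config.yaml for the import-cluster action.
# write_import_config is a hypothetical helper name.

# write_import_config OUT CONTROLLER_IP MODEL_UUID CA_B64_FILE [CONTROLLER_USER]
# The password is read from stdin so it never appears in argv or shell history.
write_import_config() {
    out=$1; ip=$2; model=$3; ca_b64=$4; user=${5:-}
    # model-uuid as printed by juju show-controller: 8-4-4-4-12 hex digits.
    printf '%s\n' "$model" | grep -Eq \
        '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' \
        || { echo "juju-model-id is not a UUID: $model" >&2; return 1; }
    [ -s "$ca_b64" ] || { echo "missing base64 CA file: $ca_b64" >&2; return 1; }
    IFS= read -r password || :
    [ -n "$password" ] || { echo "no password on stdin" >&2; return 1; }
    (
        umask 077          # new file gets mode 0600: readable by its owner only
        rm -f "$out"       # an existing file would otherwise keep its old mode
        {
            printf 'juju-controller: %s\n' "$ip"
            printf 'juju-ca-cert: |\n'
            sed 's/^/  /' "$ca_b64"     # block scalar lines must be indented
            printf 'juju-model-id: %s\n' "$model"
            # Single-quoted YAML scalar; a literal ' is written as ''.
            printf "juju-controller-password: '%s'\n" \
                "$(printf '%s' "$password" | sed "s/'/''/g")"
            if [ -n "$user" ]; then printf 'juju-controller-user: %s\n' "$user"; fi
        } > "$out"
    )
}

# Demo on constructed values: the IP and UUID are the ones shown on this page,
# the CA text and the password are placeholders.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' 'Q09OU1RSVUNURUQgQ0Eg' 'UExBQ0VIT0xERVI=' > "$demo/cert.pem.b64"
printf '%s\n' "constructed-pass'word" |
    write_import_config "$demo/config.yaml" 10.102.72.40 \
        4a62e0b0-bcfe-4b35-8db7-48e55f439217 "$demo/cert.pem.b64"
ls -l "$demo/config.yaml"
```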
Prerequisites for Contrail Insights and Contrail Insights Flow
Contrail Networking Release 2011 supports installing Contrail Insights and Contrail Insights Flows on a Juju cluster after Contrail Networking and Contrail Command are installed. The following prerequisites apply.
docker, python2.7, and python-pip must be installed on the Contrail Insights node and Contrail Insights Flows node.
To install the Docker engine, you need the 64-bit version of one of these Ubuntu versions:
Ubuntu Groovy 20.10
Ubuntu Focal 20.04 (LTS)
Ubuntu Bionic 18.04 (LTS)
Ubuntu Xenial 16.04 (LTS)
Docker Engine is supported on x86_64 (or amd64), armhf, and arm64 architectures. For more information, see https://docs.docker.com/engine/install/ubuntu/.
To install python 2.7 and python-pip, run the following commands:
sudo apt install python2.7
sudo apt install python-pip
If you are running the playbooks as the root user, this step can be skipped. As a non-root user (for example, “ubuntu”), the user “ubuntu” needs access to the docker user group. The following command adds the user to the docker group:
sudo usermod -aG docker ubuntu
For more information, see Contrail Insights Installation for OpenStack in HA.
Contrail Insights Installation for Ubuntu Focal
Contrail Insights Release 3.3.5 supports Ubuntu 20.04 (Focal).
Software Requirements
docker-ce: 5:19.03.9~3-0~ubuntu-focal
Note: Python 2 is not installed by default with Ubuntu 20.04 (Focal).
Follow these steps before you install Contrail Insights.
- Install python and python-pip on the Contrail Insights Controller nodes, and on the host(s) that the Contrail Insights Agent runs on.
sudo apt-get install -y python python3-pip
sudo apt install python-is-python3
- In group_vars/all, set appformix_ansible_python3_interpreter_enabled to true.
appformix_ansible_python3_interpreter_enabled: true
- Run the iptables rule to access port 9000.
iptables -t filter -A IN_public_allow -p tcp --dport 9000 -j ACCEPT
Note: Ignore any errors that may arise if IN_public_allow does not exist.
After you have completed these steps, you can install Contrail Insights.
Install Contrail Insights on the Juju Cluster after Contrail Command is Installed
Appformix and Appformix Flows were renamed Contrail Insights and Contrail Insights Flows. The Appformix naming conventions still appear during product usage, including within these directory names.
To install Contrail Insights on the Juju Cluster:
- Copy the Contrail Insights and Contrail Insights Flows installation directories to the /opt/software/appformix/ and /opt/software/xflow directories inside the Contrail Command container, if not already present.
docker run -v /opt/software/appformix:/opt/software/appformix svl-artifactory.juniper.net/contrail-nightly/appformix/appformix/contrail-insights-ansible:<Contrail Insights Version>
docker run -v /opt/software/flow:/opt/software/flow svl-artifactory.juniper.net/contrail-nightly/appformix/flows/contrail-insights-flows-ansible:<Contrail Insights Flow Version>
For example, <Contrail Insights Version>=3.3.0-a8.
- Create the following two inventory files:
docker exec -it contrail_command bash
vi /opt/software/appformix/inventory/group_vars/all
vi /opt/software/appformix/inventory/hosts
- Run the following commands to install Contrail Insights in HA mode:
cd /usr/share/contrail/appformix-ansible-deployer/appformix/
. venv/bin/activate
cd /opt/software/appformix/
ansible-playbook -i inventory --skip-tags=install_docker contrail-insights-ansible/appformix_openstack_ha.yml -v
Install Contrail Insights Flows on the Juju Cluster after Contrail Insights is Installed
Disclaimer: The official installation method is the Contrail-Command UI. contrail-ansible-deployer installs all packages needed for Contrail Insights and Contrail Insights Flows. appformix-ansible-deployer creates inventory files for the installation. Many variables in the inventory files are set for specific releases, so setting them manually is prone to errors.
To install Contrail Insights Flows on the Juju Cluster:
- Log in to the contrail-command container:
docker exec -it contrail_command bash
- Run the following two commands:
cd /usr/share/contrail/appformix-ansible-deployer/xflow
source venv/bin/activate
- Run one of the following commands dependent on your Contrail Networking Release version.
If you are running a Contrail Networking Release later than 2005:
bash deploy_contrail_insights_flows.sh <path-to-instances-yml>/instances.yml --cluster-id <cluster_id>
If you are running a Contrail Networking Release earlier than 2005:
bash deploy_xflow.sh <path-to-instances-yml>/instances.yml
If you are running a Contrail Networking Release earlier than 2005, add the following snippet to the end of the existing instances.yml before running deploy_contrail_insights_flows.sh or deploy_xflow.sh.
Example instances.yml snippet for in-band configuration:
global_configuration:
  CONTAINER_REGISTRY: hub.juniper.net/contrail
  CONTAINER_REGISTRY_USERNAME: < container_registry_username >
  CONTAINER_REGISTRY_PASSWORD: < container_registry_password >
provider_config:
  bms:
    ssh_pwd: <Root Pwd>
    ssh_user: root
    ntpserver: <NTP Server>
    domainsuffix: local
instances:
  < under existing hierarchy >
  a7s33:
    ip: 10.84.30.201
    provider: bms
    roles:
      appformix_flows:
        telemetry_in_band_interface_name: enp4s0f0
xflow_configuration:
  clickhouse_retention_period_secs: 7200
  loadbalancer_collector_vip: 30.1.1.3
  telemetry_in_band_cidr: 30.1.1.0/24
  loadbalancer_management_vip: 10.84.30.195
  telemetry_in_band_vlan_id: 11
Example instances.yml snippet for out-of-band configuration:
global_configuration:
  CONTAINER_REGISTRY: hub.juniper.net/contrail
  CONTAINER_REGISTRY_USERNAME: < container_registry_username >
  CONTAINER_REGISTRY_PASSWORD: < container_registry_password >
provider_config:
  bms:
    ssh_pwd: <Root Pwd>
    ssh_user: root
    ntpserver: <NTP Server>
    domainsuffix: local
instances:
  < under existing hierarchy >
  a7s33:
    ip: 10.84.30.201
    provider: bms
    roles:
      appformix_flows:
xflow_configuration:
  clickhouse_retention_period_secs: 7200
  loadbalancer_collector_vip: 10.84.30.195
- Add the collector nodes:
bash deploy_insights_flows.sh <instance_file> --skip-provision --cluster-id <cluster_id>