Installing Contrail Service Orchestration
Deploying CSO
Before you begin the deployment, make sure that every VM has Internet connectivity. Internet connectivity is required to validate the ESM license.
After the VMs are provisioned, deploy CSO.
- Copy the installer package file from the central CSO server to the startupserver1 VM.
scp cso<version>.tar.gz root@<startupserver1 IP>:/root/
- Log in to the startupserver1 VM as the root user. Run the get_vm_details.sh script to find the IP address of the startupserver1 VM, then access the VM over SSH.
- Extract the installer package.
root@host:~/# tar -xvzf cso<version>.tar.gz
The extracted package is a directory with the same name as the installer package; it contains the installation files.
- For a KVM hypervisor: run the deploy.sh script.
1. Deploy CSO
2. Replace VM
0. Exit
#Your choice: [1 --> CSO Infra Deployment; 2 --> Replace existing VM, currently supports only k8-master, k8-infra and k8-microservices node for replacement in KVM]
- For an ESXi hypervisor: run the deploy.sh script. Use the interactive script to create the configuration file for the topology specific to your environment. Select option 1 (Deploy CSO) to deploy the CSO infrastructure; option 2 (Replace VM) does not apply to the ESXi hypervisor. Sample output of a CSO deployment on an ESXi hypervisor:
root@host:~/Contrail_Service_Orchestration_6.3.0# ./deploy.sh
Enter the number for operation to be performed:
1. Deploy CSO
2. Replace VM
0. Exit
Your choice: 1
*********************************************
Generic Questions
*********************************************
Do you need a Standalone/HA deployment (1/2) [2]:
Would you like to install streaming feature? (y/n) [y]:y
*********************************************
Server Details
*********************************************
Please select hypervisor (kvm/esxi) [kvm]:esxi
Enter the number of cluster groups []:3
Do all your VMs have same password for root(y/n) []:y
Enter the password common for all the VMs:
Confirm Password:
Provide the list/comma separated VM IPs for cluster group 1(except VRR) []:192.168.x.2-192.168.x.7,192.168.x.9
Provide the list/comma separated VM IPs for cluster group 2(except VRR) []:192.168.x.10-192.168.x.15,192.168.x.17
Provide the list/comma separated VM IPs for cluster group 3(except VRR) []:192.168.x.22-192.168.x.29,192.168.x.30
Provide VIP (for admin portal and SBLB usage) for VMs []:10.x.x.183
Please provide the CSO reachable subnet for device communication []:10.x.0.0/20
Provide password for VRR VMs:
Confirm Password:
Number of VRR instances : 2
Redundancy group for VRR0 : 0
Provide routable IP for VRR1 []:10.x.x.234
Provide private IP for VRR1 []:192.168.x.8
Redundancy group for VRR1 : 1
Provide routable IP for VRR2 []:10.x.x.235
Provide private IP for VRR2 []:192.168.x.16
*********************************************
Authentication and Other Questions
*********************************************
Provide list/comma separated 10 IPs to be used for load balancers []:192.168.x.42-192.168.x.53
Provide Email Address for cspadmin user []:nutans@juniper.net
The Autonomous System Number for BGP [64512]:
Do you have a signed certificate for CSO? (y/n) [n]:
Please provide commonname for CSO certificate (FQDN) []:
CSO certificate validity (in days): [365]:
DNS name of CSO Customer Portal []:jcs.juniper.net
DNS name of CSO Admin Portal (can be same as Customer Portal) []:jcs.juniper.net
Timezone for the servers in topology [America/Los_Angeles]:
List of ntp servers (comma separated) []:
Do you use IPV6 (y/n) [n]:n
Specify additional disk for Swift storage [/dev/vdc]:/dev/sdb
- Confirm whether you have an Ubuntu ESM license. This license is required to receive security updates. If you do not have one, contact Juniper Support.
Do you have Ubuntu ESM (Extended Security Maintenance) license? (y/n): y #recommended
- Deploy the microservices.
./python.sh micro_services/deploy_micro_services.py
- Apply the NAT rules. For port details, see "Minimum Requirements for Servers and VMs".
- Run the ./get_vm_details.sh script to find the IP address of each component.
root@startupserver1:~/Contrail_Service_Orchestration_6.3.0# ./get_vm_details.sh
Load Balancer IP:
nginx : 192.168.10.16
keystone : 192.168.10.20
haproxy_confd : 192.168.10.48
etcd : 192.168.10.19
haproxy_confd_sblb : 192.168.10.49
mariadb : 192.168.10.17
nginx_nsd : 192.168.10.18
- On the gateway, configure the next hop so that the VRR public IP addresses (for example, 10.x.x.3 and 10.x.x.4) point to the SRX IP address (for example, 10.x.x.2).
- Apply the following NAT configuration on the public-facing device.
NAT configuration
## Public address space
set security address-book global address public 10.x.x.2/32
set security address-book global address vrr-1-public 10.x.x.3/32
set security address-book global address vrr-2-public 10.x.x.4/32
### Private CSO address space (192.168.10.0/24)
set security address-book global address monitoring1 192.168.10.31/32
set security address-book global address keystone 192.168.10.20/32
set security address-book global address nginx 192.168.10.16/32
set security address-book global address nginx_nsd 192.168.10.18/32
set security address-book global address haproxy_confd 192.168.10.46/32
set security address-book global address haproxy_confd_sblb 192.168.10.47/32
set security address-book global address vrr-1 192.168.10.29/32
set security address-book global address vrr-2 192.168.10.30/32
set security address-book global address startupserver1 192.168.10.45/32
set security nat source rule-set inetAccess from zone trust
set security nat source rule-set inetAccess to zone untrust
set security nat source rule-set inetAccess rule inet match source-address 192.168.10.0/24
set security nat source rule-set inetAccess rule inet match destination-address 0.0.0.0/0
set security nat source rule-set inetAccess rule inet match application any
set security nat source rule-set inetAccess rule inet then source-nat interface
set security nat static rule-set cso from zone untrust
set security nat static rule-set cso rule adminportal-443 match destination-address-name public
set security nat static rule-set cso rule adminportal-443 match destination-port 443
set security nat static rule-set cso rule adminportal-443 then static-nat prefix-name nginx
set security nat static rule-set cso rule adminportal-443 then static-nat prefix-name mapped-port 443
set security nat static rule-set cso rule designtools-83 match destination-address-name public
set security nat static rule-set cso rule designtools-83 match destination-port 83
set security nat static rule-set cso rule designtools-83 then static-nat prefix-name nginx_nsd
set security nat static rule-set cso rule designtools-83 then static-nat prefix-name mapped-port 443
set security nat static rule-set cso rule outbound-ssh-7804 match destination-address-name public
set security nat static rule-set cso rule outbound-ssh-7804 match destination-port 7804
set security nat static rule-set cso rule outbound-ssh-7804 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule outbound-ssh-7804 then static-nat prefix-name mapped-port 7804
set security nat static rule-set cso rule rsyslog-514 match destination-address-name public
set security nat static rule-set cso rule rsyslog-514 match destination-port 514
set security nat static rule-set cso rule rsyslog-514 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule rsyslog-514 then static-nat prefix-name mapped-port 514
set security nat static rule-set cso rule syslog-3514 match destination-address-name public
set security nat static rule-set cso rule syslog-3514 match destination-port 3514
set security nat static rule-set cso rule syslog-3514 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule syslog-3514 then static-nat prefix-name mapped-port 3514
set security nat static rule-set cso rule syslog-6514 match destination-address-name public
set security nat static rule-set cso rule syslog-6514 match destination-port 6514
set security nat static rule-set cso rule syslog-6514 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule syslog-6514 then static-nat prefix-name mapped-port 6514
set security nat static rule-set cso rule syslog-2216 match destination-address-name public
set security nat static rule-set cso rule syslog-2216 match destination-port 2216
set security nat static rule-set cso rule syslog-2216 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule syslog-2216 then static-nat prefix-name mapped-port 2216
set security nat static rule-set cso rule CRL-8060 match destination-address-name public
set security nat static rule-set cso rule CRL-8060 match destination-port 8060
set security nat static rule-set cso rule CRL-8060 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule CRL-8060 then static-nat prefix-name mapped-port 8060
set security nat static rule-set cso rule vrr-1 match destination-address-name vrr-1-public
set security nat static rule-set cso rule vrr-1 then static-nat prefix-name vrr-1
set security nat static rule-set cso rule vrr-2 match destination-address-name vrr-2-public
set security nat static rule-set cso rule vrr-2 then static-nat prefix-name vrr-2
set security nat static rule-set cso rule kibana-5601 match destination-address-name public
set security nat static rule-set cso rule kibana-5601 match destination-port 5601
set security nat static rule-set cso rule kibana-5601 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule kibana-5601 then static-nat prefix-name mapped-port 5601
set security nat static rule-set cso rule rabbitmq-15672 match destination-address-name public
set security nat static rule-set cso rule rabbitmq-15672 match destination-port 15672
set security nat static rule-set cso rule rabbitmq-15672 then static-nat prefix-name nginx
set security nat static rule-set cso rule rabbitmq-15672 then static-nat prefix-name mapped-port 15672
set security nat static rule-set cso rule es-9210 match destination-address-name public
set security nat static rule-set cso rule es-9210 match destination-port 9210
set security nat static rule-set cso rule es-9210 then static-nat prefix-name monitoring1
set security nat static rule-set cso rule es-9210 then static-nat prefix-name mapped-port 9210
set security nat static rule-set cso rule keystone-port-5000 match destination-address-name public
set security nat static rule-set cso rule keystone-port-5000 match destination-port 5000
set security nat static rule-set cso rule keystone-port-5000 then static-nat prefix-name keystone
set security nat static rule-set cso rule keystone-port-5000 then static-nat prefix-name mapped-port 5000
set security nat static rule-set cso rule can-8081 match destination-address-name public
set security nat static rule-set cso rule can-8081 match destination-port 8081
set security nat static rule-set cso rule can-8081 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule can-8081 then static-nat prefix-name mapped-port 8081
set security nat static rule-set cso rule can-8082 match destination-address-name public
set security nat static rule-set cso rule can-8082 match destination-port 8082
set security nat static rule-set cso rule can-8082 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule can-8082 then static-nat prefix-name mapped-port 8082
set security nat static rule-set cso rule grafana-3000 match destination-address-name public
set security nat static rule-set cso rule grafana-3000 match destination-port 3000
set security nat static rule-set cso rule grafana-3000 then static-nat prefix-name monitoring1
set security nat static rule-set cso rule grafana-3000 then static-nat prefix-name mapped-port 3000
set security nat static rule-set cso rule icinga-1947 match destination-address-name public
set security nat static rule-set cso rule icinga-1947 match destination-port 1947
set security nat static rule-set cso rule icinga-1947 then static-nat prefix-name nginx
set security nat static rule-set cso rule icinga-1947 then static-nat prefix-name mapped-port 1947
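The address book behind the static-NAT rules has to match the component IPs that get_vm_details.sh actually reports (on this page the NAT sample lists haproxy_confd as 192.168.10.46 while the script output shows 192.168.10.48), and every rule also widens the public attack surface of the CSO hosts. The following Python is an added example, not part of the Juniper documentation: it parses both artifacts, reports every NAT target whose address-book entry disagrees with the script output, and lists which public ports are forwarded where. The SRX lines and script output are constructed samples in the shape shown on this page, with 10.0.0.2 standing in for the public address.

```python
"""Cross-check SRX static-NAT address-book entries against get_vm_details.sh output."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the SRX "set" configuration on this page.
# The haproxy_confd entry deliberately differs from the script output below.
SRX_CONFIG = """
set security address-book global address public 10.0.0.2/32
set security address-book global address nginx 192.168.10.16/32
set security address-book global address haproxy_confd 192.168.10.46/32
set security nat static rule-set cso from zone untrust
set security nat static rule-set cso rule adminportal-443 match destination-address-name public
set security nat static rule-set cso rule adminportal-443 match destination-port 443
set security nat static rule-set cso rule adminportal-443 then static-nat prefix-name nginx
set security nat static rule-set cso rule adminportal-443 then static-nat prefix-name mapped-port 443
set security nat static rule-set cso rule outbound-ssh-7804 match destination-address-name public
set security nat static rule-set cso rule outbound-ssh-7804 match destination-port 7804
set security nat static rule-set cso rule outbound-ssh-7804 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule outbound-ssh-7804 then static-nat prefix-name mapped-port 7804
"""

# Constructed sample in the shape of the get_vm_details.sh output on this page.
VM_DETAILS = """
Load Balancer IP:
nginx : 192.168.10.16
keystone : 192.168.10.20
haproxy_confd : 192.168.10.48
"""

ADDR_RE = re.compile(r"^set security address-book global address (\S+) (\S+)$")
RULE_RE = re.compile(r"^set security nat static rule-set \S+ rule (\S+) (match|then) (.+)$")
VM_RE = re.compile(r"^(\S+) : (\d+\.\d+\.\d+\.\d+)$")


def parse_address_book(config: str) -> Dict[str, str]:
    """Map each address-book name to its prefix."""
    matches = (ADDR_RE.match(ln.strip()) for ln in config.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def parse_vm_details(output: str) -> Dict[str, str]:
    """Map each component name printed by get_vm_details.sh to its IP."""
    matches = (VM_RE.match(ln.strip()) for ln in output.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def parse_static_nat(config: str) -> Dict[str, dict]:
    """Collect destination port, target name and mapped port for each static-NAT rule."""
    rules: Dict[str, dict] = {}
    for m in filter(None, (RULE_RE.match(ln.strip()) for ln in config.splitlines())):
        name, clause, rest = m.groups()
        tok = rest.split()
        r = rules.setdefault(name, {})
        if clause == "match" and tok[0] == "destination-port":
            r["dport"] = int(tok[1])
        elif clause == "then" and tok[:3] == ["static-nat", "prefix-name", "mapped-port"]:
            r["mapped_port"] = int(tok[3])
        elif clause == "then" and tok[:2] == ["static-nat", "prefix-name"]:
            r["target"] = tok[2]  # the address-book name the rule forwards to
    return rules


def find_mismatches(config: str, vm_output: str) -> List[Tuple[str, str, str]]:
    """Return (rule, address-book prefix, actual IP) for every NAT target whose
    address-book entry is missing or disagrees with get_vm_details.sh."""
    book, hosts = parse_address_book(config), parse_vm_details(vm_output)
    bad = []
    for rule, r in sorted(parse_static_nat(config).items()):
        target = r.get("target")
        if target not in book:
            bad.append((rule, "<no address-book entry>", hosts.get(target, "?")))
        elif target in hosts and hosts[target] != book[target].split("/")[0]:
            bad.append((rule, book[target], hosts[target]))
    return bad


def exposed_ports(config: str) -> List[Tuple[int, str, int]]:
    """List (public port, internal target, mapped port) for review of the exposed surface."""
    rules = parse_static_nat(config).values()
    return sorted((r["dport"], r["target"], r["mapped_port"]) for r in rules if "dport" in r)
```

Run it against the real configuration and script output before committing the NAT rules; any line from find_mismatches means traffic for that rule will be forwarded to a stale address.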
- The following configuration applies only if you are using an SRX Series device as the firewall. If you have a third-party firewall, apply equivalent rules.
Sample SRX configuration
set system host-name example.net
set system root-authentication encrypted-password "$5$.eexxxTzK$KpQKybUds3P89Y9N5ol2FubLREaliyh9see.hCBJo5"
set system services ssh root-login allow
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface fxp0.0
set system services dhcp-local-server group jdhcp-group interface irb.0
set system services web-management https system-generated-certificate
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set security address-book global address public 10.x.x.2/32
set security address-book global address vrr-1-public 10.x.x.3/32
set security address-book global address vrr-2-public 10.x.x.4/32
set security address-book global address monitoring1 192.168.10.31/32
set security address-book global address keystone 192.168.10.20/32
set security address-book global address nginx 192.168.10.16/32
set security address-book global address nginx_nsd 192.168.10.18/32
set security address-book global address haproxy_confd 192.168.10.46/32
set security address-book global address haproxy_confd_sblb 192.168.10.47/32
set security address-book global address vrr-1 192.168.10.29/32
set security address-book global address vrr-2 192.168.10.30/32
set security address-book global address startupserver1 192.168.10.45/32
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set inetAccess from zone trust
set security nat source rule-set inetAccess to zone untrust
set security nat source rule-set inetAccess rule inet match source-address 192.168.10.0/24
set security nat source rule-set inetAccess rule inet match destination-address 0.0.0.0/0
set security nat source rule-set inetAccess rule inet match application any
set security nat source rule-set inetAccess rule inet then source-nat interface
set security nat static rule-set cso from zone untrust
set security nat static rule-set cso rule adminportal-443 match destination-address-name public
set security nat static rule-set cso rule adminportal-443 match destination-port 443
set security nat static rule-set cso rule adminportal-443 then static-nat prefix-name nginx
set security nat static rule-set cso rule adminportal-443 then static-nat prefix-name mapped-port 443
set security nat static rule-set cso rule rsyslog-514 match destination-address-name public
set security nat static rule-set cso rule rsyslog-514 match destination-port 514
set security nat static rule-set cso rule rsyslog-514 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule rsyslog-514 then static-nat prefix-name mapped-port 514
set security nat static rule-set cso rule syslog-3514 match destination-address-name public
set security nat static rule-set cso rule syslog-3514 match destination-port 3514
set security nat static rule-set cso rule syslog-3514 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule syslog-3514 then static-nat prefix-name mapped-port 3514
set security nat static rule-set cso rule syslog-6514 match destination-address-name public
set security nat static rule-set cso rule syslog-6514 match destination-port 6514
set security nat static rule-set cso rule syslog-6514 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule syslog-6514 then static-nat prefix-name mapped-port 6514
set security nat static rule-set cso rule designtools-83 match destination-address-name public
set security nat static rule-set cso rule designtools-83 match destination-port 83
set security nat static rule-set cso rule designtools-83 then static-nat prefix-name nginx_nsd
set security nat static rule-set cso rule designtools-83 then static-nat prefix-name mapped-port 443
set security nat static rule-set cso rule outbound-ssh-7804 match destination-address-name public
set security nat static rule-set cso rule outbound-ssh-7804 match destination-port 7804
set security nat static rule-set cso rule outbound-ssh-7804 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule outbound-ssh-7804 then static-nat prefix-name mapped-port 7804
set security nat static rule-set cso rule kibana-5601 match destination-address-name public
set security nat static rule-set cso rule kibana-5601 match destination-port 5601
set security nat static rule-set cso rule kibana-5601 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule kibana-5601 then static-nat prefix-name mapped-port 5601
set security nat static rule-set cso rule syslog-2216 match destination-address-name public
set security nat static rule-set cso rule syslog-2216 match destination-port 2216
set security nat static rule-set cso rule syslog-2216 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule syslog-2216 then static-nat prefix-name mapped-port 2216
set security nat static rule-set cso rule CRL-8060 match destination-address-name public
set security nat static rule-set cso rule CRL-8060 match destination-port 8060
set security nat static rule-set cso rule CRL-8060 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule CRL-8060 then static-nat prefix-name mapped-port 8060
set security nat static rule-set cso rule rabbitmq-15672 match destination-address-name public
set security nat static rule-set cso rule rabbitmq-15672 match destination-port 15672
set security nat static rule-set cso rule rabbitmq-15672 then static-nat prefix-name nginx
set security nat static rule-set cso rule rabbitmq-15672 then static-nat prefix-name mapped-port 15672
set security nat static rule-set cso rule es-9210 match destination-address-name public
set security nat static rule-set cso rule es-9210 match destination-port 9210
set security nat static rule-set cso rule es-9210 then static-nat prefix-name monitoring1
set security nat static rule-set cso rule es-9210 then static-nat prefix-name mapped-port 9210
set security nat static rule-set cso rule keystone-port-5000 match destination-address-name public
set security nat static rule-set cso rule keystone-port-5000 match destination-port 5000
set security nat static rule-set cso rule keystone-port-5000 then static-nat prefix-name keystone
set security nat static rule-set cso rule keystone-port-5000 then static-nat prefix-name mapped-port 5000
set security nat static rule-set cso rule can-8081 match destination-address-name public
set security nat static rule-set cso rule can-8081 match destination-port 8081
set security nat static rule-set cso rule can-8081 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule can-8081 then static-nat prefix-name mapped-port 8081
set security nat static rule-set cso rule can-8082 match destination-address-name public
set security nat static rule-set cso rule can-8082 match destination-port 8082
set security nat static rule-set cso rule can-8082 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule can-8082 then static-nat prefix-name mapped-port 8082
set security nat static rule-set cso rule grafana-3000 match destination-address-name public
set security nat static rule-set cso rule grafana-3000 match destination-port 3000
set security nat static rule-set cso rule grafana-3000 then static-nat prefix-name monitoring1
set security nat static rule-set cso rule grafana-3000 then static-nat prefix-name mapped-port 3000
set security nat static rule-set cso rule icinga-1947 match destination-address-name public
set security nat static rule-set cso rule icinga-1947 match destination-port 1947
set security nat static rule-set cso rule icinga-1947 then static-nat prefix-name nginx
set security nat static rule-set cso rule icinga-1947 then static-nat prefix-name mapped-port 1947
set security nat static rule-set cso rule vrr-1 match destination-address-name vrr-1-public
set security nat static rule-set cso rule vrr-1 then static-nat prefix-name vrr-1
set security nat static rule-set cso rule vrr-2 match destination-address-name vrr-2-public
set security nat static rule-set cso rule vrr-2 then static-nat prefix-name vrr-2
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone untrust policy default-permit match source-address any
set security policies from-zone untrust to-zone untrust policy default-permit match destination-address any
set security policies from-zone untrust to-zone untrust policy default-permit match application any
set security policies from-zone untrust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-permit match source-address any
set security policies from-zone untrust to-zone trust policy default-permit match destination-address any
set security policies from-zone untrust to-zone trust policy default-permit match application any
set security policies from-zone untrust to-zone trust policy default-permit then permit
set security policies default-policy deny-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/2.0
set interfaces ge-0/0/1 description "Public Facing"
set interfaces ge-0/0/1 unit 0 proxy-arp restricted
set interfaces ge-0/0/1 unit 0 family inet address 10.x.x.2/24
set interfaces ge-0/0/5 description Host-1
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 description Host-2
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 description Host-3
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces irb unit 0 family inet address 192.168.10.1/24
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set protocols l2-learning global-mode switching
set protocols lldp interface all
set protocols rstp interface all
set routing-options static route 0.0.0.0/0 next-hop 10.x.x.254
- Load the data.
./python.sh micro_services/load_services_data.py
You can run the ./get_vm_details.sh script to find the IP address of each component.
We recommend that you take a snapshot of the VMs in an ESXi deployment.