Install Contrail Service Orchestration
Deploy CSO
Before you start the deployment, make sure that all the VMs have Internet connectivity. Internet connectivity is required to verify the ESM license.
After you provision the VMs, deploy CSO as follows:
- Copy the CSO central server installation package file to the startupserver1 VM.
scp cso<version>.tar.gz root@<startupserver1 IP>:/root/
- Log in to the startupserver1 VM as the root user. Run the get_vm_details.sh script to find the IP address of the startupserver1 VM, then use SSH to access the VM.
- Expand the installer package.
root@host:~/# tar -xvzf cso<version>.tar.gz
The expanded package is a directory that has the same name as the installer package and contains the installation files.
- Run the deploy.sh script.
For KVM hypervisors: run the deploy.sh script and choose the operation from the menu.
1. Deploy CSO
2. Replace VM
0. Exit
#Your choice: [1 --> CSO Infra Deployment; 2 --> Replace existing VM, currently supports only k8-master, k8-infra and k8-microservices node for replacement in KVM]
For the ESXi hypervisor: run the deploy.sh script. Use the interactive script to create the configuration files for the topology specific to your environment. Select option 1 (Deploy CSO) to deploy the CSO infrastructure; option 2 (Replace VM) does not apply to ESXi hypervisors.
Sample output for a CSO deployment on the ESXi hypervisor:
root@host:~/Contrail_Service_Orchestration_6.3.0# ./deploy.sh
Enter the number for operation to be performed:
1. Deploy CSO
2. Replace VM
0. Exit
Your choice: 1
*********************************************
Generic Questions
*********************************************
Do you need a Standalone/HA deployment (1/2) [2]:
Would you like to install streaming feature? (y/n) [y]:y
*********************************************
Server Details
*********************************************
Please select hypervisor (kvm/esxi) [kvm]:esxi
Enter the number of cluster groups []:3
Do all your VMs have same password for root(y/n) []:y
Enter the password common for all the VMs:
Confirm Password:
Provide the list/comma separated VM IPs for cluster group 1(except VRR) []:192.168.x.2-192.168.x.7,192.168.x.9
Provide the list/comma separated VM IPs for cluster group 2(except VRR) []:192.168.x.10-192.168.x.15,192.168.x.17
Provide the list/comma separated VM IPs for cluster group 3(except VRR) []:192.168.x.22-192.168.x.29,192.168.x.30
Provide VIP (for admin portal and SBLB usage) for VMs []:10.x.x.183
Please provide the CSO reachable subnet for device communication []:10.x.0.0/20
Provide password for VRR VMs:
Confirm Password:
Number of VRR instances : 2
Redundancy group for VRR0 : 0
Provide routable IP for VRR1 []:10.x.x.234
Provide private IP for VRR1 []:192.168.x.8
Redundancy group for VRR1 : 1
Provide routable IP for VRR2 []:10.x.x.235
Provide private IP for VRR2 []:192.168.x.16
*********************************************
Authentication and Other Questions
*********************************************
Provide list/comma separated 10 IPs to be used for load balancers []:192.168.x.42-192.168.x.53
Provide Email Address for cspadmin user []:nutans@juniper.net
The Autonomous System Number for BGP [64512]:
Do you have a signed certificate for CSO? (y/n) [n]:
Please provide commonname for CSO certificate (FQDN) []:
CSO certificate validity (in days): [365]:
DNS name of CSO Customer Portal []:jcs.juniper.net
DNS name of CSO Admin Portal (can be same as Customer Portal) []:jcs.juniper.net
Timezone for the servers in topology [America/Los_Angeles]:
List of ntp servers (comma separated) []:
Do you use IPV6 (y/n) [n]:n
Specify additional disk for Swift storage [/dev/vdc]:/dev/sdb
- Confirm whether you have the Ubuntu ESM license. This license is required to receive security updates. If you do not have the license, contact Juniper support.
Do you have Ubuntu ESM (Extended Security Maintenance) license? (y/n): y #recommended
- Deploy the microservices.
./python.sh micro_services/deploy_micro_services.py
- Apply the NAT rules. For port details, see Minimum Requirements for Servers and VMs.
  - Run the ./get_vm_details.sh script to find the IP addresses of each component.
root@startupserver1:~/Contrail_Service_Orchestration_6.3.0# ./get_vm_details.sh
Load Balancer IP:
nginx : 192.168.10.16
keystone : 192.168.10.20
haproxy_confd : 192.168.10.48
etcd : 192.168.10.19
haproxy_confd_sblb : 192.168.10.49
mariadb : 192.168.10.17
nginx_nsd : 192.168.10.18
  - Configure the next hop on the gateway so that the public VRR IP addresses (for example, 10.x.x.3 and 10.x.x.4) point to the SRX IP address (for example, 10.x.x.2).
  - Apply the following NAT configuration for any public device:
NAT configuration
## Public address space
set security address-book global address public 10.x.x.2/32
set security address-book global address vrr-1-public 10.x.x.3/32
set security address-book global address vrr-2-public 10.x.x.4/32
### Private CSO address space (192.168.10.0/24)
set security address-book global address monitoring1 192.168.10.31/32
set security address-book global address keystone 192.168.10.20/32
set security address-book global address nginx 192.168.10.16/32
set security address-book global address nginx_nsd 192.168.10.18/32
set security address-book global address haproxy_confd 192.168.10.46/32
set security address-book global address haproxy_confd_sblb 192.168.10.47/32
set security address-book global address vrr-1 192.168.10.29/32
set security address-book global address vrr-2 192.168.10.30/32
set security address-book global address startupserver1 192.168.10.45/32
set security nat source rule-set inetAccess from zone trust
set security nat source rule-set inetAccess to zone untrust
set security nat source rule-set inetAccess rule inet match source-address 192.168.10.0/24
set security nat source rule-set inetAccess rule inet match destination-address 0.0.0.0/0
set security nat source rule-set inetAccess rule inet match application any
set security nat source rule-set inetAccess rule inet then source-nat interface
set security nat static rule-set cso from zone untrust
set security nat static rule-set cso rule adminportal-443 match destination-address-name public
set security nat static rule-set cso rule adminportal-443 match destination-port 443
set security nat static rule-set cso rule adminportal-443 then static-nat prefix-name nginx
set security nat static rule-set cso rule adminportal-443 then static-nat prefix-name mapped-port 443
set security nat static rule-set cso rule designtools-83 match destination-address-name public
set security nat static rule-set cso rule designtools-83 match destination-port 83
set security nat static rule-set cso rule designtools-83 then static-nat prefix-name nginx_nsd
set security nat static rule-set cso rule designtools-83 then static-nat prefix-name mapped-port 443
set security nat static rule-set cso rule outbound-ssh-7804 match destination-address-name public
set security nat static rule-set cso rule outbound-ssh-7804 match destination-port 7804
set security nat static rule-set cso rule outbound-ssh-7804 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule outbound-ssh-7804 then static-nat prefix-name mapped-port 7804
set security nat static rule-set cso rule rsyslog-514 match destination-address-name public
set security nat static rule-set cso rule rsyslog-514 match destination-port 514
set security nat static rule-set cso rule rsyslog-514 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule rsyslog-514 then static-nat prefix-name mapped-port 514
set security nat static rule-set cso rule syslog-3514 match destination-address-name public
set security nat static rule-set cso rule syslog-3514 match destination-port 3514
set security nat static rule-set cso rule syslog-3514 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule syslog-3514 then static-nat prefix-name mapped-port 3514
set security nat static rule-set cso rule syslog-6514 match destination-address-name public
set security nat static rule-set cso rule syslog-6514 match destination-port 6514
set security nat static rule-set cso rule syslog-6514 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule syslog-6514 then static-nat prefix-name mapped-port 6514
set security nat static rule-set cso rule syslog-2216 match destination-address-name public
set security nat static rule-set cso rule syslog-2216 match destination-port 2216
set security nat static rule-set cso rule syslog-2216 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule syslog-2216 then static-nat prefix-name mapped-port 2216
set security nat static rule-set cso rule CRL-8060 match destination-address-name public
set security nat static rule-set cso rule CRL-8060 match destination-port 8060
set security nat static rule-set cso rule CRL-8060 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule CRL-8060 then static-nat prefix-name mapped-port 8060
set security nat static rule-set cso rule vrr-1 match destination-address-name vrr-1-public
set security nat static rule-set cso rule vrr-1 then static-nat prefix-name vrr-1
set security nat static rule-set cso rule vrr-2 match destination-address-name vrr-2-public
set security nat static rule-set cso rule vrr-2 then static-nat prefix-name vrr-2
set security nat static rule-set cso rule kibana-5601 match destination-address-name public
set security nat static rule-set cso rule kibana-5601 match destination-port 5601
set security nat static rule-set cso rule kibana-5601 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule kibana-5601 then static-nat prefix-name mapped-port 5601
set security nat static rule-set cso rule rabbitmq-15672 match destination-address-name public
set security nat static rule-set cso rule rabbitmq-15672 match destination-port 15672
set security nat static rule-set cso rule rabbitmq-15672 then static-nat prefix-name nginx
set security nat static rule-set cso rule rabbitmq-15672 then static-nat prefix-name mapped-port 15672
set security nat static rule-set cso rule es-9210 match destination-address-name public
set security nat static rule-set cso rule es-9210 match destination-port 9210
set security nat static rule-set cso rule es-9210 then static-nat prefix-name monitoring1
set security nat static rule-set cso rule es-9210 then static-nat prefix-name mapped-port 9210
set security nat static rule-set cso rule keystone-port-5000 match destination-address-name public
set security nat static rule-set cso rule keystone-port-5000 match destination-port 5000
set security nat static rule-set cso rule keystone-port-5000 then static-nat prefix-name keystone
set security nat static rule-set cso rule keystone-port-5000 then static-nat prefix-name mapped-port 5000
set security nat static rule-set cso rule can-8081 match destination-address-name public
set security nat static rule-set cso rule can-8081 match destination-port 8081
set security nat static rule-set cso rule can-8081 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule can-8081 then static-nat prefix-name mapped-port 8081
set security nat static rule-set cso rule can-8082 match destination-address-name public
set security nat static rule-set cso rule can-8082 match destination-port 8082
set security nat static rule-set cso rule can-8082 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule can-8082 then static-nat prefix-name mapped-port 8082
set security nat static rule-set cso rule grafana-3000 match destination-address-name public
set security nat static rule-set cso rule grafana-3000 match destination-port 3000
set security nat static rule-set cso rule grafana-3000 then static-nat prefix-name monitoring1
set security nat static rule-set cso rule grafana-3000 then static-nat prefix-name mapped-port 3000
set security nat static rule-set cso rule icinga-1947 match destination-address-name public
set security nat static rule-set cso rule icinga-1947 match destination-port 1947
set security nat static rule-set cso rule icinga-1947 then static-nat prefix-name nginx
set security nat static rule-set cso rule icinga-1947 then static-nat prefix-name mapped-port 1947
The following configuration applies only if you have an SRX Series device as the firewall. Apply similar rules if you have a third-party firewall. Note that the sample policies below permit any traffic from the untrust zone to the trust zone; for a production deployment, restrict the untrust-to-trust policy to the ports that the static NAT rules expose.
Sample SRX configuration
set system host-name example.net
set system root-authentication encrypted-password "$5$.eexxxTzK$KpQKybUds3P89Y9N5ol2FubLREaliyh9see.hCBJo5"
set system services ssh root-login allow
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface fxp0.0
set system services dhcp-local-server group jdhcp-group interface irb.0
set system services web-management https system-generated-certificate
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set security address-book global address public 10.x.x.2/32
set security address-book global address vrr-1-public 10.x.x.3/32
set security address-book global address vrr-2-public 10.x.x.4/32
set security address-book global address monitoring1 192.168.10.31/32
set security address-book global address keystone 192.168.10.20/32
set security address-book global address nginx 192.168.10.16/32
set security address-book global address nginx_nsd 192.168.10.18/32
set security address-book global address haproxy_confd 192.168.10.46/32
set security address-book global address haproxy_confd_sblb 192.168.10.47/32
set security address-book global address vrr-1 192.168.10.29/32
set security address-book global address vrr-2 192.168.10.30/32
set security address-book global address startupserver1 192.168.10.45/32
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set inetAccess from zone trust
set security nat source rule-set inetAccess to zone untrust
set security nat source rule-set inetAccess rule inet match source-address 192.168.10.0/24
set security nat source rule-set inetAccess rule inet match destination-address 0.0.0.0/0
set security nat source rule-set inetAccess rule inet match application any
set security nat source rule-set inetAccess rule inet then source-nat interface
set security nat static rule-set cso from zone untrust
set security nat static rule-set cso rule adminportal-443 match destination-address-name public
set security nat static rule-set cso rule adminportal-443 match destination-port 443
set security nat static rule-set cso rule adminportal-443 then static-nat prefix-name nginx
set security nat static rule-set cso rule adminportal-443 then static-nat prefix-name mapped-port 443
set security nat static rule-set cso rule rsyslog-514 match destination-address-name public
set security nat static rule-set cso rule rsyslog-514 match destination-port 514
set security nat static rule-set cso rule rsyslog-514 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule rsyslog-514 then static-nat prefix-name mapped-port 514
set security nat static rule-set cso rule syslog-3514 match destination-address-name public
set security nat static rule-set cso rule syslog-3514 match destination-port 3514
set security nat static rule-set cso rule syslog-3514 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule syslog-3514 then static-nat prefix-name mapped-port 3514
set security nat static rule-set cso rule syslog-6514 match destination-address-name public
set security nat static rule-set cso rule syslog-6514 match destination-port 6514
set security nat static rule-set cso rule syslog-6514 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule syslog-6514 then static-nat prefix-name mapped-port 6514
set security nat static rule-set cso rule designtools-83 match destination-address-name public
set security nat static rule-set cso rule designtools-83 match destination-port 83
set security nat static rule-set cso rule designtools-83 then static-nat prefix-name nginx_nsd
set security nat static rule-set cso rule designtools-83 then static-nat prefix-name mapped-port 443
set security nat static rule-set cso rule outbound-ssh-7804 match destination-address-name public
set security nat static rule-set cso rule outbound-ssh-7804 match destination-port 7804
set security nat static rule-set cso rule outbound-ssh-7804 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule outbound-ssh-7804 then static-nat prefix-name mapped-port 7804
set security nat static rule-set cso rule kibana-5601 match destination-address-name public
set security nat static rule-set cso rule kibana-5601 match destination-port 5601
set security nat static rule-set cso rule kibana-5601 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule kibana-5601 then static-nat prefix-name mapped-port 5601
set security nat static rule-set cso rule syslog-2216 match destination-address-name public
set security nat static rule-set cso rule syslog-2216 match destination-port 2216
set security nat static rule-set cso rule syslog-2216 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule syslog-2216 then static-nat prefix-name mapped-port 2216
set security nat static rule-set cso rule CRL-8060 match destination-address-name public
set security nat static rule-set cso rule CRL-8060 match destination-port 8060
set security nat static rule-set cso rule CRL-8060 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule CRL-8060 then static-nat prefix-name mapped-port 8060
set security nat static rule-set cso rule rabbitmq-15672 match destination-address-name public
set security nat static rule-set cso rule rabbitmq-15672 match destination-port 15672
set security nat static rule-set cso rule rabbitmq-15672 then static-nat prefix-name nginx
set security nat static rule-set cso rule rabbitmq-15672 then static-nat prefix-name mapped-port 15672
set security nat static rule-set cso rule es-9210 match destination-address-name public
set security nat static rule-set cso rule es-9210 match destination-port 9210
set security nat static rule-set cso rule es-9210 then static-nat prefix-name monitoring1
set security nat static rule-set cso rule es-9210 then static-nat prefix-name mapped-port 9210
set security nat static rule-set cso rule keystone-port-5000 match destination-address-name public
set security nat static rule-set cso rule keystone-port-5000 match destination-port 5000
set security nat static rule-set cso rule keystone-port-5000 then static-nat prefix-name keystone
set security nat static rule-set cso rule keystone-port-5000 then static-nat prefix-name mapped-port 5000
set security nat static rule-set cso rule can-8081 match destination-address-name public
set security nat static rule-set cso rule can-8081 match destination-port 8081
set security nat static rule-set cso rule can-8081 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule can-8081 then static-nat prefix-name mapped-port 8081
set security nat static rule-set cso rule can-8082 match destination-address-name public
set security nat static rule-set cso rule can-8082 match destination-port 8082
set security nat static rule-set cso rule can-8082 then static-nat prefix-name haproxy_confd_sblb
set security nat static rule-set cso rule can-8082 then static-nat prefix-name mapped-port 8082
set security nat static rule-set cso rule grafana-3000 match destination-address-name public
set security nat static rule-set cso rule grafana-3000 match destination-port 3000
set security nat static rule-set cso rule grafana-3000 then static-nat prefix-name monitoring1
set security nat static rule-set cso rule grafana-3000 then static-nat prefix-name mapped-port 3000
set security nat static rule-set cso rule icinga-1947 match destination-address-name public
set security nat static rule-set cso rule icinga-1947 match destination-port 1947
set security nat static rule-set cso rule icinga-1947 then static-nat prefix-name nginx
set security nat static rule-set cso rule icinga-1947 then static-nat prefix-name mapped-port 1947
set security nat static rule-set cso rule vrr-1 match destination-address-name vrr-1-public
set security nat static rule-set cso rule vrr-1 then static-nat prefix-name vrr-1
set security nat static rule-set cso rule vrr-2 match destination-address-name vrr-2-public
set security nat static rule-set cso rule vrr-2 then static-nat prefix-name vrr-2
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone untrust policy default-permit match source-address any
set security policies from-zone untrust to-zone untrust policy default-permit match destination-address any
set security policies from-zone untrust to-zone untrust policy default-permit match application any
set security policies from-zone untrust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-permit match source-address any
set security policies from-zone untrust to-zone trust policy default-permit match destination-address any
set security policies from-zone untrust to-zone trust policy default-permit match application any
set security policies from-zone untrust to-zone trust policy default-permit then permit
set security policies default-policy deny-all
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/2.0
set interfaces ge-0/0/1 description "Public Facing"
set interfaces ge-0/0/1 unit 0 proxy-arp restricted
set interfaces ge-0/0/1 unit 0 family inet address 10.x.x.2/24
set interfaces ge-0/0/5 description Host-1
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/6 description Host-2
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/7 description Host-3
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces irb unit 0 family inet address 192.168.10.1/24
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface irb.0
set protocols l2-learning global-mode switching
set protocols lldp interface all
set protocols rstp interface all
set routing-options static route 0.0.0.0/0 next-hop 10.x.x.254
- Load the data.
./python.sh micro_services/load_services_data.py
You can run the ./get_vm_details.sh script to find the IP address of each component.
We recommend taking snapshots of the VMs for an ESXi deployment.
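The NAT step depends on the firewall's address-book matching the IPs that get_vm_details.sh actually reports; on this page the sample script output and the sample NAT configuration already disagree for haproxy_confd (192.168.10.48 versus 192.168.10.46) and haproxy_confd_sblb (192.168.10.49 versus 192.168.10.47), which is exactly the kind of drift that silently forwards a public port to the wrong VM. The following Python script is an added example, not part of the CSO installer or of Juniper's documentation: it parses both artifacts, reports IP mismatches and static NAT rules that reference an undefined prefix-name, and builds the public-port to internal-host table that the static NAT exposes. The sample inputs are constructed excerpts of the values shown above.

```python
"""Cross-check the CSO static NAT snippet against get_vm_details.sh output.
Added example: flags address-book entries whose IP differs from what the
deployment assigned, and NAT rules that point at an undefined prefix-name."""
import re
from collections import defaultdict

# Constructed sample: excerpt of the get_vm_details.sh output shown above.
VM_DETAILS = """\
Load Balancer IP:
nginx : 192.168.10.16
haproxy_confd : 192.168.10.48
haproxy_confd_sblb : 192.168.10.49
"""

# Constructed sample from the NAT configuration above; es-9210 references monitoring1, which is deliberately left undefined.
NAT_CONFIG = """\
set security address-book global address public 10.x.x.2/32
set security address-book global address nginx 192.168.10.16/32
set security address-book global address haproxy_confd 192.168.10.46/32
set security address-book global address haproxy_confd_sblb 192.168.10.47/32
set security nat static rule-set cso rule adminportal-443 match destination-address-name public
set security nat static rule-set cso rule adminportal-443 match destination-port 443
set security nat static rule-set cso rule adminportal-443 then static-nat prefix-name nginx
set security nat static rule-set cso rule adminportal-443 then static-nat prefix-name mapped-port 443
set security nat static rule-set cso rule outbound-ssh-7804 match destination-address-name public
set security nat static rule-set cso rule outbound-ssh-7804 match destination-port 7804
set security nat static rule-set cso rule outbound-ssh-7804 then static-nat prefix-name haproxy_confd
set security nat static rule-set cso rule outbound-ssh-7804 then static-nat prefix-name mapped-port 7804
set security nat static rule-set cso rule es-9210 match destination-address-name public
set security nat static rule-set cso rule es-9210 match destination-port 9210
set security nat static rule-set cso rule es-9210 then static-nat prefix-name monitoring1
set security nat static rule-set cso rule es-9210 then static-nat prefix-name mapped-port 9210
"""

ADDR_RE = re.compile(r"^set security address-book global address (\S+) (\S+)/\d+$")
RULE_RE = re.compile(r"^set security nat static rule-set \S+ rule (\S+) (?:match|then) (.+)$")

def parse_vm_details(text):
    """Map component name -> IP from the 'name : ip' lines; other lines are ignored."""
    hits = (re.match(r"^(\S+)\s*:\s*(\d+(?:\.\d+){3})$", ln.strip()) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in hits if m}

def parse_nat(text):
    """Return (address_book, rules); rules map rule name -> public/dport/target/mapped_port."""
    book, rules = {}, defaultdict(dict)
    for line in text.splitlines():
        if m := ADDR_RE.match(line.strip()):
            book[m.group(1)] = m.group(2)          # prefix-name -> IP without the mask
        elif m := RULE_RE.match(line.strip()):
            name, rest = m.group(1), m.group(2).split()
            if rest[0] == "destination-address-name":
                rules[name]["public"] = rest[-1]
            elif rest[0] == "destination-port":
                rules[name]["dport"] = int(rest[-1])
            elif rest[:3] == ["static-nat", "prefix-name", "mapped-port"]:
                rules[name]["mapped_port"] = int(rest[-1])   # test before the generic prefix-name form
            elif rest[:2] == ["static-nat", "prefix-name"]:
                rules[name]["target"] = rest[-1]
    return book, dict(rules)

def audit(vm_details, nat_config):
    """Return findings as strings; an empty list means the two inputs agree."""
    ips = parse_vm_details(vm_details)
    book, rules = parse_nat(nat_config)
    findings = [f"address-book {n} is {a}, deployment uses {ips[n]}"
                for n, a in book.items() if n in ips and ips[n] != a]
    findings += [f"rule {n} forwards to undefined prefix-name {r.get('target')}"
                 for n, r in rules.items() if r.get("target") not in book]
    return findings

def exposure_table(nat_config):
    """(public name, port) -> (internal host, port): the inbound surface the static NAT opens."""
    _, rules = parse_nat(nat_config)
    return {(r["public"], r["dport"]): (r.get("target"), r.get("mapped_port", r["dport"]))
            for r in rules.values() if "dport" in r}
```

Run audit() against the real get_vm_details.sh output and your own candidate configuration before committing it on the SRX; exposure_table() is also a convenient input for the untrust-to-trust policy, since it lists exactly the public ports that need to be allowed.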