Deploy Contrail Cloud
Prerequisites for Contrail Cloud Deployment
Before you deploy Contrail Cloud, ensure that your system meets the following prerequisites:
Infrastructure Networking
Every system must have access to the Contrail Cloud repository satellite. The satellite is used to distribute packages and control software versions.
The Contrail Cloud jump host must have access to the Intelligent Platform Management Interface (IPMI) of every managed server.
The jump host must be in the same broadcast domain as each managed server’s management interface to allow Preboot Execution Environment (PXE) booting.
Note:When running multiple networks that use different switching devices per rack, PXE booting is accomplished by stretching a VLAN across the interfaces. BOOTP forwarding in the network fabric is not supported. The undercloud is the only DHCP server in this network.
- You must set the jump host hostname to a long name (FQDN).
- You must also set proper /etc/hosts entry on the jump host for the given FQDN.
- The jump host FQDN should also be resolvable by DNS, returning and IP that is reachable/routable from the whole cloud environment.
Contrail Cloud Jump Host Setup
The Red Hat Openstack Platform Director (also known as the undercloud) is deployed as a virtual machine on a Linux kernel-based virtual machine (KVM) Contrail Cloud jump host. You must ensure that the KVM host OS:
Runs Red Hat Enterprise Linux 8.2 or earlier with only base packages installed. Contrail Cloud installs RHEL 8.2 and all necessary packages as part of the installation process.
Is not running other virtual machines.
Has a network connection that can reach the Contrail Cloud Repository Satellite and has IPMI access to physical hardware.
Has a network connection that can be used for provisioning other infrastructure resources.
Has at least 500 GB space in the
/var
directory to host virtual machines, packages, and images.Has at least 40 GB RAM and 24 vCPUs.
Supports users such as a root user with password-less
sudo
permissions.Provides password-less SSH access in loopback for users with
sudo
permissions.Resolves Internet and satellite sites with DNS.
Has the time synchronized with an NTP source.
Deployment Sequence for Contrail Cloud Deployment
The following deployment sequence describes how to install, configure, and deploy Contrail Cloud.
If you an encounter an error in any step in the sequence, you can undo the step with the clean up feature. You reverse the installation sequence by running each script (using the “-c” argument) to get back to the desired state in the sequence. For example, to redeploy the Contrail Cloud and OpenStack clusters:
/var/lib/contrail_cloud/scripts/k8s-tf-operator-deploy.sh -c /var/lib/contrail_cloud/scripts/openstack-deploy.sh -c /var/lib/contrail_cloud/scripts/openstack-deploy.sh /var/lib/contrail_cloud/scripts/k8s-tf-operator-deploy.sh
When you clean the k8s-tf-operator-deploy.sh script, you must also clean the openstack-deploy.sh script and then deploy both to ensure that each has a consistent state.
- Install Contrail Cloud Installer on the Jump Host
- Prepare the Configuration Files
- Add Nodes to the Openstack Ironic Inventory
- Deploy Control Hosts
- Create VMs for all Control Roles
- Assign Compute Nodes
- Assign Storage Nodes
- Deploy the Kubernetes Cluster
- Deploy the OpenStack Cluster
- Deploy the Contrail Cloud Control Plane
- Validate the OpenStack Environment
- Install VNF Images and Templates
- Add New Compute and Storage Nodes
- Gather Logs
Install Contrail Cloud Installer on the Jump Host
The jump host is the Contrail Cloud host and is the starting point for deploying Contrail Cloud. Before you begin the installation, do the following:
Install Contrail Cloud
-
Untar the contrail_cloud_installer.sh on the jump host.
You can download the installer at: Juniper Networks Contrail Cloud Download Site.
Specify the activation key by setting the environment variables.
For example:
SATELLITE="contrail-cloud-satellite.juniper.net" SATELLITE_KEY="ak-my-account-key" SATELLITE_ORG=”ContrailCloud”
Verify that the installer script has the required permissions to install the packages. The packages are installed in the /var/lib/contrail_cloud directory.
./contrail_cloud_installer.sh \ --satellite_host ${SATELLITE} \ --satellite_key ${SATELLITE_KEY} \ --satellite_org ${SATELLITE_ORG}
Define site-specific information in the Ansible variables:
Change the directory to /var/lib/contrail_cloud/config.
Copy the sample /var/lib/contrail_cloud/samples/*.yml configuration files to the /var/lib/contrail_cloud/config directory.
Note:You can skip this step if you have existing configuration files in the config directory.
Add your activation key (satellite organization and FQDN) to the site.yml configuration file.
global: rhel: # Contrail Cloud Activation Key # These details are provided when you request an activation key from # contrail cloud subscriptions <contrail_cloud_subscriptions@juniper.net> # satellite: #SATELLITE_KEY should be defined in vault-data.yml file #SATELLITE_ORG organization: "ContrailCloud" #SATELLITE_FQDN fqdn: contrail-cloud-satellite.juniper.net
Customize the site.yml configuration file (/var/lib/contrail_cloud/config/site.yml) with site-specific settings for your environment. Ensure that the following fields are changed for each site:
global: # List of DNS nameservers dns: # Google Public DNS - "8.8.8.8" - "8.8.4.4" # List of NTP time servers ntp: # public pool.ntp.org - "0.pool.ntp.org" - "1.pool.ntp.org" - "2.pool.ntp.org" - "3.pool.ntp.org" # Timezone for all servers timezone: 'America/Los_Angeles' rhel: # Contrail Cloud Activation Key # These details are provided when you request an activation key from # contrail cloud subscriptions <contrail_cloud_subscriptions@juniper.net> # satellite: #SATELLITE_KEY should be defined in vault-data.yml file #SATELLITE_ORG organization: "ContrailCloud16" #SATELLITE_FQDN fqdn: contrail-cloud-satellite.juniper.net # DNS domain information. # Must be unique for every deployment to avoid name conflicts. # Need not be a registered DNS domain. domain: “my.unique.domain” jumphost: network: # network used for provisioning (PXE booting) servers provision: # jumphost nic to be used for provisioning (PXE booting) servers nic: eno1
Note:If you are deploying DPDK on an Intel X710 NIC, set the DPDK driver to
vfio-pci
in the site.yml configuration file as follows:overcloud: contrail: vrouter: dpdk: driver: "vfio-pci"
For a complete matrix of supported NIC and driver mapping, see theContrail Networking NIC Support Matrix.
-
Prepare the Ansible Vault. The vault allows you to keep sensitive data such as passwords or keys in encrypted files, rather than as plaintext in playbooks or roles.
-
Customize the vault-data.yml configuration file:
ansible-vault edit /var/lib/contrail_cloud/config/vault-data.yml
-
Change the password for the vault-encrypted file. The default password is
c0ntrail123
.ansible-vault rekey /var/lib/contrail_cloud/config/vault-data.yml
Note:Use a plain-text password to create the vault password. Using a plain-text password prevents Ansible from asking you for a password every time. When creating a the file for the
contrail
user, make sure it is read-only. We recommend that you delete the file after the deployment completes.sudo chown contrail /var/lib/contrail_cloud/config/.vault_password sudo chmod 0400 /var/lib/contrail_cloud/config/.vault_password
-
Add the satellite key to the vault by using the ansible-vault edit config/vault-data.yml command.
vault: global: rhel: # Contrail Cloud Activation Key satellite: #SATELLITE_KEY key: "ak-my-account-key"
-
Run the Ansible provisioning. The provisioning includes setting up the jump host, RHV Manager, and the undercloud (RHOSPd).
-
Make sure that you can establish an SSH connection without specifying a password:
sudo ssh localhost true
-
Install the automation scripts:
sudo /var/lib/contrail_cloud/scripts/install_contrail_cloud_manager.sh
When the provisioning is finished, a new user with the username
contrail
is created on the jump host and a new set of SSH keys is generated that gives the user access to the undercloud VM and the control hosts. The overcloud nodes, including the Contrail Insights nodes, are accessible by the heat-admin user and use a separate pair of keys stored on the undercloud VM, by default.Make sure that you change the default password in your vault-data.yml file as discussed above.
-
Contrail Cloud adds entries to the /home/contrail/.ssh/config
directory that includes the username used for each of the overcloud
nodes (and the undercloud). This means you can use ssh undercloud
or ssh <address>
without specifying a user.
You can authorize the contrail
user keys for a heat-admin
by defining them in the site.yml configuration file:
global: service_user: use_ssh_key_in_overcloud: true
Use the contrail
user to run all subsequent operations
in Contrail Cloud from the /var/lib/contrail_cloud/scripts directory:
su - contrail cd /var/lib/contrail_cloud/scripts
The contrail user’s SSH keys are authorized by
the root. This means that the contrail user can SSH to root
on the jump host.
Prepare the Configuration Files
Table 1 describes the configuration files that you use in Contrail Cloud. See Appendix A for the corresponding sample YAML files.
You can validate your configuration files at any time by running the /var/lib/contrail_cloud/scripts/node-configuration.py script. This script loads all the configuration files, checks the syntax, and verifies that the structures and values conform to the schema. You can use different arguments with the Python script depending on the results you are looking for.
Secured registry is used as of Contrail Cloud Release 16.3. You must provide your
container image registry credentials in your vault-data.yml
file. From
the jump host, see
/var/lib/contrail_cloud/samples/unencrypted-vault-data.yml
for more
information and vault data example. Always update your vault-data.yml
file with your most recent credentials before performing any deployment activities.
You can copy the sample files from the /var/lib/contrail_cloud/samples/ directory on your jump host.
Configuration Settings |
Filename and Location |
Description |
---|---|---|
Site settings |
|
Defines the properties for your deployment environment. The properties in this file are unique for every deployment and need to be customized. |
Inventory settings |
|
Defines all servers used by Contrail Cloud. |
Control hosts settings |
To ensure high availability of the control functions, you must define the three control hosts in your configuration and also in the inventory.yml file. |
Defines the server and network properties for each control host. Runs virtual machines for all Contrail Cloud control functions. The VMs created on the control hosts include:
To host the control VMs, the control host must meet the following minimum specifications:
|
Kubernetes host settings |
|
Defines the Kubernetes VMs host nodes. |
Overcloud network settings |
|
Roles that are deployed to the OpenStack and Contrail Insights VMs. Defines the network layout for each role. |
Compute node settings |
|
Defines the compute resources and host aggregates. You also manage host aggregates and match them with availability zones in this file. You must also define the compute nodes in the |
Storage node settings |
|
Defines the storage nodes that run Ceph storage services. You must define a minimum of three storage hosts to ensure high
availability of the storage functions. You must also define the storage
nodes in the |
Vault data settings |
|
Encrypted file that holds all sensitive user data, such as passwords, product keys, user data and secured registry information. |
Add Nodes to the Openstack Ironic Inventory
The /var/lib/contrail_cloud/scripts/inventory-assign.sh script adds all nodes you define in the inventory.yml
file to the ironic inventory. The nodes added to the ironic inventory
are managed by Contrail Cloud.
To add nodes to the ironic inventory:
Deploy Control Hosts
A control host is a hypervisor running on a server that hosts virtualized control functions as controller nodes. Controller nodes are VMs responsible for managing server functions. The control-hosts-deploy.sh script assigns all nodes that are defined in the /var/lib/contrail_cloud/config/control-host-nodes.yml file as control hosts. The hosts are imaged, booted, configured, and prepared to host the overcloud control plane VMs.
To deploy control host roles to the inventory:
Create VMs for all Control Roles
The control-vms-deploy.sh script imports VM details into the ironic inventory.
To create VMs for control roles:
Assign Compute Nodes
A compute node is a server that hosts virtual machines that provide services over the network. The compute-nodes-assign.sh script assigns the Nova compute role for all nodes that you define in the compute-nodes.yml configuration file (/var/lib/contrail_cloud/config/compute-nodes.yml).
To assign compute nodes:
Assign Storage Nodes
Storage nodes are servers whose purpose is storing data. Storage
nodes run Red Hat Ceph storage software in Contrail Cloud. The storage-nodes-assign.yml playbook assigns the Ceph
storage role for all nodes that are defined in the storage-nodes.yml
(/var/lib/contrail_cloud/config/sorage-nodes.yml) file.
To assign storage nodes:
Deploy the Kubernetes Cluster
The Kubernetes (k8s) cluster is used to provide the infrastructure for the Contrail control plane, which is deployed adjacently (i.e. outside of) the overcloud OpenStack cluster. The k8s-cluster-deploy.sh script initiates the deployment of the Kubernetes cluster.
To deploy the Kubernetes cluster:
Deploy the OpenStack Cluster
The openstack-deploy.sh script deploys the OpenStack overcloud with all control functions and all compute and storage resources that were defined in the previous playbooks.
To deploy the OpenStack cluster:
Deploy the Contrail Cloud Control Plane
The k8s-tf-operator-deploy.sh script deploys the services that make up the Contrail control plane into Kubernetes.
This deployment is best done in parallel with the openstack-deploy.sh to allow both clusters to more efficiently synchronize with each other.
To deploy the control plane:
Validate the OpenStack Environment
You can validate and check that the environment By default,
tests that require floating IPs (FIPs) are skipped. You can execute
the provision-sdn-gateway.sh
script before validation to
provision SDN gateways and external network that can be used by Tempest.
Tempest is set of integration tests to be run against a live OpenStack
cluster. You can find examples of the object definitions in the site.yml file (/var/lib/contrail_cloud/samples/features/provision-sdn-gateway/site.yml).
Use the overcloud-validation.sh script to run Tempest test collections in newly deployed environments. The script downloads a CirrOS VM image, uploads it to the overcloud, and creates new flavors. After the script execution, results of the test can be found in the undercloud home directory where two files are created:
tempest-subunit-smoke.xml
tempest-subunit-full.xml
The first line of the file shows the number of failures and the total count of conducted tests.
Install VNF Images and Templates
You can use Horizon or OpenStack command-line clients to install Glance images and Heat templates for the VNF services.
Add New Compute and Storage Nodes
To add new compute and storage nodes to an existing environment:
Update the inventory.yml configuration file and run the inventory-assign.sh script.
Update the compute-nodes.yml configuration file with the new nodes, and run the compute-nodes-assign.sh script.
Update the storage-nodes.yml configuration file with the new nodes, and run the storage-nodes-assign.sh script.
Rerun the openstack-deploy.sh script.
Gather Logs
You can run a script that gathers important log, configuration, and status data from your deployed nodes all into one place. his script is useful tif you need specific information for troubleshooting or while making support calls.
We recommend you use the script after a successful deployment to provide a baseline that can be compared against future upgrades or failures. To archive the configuration, status, and logs from the deployment:
/var/lib/contrail_cloud/scripts/collect_data.sh -r all
The usage description of the collect_data.sh
script is as follows:
Usage: [-r ROLES ] [ -d ] [ -h|? ] -r ROLES collect data from specific role or environment. Possible values for ROLES: jumphost, undercloud, rhvm, control_hosts, k8s_hosts, openstack_controllers, contrail_tsn, compute_nodes, storage_nodes,contrail-insights_controller. You can specify multiple roles, eg. -r \"undercloud jumphost \" If not set data will be collected from all hosts. -d enable debugging messages -e external config -h print usage information