diff --git a/.gitignore b/.gitignore index 3dba62b..f48defe 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ temp 09_apigw/krakend/dockerfiles/krakend* 08_keycloak/ansible/archives/keycloak-12.0.2.tar.gz 08_keycloak/ansible/centos/archives/keycloak-12.0.2.tar.gz +01_template/ssh/id_ecdsa diff --git a/00_proliant/00_addumy.sh b/00_proliant/00_addumy.sh deleted file mode 100755 index c6ff4b0..0000000 --- a/00_proliant/00_addumy.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -modprobe dummy -echo "dummy" > /etc/modules-load.d/dummy.conf -echo "options dummy numdummies=1" > /etc/modprobe.d/dummy.conf diff --git a/00_proliant/00_packages.sh b/00_proliant/00_packages.sh new file mode 100755 index 0000000..f2d8708 --- /dev/null +++ b/00_proliant/00_packages.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +dnf -y install mc openvswitch3.3 git qemu-kvm libvirt virt-manager virt-install uuid + diff --git a/00_proliant/01_newnet.sh b/00_proliant/01_newnet.sh deleted file mode 100755 index 706442d..0000000 --- a/00_proliant/01_newnet.sh +++ /dev/null @@ -1,56 +0,0 @@ -#!/bin/bash - -MAC=`hexdump -vn3 -e '/3 "52:54:00"' -e '/1 ":%02x"' -e '"\n"' /dev/urandom` -NUM=$1 - -if [ -z "$1" ] - then - echo "No argument supplied" - exit 1 -fi - -virsh net-destroy default -virsh net-autostart --disable default - - -echo "MACADDR=${MAC}" > /etc/sysconfig/virbr${NUM}-dummy - -cat << EOF | sed s/XXX/${NUM}/g > /etc/sysconfig/network-scripts/virbr${NUM} -DEVICE="virbrXXX" -ONBOOT="yes" -TYPE=Bridge -IPADDR=10.1.XXX.1 -NETMASK=255.255.255.0 -BOOTPROTO=static -NM_CONTROLED="no" -EOF - -cat << EOF | sed s/XXX/${NUM}/g | sed s/YYY/${MAC}/g > /etc/sysconfig/network-scripts/virbr${NUM}-dummy -DEVICE="virbrXXX-dummy" -MACADDR=YYY -ONBOOT=yes -TYPE=Dummy -NM_CONTROLLED=no -BRIDGE=virbrXXX -EOF - -ifup virbr${NUM} - -systemctl daemon-reload -systemctl enable dummy@virbr${NUM}.service -systemctl start dummy@virbr${NUM}.service - -virsh net-undefine virbr${NUM} - -cat << EOF | sed s/XXX/${NUM}/g > /tmp/virbr${NUM}.xml - - virbrXXX - - - -EOF - -virsh net-define /tmp/virbr${NUM}.xml -virsh net-autostart --network virbr${NUM} -virsh net-start virbr${NUM} -rm -f /tmp/virbr${NUM}.xml diff --git a/00_proliant/02_iptables.sh b/00_proliant/02_iptables.sh deleted file mode 100755 index ac01956..0000000 --- a/00_proliant/02_iptables.sh +++ /dev/null @@ -1,4 +0,0 @@ -cp include/iptables.save /etc/sysconfig/iptables -yum install -y iptables-services -systemctl enable iptables -systemctl start iptables diff --git a/00_proliant/02_libvirtd.sh b/00_proliant/02_libvirtd.sh new file mode 100644 index 0000000..abaaacb --- /dev/null +++ b/00_proliant/02_libvirtd.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +systemctl enable libvirtd +systemctl start libvirtd diff --git a/00_proliant/03_storage.sh b/00_proliant/03_storage.sh new file mode 100644 index 0000000..c881d42 --- /dev/null +++ b/00_proliant/03_storage.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +lvcreate -L+20G -n iso rootvg +lvcreate -L+100G -n vms rootvg + diff --git a/00_proliant/04_libvirt-network.sh b/00_proliant/04_libvirt-network.sh new file mode 100755 index 0000000..3794496 --- /dev/null +++ b/00_proliant/04_libvirt-network.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +ovs-vsctl add-br br-pub0 +#nmcli con up br-pub0 +ip link set dev br-pub0 up +#nmcli con modify br-pub0 connection.autoconnect true +nmcli con add type vlan con-name vlan8 ifname vlan8 dev br-pub0 id 8 ip4 10.1.8.1/24 connection.autoconnect true +nmcli con up vlan8 +echo "net.ipv4.conf.vlan8.forwarding=1" > /etc/sysctl.d/10-vlan8-forwarding.conf +echo "net.ipv4.conf.eno1.forwarding=1" > /etc/sysctl.d/10-eno1-forwarding.conf + +virsh net-define libvirt-network/public.xml +virsh net-start public +virsh net-autostart public diff --git a/00_proliant/04_ovn_network.sh b/00_proliant/04_ovn_network.sh new file mode 100755 index 0000000..b07adba --- /dev/null +++ b/00_proliant/04_ovn_network.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +ovs-vsctl add-br br-int0 +#nmcli con up br-int0 +ip link set dev br-int0 up +#nmcli con modify br-int0 connection.autoconnect true +nmcli con add type vlan con-name vlan64 ifname vlan64 dev br-int0 id 64 ip4 10.2.64.1/24 connection.autoconnect true +nmcli con up vlan64 +echo "net.ipv4.conf.vlan64.forwarding=1" > /etc/sysctl.d/10-vlan64-forwarding.conf + +virsh net-define libvirt-network/ovn.xml +virsh net-start ovn +virsh net-autostart ovn diff --git a/00_proliant/05_vlan8-nat.sh b/00_proliant/05_vlan8-nat.sh new file mode 100755 index 0000000..dec4aa0 --- /dev/null +++ b/00_proliant/05_vlan8-nat.sh @@ -0,0 +1,4 @@ +nft add table nat +nft 'add chain nat postrouting { type nat hook postrouting priority 100 ; }' + +nft add rule nat postrouting ip saddr 10.1.8.0/24 oif eno1 masquerade diff --git a/00_proliant/06_nftables.sh b/00_proliant/06_nftables.sh new file mode 100755 index 0000000..28669b8 --- /dev/null +++ b/00_proliant/06_nftables.sh @@ -0,0 +1,17 @@ +#!/bin/bash + +# Flush existing rules +nft flush ruleset + +# Create NAT table and chains +nft add table ip nat +nft add chain ip nat prerouting { type nat hook prerouting priority 0 \; } +nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; } + +# NAT rule for outgoing traffic to the internet +nft add rule ip nat postrouting oif "eno1" ip saddr 10.1.4.0/24 ip daddr != 192.168.1.0/24 ip daddr != 10.2.0.0/16 counter snat to 192.168.1.228 +nft add rule ip nat postrouting oif "eno1" ip saddr 10.1.8.0/24 ip daddr != 192.168.1.0/24 ip daddr != 10.2.0.0/16 counter snat to 192.168.1.228 +nft add rule ip nat postrouting oif "eno1" ip saddr 10.1.16.0/24 ip daddr != 192.168.1.0/24 ip daddr != 10.2.0.0/16 counter snat to 192.168.1.228 + +# Accept rule for local traffic to 192.168.1.0/24 and 10.2.0.0/16 +nft add rule ip nat postrouting oif "eno1" ip daddr { 192.168.1.0/24, 10.2.0.0/16 } counter accept diff --git a/00_proliant/06_nftables_bsegment.sh b/00_proliant/06_nftables_bsegment.sh new file mode 100755 index 0000000..6089eb5 --- /dev/null +++ b/00_proliant/06_nftables_bsegment.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +# Flush existing rules +nft flush ruleset + +# Create NAT table and chains +nft add table ip nat +nft add chain ip nat prerouting { type nat hook prerouting priority 0 \; } +nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; } + +# NAT rule for outgoing traffic to the internet +nft add rule ip nat postrouting oif "eno1" ip saddr 10.1.0.0/16 ip daddr != 192.168.1.0/24 ip daddr != 10.2.0.0/16 ip daddr != 10.1.0.0/16 counter snat to 192.168.1.228 +nft add rule ip nat postrouting oif "eno1" ip saddr 10.2.0.0/16 ip daddr != 192.168.1.0/24 ip daddr != 10.2.0.0/16 ip daddr != 10.1.0.0/16 counter snat to 192.168.1.228 + +# Accept rule for local traffic to 192.168.1.0/24 and 10.2.0.0/16 +nft add rule ip nat postrouting oif "eno1" ip daddr { 192.168.1.0/24, 192.168.2.0/24 } counter accept diff --git a/00_proliant/99_service.sh b/00_proliant/99_service.sh new file mode 100755 index 0000000..7072efd --- /dev/null +++ b/00_proliant/99_service.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +SERVICE=$1 + +systemctl enable $1 +systemctl start $1 diff --git a/00_proliant/99_vlans.sh b/00_proliant/99_vlans.sh new file mode 100755 index 0000000..3b9c4b2 --- /dev/null +++ b/00_proliant/99_vlans.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +ID=$1 +RE='^[0-9]+$' + + + ! [[ "$1" =~ $RE ]] && echo "Add correct vlan id" + [[ "$1" -ge 4095 ]] && echo "Add correct vlan id" + +nmcli con add type vlan con-name vlan$ID ifname vlan$ID dev br-pub0 id $ID ip4 10.1.$ID.1/24 connection.autoconnect true +nmcli con up vlan$ID + +sysctl -w net.ipv4.conf.vlan$ID.forwarding=1 + +echo "net.ipv4.conf.vlan$ID.forwarding=1" > /etc/sysctl.d/10-vlan$ID-forwarding.conf diff --git a/00_proliant/include/anaconda-ks.cfg b/00_proliant/include/anaconda-ks.cfg deleted file mode 100644 index bd54d43..0000000 --- a/00_proliant/include/anaconda-ks.cfg +++ /dev/null @@ -1,56 +0,0 @@ -#version=RHEL8 -ignoredisk --only-use=sda -# Partition clearing information -clearpart --none --initlabel -# Use graphical install -graphical -repo --name="AppStream" --baseurl=file:///run/install/repo/AppStream -# Use CDROM installation media -cdrom -# Keyboard layouts -keyboard --vckeymap=us --xlayouts='us' -# System language -lang en_US.UTF-8 - -# Network information -network --bootproto=dhcp --device=eno1 --onboot=off --ipv6=auto --no-activate -network --bootproto=dhcp --device=eno2 --onboot=off --ipv6=auto -network --bootproto=dhcp --device=eno3 --onboot=off --ipv6=auto -network --bootproto=dhcp --device=eno4 --onboot=off --ipv6=auto -network --hostname=localhost.localdomain -# Root password -rootpw --iscrypted $6$/qHnlNSnyPTpmjKL$yDslOPd4/Egu70Bjx0EU5PtzkCj9GE.BqVBu/gM3v3zSg4m0O7Q8rOwh4dVwO.2VXMg0CaaOvmS6zKfrlMTil1 -# Run the Setup Agent on first boot -firstboot --enable -# Do not configure the X Window System -skipx -# System services -services --enabled="chronyd" -# System timezone -timezone America/New_York --isUtc -# Disk partitioning information -part /boot --fstype="ext4" --ondisk=sda --size=1024 --label=boot -part pv.382 --fstype="lvmpv" --ondisk=sda --size=20484 -volgroup rootvg --pesize=4096 pv.382 -logvol /usr --fstype="ext4" --size=4096 --label="usr" --name=usr --vgname=rootvg -logvol / --fstype="ext4" --size=2048 --label="root" --name=root --vgname=rootvg -logvol /var --fstype="ext4" --size=4096 --label="var" --name=var --vgname=rootvg -logvol /tmp --fstype="ext4" --size=2048 --label="tmp" --name=tmp --vgname=rootvg -logvol /home --fstype="ext4" --size=2048 --label="home" --name=home --vgname=rootvg - -%packages -@^virtualization-host-environment -@virtualization-platform -kexec-tools - -%end - -%addon com_redhat_kdump --enable --reserve-mb='auto' - -%end - -%anaconda -pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty -pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok -pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty -%end diff --git a/00_proliant/include/dummy@.service b/00_proliant/include/dummy@.service deleted file mode 100644 index f3ea11f..0000000 --- a/00_proliant/include/dummy@.service +++ /dev/null @@ -1,16 +0,0 @@ -# '%i' becomes 'virbr10' when running `systemctl start dnsmasq@virbr10.service` -# Remember to run `systemctl daemon-reload` after creating or editing this file. - -[Unit] -Description=Dummy network interface for %i -After=network.target - -[Service] -Type=oneshot -RemainAfterExit=yes -EnvironmentFile=/etc/sysconfig/%i-dummy -ExecStartPre=-/sbin/ip link add %i-dummy address ${MACADDR} type dummy ; ifup %i -ExecStart=/sbin/ip link set %i-dummy master %i ; ifup %i-dummy - -[Install] -WantedBy=multi-user.target diff --git a/00_proliant/include/iptables.save b/00_proliant/include/iptables.save deleted file mode 100644 index f7a10cc..0000000 --- a/00_proliant/include/iptables.save +++ /dev/null @@ -1,15 +0,0 @@ -# This format is understood by iptables-restore. See `man iptables-restore`. -*nat -:PREROUTING ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -# Do not masquerade to these reserved address blocks. --A POSTROUTING -s 10.1.0.0/16 -d 224.0.0.0/16 -j RETURN --A POSTROUTING -s 10.1.0.0/16 -d 255.255.255.255/32 -j RETURN -# Masquerade all packets going from VMs to the LAN/Internet. --A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.16.0/16 -p tcp -j MASQUERADE --to-ports 1024-65535 --A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.16.0/16 -p udp -j MASQUERADE --to-ports 1024-65535 --A POSTROUTING -s 10.1.0.0/16 ! -d 192.168.1.224/27 -p tcp -j MASQUERADE --to-ports 1024-65535 --A POSTROUTING -s 10.1.0.0/16 ! -d 192.168.1.224/27 -p udp -j MASQUERADE --to-ports 1024-65535 --A POSTROUTING -s 10.1.0.0/16 ! -d 10.1.0.0/16 -j MASQUERADE -COMMIT diff --git a/00_proliant/include/sysctl.conf b/00_proliant/include/sysctl.conf deleted file mode 100644 index b44aa8d..0000000 --- a/00_proliant/include/sysctl.conf +++ /dev/null @@ -1,2 +0,0 @@ -sysctl -w net.ipv4.ip_forward=1 -sysctl -w net.ipv4.conf.all.forwarding=1 diff --git a/00_proliant/isolation-cpu.md b/00_proliant/isolation-cpu.md deleted file mode 100644 index f435fe4..0000000 --- a/00_proliant/isolation-cpu.md +++ /dev/null @@ -1,5 +0,0 @@ -#### CPU Issolation - -For dedicating proc just for host and irq, can be feasible to split cpus core just for workload (guest machine), console and hw stuff. -For this purpose we have to add isoaltion_cpus stanza to the kernel parameters. Next posible tweaking can be settting of vcpu realtime -kernel. diff --git a/00_proliant/issue-readme.md b/00_proliant/issue-readme.md deleted file mode 100644 index 61bc3dc..0000000 --- a/00_proliant/issue-readme.md +++ /dev/null @@ -1,33 +0,0 @@ -[root@dl380 libvirt]# virsh start freeipa.lab.local -error: Failed to start domain freeipa.lab.local -error: Cannot set scheduler parameters for pid 5861: Operation not permitted - -[root@dl380 libvirt]# sysctl -a | grep kernel.sched_rt_runtime_us -kernel.sched_rt_runtime_us = 950000 -[root@dl380 libvirt]# sysctl -q kernel.sched_rt_runtime_us=-1 -[root@dl380 libvirt]# sysctl -a | grep kernel.sched_rt_runtime_us -kernel.sched_rt_runtime_us = -1 -[root@dl380 libvirt]# virsh start freeipa.lab.local -Domain freeipa.lab.local started - -[root@dl380 libvirt]# sysctl -a | grep kernel.sched_rt_runtime_us^C -[root@dl380 libvirt]# htop -[root@dl380 libvirt]# systemctl status tuned -● tuned.service - Dynamic System Tuning Daemon - Loaded: loaded (/usr/lib/systemd/system/tuned.service; enabled; vendor preset: enabled) - Active: active (running) since Thu 2021-04-01 13:34:56 CEST; 1h 4min ago - Docs: man:tuned(8) - man:tuned.conf(5) - man:tuned-adm(8) - Main PID: 1745 (tuned) - Tasks: 4 (limit: 822932) - Memory: 19.8M - CGroup: /system.slice/tuned.service - └─1745 /usr/libexec/platform-python -Es /usr/sbin/tuned -l -P - -Apr 01 13:34:55 dl380 systemd[1]: Starting Dynamic System Tuning Daemon... -Apr 01 13:34:56 dl380 systemd[1]: Started Dynamic System Tuning Daemon. -[root@dl380 libvirt]# systemctl stop tuned -[root@dl380 libvirt]# systemctl disable tuned -Removed /etc/systemd/system/multi-user.target.wants/tuned.service. - diff --git a/00_proliant/libvirt-network/ovn.xml b/00_proliant/libvirt-network/ovn.xml new file mode 100644 index 0000000..7026bc8 --- /dev/null +++ b/00_proliant/libvirt-network/ovn.xml @@ -0,0 +1,11 @@ + + ovn + 88115f4c-3e06-4a29-8d4d-e1648358324b + + + + + + + + diff --git a/00_proliant/libvirt-network/public.xml b/00_proliant/libvirt-network/public.xml new file mode 100644 index 0000000..0c47f6a --- /dev/null +++ b/00_proliant/libvirt-network/public.xml @@ -0,0 +1,17 @@ + + public + 9cdde189-9298-4de1-a513-d2e4d8ac8cef + + + + + + + + + + + + + + diff --git a/01_tcentos7/kickstart/anaconda-ks.cfg b/01_tcentos7/kickstart/anaconda-ks.cfg deleted file mode 100644 index 519dfe6..0000000 --- a/01_tcentos7/kickstart/anaconda-ks.cfg +++ /dev/null @@ -1,57 +0,0 @@ -#version=DEVEL -# System authorization information -auth --enableshadow --passalgo=sha512 -# Use CDROM installation media -cdrom -# Use graphical install -graphical -# Run the Setup Agent on first boot -firstboot --enable -ignoredisk --only-use=sda -# Keyboard layouts -keyboard --vckeymap=us --xlayouts='us' -# System language -lang en_US.UTF-8 - -# Network information -network --bootproto=dhcp --device=ens3 --onboot=off --ipv6=auto --no-activate -network --hostname=localhost.localdomain - -# Root password -rootpw --iscrypted $6$4AbadjvCZuk07Aq.$hCOlIiq7mqytsuuM7FkeNz/44TMB/8mw.jOD0I3NWU9PrktBNkBpcuhJhjnhIsUHpldZWrKhxUeUX3zWLe7e40 -# System services -services --enabled="chronyd" -# System timezone -timezone America/New_York --isUtc -# System bootloader configuration -bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda -# Partition clearing information -clearpart --none --initlabel -# Disk partitioning information -part pv.375 --fstype="lvmpv" --ondisk=sda --size=14344 -part /boot --fstype="ext4" --ondisk=sda --size=1024 --label=boot -volgroup rootvg --pesize=4096 pv.375 -logvol swap --fstype="swap" --size=2048 --name=swap --vgname=rootvg -logvol / --fstype="ext4" --size=2048 --label="root" --name=root --vgname=rootvg -logvol /home --fstype="ext4" --size=2048 --label="home" --name=home --vgname=rootvg -logvol /tmp --fstype="ext4" --size=2048 --label="tmp" --name=tmp --vgname=rootvg -logvol /usr --fstype="ext4" --size=4096 --label="usr" --name=usr --vgname=rootvg -logvol /var --fstype="ext4" --size=2048 --label="var" --name=var --vgname=rootvg - -%packages -@^minimal -@core -chrony -kexec-tools - -%end - -%addon com_redhat_kdump --enable --reserve-mb='auto' - -%end - -%anaconda -pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty -pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok -pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty -%end diff --git a/01_tcentos7/make-template.sh b/01_tcentos7/make-template.sh deleted file mode 100755 index 4a2c566..0000000 --- a/01_tcentos7/make-template.sh +++ /dev/null @@ -1,7 +0,0 @@ -#yum install -y virt-install -#yum install -y libguestfs-tools -virt-clone --original centos7 --name t_centos7 --auto-clone -w=$(virt-sysprep --list-operations | egrep -v 'fs-uuids|lvm-uuids|ssh-userdir|ssh-hostkeys|bash-history' | awk '{ printf "%s,", $1}' | sed 's/,$//') -virt-sysprep -d t_centos7 --hostname centos7 --enable $w -mv /data/vms/t_centos7.qcow2 /data/templates/t_centos7 -virsh undefine t_centos7 diff --git a/01_tcentos7/make_base_image.sh b/01_tcentos7/make_base_image.sh deleted file mode 100644 index f494197..0000000 --- a/01_tcentos7/make_base_image.sh +++ /dev/null @@ -1,32 +0,0 @@ -# Create a folder for our new root structure -export centos_root='/centos_image/rootfs' -mkdir -p $centos_root -# initialize rpm database -rpm --root $centos_root --initdb -# download and install the centos-release package, it contains our repository sources -yum reinstall --downloadonly --downloaddir . centos-release -rpm --root $centos_root -ivh centos-release*.rpm -rpm --root $centos_root --import $centos_root/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 -install yum without docs and install only the english language files during the process -yum -y --installroot=$centos_root --setopt=tsflags='nodocs' --setopt=override_install_langs=en_US.utf8 install yum -# configure yum to avoid installing of docs and other language files than english generally -sed -i "/distroverpkg=centos-release/a override_install_langs=en_US.utf8\ntsflags=nodocs" $centos_root/etc/yum.conf - -# chroot to the environment and install some additional tools -cp /etc/resolv.conf $centos_root/etc -chroot $centos_root /bin/bash </root/.ssh/authorized_keys +ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGTWpkHDuiMAZYkTfaAqcCRoPXgpMRMSa1+unxzhUO9/SZyBr2w0sWQGUeDp1+3g54HZ8ItV0fUK4acDKCckOkSTQGkQDNXAvJ1sZIQP2/7CbwVOOs5B3ZLY63pdqwL2i3nWZbZ4spGzepJ8oPGYXv5Egb/KWt+6W5vPb8RcM/YltWFCw== localhost +EOF + +chmod 0600 /root/.ssh/authorized_keys + +restorecon -R /root/.ssh/ + +systemctl enable sshd.service + +# sed -iE 's/wheel:x:10:/wheel:x:10:veldrane/g' /etc/group +sed -E 's/(\#auth)(\s+sufficient\s+pam_wheel.so)/auth\2/g' -i /etc/pam.d/su + +yum upgrade -y +%end + +# Reboot the node +reboot diff --git a/01_template/kickstart/rocky9-template.sh b/01_template/kickstart/rocky9-template.sh new file mode 100755 index 0000000..8f4f043 --- /dev/null +++ b/01_template/kickstart/rocky9-template.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +KICKSTART="/root/lab/01_template/kickstart/kickstart.cfg" + +mkdir -p /data/vms/rocky9 + +virt-install \ +--name rocky9 \ +--ram 2048 \ +--vcpus 2 \ +--disk bus=virtio,path=/data/vms/rocky9/rootvg.qcow2,format=qcow2,size=20 \ +--os-variant rocky9 \ +--network model=virtio,network=public \ +--xml './devices/interface/vlan/tag/@id=8' \ +--graphics none \ +--location /data/iso/Rocky-9.4-x86_64-dvd.iso \ +--initrd-inject=$KICKSTART \ +--extra-args="inst.ks=file:/kickstart.cfg console=tty0 console=ttyS0,115200n8" diff --git a/01_template/make-template.sh b/01_template/make-template.sh new file mode 100755 index 0000000..cd83e3c --- /dev/null +++ b/01_template/make-template.sh @@ -0,0 +1,6 @@ +virt-clone --original rocky9 --name basevm -f /data/vms/templates/basevm.qcow2 +w=$(virt-sysprep --list-operations | egrep -v 'fs-uuids|lvm-uuids|ssh-userdir|ssh-hostkeys|bash-history' | awk '{ printf "%s,", $1}' | sed 's/,$//') +virt-sysprep -d basevm --hostname basevm --enable $w +cp /data/vms/basevm.qcow2 /data/templates/basevm.qcow2 +#virsh dumpxml basevm > /data/vms/templates/basevm.xml +virsh undefine basevm diff --git a/02_freeipa/01_make_vm.sh b/02_freeipa/01_make_vm.sh index 6187a8e..9250269 100755 --- a/02_freeipa/01_make_vm.sh +++ b/02_freeipa/01_make_vm.sh @@ -1,7 +1,7 @@ #!/bin/bash -mkdir /data/vms/freeipa.lab.local -virt-clone --original-xml /data/templates/t_centos7/t_centos7.xml --name freeipa.lab.local --file /data/vms/freeipa.lab.local/rootvg.qcow2 -virsh setmaxmem freeipa.lab.local 2G --config -virsh setmem freeipa.lab.local 2G --config -virsh autostart freeipa.lab.local -virsh start freeipa.lab.local +mkdir /data/vms/freeipa.lab.syscallx86.com +virt-clone --original-xml /data/vms/templates/basevm.xml --name freeipa.lab.syscallx86.com --file /data/vms/freeipa.lab.syscallx86.com/rootvg.qcow2 +virsh setmaxmem freeipa.lab.syscallx86.com 2G --config +virsh setmem freeipa.lab.syscallx86.com 2G --config +virsh autostart freeipa.lab.syscallx86.com +virsh start freeipa.lab.syscallx86.com diff --git a/02_freeipa/99_disable_dnssec_forwarders.md b/02_freeipa/99_disable_dnssec_forwarders.md new file mode 100644 index 0000000..bb43e5a --- /dev/null +++ b/02_freeipa/99_disable_dnssec_forwarders.md @@ -0,0 +1,24 @@ +## https://www.freeipa.org/page/V4/DNSSEC_Support + +It is necessary to add: + +``` +options { + dnssec-validation no; +} +``` + +to named configuration of ip. Without that dsn resolving for external hosts wont work properly + +ALso is necessary to allow recursive query for other vlans: + +https://serverfault.com/questions/1078706/freeipa-external-dns-requests-google-etc-fail-for-clients-on-new-subnet + + +```/etc/named/ipa-ext.conf +acl "trusted_network" { + 127.0.0.1; + 192.168.1.0/24; + 10.1.0.0/16; +}; +``` diff --git a/02_freeipa/ansible/.01_prepare_nodes.yaml.swp b/02_freeipa/ansible/.01_prepare_nodes.yaml.swp deleted file mode 100644 index 2096822..0000000 Binary files a/02_freeipa/ansible/.01_prepare_nodes.yaml.swp and /dev/null differ diff --git a/02_freeipa/ansible/01_prepare_nodes.yaml b/02_freeipa/ansible/01_prepare_nodes.yaml index 209458e..0c89e0e 100644 --- a/02_freeipa/ansible/01_prepare_nodes.yaml +++ b/02_freeipa/ansible/01_prepare_nodes.yaml @@ -23,7 +23,7 @@ shell: mkdir /data/vms/{{ hostname }}.{{ domain }} - name: Clone template - shell: virt-clone --original-xml /data/templates/t_centos7/t_centos7.xml --name {{ fqdn }} --file /data/vms/{{ fqdn }}/rootvg.qcow2 + shell: virt-clone --original-xml /data/vms/templates/basevm.xml --name {{ fqdn }} --file /data/vms/{{ fqdn }}/rootvg.qcow2 - name: Change rootvg size shell: qemu-img resize /data/vms/{{ fqdn }}/rootvg.qcow2 +{{ rootvg_size - 20 }}G @@ -41,7 +41,7 @@ -- hosts: centos7 +- hosts: basevm become: true gather_facts: no tasks: @@ -56,7 +56,7 @@ shell: echo "{{ fqdn }}" > /etc/hostname - name: Add hosts to hostname - shell: echo "{{ ip }} {{ hostname }} {{ fqdn }}" >> /etc/hosts + shell: echo "{{ ip }} {{ fqdn }} {{ hostname }}" >> /etc/hosts - name: Resize partition shell: printf 'd\n2\np\nn\np\n2\n\n\nt\n2\n8e\nw' | fdisk /dev/vda @@ -69,14 +69,11 @@ shell: pvresize /dev/vda2 - name: Add an Ethernet connection with static IP configuration - shell: nmcli connection modify eth0 ipv4.addresses {{ ip }}/24 ipv4.method manual ipv4.dns "{{ ipaip }}" + shell: nmcli connection modify enp1s0 ipv4.addresses {{ ip }}/24 ipv4.method manual ipv4.dns "{{ ipaip }}" - name: Install additional packages shell: yum install -y ipa-client sssd openldap-clients krb5-workstation - - name: Enable make dir option for new users - shell: authconfig --enablemkhomedir --update - - name: Update sshd config - part 1 shell: echo "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" >> /etc/ssh/sshd_config @@ -104,9 +101,5 @@ shell: "virsh destroy {{ fqdn }}" ignore_errors: yes - - name: "Change virbr interface" - shell: virt-xml {{ fqdn }} --edit -w vnet0 --network bridge=virbr{{ virbr }} - - - name: "Start domain" shell: "virsh start {{ fqdn }}" diff --git a/02_freeipa/ansible/02_install_ipa.yaml b/02_freeipa/ansible/02_install_ipa.yaml index 9ec6e68..2e3e716 100644 --- a/02_freeipa/ansible/02_install_ipa.yaml +++ b/02_freeipa/ansible/02_install_ipa.yaml @@ -28,7 +28,7 @@ include: include/_setup_vars.yaml - name: Setup temporary external DNS - shell: echo "nameserver 8.8.8.8" > /etc/resolv.conf + shell: nmcli connection modify enp1s0 ipv4.dns 8.8.8.8 ; systemctl restart NetworkManager - name: Install prereq packages shell: yum install ipa-server ipa-server-dns -y @@ -39,9 +39,6 @@ - name: Allow https on firewalld shell: firewall-cmd --add-service=https --add-service=ldap --add-service=ldaps --add-service=kerberos --add-service=kpasswd --add-service=dns --permanent ; firewall-cmd --reload - - name: Setup temporary external DNS - shell: echo "nameserver {{ ip }}" > /etc/resolv.conf - - name: Customize /etc/hosts shell: sed -i -E "/{{ ip }}/d" /etc/hosts ; echo "{{ ip }} {{ fqdn }} {{ hostname }}" >> /etc/hosts diff --git a/02_freeipa/ansible/03_add_groups.yaml b/02_freeipa/ansible/03_add_groups.yaml index 61d1f04..7e47445 100644 --- a/02_freeipa/ansible/03_add_groups.yaml +++ b/02_freeipa/ansible/03_add_groups.yaml @@ -1,5 +1,5 @@ --- -- hosts: freeipa.lab.local +- hosts: freeipa.lab.syscallx86.com become: true gather_facts: no tasks: @@ -14,34 +14,37 @@ shell: ipa group-add {{ item.groupname }} --gid={{ item.gid }} loop: - { groupname: 'stuff', gid: '1100' } - - { groupname: 'k8s-cluster-admin', gid: '1101' } - - { groupname: 'simple-admin', gid: '1102' } - - { groupname: 'simple-user', gid: '1103' } + - { groupname: 'k8s-cluster-admin', gid: '1111' } + - { groupname: 'k8s-cluster-user', gid: '1112' } + - { groupname: 'ocp-cluster-admin', gid: '1121' } + - { groupname: 'ocp-cluster-user', gid: '1122' } + - { groupname: 'simple-admin', gid: '1151' } + - { groupname: 'simple-user', gid: '1152' } ignore_errors: yes - name: Add users - shell: ipa user-add {{ item.username }} --uid={{ item.uid }} --gid=1100 --homedir=/nfshome/{{ item.username }} --random --shell=/bin/bash --first={{ item.first }} --last={{ item.last }} + shell: ipa user-add {{ item.username }} --gid=1100 --homedir=/nfshome/{{ item.username }} --random --shell=/bin/bash --first={{ item.first }} --last={{ item.last }} loop: - - { username: 'veldrane', uid: '1001', first: 'Veldrane', last: 'Veldranovic' } - - { username: 'valor', uid: '1002',first: 'Valor', last: 'Valorovic' } - - { username: 'jdvorak', uid: '2001', first: 'Jan', last: 'Dvorak' } - - { username: 'mnovak', uid: '2002', first: 'Martin', last: 'Novak' } - - { username: 'ddvorak', uid: '2003', first: 'David', last: 'Dvorak' } + - { username: 'veldrane', first: 'Veldrane', last: 'Veldranovic' } + - { username: 'valor', first: 'Valor', last: 'Valorovic' } + - { username: 'jdvorak', first: 'Jan', last: 'Dvorak' } + - { username: 'mnovak', first: 'Martin', last: 'Novak' } + - { username: 'ddvorak', first: 'David', last: 'Dvorak' } ignore_errors: yes -- hosts: nfsnode.lab.local +- hosts: nfsnode.lab.syscallx86.com become: true gather_facts: no tasks: - name: Create home dir for users - shell: cp -r /etc/skel /nfsvg/home/{{ item.username }} && chown {{ item.username }}:stuff -R /nfsvg/home/{{ item.username }} + shell: mkdir /nfsvg/home/{{ item.username }} && cp -r /etc/skel /nfsvg/home/{{ item.username }} && chown {{ item.username }}:stuff -R /nfsvg/home/{{ item.username }} loop: - - { username: 'veldrane', uid: '1001', first: 'Veldrane', last: 'Veldranovic' } - - { username: 'valor', uid: '1002',first: 'Valor', last: 'Valorovic' } - - { username: 'jdvorak', uid: '2001', first: 'Jan', last: 'Dvorak' } - - { username: 'mnovak', uid: '2002', first: 'Martin', last: 'Novak' } - - { username: 'ddvorak', uid: '2003', first: 'David', last: 'Dvorak' } + - { username: 'veldrane', first: 'Veldrane', last: 'Veldranovic' } + - { username: 'valor', first: 'Valor', last: 'Valorovic' } + - { username: 'jdvorak', first: 'Jan', last: 'Dvorak' } + - { username: 'mnovak', first: 'Martin', last: 'Novak' } + - { username: 'ddvorak', first: 'David', last: 'Dvorak' } ignore_errors: yes - name: restore selinux context diff --git a/02_freeipa/ansible/03_add_groups.yaml-ids b/02_freeipa/ansible/03_add_groups.yaml-ids new file mode 100644 index 0000000..d503056 --- /dev/null +++ b/02_freeipa/ansible/03_add_groups.yaml-ids @@ -0,0 +1,51 @@ +--- +- hosts: freeipa.lab.syscallx86.com + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Get the krb5 ticket + shell: echo "{{ adminpwd }}" | kinit {{ svcadmin }} + + - name: Add groups + shell: ipa group-add {{ item.groupname }} --gid={{ item.gid }} + loop: + - { groupname: 'stuff', gid: '1100' } + - { groupname: 'k8s-cluster-admin', gid: '1111' } + - { groupname: 'k8s-cluster-user', gid: '1112' } + - { groupname: 'ocp-cluster-admin', gid: '1121' } + - { groupname: 'ocp-cluster-user', gid: '1122' } + - { groupname: 'simple-admin', gid: '1151' } + - { groupname: 'simple-user', gid: '1152' } + ignore_errors: yes + + - name: Add users + shell: ipa user-add {{ item.username }} --uid={{ item.uid }} --gid=1100 --homedir=/nfshome/{{ item.username }} --random --shell=/bin/bash --first={{ item.first }} --last={{ item.last }} + loop: + - { username: 'veldrane', uid: '1001', first: 'Veldrane', last: 'Veldranovic' } + - { username: 'valor', uid: '1002',first: 'Valor', last: 'Valorovic' } + - { username: 'jdvorak', uid: '2001', first: 'Jan', last: 'Dvorak' } + - { username: 'mnovak', uid: '2002', first: 'Martin', last: 'Novak' } + - { username: 'ddvorak', uid: '2003', first: 'David', last: 'Dvorak' } + ignore_errors: yes + +- hosts: nfsnode.lab.syscallx86.com + become: true + gather_facts: no + tasks: + + - name: Create home dir for users + shell: mkdir /nfsvg/home/{{ item.username }} && cp -r /etc/skel /nfsvg/home/{{ item.username }} && chown {{ item.username }}:stuff -R /nfsvg/home/{{ item.username }} + loop: + - { username: 'veldrane', uid: '1001', first: 'Veldrane', last: 'Veldranovic' } + - { username: 'valor', uid: '1002',first: 'Valor', last: 'Valorovic' } + - { username: 'jdvorak', uid: '2001', first: 'Jan', last: 'Dvorak' } + - { username: 'mnovak', uid: '2002', first: 'Martin', last: 'Novak' } + - { username: 'ddvorak', uid: '2003', first: 'David', last: 'Dvorak' } + ignore_errors: yes + + - name: restore selinux context + shell: restorecon -R /nfsvg/home diff --git a/02_freeipa/ansible/include/_setup_vars.yaml b/02_freeipa/ansible/include/_setup_vars.yaml index 910f904..f677c41 100644 --- a/02_freeipa/ansible/include/_setup_vars.yaml +++ b/02_freeipa/ansible/include/_setup_vars.yaml @@ -3,15 +3,15 @@ virbr: "8" netsuffix: "10" hostname: "freeipa" - domain: "lab.local" + domain: "lab.syscallx86.com" mem: "2G" - ipaserver: "freeipa.lab.local" + ipaserver: "freeipa.lab.syscallx86.com" ipaip: "10.1.8.10" - ldapbase: "dc=lab,dc=local" + ldapbase: "dc=lab,dc=syscallx86,dc=com" svcadmin: "admin" adminpwd: "admin123" - template: "t_centos7" - template_dir: "/data/templates" + template: "basevm" + template_dir: "/data/vms/templates" vms_dir: "/data/vms" rootvg_size: 30 diff --git a/03_nfs/ansible/01_prepare_nodes.yaml b/03_nfs/ansible/01_prepare_nodes.yaml new file mode 100644 index 0000000..46934bf --- /dev/null +++ b/03_nfs/ansible/01_prepare_nodes.yaml @@ -0,0 +1,119 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: "Create ansible group for new hosts" + add_host: name="{{ ip }}" groups=newhost + + - name: "Delete ssh keys for template" + shell: sed -i -E '/10.1.16.200/d' $HOME/.ssh/known_hosts + + - name: "Delete ssh keys for ip" + shell: sed -i -E "/{{ ip }}/d" $HOME/.ssh/known_hosts + + - name: "Create ansible group for ipa server" + add_host: name="{{ ipaip }}" groups=ipaserver + + - name: Create data directory + shell: mkdir /data/vms/{{ hostname }}.{{ domain }} + + - name: Clone template + shell: virt-clone --original-xml /data/vms/templates/basevm.xml --name {{ fqdn }} --file /data/vms/{{ fqdn }}/rootvg.qcow2 + + - name: Change rootvg size + shell: qemu-img resize /data/vms/{{ fqdn }}/rootvg.qcow2 +{{ rootvg_size - 20 }}G + when: rootvg_size is defined + + - name: Set max memory + shell: virsh setmaxmem {{ fqdn }} {{ mem }} --config + + - name: Set more memory + shell: virsh setmem {{ fqdn }} {{ mem }} --config + + - name: Start machine + shell: virsh start {{ fqdn }} + ignore_errors: yes + + + +- hosts: basevm + become: true + gather_facts: no + tasks: + + - pause: + seconds: 35 + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Change hostname + shell: echo "{{ fqdn }}" > /etc/hostname + + - name: Add hosts to hostname + shell: echo "{{ ip }} {{ fqdn }} {{ hostname }}" >> /etc/hosts + + - name: Resize partition + shell: printf 'd\n2\np\nn\np\n2\n\n\nt\n2\n8e\nw' | fdisk /dev/vda + ignore_errors: yes + + - name: Partprobe disks + shell: partprobe /dev/vda + + - name: PV resize + shell: pvresize /dev/vda2 + + - name: Add an Ethernet connection with static IP configuration + shell: nmcli connection modify enp1s0 ipv4.addresses {{ ip }}/24 ipv4.method manual ipv4.dns "{{ ipaip }}" + + - name: Install additional packages + shell: yum install -y ipa-client sssd openldap-clients krb5-workstation nfs-utils autofs + + - name: Update sshd config - part 1 + shell: echo "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" >> /etc/ssh/sshd_config + + - name: Update sshd config - part 2 + shell: echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config + + - name: Update ssh config - non strict host checking + shell: echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config + + - name: Set timezone to Prague + shell: timedatectl set-timezone 'Europe/Prague' + +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: "Shutdown host" + shell: virsh shutdown {{ fqdn }} --mode acpi + + - pause: + seconds: 5 + + - name: "Destroy domain" + shell: "virsh destroy {{ fqdn }}" + ignore_errors: yes + + - name: "Start domain" + shell: "virsh start {{ fqdn }}" + +- hosts: newhost + become: true + gather_facts: no + tasks: + + - pause: + seconds: 25 + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Join machine to IPA domain + shell: ipa-client-install -U -p {{ svcadmin }} -w {{ adminpwd }} --mkhomedir diff --git a/10_nfs/server/ansible/01_prepare_nodes.yaml b/03_nfs/ansible/01_prepare_nodes.yaml.old similarity index 97% rename from 10_nfs/server/ansible/01_prepare_nodes.yaml rename to 03_nfs/ansible/01_prepare_nodes.yaml.old index eff9b02..8cb7f30 100644 --- a/10_nfs/server/ansible/01_prepare_nodes.yaml +++ b/03_nfs/ansible/01_prepare_nodes.yaml.old @@ -56,7 +56,7 @@ shell: echo "{{ fqdn }}" > /etc/hostname - name: Add hosts to hostname - shell: echo "{{ ip }} {{ hostname }} {{ fqdn }}" >> /etc/hosts + shell: echo "{{ ip }} {{ fqdn }} {{ hostname }} " >> /etc/hosts - name: Resize partition shell: printf 'd\n2\np\nn\np\n2\n\n\nt\n2\n8e\nw' | fdisk /dev/vda diff --git a/10_nfs/server/ansible/02_install_nfsnode.yaml b/03_nfs/ansible/02_install_nfsnode.yaml similarity index 89% rename from 10_nfs/server/ansible/02_install_nfsnode.yaml rename to 03_nfs/ansible/02_install_nfsnode.yaml index 82476ed..7e4a5f4 100644 --- a/10_nfs/server/ansible/02_install_nfsnode.yaml +++ b/03_nfs/ansible/02_install_nfsnode.yaml @@ -10,6 +10,10 @@ - name: "Create ansible group for new hosts" add_host: name="{{ ip }}" groups=newhost + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before NFS Server installation" + ignore_errors: yes + - name: Create nfs home data disk shell: qemu-img create -f qcow2 {{ vms_dir }}/{{ fqdn }}/nfsvg.qcow2 {{ disksize }} @@ -31,7 +35,7 @@ shell: firewall-cmd --permanent --add-service={mountd,nfs,rpc-bind} ; firewall-cmd --reload - name: Install prerequisites - shell: yum install -y nfs-utils policycoreutils-python-2.5-33.el7.x86_64 + shell: yum install -y nfs-utils policycoreutils-python-utils python3-policycoreutils.noarch - name: Create datavg and logical volume shell: pvcreate /dev/vdb ; vgcreate nfsvg /dev/vdb ; lvcreate -n home -L20G nfsvg @@ -70,7 +74,7 @@ shell: systemctl enable nfs-client.target && systemctl start nfs-client.target - name: Enable and start nfs server - shell: systemctl enable nfs && systemctl start nfs + shell: systemctl enable --now nfs-server - name: Create nfshome dir shell: mkdir /nfshome diff --git a/03_nfs/ansible/03_home_dirs.yaml b/03_nfs/ansible/03_home_dirs.yaml new file mode 100644 index 0000000..1417e9a --- /dev/null +++ b/03_nfs/ansible/03_home_dirs.yaml @@ -0,0 +1,18 @@ +- hosts: nfsnode.lab.syscallx86.com + become: true + gather_facts: no + tasks: + + - name: Create home dir for users + shell: mkdir /nfsvg/home/{{ item.username }} && find /etc/skel/ -type f -exec cp {} /nfsvg/home/{{ item.username }}/ \; && chown {{ item.username }}:stuff -R /nfsvg/home/{{ item.username }} + loop: + - { username: 'veldrane', first: 'Veldrane', last: 'Veldranovic' } + - { username: 'valor', first: 'Valor', last: 'Valorovic' } + - { username: 'jdvorak', first: 'Jan', last: 'Dvorak' } + - { username: 'mnovak', first: 'Martin', last: 'Novak' } + - { username: 'ddvorak', first: 'David', last: 'Dvorak' } + ignore_errors: yes + + - name: restore selinux context + shell: restorecon -R /nfsvg/home + diff --git a/10_nfs/server/ansible/include/_setup_vars.yaml b/03_nfs/ansible/include/_setup_vars.yaml similarity index 72% rename from 10_nfs/server/ansible/include/_setup_vars.yaml rename to 03_nfs/ansible/include/_setup_vars.yaml index 08f98b2..1565a3e 100644 --- a/10_nfs/server/ansible/include/_setup_vars.yaml +++ b/03_nfs/ansible/include/_setup_vars.yaml @@ -3,15 +3,15 @@ virbr: "8" netsuffix: "24" hostname: "nfsnode" - domain: "lab.local" + domain: "lab.syscallx86.com" mem: "2G" - ipaserver: "freeipa.lab.local" + ipaserver: "freeipa.lab.syscallx86.com" ipaip: "10.1.8.10" - ldapbase: "dc=lab,dc=local" + ldapbase: "dc=lab,dc=syscallx86,dc=com" svcadmin: "admin" adminpwd: "admin123" - template: "t_centos7" - template_dir: "/data/templates" + template: "basevm" + template_dir: "/data/vms/templates" vms_dir: "/data/vms" rootvg_size: 30 diff --git a/03_okdv3/01_master/01_make_master.sh b/03_okdv3/01_master/01_make_master.sh deleted file mode 100755 index 9dc7132..0000000 --- a/03_okdv3/01_master/01_make_master.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -i=1 -while [ "$i" -ne 2 ] -do - echo "node1$i.lab.local" - cat include/_setup_vars.template | sed s/XXX/$i/g > include/_setup_vars.yaml - ansible-playbook ./01_prepare_nodes.yaml - i=$((i + 1)) -done diff --git a/03_okdv3/01_master/01_make_master.sh.old b/03_okdv3/01_master/01_make_master.sh.old deleted file mode 100755 index f40a5a5..0000000 --- a/03_okdv3/01_master/01_make_master.sh.old +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh -i=1 -while [ "$i" -ne 2 ] -do - echo "node1$i.lab.local" - mkdir /data/vms/node1$i.lab.local - virt-clone --original-xml /data/templates/t_centos7/t_centos7.xml --name node1$i.lab.local --file /data/vms/node1$i.lab.local/rootvg.qcow2 - cat include/_setup_vars.template | sed s/XXX/$i/g > include/_setup_vars.yaml - virsh setmaxmem node1$i.lab.local 16G --config - qemu-img resize /data/vms/node1$i.lab.local/rootvg.qcow2 +20G - ansible-playbook ./01_prepare_master.yaml - i=$((i + 1)) -done diff --git a/03_okdv3/01_master/01_prepare_master.yaml.old b/03_okdv3/01_master/01_prepare_master.yaml.old deleted file mode 100644 index 4b7de3d..0000000 --- a/03_okdv3/01_master/01_prepare_master.yaml.old +++ /dev/null @@ -1,101 +0,0 @@ ---- -- hosts: localhost - become: true - gather_facts: no - tasks: - - - name: Set variables - include: include/_setup_vars.yaml - - - name: Set more memory - shell: virsh setmem {{ hostname }}.{{ domain }} 16G --config - - - name: Start machine - shell: virsh start {{ hostname }}.{{ domain }} - ignore_errors: yes - -- hosts: freeipa.lab.local - become: true - gather_facts: no - tasks: - - - name: Set variables - include: include/_setup_vars.yaml - - - name: Login to ipa - shell: echo "{{ adminpwd }}" | kinit admin - - - name: Add DNS record for host - shell: ipa dnsrecord-add {{ domain }} {{ hostname }} --a-rec {{ ip }} - ignore_errors: yes - -- hosts: centos7 - become: true - gather_facts: no - tasks: - - - pause: - seconds: 25 - - - name: Set variables - include: include/_setup_vars.yaml - - - name: Change hostname - shell: echo "{{ hostname }}.{{ domain }}" > /etc/hostname - - - name: Add hosts to hostname - shell: echo "{{ ip }} {{ hostname }} {{ hostname }}.{{ domain }}" >> /etc/hosts - - - name: Resize partition - shell: printf 'd\n2\np\nn\np\n2\n\n\nt\n2\n8e\nw' | fdisk /dev/sda - ignore_errors: yes - - - name: Partprobe disks - shell: partprobe /dev/sda - - - name: PV resize - shell: pvresize /dev/sda2 - - - name: LV extend /lv-var - shell: lvresize /dev/rootvg/var -L+20G - - - name: Resize fs - shell: resize2fs /dev/rootvg/var - - - name: Add an Ethernet connection with static IP configuration - add ipa server client - shell: nmcli connection modify eth0 ipv4.addresses {{ ip }}/24 ipv4.method manual ipv4.dns "10.1.8.10" - - - name: Change strict policy on ssh client - shell: echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config - - - name: Make gshipley directory - shell: mkdir /root/gshipley - - - name: Copy gshipley - copy: - src: /root/bitbucket/private/lab/temp/gshipley.tgz - dest: /root/gshipley/gshipley.tgz - mode: 644 - - - name: extract gshipley - shell: cd /root/gshipley ; tar xvfz ./gshipley.tgz - - - name: Run prepare script - shell: cd /root/gshipley ; ./prepare-install.sh - - - name: Copy inventory.ini - copy: - src: /root/bitbucket/private/lab/03_okdv3/gshipley/inventory.ini - dest: /root/gshipley/cluster.ini - mode: 644 - - - -- hosts: localhost - become: true - gather_facts: no - tasks: - - - name: Shutdown the vm - shell: virsh shutdown {{ hostname }}.{{ domain }} - diff --git a/03_okdv3/01_master/01_prepare_nodes.yaml b/03_okdv3/01_master/01_prepare_nodes.yaml deleted file mode 120000 index 36ecbd8..0000000 --- a/03_okdv3/01_master/01_prepare_nodes.yaml +++ /dev/null @@ -1 +0,0 @@ -../../99_newhost/ansible/01_prepare_nodes.yaml \ No newline at end of file diff --git a/03_okdv3/01_master/02_prepare_master.yaml b/03_okdv3/01_master/02_prepare_master.yaml deleted file mode 100644 index 3333cf2..0000000 --- a/03_okdv3/01_master/02_prepare_master.yaml +++ /dev/null @@ -1,46 +0,0 @@ ---- -- hosts: localhost - become: true - gather_facts: no - tasks: - - - name: Set variables - include: include/_setup_vars.yaml - - - name: "Create ansible group for new hosts" - add_host: name="{{ ip }}" groups=newhost - -- hosts: newhost - become: true - gather_facts: no - tasks: - - - name: Set variables - include: include/_setup_vars.yaml - - - name: Resize fs - shell: resize2fs /dev/rootvg/var - - - name: LV extend /lv-home - shell: lvresize /dev/rootvg/var -L+8G - - - name: Make gshipley directory - shell: mkdir /root/gshipley - - - name: Copy gshipley - copy: - src: /root/bitbucket/private/lab/temp/gshipley.tgz - dest: /root/gshipley/gshipley.tgz - mode: 644 - - - name: extract gshipley - shell: cd /root/gshipley ; tar xvfz ./gshipley.tgz - - - name: Run prepare script - shell: cd /root/gshipley ; ./prepare-install.sh - - - name: Copy inventory.ini - copy: - src: /root/bitbucket/private/lab/03_okdv3/gshipley/inventory.ini - dest: /root/gshipley/cluster.ini - mode: 644 diff --git a/03_okdv3/01_master/include/_setup_vars.template b/03_okdv3/01_master/include/_setup_vars.template deleted file mode 100644 index 4f23ca0..0000000 --- a/03_okdv3/01_master/include/_setup_vars.template +++ /dev/null @@ -1,34 +0,0 @@ -- name: Set global variables - set_fact: - virbr: "16" - netsuffix: "1XXX" - hostname: "node1XXX" - domain: "lab.local" - mem: "16G" - ipaserver: "freeipa.lab.local" - ipaip: "10.1.8.10" - ldapbase: "dc=lab,dc=local" - svcadmin: "admin" - adminpwd: "admin123" - template: "t_centos7" - template_dir: "/data/templates" - vms_dir: "/data/vms" - rootvg_size: 30 - -- name: Set ip - set_fact: - ip: "10.1.{{ virbr }}.{{ netsuffix }}" - - - -- name: Set FQDN - set_fact: - fqdn: "{{ hostname }}.{{ domain }}" - -- name: Set REALM - set_fact: - realm: "{{ domain|upper }}" - -- name: Set disksize - set_fact: - disksize: "40G" diff --git a/03_okdv3/02_infra/01_make_nodes.sh b/03_okdv3/02_infra/01_make_nodes.sh deleted file mode 100755 index 0725737..0000000 --- a/03_okdv3/02_infra/01_make_nodes.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -i=7 -while [ "$i" -ne 9 ] -do - echo "node1$i.lab.local" - cat include/_setup_vars.template | sed s/XXX/$i/g > include/_setup_vars.yaml - ansible-playbook ./01_prepare_nodes.yaml - i=$((i + 1)) -done diff --git a/03_okdv3/02_infra/01_prepare_nodes.yaml.old b/03_okdv3/02_infra/01_prepare_nodes.yaml.old deleted file mode 100644 index d97f3b8..0000000 --- a/03_okdv3/02_infra/01_prepare_nodes.yaml.old +++ /dev/null @@ -1,75 +0,0 @@ ---- -- hosts: localhost - become: true - gather_facts: no - tasks: - - - name: Set variables - include: include/_setup_vars.yaml - - - name: Set more memory - shell: virsh setmem {{ hostname }}.{{ domain }} 8G --config - - - name: Start machin_ - shell: virsh start {{ hostname }}.{{ domain }} - ignore_errors: yes - -- hosts: freeipa.lab.local - become: true - gather_facts: no - tasks: - - - name: Set variables - include: include/_setup_vars.yaml - - - name: Login to ipa - shell: echo "{{ adminpwd }}" | kinit admin - - - name: Add DNS record for host - shell: ipa dnsrecord-add {{ domain }} {{ hostname }} --a-rec {{ ip }} - ignore_errors: yes - -- hosts: centos7 - become: true - gather_facts: no - tasks: - - - pause: - seconds: 25 - - - name: Set variables - include: include/_setup_vars.yaml - - - name: Change hostname - shell: echo "{{ hostname }}.{{ domain }}" > /etc/hostname - - - name: Add hosts to hostname - shell: echo "{{ ip }} {{ hostname }} {{ hostname }}.{{ domain }}" >> /etc/hosts - - - name: Resize partition - shell: printf 'd\n2\np\nn\np\n2\n\n\nt\n2\n8e\nw' | fdisk /dev/sda - ignore_errors: yes - - - name: Partprobe disks - shell: partprobe /dev/sda - - - name: PV resize - shell: pvresize /dev/sda2 - - - name: LV extend /lv-var - shell: lvresize /dev/rootvg/var -L+20G - - - name: Resize fs - shell: resize2fs /dev/rootvg/var - - - name: Add an Ethernet connection with static IP configuration - shell: nmcli connection modify eth0 ipv4.addresses {{ ip }}/24 ipv4.method manual ipv4.dns "10.1.8.10" - -- hosts: localhost - become: true - gather_facts: no - tasks: - - - name: Reboot the vm - shell: virsh shutdown {{ hostname }}.{{ domain }} - diff --git a/03_okdv3/03_compute/01_make_nodes.sh b/03_okdv3/03_compute/01_make_nodes.sh deleted file mode 100755 index 1112194..0000000 --- a/03_okdv3/03_compute/01_make_nodes.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -i=1 -while [ "$i" -ne 5 ] -do - echo "node2$i.lab.local" - cat include/_setup_vars.template | sed s/XXX/$i/g > include/_setup_vars.yaml - ansible-playbook ./01_prepare_nodes.yaml - i=$((i + 1)) -done diff --git a/03_okdv3/03_compute/01_prepare_nodes.yaml b/03_okdv3/03_compute/01_prepare_nodes.yaml deleted file mode 120000 index 36ecbd8..0000000 --- a/03_okdv3/03_compute/01_prepare_nodes.yaml +++ /dev/null @@ -1 +0,0 @@ -../../99_newhost/ansible/01_prepare_nodes.yaml \ No newline at end of file diff --git a/03_okdv3/03_compute/01_prepare_nodes.yaml.old b/03_okdv3/03_compute/01_prepare_nodes.yaml.old deleted file mode 100644 index d97f3b8..0000000 --- a/03_okdv3/03_compute/01_prepare_nodes.yaml.old +++ /dev/null @@ -1,75 +0,0 @@ ---- -- hosts: localhost - become: true - gather_facts: no - tasks: - - - name: Set variables - include: include/_setup_vars.yaml - - - name: Set more memory - shell: virsh setmem {{ hostname }}.{{ domain }} 8G --config - - - name: Start machin_ - shell: virsh start {{ hostname }}.{{ domain }} - ignore_errors: yes - -- hosts: freeipa.lab.local - become: true - gather_facts: no - tasks: - - - name: Set variables - include: include/_setup_vars.yaml - - - name: Login to ipa - shell: echo "{{ adminpwd }}" | kinit admin - - - name: Add DNS record for host - shell: ipa dnsrecord-add {{ domain }} {{ hostname }} --a-rec {{ ip }} - ignore_errors: yes - -- hosts: centos7 - become: true - gather_facts: no - tasks: - - - pause: - seconds: 25 - - - name: Set variables - include: include/_setup_vars.yaml - - - name: Change hostname - shell: echo "{{ hostname }}.{{ domain }}" > /etc/hostname - - - name: Add hosts to hostname - shell: echo "{{ ip }} {{ hostname }} {{ hostname }}.{{ domain }}" >> /etc/hosts - - - name: Resize partition - shell: printf 'd\n2\np\nn\np\n2\n\n\nt\n2\n8e\nw' | fdisk /dev/sda - ignore_errors: yes - - - name: Partprobe disks - shell: partprobe /dev/sda - - - name: PV resize - shell: pvresize /dev/sda2 - - - name: LV extend /lv-var - shell: lvresize /dev/rootvg/var -L+20G - - - name: Resize fs - shell: resize2fs /dev/rootvg/var - - - name: Add an Ethernet connection with static IP configuration - shell: nmcli connection modify eth0 ipv4.addresses {{ ip }}/24 ipv4.method manual ipv4.dns "10.1.8.10" - -- hosts: localhost - become: true - gather_facts: no - tasks: - - - name: Reboot the vm - shell: virsh shutdown {{ hostname }}.{{ domain }} - diff --git a/03_okdv3/03_compute/include/_setup_vars.template b/03_okdv3/03_compute/include/_setup_vars.template deleted file mode 100644 index bdb668c..0000000 --- a/03_okdv3/03_compute/include/_setup_vars.template +++ /dev/null @@ -1,34 +0,0 @@ -- name: Set global variables - set_fact: - virbr: "16" - netsuffix: "2XXX" - hostname: "node2XXX" - domain: "lab.local" - mem: "8G" - ipaserver: "freeipa.lab.local" - ipaip: "10.1.8.10" - ldapbase: "dc=lab,dc=local" - svcadmin: "admin" - adminpwd: "admin123" - template: "t_centos7" - template_dir: "/data/templates" - vms_dir: "/data/vms" - rootvg_size: 30 - -- name: Set ip - set_fact: - ip: "10.1.{{ virbr }}.{{ netsuffix }}" - - - -- name: Set FQDN - set_fact: - fqdn: "{{ hostname }}.{{ domain }}" - -- name: Set REALM - set_fact: - realm: "{{ domain|upper }}" - -- name: Set disksize - set_fact: - disksize: "40G" diff --git a/03_okdv3/ansible/99_extend_var.yaml b/03_okdv3/ansible/99_extend_var.yaml deleted file mode 100644 index dba5c62..0000000 --- a/03_okdv3/ansible/99_extend_var.yaml +++ /dev/null @@ -1,20 +0,0 @@ -- hosts: - - node11.lab.local - - node17.lab.local - - node18.lab.local - - node21.lab.local - - node22.lab.local - - node23.lab.local - - node24.lab.local - become: true - gather_facts: no - tasks: - - - name: Setup firewall rules - shell: firewall-cmd --permanent --add-port=443/tcp ; firewall-cmd --reload - - - name: LV extend /lv-var - shell: lvresize /dev/rootvg/var -L+10G - - - name: Resize fs - shell: resize2fs /dev/rootvg/var diff --git a/03_okdv3/ansible/99_install_stap.yaml b/03_okdv3/ansible/99_install_stap.yaml deleted file mode 100644 index ed4b612..0000000 --- a/03_okdv3/ansible/99_install_stap.yaml +++ /dev/null @@ -1,14 +0,0 @@ -- hosts: - - node11.lab.local - - node17.lab.local - - node18.lab.local - - node21.lab.local - - node22.lab.local - - node23.lab.local - - node24.lab.local - become: true - gather_facts: no - tasks: - - - name: Install additional packages - shell: yum install -y systemtap bcc-tools curl tcpdump diff --git a/03_okdv3/gshipley/inventory.ini b/03_okdv3/gshipley/inventory.ini deleted file mode 100644 index f774503..0000000 --- a/03_okdv3/gshipley/inventory.ini +++ /dev/null @@ -1,62 +0,0 @@ -[OSEv3:children] -masters -etcd -nodes - -[masters] -10.1.16.11 openshift_ip=10.1.16.11 - -[etcd] -10.1.16.11 openshift_ip=10.1.16.11 - -[nodes] -10.1.16.11 openshift_ip=10.1.16.11 openshift_node_group_name='node-config-master' -10.1.16.17 openshift_ip=10.1.16.17 openshift_node_group_name='node-config-infra' -10.1.16.18 openshift_ip=10.1.16.18 openshift_node_group_name='node-config-infra' -10.1.16.21 openshift_ip=10.1.16.21 openshift_node_group_name='node-config-compute' -10.1.16.22 openshift_ip=10.1.16.22 openshift_node_group_name='node-config-compute' -10.1.16.23 openshift_ip=10.1.16.23 openshift_node_group_name='node-config-compute' -10.1.16.24 openshift_ip=10.1.16.24 openshift_node_group_name='node-config-compute' - -[OSEv3:vars] -openshift_additional_repos=[{'id': 'centos-paas', 'name': 'centos-paas', 'baseurl' :'https://buildlogs.centos.org/centos/7/paas/x86_64/openshift-origin311', 'gpgcheck' :'0', 'enabled' :'1'}] - -openshift_portal_net=10.49.0.0/16 -osm_cluster_network_cidr=10.48.0.0/16 -osm_host_subnet_length=8 - - - -ansible_ssh_user=root -enable_excluders=False -enable_docker_excluder=False -ansible_service_broker_install=False - -containerized=True -os_sdn_network_plugin_name='redhat/openshift-ovs-networkpolicy' -openshift_disable_check=disk_availability,docker_storage,memory_availability,docker_image_availability - -openshift_node_groups=[{'name': 'node-config-master', 'labels': ['node-role.kubernetes.io/master=true']}, {'name': 'node-config-infra', 'labels': ['node-role.kubernetes.io/infra=true']}, {'name': 'node-config-compute', 'labels': ['node-role.kubernetes.io/compute=true']}, {'name': 'node-config-prometheus', 'labels': ['node-role.kubernetes.io/prometheus=true']}] - -deployment_type=origin -openshift_deployment_type=origin - -template_service_broker_selector={"region":"infra"} -openshift_metrics_image_version="v3.11" -openshift_logging_image_version="v3.11" -openshift_logging_elasticsearch_proxy_image_version="v1.0.0" -openshift_logging_es_nodeselector={"node-role.kubernetes.io/infra":"true"} -logging_elasticsearch_rollout_override=false -osm_use_cockpit=true - -openshift_metrics_install_metrics=False -openshift_logging_install_logging=False - -openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}] -openshift_master_htpasswd_file='/etc/origin/master/htpasswd' - -openshift_public_hostname=console.lab.local -openshift_master_default_subdomain=route.local -openshift_master_api_port=8443 -openshift_master_console_port=8443 - diff --git a/03_okdv3/gshipley/inventory.ini-all-in-one b/03_okdv3/gshipley/inventory.ini-all-in-one deleted file mode 100644 index 672fa0f..0000000 --- a/03_okdv3/gshipley/inventory.ini-all-in-one +++ /dev/null @@ -1,48 +0,0 @@ -[OSEv3:children] -masters -nodes -etcd - -[masters] -10.16.1.11 openshift_ip=10.16.1.11 openshift_schedulable=true - -[etcd] -10.16.1.11 openshift_ip=10.16.1.11 - -[nodes] -10.16.1.11 containerized=false openshift_ip=10.16.1.11 openshift_schedulable=true openshift_node_group_name="node-config-all-in-one" - -[OSEv3:vars] -openshift_additional_repos=[{'id': 'centos-paas', 'name': 'centos-paas', 'baseurl' :'https://buildlogs.centos.org/centos/7/paas/x86_64/openshift-origin311', 'gpgcheck' :'0', 'enabled' :'1'}] - -ansible_ssh_user=root -enable_excluders=False -enable_docker_excluder=False -ansible_service_broker_install=False - -os_sdn_network_plugin_name='redhat/openshift-ovs-networkpolicy' -openshift_disable_check=disk_availability,docker_storage,memory_availability,docker_image_availability - -openshift_node_kubelet_args={'pods-per-core': ['10']} - -deployment_type=origin -openshift_deployment_type=origin - -template_service_broker_selector={"region":"infra"} -openshift_metrics_image_version="v3.11" -openshift_logging_image_version="v3.11" -openshift_logging_elasticsearch_proxy_image_version="v1.0.0" -openshift_logging_es_nodeselector={"node-role.kubernetes.io/infra":"true"} -logging_elasticsearch_rollout_override=false -osm_use_cockpit=true - -openshift_metrics_install_metrics=False -openshift_logging_install_logging=False - -openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}] -openshift_master_htpasswd_file='/etc/origin/master/htpasswd' - -openshift_public_hostname=console.ex.local -openshift_master_default_subdomain=apps.ex.local -openshift_master_api_port=8443 -openshift_master_console_port=8443 diff --git a/03_okdv3/gshipley/inventory.ini-skell b/03_okdv3/gshipley/inventory.ini-skell deleted file mode 100644 index 0184fcf..0000000 --- a/03_okdv3/gshipley/inventory.ini-skell +++ /dev/null @@ -1,52 +0,0 @@ -[OSEv3:children] -masters -etcd -nodes - -[masters] -10.16.1.11 openshift_ip=10.16.1.11 - -[etcd] -10.16.1.11 openshift_ip=10.16.1.11 - -[nodes] -10.16.1.11 openshift_ip=10.16.1.11 openshift_node_group_name='node-config-master' -10.16.1.12 openshift_ip=10.16.1.12 openshift_node_group_name='node-config-infra' -10.16.1.13 openshift_ip=10.16.1.13 openshift_node_group_name='node-config-infra' -10.16.1.14 openshift_ip=10.16.1.14 openshift_node_group_name='node-config-compute' -10.16.1.15 openshift_ip=10.16.1.15 openshift_node_group_name='node-config-compute' - -[OSEv3:vars] -openshift_additional_repos=[{'id': 'centos-paas', 'name': 'centos-paas', 'baseurl' :'https://buildlogs.centos.org/centos/7/paas/x86_64/openshift-origin311', 'gpgcheck' :'0', 'enabled' :'1'}] - -ansible_ssh_user=root -enable_excluders=False -enable_docker_excluder=False -ansible_service_broker_install=False - -containerized=False -os_sdn_network_plugin_name='redhat/openshift-ovs-networkpolicy' -openshift_disable_check=disk_availability,docker_storage,memory_availability,docker_image_availability - -deployment_type=origin -openshift_deployment_type=origin - -template_service_broker_selector={"region":"infra"} -openshift_metrics_image_version="v3.11" -openshift_logging_image_version="v3.11" -openshift_logging_elasticsearch_proxy_image_version="v1.0.0" -openshift_logging_es_nodeselector={"node-role.kubernetes.io/infra":"true"} -logging_elasticsearch_rollout_override=false -osm_use_cockpit=true - -openshift_metrics_install_metrics=False -openshift_logging_install_logging=False - -openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}] -openshift_master_htpasswd_file='/etc/origin/master/htpasswd' - -openshift_public_hostname=console.lab.local -openshift_master_default_subdomain=apps.lab.local -openshift_master_api_port=8443 -openshift_master_console_port=8443 - diff --git a/03_okdv3/gshipley/new_nodes.ini b/03_okdv3/gshipley/new_nodes.ini deleted file mode 100644 index bacaba7..0000000 --- a/03_okdv3/gshipley/new_nodes.ini +++ /dev/null @@ -1,53 +0,0 @@ -[OSEv3:children] -masters -etcd -nodes -new_nodes - -[masters] -10.16.1.11 openshift_ip=10.16.1.11 openshift_schedulable=true - -[etcd] -10.16.1.11 openshift_ip=10.16.1.11 - -[nodes] -10.16.1.11 openshift_ip=10.16.1.11 openshift_schedulable=true openshift_node_group_name="node-config-all-in-one" - -[new_nodes] -10.16.1.12 openshift_ip=10.16.1.12 openshift_node_group_name='node-config-infra' -10.16.1.13 openshift_ip=10.16.1.13 openshift_node_group_name='node-config-infra' - -[OSEv3:vars] -openshift_additional_repos=[{'id': 'centos-paas', 'name': 'centos-paas', 'baseurl' :'https://buildlogs.centos.org/centos/7/paas/x86_64/openshift-origin311', 'gpgcheck' :'0', 'enabled' :'1'}] - -ansible_ssh_user=root -enable_excluders=False -enable_docker_excluder=False -ansible_service_broker_install=False - -containerized=True -os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant' -openshift_disable_check=disk_availability,docker_storage,memory_availability,docker_image_availability - -deployment_type=origin -openshift_deployment_type=origin - -template_service_broker_selector={"region":"infra"} -openshift_metrics_image_version="v3.11" -openshift_logging_image_version="v3.11" -openshift_logging_elasticsearch_proxy_image_version="v1.0.0" -openshift_logging_es_nodeselector={"node-role.kubernetes.io/infra":"true"} -logging_elasticsearch_rollout_override=false -osm_use_cockpit=true - -openshift_metrics_install_metrics=False -openshift_logging_install_logging=False - -openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}] -openshift_master_htpasswd_file='/etc/origin/master/htpasswd' - -openshift_public_hostname=console.lab.local -openshift_master_default_subdomain=apps.lab.local -openshift_master_api_port=8443 -openshift_master_console_port=8443 - diff --git a/03_okdv3/hostsubnets/backup/node11.lab.local.yaml b/03_okdv3/hostsubnets/backup/node11.lab.local.yaml deleted file mode 100644 index 2c76248..0000000 --- a/03_okdv3/hostsubnets/backup/node11.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node11.lab.local -hostIP: 10.1.16.11 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: bf816c18-4084-11ea-b599-525400dc1209 - creationTimestamp: null - name: node11.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node11.lab.local -subnet: 10.48.0.0/24 diff --git a/03_okdv3/hostsubnets/backup/node17.lab.local.yaml b/03_okdv3/hostsubnets/backup/node17.lab.local.yaml deleted file mode 100644 index aedab2c..0000000 --- a/03_okdv3/hostsubnets/backup/node17.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node17.lab.local -hostIP: 10.1.16.17 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: be4dcfc2-4085-11ea-b599-525400dc1209 - creationTimestamp: null - name: node17.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node17.lab.local -subnet: 10.48.4.0/24 diff --git a/03_okdv3/hostsubnets/backup/node18.lab.local.yaml b/03_okdv3/hostsubnets/backup/node18.lab.local.yaml deleted file mode 100644 index 269cfb1..0000000 --- a/03_okdv3/hostsubnets/backup/node18.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node18.lab.local -hostIP: 10.1.16.18 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: beac79a0-4085-11ea-b599-525400dc1209 - creationTimestamp: null - name: node18.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node18.lab.local -subnet: 10.48.5.0/24 diff --git a/03_okdv3/hostsubnets/backup/node21.lab.local.yaml b/03_okdv3/hostsubnets/backup/node21.lab.local.yaml deleted file mode 100644 index 4c5ab4c..0000000 --- a/03_okdv3/hostsubnets/backup/node21.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node21.lab.local -hostIP: 10.1.16.21 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: bdce2e7d-4085-11ea-b599-525400dc1209 - creationTimestamp: null - name: node21.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node21.lab.local -subnet: 10.48.2.0/24 diff --git a/03_okdv3/hostsubnets/backup/node22.lab.local.yaml b/03_okdv3/hostsubnets/backup/node22.lab.local.yaml deleted file mode 100644 index 472fb86..0000000 --- a/03_okdv3/hostsubnets/backup/node22.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node22.lab.local -hostIP: 10.1.16.22 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: bebb2e6f-4085-11ea-b599-525400dc1209 - creationTimestamp: null - name: node22.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node22.lab.local -subnet: 10.48.6.0/24 diff --git a/03_okdv3/hostsubnets/backup/node23.lab.local.yaml b/03_okdv3/hostsubnets/backup/node23.lab.local.yaml deleted file mode 100644 index 2e8c50c..0000000 --- a/03_okdv3/hostsubnets/backup/node23.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node23.lab.local -hostIP: 10.1.16.23 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: bd6fbf16-4085-11ea-b599-525400dc1209 - creationTimestamp: null - name: node23.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node23.lab.local -subnet: 10.48.1.0/24 diff --git a/03_okdv3/hostsubnets/backup/node24.lab.local.yaml b/03_okdv3/hostsubnets/backup/node24.lab.local.yaml deleted file mode 100644 index 9e0c68d..0000000 --- a/03_okdv3/hostsubnets/backup/node24.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node24.lab.local -hostIP: 10.1.16.24 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: be131a8e-4085-11ea-b599-525400dc1209 - creationTimestamp: null - name: node24.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node24.lab.local -subnet: 10.48.3.0/24 diff --git a/03_okdv3/hostsubnets/node11.lab.local.yaml b/03_okdv3/hostsubnets/node11.lab.local.yaml deleted file mode 100644 index a0a2b42..0000000 --- a/03_okdv3/hostsubnets/node11.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node11.lab.local -hostIP: 10.1.16.11 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: bf816c18-4084-11ea-b599-525400dc1209 - creationTimestamp: null - name: node11.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node11.lab.local -subnet: 10.48.11.0/24 diff --git a/03_okdv3/hostsubnets/node17.lab.local.yaml b/03_okdv3/hostsubnets/node17.lab.local.yaml deleted file mode 100644 index 4e06e4c..0000000 --- a/03_okdv3/hostsubnets/node17.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node17.lab.local -hostIP: 10.1.16.17 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: be4dcfc2-4085-11ea-b599-525400dc1209 - creationTimestamp: null - name: node17.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node17.lab.local -subnet: 10.48.17.0/24 diff --git a/03_okdv3/hostsubnets/node18.lab.local.yaml b/03_okdv3/hostsubnets/node18.lab.local.yaml deleted file mode 100644 index fd32702..0000000 --- a/03_okdv3/hostsubnets/node18.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node18.lab.local -hostIP: 10.1.16.18 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: beac79a0-4085-11ea-b599-525400dc1209 - creationTimestamp: null - name: node18.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node18.lab.local -subnet: 10.48.18.0/24 diff --git a/03_okdv3/hostsubnets/node21.lab.local.yaml b/03_okdv3/hostsubnets/node21.lab.local.yaml deleted file mode 100644 index 6e19862..0000000 --- a/03_okdv3/hostsubnets/node21.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node21.lab.local -hostIP: 10.1.16.21 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: bdce2e7d-4085-11ea-b599-525400dc1209 - creationTimestamp: null - name: node21.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node21.lab.local -subnet: 10.48.21.0/24 diff --git a/03_okdv3/hostsubnets/node22.lab.local.yaml b/03_okdv3/hostsubnets/node22.lab.local.yaml deleted file mode 100644 index e6e650c..0000000 --- a/03_okdv3/hostsubnets/node22.lab.local.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node22.lab.local -hostIP: 10.1.16.22 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: bebb2e6f-4085-11ea-b599-525400dc1209 - creationTimestamp: null - name: node22.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node22.lab.local -subnet: 10.48.22.0/24 - diff --git a/03_okdv3/hostsubnets/node23.lab.local.yaml b/03_okdv3/hostsubnets/node23.lab.local.yaml deleted file mode 100644 index 437f5f9..0000000 --- a/03_okdv3/hostsubnets/node23.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node23.lab.local -hostIP: 10.1.16.23 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: bd6fbf16-4085-11ea-b599-525400dc1209 - creationTimestamp: null - name: node23.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node23.lab.local -subnet: 10.48.23.0/24 diff --git a/03_okdv3/hostsubnets/node24.lab.local.yaml b/03_okdv3/hostsubnets/node24.lab.local.yaml deleted file mode 100644 index 797690f..0000000 --- a/03_okdv3/hostsubnets/node24.lab.local.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: network.openshift.io/v1 -host: node24.lab.local -hostIP: 10.1.16.24 -kind: HostSubnet -metadata: - annotations: - pod.network.openshift.io/node-uid: be131a8e-4085-11ea-b599-525400dc1209 - creationTimestamp: null - name: node24.lab.local - selfLink: /apis/network.openshift.io/v1/hostsubnets/node24.lab.local -subnet: 10.48.24.0/24 diff --git a/03_okdv3/nodes.lst b/03_okdv3/nodes.lst deleted file mode 100644 index acfdbe3..0000000 --- a/03_okdv3/nodes.lst +++ /dev/null @@ -1,7 +0,0 @@ -node11.lab.local -node17.lab.local -node18.lab.local -node21.lab.local -node22.lab.local -node23.lab.local -node24.lab.local diff --git a/03_okdv3/post-install.md b/03_okdv3/post-install.md deleted file mode 100644 index 2e1732b..0000000 --- a/03_okdv3/post-install.md +++ /dev/null @@ -1,3 +0,0 @@ ---- Add cluster role to admin account - -oc adm policy add-cluster-role-to-user cluster-admin admin diff --git a/03_okdv3/sdn/articles b/03_okdv3/sdn/articles deleted file mode 100644 index 7ef5fee..0000000 --- a/03_okdv3/sdn/articles +++ /dev/null @@ -1 +0,0 @@ -https://www.apress.com/gp/book/9781430261964 diff --git a/03_okdv3/sdn/examples/01_kubeproxy/svc-krakend.yaml b/03_okdv3/sdn/examples/01_kubeproxy/svc-krakend.yaml deleted file mode 100644 index 2897088..0000000 --- a/03_okdv3/sdn/examples/01_kubeproxy/svc-krakend.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - creationTimestamp: null - labels: - app: krakend - application: krakend - name: krakend - selfLink: /api/v1/namespaces/krakend/services/krakend -spec: - externalIPs: - - 10.1.16.130 - ports: - - port: 80 - protocol: TCP - targetPort: 8080 - selector: - deploymentConfig: krakend - sessionAffinity: None - type: ClusterIP -status: - loadBalancer: {} diff --git a/03_okdv3/sdn/examples/02_ovs/examples b/03_okdv3/sdn/examples/02_ovs/examples deleted file mode 100644 index 5384546..0000000 --- a/03_okdv3/sdn/examples/02_ovs/examples +++ /dev/null @@ -1,4 +0,0 @@ -ovs-ofctl -O OpenFlow13 dump-flows br0 -ovs-vsctl --format=table --columns=ofport,name,type,external_ids list interface -ovs-appctl ofproto/trace br0 in_port=2,tcp,nw_src=10.48.21.1,nw_dst=10.48.21.30 -ovs-appctl ofproto/trace br0 in_port=30,tcp,ct_state=trk,nw_src=10.48.21.30,nw_dst=10.1.8.22 diff --git a/03_okdv3/sdn/examples/03_tcpdumps/clean_egress.sh b/03_okdv3/sdn/examples/03_tcpdumps/clean_egress.sh deleted file mode 100755 index 2875ca0..0000000 --- a/03_okdv3/sdn/examples/03_tcpdumps/clean_egress.sh +++ /dev/null @@ -1,3 +0,0 @@ -oc patch hostsubnet node17.lab.local -p '{"egressCIDRs": []}' -oc patch hostsubnet node18.lab.local -p '{"egressCIDRs": []}' -oc patch netnamespace krakend -p '{"egressIPs": []}' diff --git a/03_okdv3/sdn/examples/03_tcpdumps/examples b/03_okdv3/sdn/examples/03_tcpdumps/examples deleted file mode 100644 index b35e479..0000000 --- a/03_okdv3/sdn/examples/03_tcpdumps/examples +++ /dev/null @@ -1 +0,0 @@ -tcpdump -i eth0 "tcp[tcpflags] & (tcp-syn) != 0" diff --git a/03_okdv3/sdn/examples/03_tcpdumps/patch_egress-wrong.sh b/03_okdv3/sdn/examples/03_tcpdumps/patch_egress-wrong.sh deleted file mode 100755 index 614cdeb..0000000 --- a/03_okdv3/sdn/examples/03_tcpdumps/patch_egress-wrong.sh +++ /dev/null @@ -1,3 +0,0 @@ -oc patch hostsubnet node17.lab.local -p '{"egressCIDRs": ["10.16.1.224/27"]}' -oc patch hostsubnet node18.lab.local -p '{"egressCIDRs": ["10.16.1.224/27"]}' -oc patch netnamespace krakend -p '{"egressIPs": ["10.16.1.225"]}' diff --git a/03_okdv3/sdn/examples/03_tcpdumps/patch_egress.sh b/03_okdv3/sdn/examples/03_tcpdumps/patch_egress.sh deleted file mode 100755 index fdb0d3c..0000000 --- a/03_okdv3/sdn/examples/03_tcpdumps/patch_egress.sh +++ /dev/null @@ -1,3 +0,0 @@ -#oc patch hostsubnet node17.lab.local -p '{"egressCIDRs": ["10.1.16.224/27"]}' -oc patch hostsubnet node18.lab.local -p '{"egressCIDRs": ["10.1.16.224/27"]}' -oc patch netnamespace krakend -p '{"egressIPs": ["10.1.16.225"]}' diff --git a/03_okdv3/sdn/stap/all_nat_packet.stp b/03_okdv3/sdn/stap/all_nat_packet.stp deleted file mode 100644 index 8b2ce5e..0000000 --- a/03_okdv3/sdn/stap/all_nat_packet.stp +++ /dev/null @@ -1,174 +0,0 @@ -#!/usr/bin/stap -# BEGIN nf_nat_packet - -global NF_HOOK -global NF_FAM - -probe begin { - NF_HOOK[0] = "NF_IP_PRE_ROUTING" - NF_HOOK[1] = "NF_IP_LOCAL_IN" - NF_HOOK[2] = "NF_IP_FORWARD" - NF_HOOK[3] = "NF_IP_LOCAL_OUT" - NF_HOOK[4] = "NF_IP_POST_ROUTING" - - NF_FAM[0] = "NFPROTO_UNSPEC" - NF_FAM[1] = "NFPROTO_INET" - NF_FAM[2] = "NFPROTO_IPV4" - NF_FAM[3] = "NFPROTO_ARP" - NF_FAM[7] = "NFPROTO_BRIGE" - NF_FAM[10] = "NFPROTO_IPV6" - NF_FAM[12] = "NFPROTO_DECNET" - - printf("SystemTap started %s ...\n", ctime(gettimeofday_s())) -} - - -probe end { printf("SystemTap stopped %s.\n", ctime(gettimeofday_s())) } - -function get_ipid:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->id); -%} - -function get_ipsrc:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->saddr); -%} - -function get_ipdst:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->daddr); -%} - -function get_tcpsrc:long(skb:long) -%{ /* pure */ - struct tcphdr *tcph = tcp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(tcph->source); -%} - -function get_tcpdst:long(skb:long) -%{ /* pure */ - struct tcphdr *tcph = tcp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(tcph->dest); -%} - - -probe module("nf_nat").function("nf_nat_packet") { - - if (ipmib_get_proto($skb) == 6) { - - tcpdst = ntohs(get_tcpdst($skb)) - - time = gettimeofday_us() - printf("%lu.%06lu: ", time/1000000, time%1000000) - - ipid = ntohs(get_ipid($skb)) - ipsrc = ip_ntop(get_ipsrc($skb)) - ipdst = ip_ntop(get_ipdst($skb)) - tcpsrc = ntohs(get_tcpsrc($skb)) - hook = $hooknum - mark = $skb->mark - - printf("nat tcp ins ipid 0x%x: %s:%d -> %s:%d mark:0x%x ", ipid, ipsrc, tcpsrc, ipdst, tcpdst, mark) - - printf("hook: %s ", NF_HOOK[hook]) - - printf("rc: NULL \n") - } -} - - -probe module("nf_nat").function("nf_nat_packet").return { - - if (ipmib_get_proto($skb) == 6) { - - tcpdst = ntohs(get_tcpdst($skb)) - - time = gettimeofday_us() - printf("%lu.%06lu: ", time/1000000, time%1000000) - - ipid = ntohs(get_ipid($skb)) - ipsrc = ip_ntop(get_ipsrc($skb)) - ipdst = ip_ntop(get_ipdst($skb)) - tcpsrc = ntohs(get_tcpsrc($skb)) - hook = $hooknum - mark = $skb->mark - - printf("nat tcp ret ipid 0x%x: %s:%d -> %s:%d mark:0x%x ", ipid, ipsrc, tcpsrc, ipdst, tcpdst, mark) - - printf("hook: %s ", NF_HOOK[hook]) - - printf("rc: %d\n", $return) - } -} - -probe module("ip_tables").function("ipt_do_table") { - - if (ipmib_get_proto($skb) == 6) { - - tcpdst = ntohs(get_tcpdst($skb)) - - time = gettimeofday_us() - printf("%lu.%06lu: ", time/1000000, time%1000000) - - ipid = ntohs(get_ipid($skb)) - ipsrc = ip_ntop(get_ipsrc($skb)) - ipdst = ip_ntop(get_ipdst($skb)) - tcpsrc = ntohs(get_tcpsrc($skb)) - hookid = $table->valid_hooks - hook = $hook - mark = $skb->mark - - printf("ipf tcp ins ipid 0x%x: %s:%d -> %s:%d mark:0x%x ", ipid, ipsrc, tcpsrc, ipdst, tcpdst, mark) - - if ($state->in->name) { - indev = kernel_string(@cast($state->in, "net_device")->name) - } else { indev = "NULL"} - - if ($state->out->name) { - outdev = kernel_string(@cast($state->out, "net_device")->name) - } else { outdev = "NULL"} - - - printf("in: %s out: %s hook: %s hookid: %d rc: NULL\n", indev, outdev, NF_HOOK[hook], hookid) - - } -} - -probe module("ip_tables").function("ipt_do_table").return { - - if (ipmib_get_proto($skb) == 6) { - - tcpdst = ntohs(get_tcpdst($skb)) - - time = gettimeofday_us() - printf("%lu.%06lu: ", time/1000000, time%1000000) - - ipid = ntohs(get_ipid($skb)) - ipsrc = ip_ntop(get_ipsrc($skb)) - ipdst = ip_ntop(get_ipdst($skb)) - tcpsrc = ntohs(get_tcpsrc($skb)) - hookid = $table->valid_hooks - hook = $hook - mark = $skb->mark - - printf("ipf tcp ins ipid 0x%x: %s:%d -> %s:%d mark:0x%x ", ipid, ipsrc, tcpsrc, ipdst, tcpdst, mark) - - if ($state->in->name) { - indev = kernel_string(@cast($state->in, "net_device")->name) - } else { indev = "NULL"} - - if ($state->out->name) { - outdev = kernel_string(@cast($state->out, "net_device")->name) - } else { outdev = "NULL"} - - - printf("in: %s out: %s hook: %s hookid: %d rc: %d\n", indev, outdev, NF_HOOK[hook], hookid, $return) - - } -} - - diff --git a/03_okdv3/sdn/stap/dropwatch.stp b/03_okdv3/sdn/stap/dropwatch.stp deleted file mode 100644 index bba7ecd..0000000 --- a/03_okdv3/sdn/stap/dropwatch.stp +++ /dev/null @@ -1,30 +0,0 @@ -#!/usr/bin/stap - -############################################################ -# Dropwatch.stp -# Author: Neil Horman -# An example script to mimic the behavior of the dropwatch utility -# http://fedorahosted.org/dropwatch -############################################################ - -# Array to hold the list of drop points we find -global locations - -# Note when we turn the monitor on and off -probe begin { printf("Monitoring for dropped packets\n") } -probe end { printf("Stopping dropped packet monitor\n") } - -# increment a drop counter for every location we drop at -probe kernel.trace("kfree_skb") { locations[$location] <<< 1 } - -# Every 5 seconds report our drop locations -probe timer.sec(5) -{ - printf("\n") - foreach (l in locations-) { - printf("%d packets dropped at location %p\n", - @count(locations[l]), l) - } - delete locations -} - diff --git a/03_okdv3/sdn/stap/ipt_do_table_hook.stp b/03_okdv3/sdn/stap/ipt_do_table_hook.stp deleted file mode 100644 index f273029..0000000 --- a/03_okdv3/sdn/stap/ipt_do_table_hook.stp +++ /dev/null @@ -1,103 +0,0 @@ -#!/usr/bin/stap -# BEGIN mark.stp - -global NF_HOOK -global NF_FAM - -probe begin { - NF_HOOK[0] = "NF_IP_PRE_ROUTING" - NF_HOOK[1] = "NF_IP_LOCAL_IN" - NF_HOOK[2] = "NF_IP_FORWARD" - NF_HOOK[3] = "NF_IP_LOCAL_OUT" - NF_HOOK[4] = "NF_IP_POST_ROUTING" - - NF_FAM[0] = "NFPROTO_UNSPEC" - NF_FAM[1] = "NFPROTO_INET" - NF_FAM[2] = "NFPROTO_IPV4" - NF_FAM[3] = "NFPROTO_ARP" - NF_FAM[7] = "NFPROTO_BRIGE" - NF_FAM[10] = "NFPROTO_IPV6" - NF_FAM[12] = "NFPROTO_DECNET" - - printf("SystemTap started %s ...\n", ctime(gettimeofday_s())) -} - - -probe end { printf("SystemTap stopped %s.\n", ctime(gettimeofday_s())) } - -function get_ipid:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->id); -%} - -function get_ipsrc:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->saddr); -%} - -function get_ipdst:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->daddr); -%} - -function get_tcpsrc:long(skb:long) -%{ /* pure */ - struct tcphdr *tcph = tcp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(tcph->source); -%} - -function get_tcpdst:long(skb:long) -%{ /* pure */ - struct tcphdr *tcph = tcp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(tcph->dest); -%} - - -probe module("ip_tables").function("ipt_do_table") { - - if (ipmib_get_proto($skb) == 6) { - - tcpdst = ntohs(get_tcpdst($skb)) - - time = gettimeofday_us() - printf("%lu.%06lu: ", time/1000000, time%1000000) - - ipid = ntohs(get_ipid($skb)) - ipsrc = ip_ntop(get_ipsrc($skb)) - ipdst = ip_ntop(get_ipdst($skb)) - tcpsrc = ntohs(get_tcpsrc($skb)) - hookid = $table->valid_hooks - hook = $hook - mark = $skb->mark - - printf("tcp ipid 0x%x: %s:%d -> %s:%d mark:0x%x ", ipid, ipsrc, tcpsrc, ipdst, tcpdst, mark) - - if ($state->in->name) { - indev = kernel_string(@cast($state->in, "net_device")->name) - } else { indev = "NULL"} - - if ($state->out->name) { - outdev = kernel_string(@cast($state->out, "net_device")->name) - } else { outdev = "NULL"} - - - printf("in: %s out: %s hook: %s hookid: %d ", indev, outdev, NF_HOOK[hook], hookid) - - } -} - -probe module("ip_tables").function("ipt_do_table").return { - -if (ipmib_get_proto($skb) == 6) { - - printf("rc: %d\n", $return) - - } - - -} - -# END mark.stp diff --git a/03_okdv3/sdn/stap/iptable_filter_hook.stp b/03_okdv3/sdn/stap/iptable_filter_hook.stp deleted file mode 100644 index d99782c..0000000 --- a/03_okdv3/sdn/stap/iptable_filter_hook.stp +++ /dev/null @@ -1,105 +0,0 @@ -#!/usr/bin/stap -# BEGIN mark.stp - -global NF_HOOK -global NF_FAM - -probe begin { - NF_HOOK[0] = "NF_IP_PRE_ROUTING" - NF_HOOK[1] = "NF_IP_LOCAL_IN" - NF_HOOK[2] = "NF_IP_FORWARD" - NF_HOOK[3] = "NF_IP_LOCAL_OUT" - NF_HOOK[4] = "NF_IP_POST_ROUTING" - - NF_FAM[0] = "NFPROTO_UNSPEC" - NF_FAM[1] = "NFPROTO_INET" - NF_FAM[2] = "NFPROTO_IPV4" - NF_FAM[3] = "NFPROTO_ARP" - NF_FAM[7] = "NFPROTO_BRIGE" - NF_FAM[10] = "NFPROTO_IPV6" - NF_FAM[12] = "NFPROTO_DECNET" - - printf("SystemTap started %s ...\n", ctime(gettimeofday_s())) -} -probe end { printf("SystemTap stopped %s.\n", ctime(gettimeofday_s())) } - -function get_ipid:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->id); -%} - -function get_ipsrc:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->saddr); -%} - -function get_ipdst:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->daddr); -%} - -function get_tcpsrc:long(skb:long) -%{ /* pure */ - struct tcphdr *tcph = tcp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(tcph->source); -%} - -function get_tcpdst:long(skb:long) -%{ /* pure */ - struct tcphdr *tcph = tcp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(tcph->dest); -%} - - -probe module("iptable_filter").function("iptable_filter_hook") { - - if (ipmib_get_proto($skb) == 6) { - - tcpdst = ntohs(get_tcpdst($skb)) - - time = gettimeofday_us() - printf("%lu.%06lu: ", time/1000000, time%1000000) - - ipid = ntohs(get_ipid($skb)) - ipsrc = ip_ntop(get_ipsrc($skb)) - ipdst = ip_ntop(get_ipdst($skb)) - tcpsrc = ntohs(get_tcpsrc($skb)) - - printf("tcp: 0x%x: %s:%d -> %s:%d ", ipid, ipsrc, tcpsrc, ipdst, tcpdst) - - if ($state->in->name) { - hookindev = kernel_string(@cast($state->in, "net_device")->name) - } else { hookindev = "NULL"} - if ($state->out->name) { - hookoutdev = kernel_string(@cast($state->out, "net_device")->name) - } else { hookoutdev = "NULL"} - - if ($in->name) { - indev = kernel_string(@cast($in, "net_device")->name) - } else { indev = "NULL"} - - if ($out->name) { - outdev = kernel_string(@cast($out, "net_device")->name) - } else { outdev = "NULL"} - - - printf("in: %s out: %s hook_in: %s hook_out: %s ", indev, outdev, hookindev, hookoutdev) - - } -} - -probe module("iptable_filter").function("iptable_filter_hook").return { - -if (ipmib_get_proto($skb) == 6) { - - printf("rc: %d\n", $return) - - } - - -} - -# END mark.stp diff --git a/03_okdv3/sdn/stap/mark.stp b/03_okdv3/sdn/stap/mark.stp deleted file mode 100644 index 2b72baf..0000000 --- a/03_okdv3/sdn/stap/mark.stp +++ /dev/null @@ -1,155 +0,0 @@ -#!/usr/bin/stap -# BEGIN mark.stp - -global NF_HOOK -global NF_FAM - -probe begin { - NF_HOOK[0] = "NF_IP_PRE_ROUTING" - NF_HOOK[1] = "NF_IP_LOCAL_IN" - NF_HOOK[2] = "NF_IP_FORWARD" - NF_HOOK[3] = "NF_IP_LOCAL_OUT" - NF_HOOK[4] = "NF_IP_POST_ROUTING" - - NF_FAM[0] = "NFPROTO_UNSPEC" - NF_FAM[1] = "NFPROTO_INET" - NF_FAM[2] = "NFPROTO_IPV4" - NF_FAM[3] = "NFPROTO_ARP" - NF_FAM[7] = "NFPROTO_BRIGE" - NF_FAM[10] = "NFPROTO_IPV6" - NF_FAM[12] = "NFPROTO_DECNET" - - printf("SystemTap started %s ...\n", ctime(gettimeofday_s())) -} -probe end { printf("SystemTap stopped %s.\n", ctime(gettimeofday_s())) } - -function get_ipid:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->id); -%} - -function get_ipsrc:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->saddr); -%} - -function get_ipdst:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->daddr); -%} - -function get_udpsrc:long(skb:long) -%{ /* pure */ - struct udphdr *udph = udp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(udph->source); -%} - -function get_tcpsrc:long(skb:long) -%{ /* pure */ - struct tcphdr *tcph = tcp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(tcph->source); -%} - -function get_tcpdst:long(skb:long) -%{ /* pure */ - struct tcphdr *tcph = tcp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(tcph->dest); -%} - - -function get_udpdst:long(skb:long) -%{ /* pure */ - struct udphdr *udph = udp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(udph->dest); -%} - -probe module("xt_mark").function("mark_mt") { - - if (ipmib_get_proto($skb) == 6) { - - tcpdst = ntohs(get_tcpdst($skb)) - - time = gettimeofday_us() - printf("%lu.%06lu: ", time/1000000, time%1000000) - - ipid = ntohs(get_ipid($skb)) - ipsrc = ip_ntop(get_ipsrc($skb)) - ipdst = ip_ntop(get_ipdst($skb)) - tcpsrc = ntohs(get_tcpsrc($skb)) - - printf("tcp: 0x%x: %s:%d -> %s:%d ", ipid, ipsrc, tcpsrc, ipdst, tcpdst) - - family = $par->family - hook = $par->hooknum - if ($par->in->name) { - indev = kernel_string(@cast($par->in, "net_device")->name) - } else { indev = "NULL"} - if ($par->out->name) { - outdev = kernel_string(@cast($par->out, "net_device")->name) - } else { outdev = "NULL"} - if ($par->target->table) { - table = $par->target->table - } else { table = -1 } - - printf("family: %s, hook: %s, indev: %s, outdev: %s, table: %d ", - NF_FAM[family], - NF_HOOK[hook], - indev, outdev, - table) - - skbmark = $skb->mark - mark = @cast($par->targinfo, "xt_mark_tginfo2")->mark - mask = @cast($par->targinfo, "xt_mark_tginfo2")->mask - - printf("skb init mark: 0x%x, input mark: 0x%x, input mask: 0x%x\n", skbmark, mark, mask) - - } - - - - if (ipmib_get_proto($skb) == 17) { - - udpdst = ntohs(get_udpdst($skb)) - - - time = gettimeofday_us() - printf("%lu.%06lu: ", time/1000000, time%1000000) - - ipid = ntohs(get_ipid($skb)) - ipsrc = ip_ntop(get_ipsrc($skb)) - ipdst = ip_ntop(get_ipdst($skb)) - udpsrc = ntohs(get_udpsrc($skb)) - - printf("udp: 0x%x: %s:%d -> %s:%d ", ipid, ipsrc, udpsrc, ipdst, udpdst) - - family = $par->family - hook = $par->hooknum - if ($par->in->name) { - indev = kernel_string(@cast($par->in, "net_device")->name) - } else { indev = "NULL"} - if ($par->out->name) { - outdev = kernel_string(@cast($par->out, "net_device")->name) - } else { outdev = "NULL"} - if ($par->target->table) { - table = $par->target->table - } else { table = -1 } - - printf("family: %s, hook: %s, indev: %s, outdev: %s, table: %d ", - NF_FAM[family], - NF_HOOK[hook], - indev, outdev, - table) - - skbmark = $skb->mark - mark = @cast($par->targinfo, "xt_mark_tginfo2")->mark - mask = @cast($par->targinfo, "xt_mark_tginfo2")->mask - - printf("skb init mark: 0x%x, input mark: 0x%x, input mask: 0x%x\n", skbmark, mark, mask) - - } -} - -# END mark.stp diff --git a/03_okdv3/sdn/stap/netfilter_drop.stp b/03_okdv3/sdn/stap/netfilter_drop.stp deleted file mode 100644 index 122f394..0000000 --- a/03_okdv3/sdn/stap/netfilter_drop.stp +++ /dev/null @@ -1,58 +0,0 @@ -#! /usr/bin/env stap - -global drop_count - -function get_ipsrc:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->saddr); -%} - -probe begin { - - // Make sure the protocol is either UDP or TCP - // and the number of packets is positive. - if ((@1 != "TCP" && @1 != "UDP" && @1 != "ALL") || ($2 <0)) - { - printf("Please enter \"TCP\", \"UDP\" or \"ALL\" on the command line, followed by the number of packets to drop.\n") - exit() - } - else - printf("Dropping packets! Ctrl-C to exit.\n") -} - -probe netfilter.ipv4.local_in { - - // If the protocol matches that specified (or ALL), - // make sure we have not exceeded the number - // provided, then drop the packet. - if(convert_protocol(protocol) == @1 || @1 == "ALL") { - if(@count(drop_count[@1]) >= $2 && $2 != 0) - exit() - else { - $verdict = nf_drop - drop_count[@1]<<id); -%} - -function get_ipsrc:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->saddr); -%} - -function get_ipdst:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->daddr); -%} - -function get_tcpsrc:long(skb:long) -%{ /* pure */ - struct tcphdr *tcph = tcp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(tcph->source); -%} - -function get_tcpdst:long(skb:long) -%{ /* pure */ - struct tcphdr *tcph = tcp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(tcph->dest); -%} - - -probe module("nf_nat").function("nf_nat_packet").return { - - if (ipmib_get_proto($skb) == 6) { - - tcpdst = ntohs(get_tcpdst($skb)) - - time = gettimeofday_us() - printf("%lu.%06lu: ", time/1000000, time%1000000) - - ipid = ntohs(get_ipid($skb)) - ipsrc = ip_ntop(get_ipsrc($skb)) - ipdst = ip_ntop(get_ipdst($skb)) - tcpsrc = ntohs(get_tcpsrc($skb)) - hook = $hooknum - mark = $skb->mark - - printf("tcp ipid 0x%x: %s:%d -> %s:%d mark:0x%x ", ipid, ipsrc, tcpsrc, ipdst, tcpdst, mark) - - printf("hook: %s ", NF_HOOK[hook]) - - printf("rc: %d\n", $return) - } -} - -/* - -probe module("nf_nat").function("nf_nat_packet").return { - -if (ipmib_get_proto($skb) == 6) { - - printf("rc: %d\n", $return) - - } -} - -*/ - diff --git a/03_okdv3/sdn/stap/stap_org.stp b/03_okdv3/sdn/stap/stap_org.stp deleted file mode 100644 index 8b3bb77..0000000 --- a/03_okdv3/sdn/stap/stap_org.stp +++ /dev/null @@ -1,101 +0,0 @@ -#!/usr/bin/stap -# BEGIN mark.stp - -global NF_HOOK -global NF_FAM - -probe begin { - NF_HOOK[0] = "NF_IP_PRE_ROUTING" - NF_HOOK[1] = "NF_IP_LOCAL_IN" - NF_HOOK[2] = "NF_IP_FORWARD" - NF_HOOK[3] = "NF_IP_LOCAL_OUT" - NF_HOOK[4] = "NF_IP_POST_ROUTING" - - NF_FAM[0] = "NFPROTO_UNSPEC" - NF_FAM[1] = "NFPROTO_INET" - NF_FAM[2] = "NFPROTO_IPV4" - NF_FAM[3] = "NFPROTO_ARP" - NF_FAM[7] = "NFPROTO_BRIGE" - NF_FAM[10] = "NFPROTO_IPV6" - NF_FAM[12] = "NFPROTO_DECNET" - - printf("SystemTap started %s ...\n", ctime(gettimeofday_s())) -} -probe end { printf("SystemTap stopped %s.\n", ctime(gettimeofday_s())) } - -function get_ipid:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->id); -%} - -function get_ipsrc:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->saddr); -%} - -function get_ipdst:long(skb:long) -%{ /* pure */ - struct iphdr *iph = ip_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(iph->daddr); -%} - -function get_udpsrc:long(skb:long) -%{ /* pure */ - struct udphdr *udph = udp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(udph->source); -%} - -function get_udpdst:long(skb:long) -%{ /* pure */ - struct udphdr *udph = udp_hdr((struct sk_buff *)STAP_ARG_skb); - STAP_RETURN(udph->dest); -%} - -probe module("xt_mark").function("mark_tg") { - - if (ipmib_get_proto($skb) == 17) { - - udpdst = ntohs(get_udpdst($skb)) - - if (udpdst == 4789) { - - time = gettimeofday_us() - printf("%lu.%06lu: ", time/1000000, time%1000000) - - ipid = ntohs(get_ipid($skb)) - ipsrc = ip_ntop(get_ipsrc($skb)) - ipdst = ip_ntop(get_ipdst($skb)) - udpsrc = ntohs(get_udpsrc($skb)) - - printf("0x%x: %s:%d -> %s:%d ", ipid, ipsrc, udpsrc, ipdst, udpdst) - - family = $par->family - hook = $par->hooknum - if ($par->in->name) { - indev = kernel_string(@cast($par->in, "net_device")->name) - } else { indev = "NULL"} - if ($par->out->name) { - outdev = kernel_string(@cast($par->out, "net_device")->name) - } else { outdev = "NULL"} - if ($par->target->table) { - table = $par->target->table - } else { table = -1 } - - printf("family: %s, hook: %s, indev: %s, outdev: %s, table: %d ", - NF_FAM[family], - NF_HOOK[hook], - indev, outdev, - table) - - skbmark = $skb->mark - mark = @cast($par->targinfo, "xt_mark_tginfo2")->mark - mask = @cast($par->targinfo, "xt_mark_tginfo2")->mask - - printf("skb init mark: 0x%x, input mark: 0x%x, input mask: 0x%x\n", skbmark, mark, mask) - } - } -} - -# END mark.stp diff --git a/03_okdv3/sdn/stap/stps.tgz b/03_okdv3/sdn/stap/stps.tgz deleted file mode 100644 index 857883f..0000000 Binary files a/03_okdv3/sdn/stap/stps.tgz and /dev/null differ diff --git a/05_k8s/01_make_workers_ovn.sh b/05_k8s/01_make_workers_ovn.sh new file mode 120000 index 0000000..1c62507 --- /dev/null +++ b/05_k8s/01_make_workers_ovn.sh @@ -0,0 +1 @@ +ovn/01_make_workers_ovn.sh \ No newline at end of file diff --git a/05_k8s/01_prepare_master_ovn.sh b/05_k8s/01_prepare_master_ovn.sh new file mode 120000 index 0000000..5952fe1 --- /dev/null +++ b/05_k8s/01_prepare_master_ovn.sh @@ -0,0 +1 @@ +ovn/01_prepare_master_ovn.sh \ No newline at end of file diff --git a/05_k8s/ansible/01_prepare_nodes_ovn.yaml b/05_k8s/ansible/01_prepare_nodes_ovn.yaml new file mode 100644 index 0000000..684a81f --- /dev/null +++ b/05_k8s/ansible/01_prepare_nodes_ovn.yaml @@ -0,0 +1,153 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: "Create ansible group for new hosts" + add_host: name="{{ ip }}" groups=newhost + + - name: "Delete ssh keys for template" + shell: sed -i -E '/10.1.16.200/d' $HOME/.ssh/known_hosts + + - name: "Delete ssh keys for ip" + shell: sed -i -E "/{{ ip }}/d" $HOME/.ssh/known_hosts + + - name: "Create ansible group for ipa server" + add_host: name="{{ ipaip }}" groups=ipaserver + + - name: Create data directory + shell: mkdir /data/vms/{{ hostname }}.{{ domain }} + + - name: Clone template + shell: virt-clone --original-xml /data/vms/templates/basevm.xml --name {{ fqdn }} --file /data/vms/{{ fqdn }}/rootvg.qcow2 + + - name: Change rootvg size + shell: qemu-img resize /data/vms/{{ fqdn }}/rootvg.qcow2 +{{ rootvg_size - 20 }}G + when: rootvg_size is defined + + - name: Set max memory + shell: virsh setmaxmem {{ fqdn }} {{ mem }} --config + + - name: Set more memory + shell: virsh setmem {{ fqdn }} {{ mem }} --config + + - name: Start machine + shell: virsh start {{ fqdn }} + ignore_errors: yes + + + +- hosts: basevm + become: true + gather_facts: no + tasks: + + - pause: + seconds: 35 + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Change hostname + shell: echo "{{ fqdn }}" > /etc/hostname + + - name: Add hosts to hostname + shell: echo "{{ ip }} {{ fqdn }} {{ hostname }}" >> /etc/hosts + + - name: Resize partition + shell: printf 'd\n2\np\nn\np\n2\n\n\nt\n2\n8e\nw' | fdisk /dev/vda + ignore_errors: yes + + - name: Partprobe disks + shell: partprobe /dev/vda + + - name: PV resize + shell: pvresize /dev/vda2 + + - name: Add an Ethernet connection with static ip configuration + shell: nmcli connection modify enp1s0 ipv4.addresses {{ ip }}/24 ipv4.method manual ipv4.dns "{{ ipaip }}" + + - name: Install additional packages + shell: yum install -y ipa-client sssd openldap-clients krb5-workstation nfs-utils autofs policycoreutils-python-utils python3-policycoreutils.noarch + + - name: Update sshd config - part 1 + shell: echo "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" >> /etc/ssh/sshd_config + + - name: Update sshd config - part 2 + shell: echo "AuthorizedKeysCommandUser nobody" >> /etc/ssh/sshd_config + + - name: Update ssh config - non strict host checking + shell: echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config + + - name: Update ssh config - GSSAPI + shell: printf "GSSAPIKeyExchange yes\nGSSAPIDelegateCredentials yes\nGSSAPIRenewalForcesRekey yes\nGSSAPITrustDns yes" >> /etc/ssh/ssh_config + + - name: Create nfshome dir + shell: mkdir /nfshome + + - name: Set nfs home boolean + shell: setsebool -P use_nfs_home_dirs 1 + + - name: Prepare autofs master + shell: echo "/nfshome /etc/auto.nfshome --timeout=180 " >> /etc/auto.master + + - name: Create auto.nfshome + shell: echo "* -fstype=nfs,rw,soft,sec=krb5i,nfsvers=4,minorversion=2,user=& {{ nfsserver }}:{{ home_export }}/&" >> /etc/auto.nfshome + + - name: Set timezone to Prague + shell: timedatectl set-timezone 'Europe/Prague' + +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: "Shutdown host" + shell: virsh shutdown {{ fqdn }} --mode acpi + + - pause: + seconds: 5 + + - name: "Destroy domain" + shell: "virsh destroy {{ fqdn }}" + ignore_errors: yes + + - name: "Change network configuration" + shell: "virt-xml {{ fqdn }} --xml ./devices/interface/vlan/tag/@id={{ virbr }} --edit" + + - name: "Start domain" + shell: "virsh start {{ fqdn }}" + + +- hosts: newhost + become: true + gather_facts: no + tasks: + + - pause: + seconds: 25 + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Join machine to IPA domain + shell: ipa-client-install -U -p {{ svcadmin }} -w {{ adminpwd }} --mkhomedir + + - name: Get the krb5 ticket + shell: echo "{{ adminpwd }}" | kinit {{ svcadmin }} + + - name: Add nfs server to the ipa server + shell: ipa service-add nfs/{{ fqdn }} + + - name: Create nfs service for krb5 mount client + shell: ipa-getkeytab -s {{ ipaserver }} -p nfs/{{ fqdn }} -k /etc/krb5.keytab + + - name: Enable and start nfs client + shell: systemctl enable nfs-client.target && systemctl start nfs-client.target + + - name: Enable and start autofs + shell: systemctl enable autofs && systemctl start autofs diff --git a/05_k8s/ansible/02_install_master_ovn_crio.yaml.old b/05_k8s/ansible/02_install_master_ovn_crio.yaml.old new file mode 100644 index 0000000..223c4b4 --- /dev/null +++ b/05_k8s/ansible/02_install_master_ovn_crio.yaml.old @@ -0,0 +1,169 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before k8s installation" + ignore_errors: yes + + - name: "Create ansible group for new hosts" + add_host: name="{{ master }}" groups=master + +- hosts: master + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Disable SElinux + shell: setenforce 0 ; sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux + + - name: Make /etc/kubernetes directory and change the selinux context + shell: mkdir /etc/kubernetes ; semanage fcontext -a -t svirt_sandbox_file_t '/etc/kubernetes(/.*)?' + + - name: Make /var/lib/etcd and change the selinux context + shell: mkdir -p /var/lib/etcd ; semanage fcontext -a -t svirt_sandbox_file_t '/var/lib/etcd(/.*)?' + + - name: Restore contexts + shell: restorecon -vR /etc/kubernetes ; restorecon -vR /var/lib/etcd + + - name: Disable swap + shell: swapoff -a ; sed -i -E '/swap/d' /etc/fstab + + - name: Disable firewalld + shell: systemctl stop firewalld && systemctl disable firewalld + + +# - name: Setup firewall rules +# shell: firewall-cmd --permanent --add-port=6443/tcp --add-port=2379-2380/tcp --add-port=10250-10252/tcp --add-port=10255/tcp --add-port=8472/udp + +# - name: Open BGP protocal on firewalld +# shell: firewall-cmd --permanent --add-port=179/tcp + +# - name: Setup masquarade and reload rules +# shell: firewall-cmd --add-masquerade --permanent ; firewall-cmd --reload + +# - name: Enable br_netfilter (probably not survive the reboot!!! - check in the future) +# shell: modprobe br_netfilter; echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables + + - name: Copy kubernetes repo definition to yum dir + copy: + src: include/kubernetes.repo + dest: /etc/yum.repos.d/kubernetes.repo + + - name: Copy crio repo definition to yum dir + copy: + src: include/crio.repo + dest: /etc/yum.repos.d/crio.repo + + - name: Install kubeadm, crio and wget + shell: yum install wget kubeadm cri-o kubelet libnetfilter_conntrack conntrack-tools socat kubectl tar traceroute git python3-pip make podman buildah -y + + - name: Install ovs + shell: yum install -y epel-release centos-release-nfv-common centos-release-nfv-openvswitch && yum install -y openvswitch3.3 libibverbs NetworkManager-ovs + + - name: Restart and network manager + shell: systemctl restart NetworkManager + + - name: Start and enable openvswitch + shell: systemctl enable openvswitch ; systemctl start openvswitch + + - name: Enable crio + shell: systemctl restart crio && systemctl enable crio + + - name: Add bridge + shell: nmcli c add type ovs-bridge conn.interface {{ bridge_name }} con-name {{ bridge_name }} + + - name: Add bridge - new port + shell: nmcli c add type ovs-port conn.interface {{ bridge_name }} master {{ bridge_name }} con-name ovs-port-{{ bridge_name }} + + - name: Add bridge - slave + shell: nmcli c add type ovs-interface slave-type ovs-port conn.interface {{ bridge_name }} master ovs-port-{{ bridge_name }} con-name ovs-if-{{ bridge_name }} + + - name: Add bridge - second iface + shell: nmcli c add type ovs-port conn.interface {{ iface }} master {{ bridge_name }} con-name ovs-port-{{ iface }} + + - name: Add bridge - add ethernet iface + shell: nmcli c add type ethernet conn.interface {{ iface }} master ovs-port-{{ iface }} con-name ovs-if-{{ iface }} + +# - name: Delete second connection +# shell: nmcli conn delete {{ iface }} + + - name: Set autoconnect to bridge + shell: nmcli conn mod {{ bridge_name }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-if-{{ iface }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-port-{{ iface }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-port-{{ bridge_name }} connection.autoconnect yes + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.address {{ ip_address }} + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.method static + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.route-metric 50 + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.gateway "10.1.16.1" + + - name: Change ovn bridge + shell: nmcli conn mod {{ iface }} ipv4.never-default yes + + - name: Change ovn bridge + shell: nmcli conn mod {{ iface }} ipv4.ignore-auto-dns yes + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.dns "10.1.8.10" + + - name: Modules for crio + shell: modprobe br_netfilter; sysctl -w net.ipv4.ip_forward=1 + + - name: Run kubeadm + shell: kubeadm init --pod-network-cidr={{ podnetwork }} --service-cidr={{ svcnetwork }} --apiserver-advertise-address={{ ip }} > /tmp/kubeadm.out + + - name: Enable kubelet + shell: systemctl enable kubelet + + - name: Get token + shell: cat /tmp/kubeadm.out | grep -E '\-\-token' | awk '{print $5}' + register: kube_token + + - name: Recreate kube_token + shell: kubectl token delete {{ kube_token.stdout }} ; kubeadm token create + + - name: Register new kube token + shell: kubeadm token list | tail -n 1 | awk '{print $1}' + register: bootstrap_token + + - name: Get CA sha256 + shell: cat /tmp/kubeadm.out | grep -E 'sha256' | awk '{print $2}' + register: ca_token + + - name: Create Token file + shell: echo "{{ bootstrap_token.stdout }};{{ ca_token.stdout }}" > /root/token.out + + - name: Create .kube directory + shell: mkdir -p /root/.kube + + - name: Copy cfg to .kube dir + shell: cp -i /etc/kubernetes/admin.conf /root/.kube/config + + - name: Change ownership to kube directory + shell: chown $(id -u):$(id -g) /root/.kube/config \ No newline at end of file diff --git a/05_k8s/ansible/02_install_master_ovn_crio_network.yaml b/05_k8s/ansible/02_install_master_ovn_crio_network.yaml new file mode 100644 index 0000000..af7634b --- /dev/null +++ b/05_k8s/ansible/02_install_master_ovn_crio_network.yaml @@ -0,0 +1,140 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before k8s installation" + ignore_errors: yes + + - name: "Create ansible group for new hosts" + add_host: name="{{ master }}" groups=master + +- hosts: master + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Disable SElinux + shell: setenforce 0 ; sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux + + - name: Make /etc/kubernetes directory and change the selinux context + shell: mkdir /etc/kubernetes ; semanage fcontext -a -t svirt_sandbox_file_t '/etc/kubernetes(/.*)?' + + - name: Make /var/lib/etcd and change the selinux context + shell: mkdir -p /var/lib/etcd ; semanage fcontext -a -t svirt_sandbox_file_t '/var/lib/etcd(/.*)?' + + - name: Restore contexts + shell: restorecon -vR /etc/kubernetes ; restorecon -vR /var/lib/etcd + + - name: Disable swap + shell: swapoff -a ; sed -i -E '/swap/d' /etc/fstab + + - name: Disable firewalld + shell: systemctl stop firewalld && systemctl disable firewalld + + +# - name: Setup firewall rules +# shell: firewall-cmd --permanent --add-port=6443/tcp --add-port=2379-2380/tcp --add-port=10250-10252/tcp --add-port=10255/tcp --add-port=8472/udp + +# - name: Open BGP protocal on firewalld +# shell: firewall-cmd --permanent --add-port=179/tcp + +# - name: Setup masquarade and reload rules +# shell: firewall-cmd --add-masquerade --permanent ; firewall-cmd --reload + +# - name: Enable br_netfilter (probably not survive the reboot!!! - check in the future) +# shell: modprobe br_netfilter; echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables + + - name: Copy kubernetes repo definition to yum dir + copy: + src: include/kubernetes.repo + dest: /etc/yum.repos.d/kubernetes.repo + + - name: Copy crio repo definition to yum dir + copy: + src: include/crio.repo + dest: /etc/yum.repos.d/crio.repo + + - name: Install kubeadm, crio and wget + shell: yum install wget kubeadm cri-o kubelet libnetfilter_conntrack conntrack-tools socat kubectl tar traceroute git python3-pip make podman buildah -y + + - name: Install ovs + shell: yum install -y epel-release centos-release-nfv-common centos-release-nfv-openvswitch && yum install -y openvswitch3.3 libibverbs NetworkManager-ovs + + - name: Restart and network manager + shell: systemctl restart NetworkManager + + - name: Start and enable openvswitch + shell: systemctl enable openvswitch ; systemctl start openvswitch + + - name: Enable crio + shell: systemctl restart crio && systemctl enable crio + + - name: Add bridge + shell: nmcli c add type ovs-bridge conn.interface {{ bridge_name }} con-name {{ bridge_name }} + + - name: Add bridge - new port + shell: nmcli c add type ovs-port conn.interface {{ bridge_name }} master {{ bridge_name }} con-name ovs-port-{{ bridge_name }} + + - name: Add bridge - slave + shell: nmcli c add type ovs-interface slave-type ovs-port conn.interface {{ bridge_name }} master ovs-port-{{ bridge_name }} con-name ovs-if-{{ bridge_name }} + + - name: Add bridge - second iface + shell: nmcli c add type ovs-port conn.interface {{ iface }} master {{ bridge_name }} con-name ovs-port-{{ iface }} + + - name: Add bridge - add ethernet iface + shell: nmcli c add type ethernet conn.interface {{ iface }} master ovs-port-{{ iface }} con-name ovs-if-{{ iface }} + + - name: Set no to autoconnect for ethernet + shell: nmcli conn mod {{ iface }} connection.autoconnect no + + - name: Set autoconnect to bridge + shell: nmcli conn mod {{ bridge_name }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-if-{{ iface }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-port-{{ iface }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-port-{{ bridge_name }} connection.autoconnect yes + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.address {{ ip_address }} + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.method static + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.route-metric 50 + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.gateway "10.1.16.1" + + - name: Change ovn bridge + shell: nmcli conn mod {{ iface }} ipv4.never-default yes + + - name: Change ovn bridge + shell: nmcli conn mod {{ iface }} ipv4.ignore-auto-dns yes + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.dns "10.1.8.10" + + - name: Modules for crio + shell: modprobe br_netfilter; sysctl -w net.ipv4.ip_forward=1 + + - name: Reboot node + shell: reboot + ignore_errors: yes \ No newline at end of file diff --git a/05_k8s/ansible/03_install_master_k8s.yaml b/05_k8s/ansible/03_install_master_k8s.yaml new file mode 100644 index 0000000..681dfe6 --- /dev/null +++ b/05_k8s/ansible/03_install_master_k8s.yaml @@ -0,0 +1,68 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before kubeadm run" + ignore_errors: yes + + - name: "Create ansible group for new hosts" + add_host: name="{{ master }}" groups=master + +- hosts: master + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Extend var + shell: lvextend -L+6GiB /dev/mapper/rootvg-var ; resize2fs /dev/mapper/rootvg-var + + - name: Delete old ethernet interface + shell: nmcli con delete {{ iface }} + + - name: Enable kubelet + shell: systemctl enable kubelet + + - name: Modules for crio + shell: modprobe br_netfilter; sysctl -w net.ipv4.ip_forward=1 + + - name: Run kubeadm + shell: kubeadm init --pod-network-cidr={{ podnetwork }} --service-cidr={{ svcnetwork }} --apiserver-advertise-address={{ ip }} > /tmp/kubeadm.out + + - name: Enable kubelet + shell: systemctl enable kubelet + + - name: Get token + shell: cat /tmp/kubeadm.out | grep -E '\-\-token' | awk '{print $5}' + register: kube_token + + - name: Recreate kube_token + shell: kubectl token delete {{ kube_token.stdout }} ; kubeadm token create + + - name: Register new kube token + shell: kubeadm token list | tail -n 1 | awk '{print $1}' + register: bootstrap_token + + - name: Get CA sha256 + shell: cat /tmp/kubeadm.out | grep -E 'sha256' | awk '{print $2}' + register: ca_token + + - name: Create Token file + shell: echo "{{ bootstrap_token.stdout }};{{ ca_token.stdout }}" > /root/token.out + + - name: Create .kube directory + shell: mkdir -p /root/.kube + + - name: Copy cfg to .kube dir + shell: cp -i /etc/kubernetes/admin.conf /root/.kube/config + + - name: Change ownership to kube directory + shell: chown $(id -u):$(id -g) /root/.kube/config \ No newline at end of file diff --git a/05_k8s/ansible/03_install_nodes_k8s.yaml b/05_k8s/ansible/03_install_nodes_k8s.yaml new file mode 100644 index 0000000..5ad5fdd --- /dev/null +++ b/05_k8s/ansible/03_install_nodes_k8s.yaml @@ -0,0 +1,83 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before kubeadm installation" + ignore_errors: yes + + - name: "Create ansible group for new hosts" + add_host: name="{{ ip }}" groups=newhost + + - name: "Create ansible group for new hosts" + add_host: name="{{ master }}" groups=master + +- hosts: master + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create bootstrap token + shell: kubeadm token create + register: bootstrap_token + + - name: "Add K8S Token to dummy host" + add_host: + name: "K8S_TOKEN_HOLDER" + token: "{{ bootstrap_token.stdout }}" + +- hosts: newhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Copy ssh keys for root - HACK - must be changed! + copy: + src: /root/.ssh/id_ecdsa + dest: /root/.ssh/id_ecdsa + + - name: Copy ssh keys for root - HACK - must be changed! - changing perm + shell: chmod 0400 /root/.ssh/id_ecdsa + + - name: Get token file + shell: scp root@{{ master }}:/root/token.out /tmp/token.out + + - name: Get token + shell: cat /tmp/token.out | awk -F\; '{print $1}' + register: kube_token + + - name: Get CA token + shell: cat /tmp/token.out | awk -F\; '{print $2}' + register: ca_token + + - name: Enable kubelet + shell: systemctl enable kubelet + + - name: Join node to kubernetes cluster + shell: kubeadm join --token {{ hostvars['K8S_TOKEN_HOLDER']['token'] }} --discovery-token-ca-cert-hash {{ ca_token.stdout }} {{ master }}:6443 + + - name: Restart kubelet + shell: systemctl restart kubelet + + - name: Create .kube directory + shell: mkdir -p /root/.kube + + - name: Copy cfg to .kube dir + shell: scp root@{{ master }}:/etc/kubernetes/admin.conf /root/.kube/config + + - name: Change ownership to kube directory + shell: chown $(id -u):$(id -g) /root/.kube/config + + - name: Label node as a worker + shell: kubectl label node {{ fqdn }} node-role.kubernetes.io/worker=worker \ No newline at end of file diff --git a/05_k8s/ansible/03_install_nodes_ovn_crio_network.yaml b/05_k8s/ansible/03_install_nodes_ovn_crio_network.yaml new file mode 100644 index 0000000..414771b --- /dev/null +++ b/05_k8s/ansible/03_install_nodes_ovn_crio_network.yaml @@ -0,0 +1,149 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before k8s installation" + ignore_errors: yes + + - name: "Create ansible group for new hosts" + add_host: name="{{ ip }}" groups=newhost + + - name: "Create ansible group for new hosts" + add_host: name="{{ master }}" groups=master + +- hosts: master + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create bootstrap token + shell: kubeadm token create + register: bootstrap_token + + - name: "Add K8S Token to dummy host" + add_host: + name: "K8S_TOKEN_HOLDER" + token: "{{ bootstrap_token.stdout }}" + +- hosts: newhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Disable SElinux + shell: setenforce 0 ; sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux + + - name: Make /etc/kubernetes directory and change the selinux context + shell: mkdir /etc/kubernetes ; semanage fcontext -a -t svirt_sandbox_file_t '/etc/kubernetes(/.*)?' + + - name: Make /var/lib/etcd and change the selinux context + shell: mkdir -p /var/lib/etcd ; semanage fcontext -a -t svirt_sandbox_file_t '/var/lib/etcd(/.*)?' + + - name: Restore contexts + shell: restorecon -vR /etc/kubernetes ; restorecon -vR /var/lib/etcd + + - name: Disable swap + shell: swapoff -a ; sed -i -E '/swap/d' /etc/fstab + + - name: Disable firewalld + shell: systemctl stop firewalld && systemctl disable firewalld + + - name: Install ovs + shell: yum install -y epel-release centos-release-nfv-common centos-release-nfv-openvswitch && yum install -y openvswitch3.3 libibverbs NetworkManager-ovs + + - name: Copy kubernetes repo definition to yum dir + copy: + src: include/kubernetes.repo + dest: /etc/yum.repos.d/kubernetes.repo + + - name: Copy crio repo definition to yum dir + copy: + src: include/crio.repo + dest: /etc/yum.repos.d/crio.repo + + - name: Install kubeadm, crio and wget + shell: yum install wget kubeadm cri-o kubelet libnetfilter_conntrack conntrack-tools socat kubectl -y + + - name: Restart and network manager + shell: systemctl restart NetworkManager + + - name: Start and enable openvswitch + shell: systemctl enable openvswitch ; systemctl start openvswitch + + - name: Enable crio + shell: systemctl restart crio && systemctl enable crio + + - name: Add bridge + shell: nmcli c add type ovs-bridge conn.interface {{ bridge_name }} con-name {{ bridge_name }} + + - name: Add bridge - new port + shell: nmcli c add type ovs-port conn.interface {{ bridge_name }} master {{ bridge_name }} con-name ovs-port-{{ bridge_name }} + + - name: Add bridge - slave + shell: nmcli c add type ovs-interface slave-type ovs-port conn.interface {{ bridge_name }} master ovs-port-{{ bridge_name }} con-name ovs-if-{{ bridge_name }} + + - name: Add bridge - second iface + shell: nmcli c add type ovs-port conn.interface {{ iface }} master {{ bridge_name }} con-name ovs-port-{{ iface }} + + - name: Add bridge - add ethernet iface + shell: nmcli c add type ethernet conn.interface {{ iface }} master ovs-port-{{ iface }} con-name ovs-if-{{ iface }} + + - name: Set no to autoconnect for ethernet + shell: nmcli conn mod {{ iface }} connection.autoconnect no + + - name: Set autoconnect to bridge + shell: nmcli conn mod {{ bridge_name }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-if-{{ iface }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-port-{{ iface }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-port-{{ bridge_name }} connection.autoconnect yes + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.address {{ ip_address }} + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.method static + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.route-metric 50 + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.gateway "10.1.16.1" + + - name: Change ovn bridge + shell: nmcli conn mod {{ iface }} ipv4.never-default yes + + - name: Change ovn bridge + shell: nmcli conn mod {{ iface }} ipv4.ignore-auto-dns yes + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.dns "10.1.8.10" + + - name: Modules for crio + shell: modprobe br_netfilter; sysctl -w net.ipv4.ip_forward=1 + + - name: Reboot node + shell: reboot + ignore_errors: yes + + diff --git a/05_k8s/ansible/antrea/02_install_master_antrea.yaml b/05_k8s/ansible/antrea/02_install_master_antrea.yaml new file mode 100644 index 0000000..80234ad --- /dev/null +++ b/05_k8s/ansible/antrea/02_install_master_antrea.yaml @@ -0,0 +1,86 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: "Create ansible group for new hosts" + add_host: name="{{ master }}" groups=master + +- hosts: master + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Make /etc/kubernetes directory and change the selinux context + shell: mkdir /etc/kubernetes ; semanage fcontext -a -t svirt_sandbox_file_t '/etc/kubernetes(/.*)?' + + - name: Make /var/lib/etcd and change the selinux context + shell: mkdir -p /var/lib/etcd ; semanage fcontext -a -t svirt_sandbox_file_t '/var/lib/etcd(/.*)?' + + - name: Restore contexts + shell: restorecon -vR /etc/kubernetes ; restorecon -vR /var/lib/etcd + + - name: Disable swap + shell: swapoff -a ; sed -i -E '/swap/d' /etc/fstab + + - name: Disable firewalld + shell: systemctl stop firewalld && systemctl disable firewalld + +# - name: Setup firewall rules +# shell: firewall-cmd --permanent --add-port=6443/tcp --add-port=2379-2380/tcp --add-port=10250-10252/tcp --add-port=10255/tcp --add-port=8472/udp + +# - name: Open BGP protocal on firewalld +# shell: firewall-cmd --permanent --add-port=179/tcp + +# - name: Setup masquarade and reload rules +# shell: firewall-cmd --add-masquerade --permanent ; firewall-cmd --reload + +# - name: Enable br_netfilter (probably not survive the reboot!!! - check in the future) +# shell: modprobe br_netfilter; echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables + + - name: Copy kubernetes repo definition to yum dir + copy: + src: include/kubernetes.repo + dest: /etc/yum.repos.d/kubernetes.repo + + - name: Install kubeadm, docker and wget + shell: yum install wget kubeadm docker -y + + - name: Enable docker + shell: systemctl restart docker && systemctl enable docker + + - name: Enable kubelet + shell: systemctl restart kubelet && systemctl enable kubelet + + - name: Run kubeadm + shell: kubeadm init --pod-network-cidr={{ podnetwork }} --service-cidr={{ svcnetwork }} --apiserver-advertise-address={{ ip }} > /tmp/kubeadm.out + + - name: Get token + shell: cat /tmp/kubeadm.out | grep -E '\-\-token' | awk '{print $5}' + register: kube_token + + - name: Get CA sha256 + shell: cat /tmp/kubeadm.out | grep -E 'sha256' | awk '{print $2}' + register: ca_token + + - name: Create Token file + shell: echo "{{ kube_token.stdout }};{{ ca_token.stdout }}" > /root/token.out + + - name: Create .kube directory + shell: mkdir -p /root/.kube + + - name: Copy cfg to .kube dir + shell: cp -i /etc/kubernetes/admin.conf /root/.kube/config + + - name: Change ownership to kube directory + shell: chown $(id -u):$(id -g) /root/.kube/config + + - name: Create SDN namespace + shell: kubectl create namespace kube-sdn diff --git a/05_k8s/ansible/antrea/02_install_master_antrea_crio.yaml b/05_k8s/ansible/antrea/02_install_master_antrea_crio.yaml new file mode 100644 index 0000000..f14efc3 --- /dev/null +++ b/05_k8s/ansible/antrea/02_install_master_antrea_crio.yaml @@ -0,0 +1,114 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before k8s installation" + ignore_errors: yes + + - name: "Create ansible group for new hosts" + add_host: name="{{ master }}" groups=master + +- hosts: master + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Disable SElinux + shell: setenforce 0 ; sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux + + - name: Make /etc/kubernetes directory and change the selinux context + shell: mkdir /etc/kubernetes ; semanage fcontext -a -t svirt_sandbox_file_t '/etc/kubernetes(/.*)?' + + - name: Make /var/lib/etcd and change the selinux context + shell: mkdir -p /var/lib/etcd ; semanage fcontext -a -t svirt_sandbox_file_t '/var/lib/etcd(/.*)?' + + - name: Restore contexts + shell: restorecon -vR /etc/kubernetes ; restorecon -vR /var/lib/etcd + + - name: Disable swap + shell: swapoff -a ; sed -i -E '/swap/d' /etc/fstab + + - name: Disable firewalld + shell: systemctl stop firewalld && systemctl disable firewalld + +# - name: Setup firewall rules +# shell: firewall-cmd --permanent --add-port=6443/tcp --add-port=2379-2380/tcp --add-port=10250-10252/tcp --add-port=10255/tcp --add-port=8472/udp + +# - name: Open BGP protocal on firewalld +# shell: firewall-cmd --permanent --add-port=179/tcp + +# - name: Setup masquarade and reload rules +# shell: firewall-cmd --add-masquerade --permanent ; firewall-cmd --reload + +# - name: Enable br_netfilter (probably not survive the reboot!!! - check in the future) +# shell: modprobe br_netfilter; echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables + + - name: Copy kubernetes repo definition to yum dir + copy: + src: include/kubernetes.repo + dest: /etc/yum.repos.d/kubernetes.repo + + - name: Copy crio repo definition to yum dir + copy: + src: include/crio.repo + dest: /etc/yum.repos.d/crio.repo + + - name: Install kubeadm, crio and wget + shell: yum install wget kubeadm cri-o kubelet libnetfilter_conntrack conntrack-tools socat kubectl -y + + - name: Install ovs + shell: yum install -y epel-release centos-release-nfv-common centos-release-nfv-openvswitch && yum install -y openvswitch3.3 libibverbs + + - name: Enable docker + shell: systemctl restart crio && systemctl enable crio + + - name: Modules for crio + shell: modprobe br_netfilter; sysctl -w net.ipv4.ip_forward=1 + + - name: Run kubeadm + shell: kubeadm init --pod-network-cidr={{ podnetwork }} --service-cidr={{ svcnetwork }} --apiserver-advertise-address={{ ip }} > /tmp/kubeadm.out + + - name: Enable kubelet + shell: systemctl enable kubelet + + - name: Get token + shell: cat /tmp/kubeadm.out | grep -E '\-\-token' | awk '{print $5}' + register: kube_token + + - name: Recreate kube_token + shell: kubectl token delete {{ kube_token.stdout }} ; kubeadm token create + + - name: Register new kube token + shell: kubeadm token list | tail -n 1 | awk '{print $1}' + register: bootstrap_token + + - name: Get CA sha256 + shell: cat /tmp/kubeadm.out | grep -E 'sha256' | awk '{print $2}' + register: ca_token + + - name: Create Token file + shell: echo "{{ bootstrap_token.stdout }};{{ ca_token.stdout }}" > /root/token.out + + - name: Create .kube directory + shell: mkdir -p /root/.kube + + - name: Copy cfg to .kube dir + shell: cp -i /etc/kubernetes/admin.conf /root/.kube/config + + - name: Change ownership to kube directory + shell: chown $(id -u):$(id -g) /root/.kube/config + + - name: Create SDN namespace + shell: kubectl create namespace antrea-sdn + + - name: Reboot master + shell: shutdown -r now \ No newline at end of file diff --git a/05_k8s/ansible/antrea/03_install_nodes_antrea.yaml b/05_k8s/ansible/antrea/03_install_nodes_antrea.yaml new file mode 100644 index 0000000..c387f22 --- /dev/null +++ b/05_k8s/ansible/antrea/03_install_nodes_antrea.yaml @@ -0,0 +1,120 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before k8s installation" + ignore_errors: yes + + - name: "Create ansible group for new hosts" + add_host: name="{{ ip }}" groups=newhost + + - name: "Create ansible group for new hosts" + add_host: name="{{ master }}" groups=master + +- hosts: master + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create bootstrap token + shell: kubeadm token create + register: bootstrap_token + + - name: "Add K8S Token to dummy host" + add_host: + name: "K8S_TOKEN_HOLDER" + token: "{{ bootstrap_token.stdout }}" + +- hosts: newhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Disable SElinux + shell: setenforce 0 ; sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux + + - name: Make /etc/kubernetes directory and change the selinux context + shell: mkdir /etc/kubernetes ; semanage fcontext -a -t svirt_sandbox_file_t '/etc/kubernetes(/.*)?' + + - name: Make /var/lib/etcd and change the selinux context + shell: mkdir -p /var/lib/etcd ; semanage fcontext -a -t svirt_sandbox_file_t '/var/lib/etcd(/.*)?' + + - name: Restore contexts + shell: restorecon -vR /etc/kubernetes ; restorecon -vR /var/lib/etcd + + - name: Disable swap + shell: swapoff -a ; sed -i -E '/swap/d' /etc/fstab + + - name: Disable firewalld + shell: systemctl stop firewalld && systemctl disable firewalld + + - name: Install ovs + shell: yum install -y epel-release centos-release-nfv-common centos-release-nfv-openvswitch && yum install -y openvswitch3.3 libibverbs + + - name: Copy kubernetes repo definition to yum dir + copy: + src: include/kubernetes.repo + dest: /etc/yum.repos.d/kubernetes.repo + + - name: Copy crio repo definition to yum dir + copy: + src: include/crio.repo + dest: /etc/yum.repos.d/crio.repo + + - name: Install kubeadm, crio and wget + shell: yum install wget kubeadm cri-o kubelet libnetfilter_conntrack conntrack-tools socat kubectl -y + + - name: Enable crio + shell: systemctl restart crio && systemctl enable crio + + - name: Copy ssh keys for root - HACK - must be changed! + copy: + src: /root/.ssh/id_ecdsa + dest: /root/.ssh/id_ecdsa + + - name: Copy ssh keys for root - HACK - must be changed! - changing perm + shell: chmod 0400 /root/.ssh/id_ecdsa + + - name: Get token file + shell: scp root@{{ master }}:/root/token.out /tmp/token.out + + - name: Get token + shell: cat /tmp/token.out | awk -F\; '{print $1}' + register: kube_token + + - name: Get CA token + shell: cat /tmp/token.out | awk -F\; '{print $2}' + register: ca_token + + - name: Enable kubelet + shell: systemctl enable kubelet + + - name: Join node to kubernetes cluster + shell: kubeadm join --token {{ hostvars['K8S_TOKEN_HOLDER']['token'] }} --discovery-token-ca-cert-hash {{ ca_token.stdout }} {{ master }}:6443 + + - name: Restart kubelet + shell: systemctl restart kubelet + + - name: Create .kube directory + shell: mkdir -p /root/.kube + + - name: Copy cfg to .kube dir + shell: scp root@{{ master }}:/etc/kubernetes/admin.conf /root/.kube/config + + - name: Change ownership to kube directory + shell: chown $(id -u):$(id -g) /root/.kube/config + + - name: Label node as a worker + shell: kubectl label node {{ fqdn }} node-role.kubernetes.io/worker=worker \ No newline at end of file diff --git a/05_k8s/ansible/02_install_master.yaml b/05_k8s/ansible/calico/02_install_master_calico.yaml similarity index 100% rename from 05_k8s/ansible/02_install_master.yaml rename to 05_k8s/ansible/calico/02_install_master_calico.yaml diff --git a/10_nfs/client/ansible/include/_setup_vars.yaml b/05_k8s/ansible/include/_setup_vars.antrea.template similarity index 70% rename from 10_nfs/client/ansible/include/_setup_vars.yaml rename to 05_k8s/ansible/include/_setup_vars.antrea.template index 0297ab4..717b909 100644 --- a/10_nfs/client/ansible/include/_setup_vars.yaml +++ b/05_k8s/ansible/include/_setup_vars.antrea.template @@ -1,14 +1,14 @@ - name: Set global variables set_fact: - virbr: "8" - netsuffix: "25" - hostname: "nfsclient" + virbr: "16" + netsuffix: "XXX" + hostname: "nodeXXX" domain: "lab.local" - mem: "2G" + mem: "4G" ipaserver: "freeipa.lab.local" + ipaip: "10.1.8.10" nfsserver: "nfsnode.lab.local" home_export: "/nfsvg/home" - ipaip: "10.1.8.10" ldapbase: "dc=lab,dc=local" svcadmin: "admin" adminpwd: "admin123" @@ -17,13 +17,10 @@ vms_dir: "/data/vms" rootvg_size: 30 - - name: Set ip set_fact: ip: "10.1.{{ virbr }}.{{ netsuffix }}" - - - name: Set FQDN set_fact: fqdn: "{{ hostname }}.{{ domain }}" @@ -31,3 +28,12 @@ - name: Set REALM set_fact: realm: "{{ domain|upper }}" + +- name: Set Kubernetes facts + set_fact: + podnetwork: "10.78.0.0/16" + svcnetwork: "10.79.0.0/16" + clusterdom: "cluster.local" + master: "node51.lab.local" + + diff --git a/05_k8s/ansible/include/_setup_vars.ovn.template b/05_k8s/ansible/include/_setup_vars.ovn.template new file mode 100644 index 0000000..e311c87 --- /dev/null +++ b/05_k8s/ansible/include/_setup_vars.ovn.template @@ -0,0 +1,40 @@ +- name: Set global variables + set_fact: + virbr: "16" + netsuffix: "XXX" + hostname: "ovnXXX" + domain: "lab.syscallx86.com" + mem: "4G" + ipaserver: "freeipa.lab.syscallx86.com" + ipaip: "10.1.8.10" + nfsserver: "nfsnode.lab.syscallx86.com" + home_export: "/nfsvg/home" + ldapbase: "dc=lab,dc=syscallx86,dc=com" + svcadmin: "admin" + adminpwd: "admin123" + template: "basevm" + template_dir: "/data/templates" + vms_dir: "/data/vms" + rootvg_size: 30 + +- name: Set ip + set_fact: + ip: "10.1.{{ virbr }}.{{ netsuffix }}" + +- name: Set FQDN + set_fact: + fqdn: "{{ hostname }}.{{ domain }}" + +- name: Set REALM + set_fact: + realm: "{{ domain|upper }}" + +- name: Set Kubernetes facts + set_fact: + podnetwork: "10.38.0.0/16" + svcnetwork: "10.49.0.0/16" + clusterdom: "cluster.local" + master: "ovn11.lab.syscallx86.com" + bridge_name: "br-ex" + iface: "enp1s0" + ip_address: "10.1.{{ virbr }}.{{ netsuffix }}" \ No newline at end of file diff --git a/05_k8s/ansible/include/_setup_vars.template b/05_k8s/ansible/include/_setup_vars.template index 977557d..fd6f222 100644 --- a/05_k8s/ansible/include/_setup_vars.template +++ b/05_k8s/ansible/include/_setup_vars.template @@ -1,18 +1,18 @@ - name: Set global variables set_fact: - virbr: "16" + virbr: "4" netsuffix: "XXX" hostname: "nodeXXX" - domain: "lab.local" + domain: "lab.syscallx86.com" mem: "4G" - ipaserver: "freeipa.lab.local" + ipaserver: "freeipa.lab.syscallx86.com" ipaip: "10.1.8.10" - nfsserver: "nfsnode.lab.local" + nfsserver: "nfsnode.lab.syscallx86.com" home_export: "/nfsvg/home" - ldapbase: "dc=lab,dc=local" + ldapbase: "dc=lab,dc=syscallx86,dc=com" svcadmin: "admin" adminpwd: "admin123" - template: "t_centos7" + template: "basevm" template_dir: "/data/templates" vms_dir: "/data/vms" rootvg_size: 30 @@ -34,6 +34,5 @@ podnetwork: "10.58.0.0/16" svcnetwork: "10.59.0.0/16" clusterdom: "cluster.local" - master: "node11.lab.local" - + master: "node11.lab.syscallx86.com" diff --git a/05_k8s/ansible/include/_setup_vars.yaml b/05_k8s/ansible/include/_setup_vars.yaml index 1aaf6c0..b32f7ed 100644 --- a/05_k8s/ansible/include/_setup_vars.yaml +++ b/05_k8s/ansible/include/_setup_vars.yaml @@ -1,18 +1,18 @@ - name: Set global variables set_fact: virbr: "16" - netsuffix: "24" - hostname: "node24" - domain: "lab.local" + netsuffix: "52" + hostname: "ovn52" + domain: "lab.syscallx86.com" mem: "4G" - ipaserver: "freeipa.lab.local" + ipaserver: "freeipa.lab.syscallx86.com" ipaip: "10.1.8.10" - nfsserver: "nfsnode.lab.local" + nfsserver: "nfsnode.lab.syscallx86.com" home_export: "/nfsvg/home" - ldapbase: "dc=lab,dc=local" + ldapbase: "dc=lab,dc=syscallx86,dc=com" svcadmin: "admin" adminpwd: "admin123" - template: "t_centos7" + template: "basevm" template_dir: "/data/templates" vms_dir: "/data/vms" rootvg_size: 30 @@ -31,9 +31,10 @@ - name: Set Kubernetes facts set_fact: - podnetwork: "10.58.0.0/16" - svcnetwork: "10.59.0.0/16" + podnetwork: "10.38.0.0/16" + svcnetwork: "10.49.0.0/16" clusterdom: "cluster.local" - master: "node11.lab.local" - - + master: "ovn11.lab.syscallx86.com" + bridge_name: "br-ex" + iface: "enp1s0" + ip_address: "10.1.{{ virbr }}.{{ netsuffix }}" \ No newline at end of file diff --git a/05_k8s/ansible/include/crio.repo b/05_k8s/ansible/include/crio.repo new file mode 120000 index 0000000..c638385 --- /dev/null +++ b/05_k8s/ansible/include/crio.repo @@ -0,0 +1 @@ +../../../99_newhost/repos/crio.repo \ No newline at end of file diff --git a/05_k8s/ansible/include/kubernetes.repo b/05_k8s/ansible/include/kubernetes.repo deleted file mode 100644 index 8094327..0000000 --- a/05_k8s/ansible/include/kubernetes.repo +++ /dev/null @@ -1,8 +0,0 @@ -[kubernetes] -name=Kubernetes -baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64 -enabled=1 -gpgcheck=1 -repo_gpgcheck=1 -gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg - https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg diff --git a/05_k8s/ansible/include/kubernetes.repo b/05_k8s/ansible/include/kubernetes.repo new file mode 120000 index 0000000..e5b59a2 --- /dev/null +++ b/05_k8s/ansible/include/kubernetes.repo @@ -0,0 +1 @@ +../../../99_newhost/repos/kubernetes.repo \ No newline at end of file diff --git a/03_okdv3/02_infra/01_prepare_nodes.yaml b/05_k8s/ansible/ovn/01_prepare_nodes_ovn.yaml similarity index 84% rename from 03_okdv3/02_infra/01_prepare_nodes.yaml rename to 05_k8s/ansible/ovn/01_prepare_nodes_ovn.yaml index 8aa69f4..0bcdee3 100644 --- a/03_okdv3/02_infra/01_prepare_nodes.yaml +++ b/05_k8s/ansible/ovn/01_prepare_nodes_ovn.yaml @@ -23,7 +23,7 @@ shell: mkdir /data/vms/{{ hostname }}.{{ domain }} - name: Clone template - shell: virt-clone --original-xml /data/templates/t_centos7/t_centos7.xml --name {{ fqdn }} --file /data/vms/{{ fqdn }}/rootvg.qcow2 + shell: virt-clone --original-xml /data/vms/templates/ovn.xml --name {{ fqdn }} --file /data/vms/{{ fqdn }}/rootvg.qcow2 - name: Change rootvg size shell: qemu-img resize /data/vms/{{ fqdn }}/rootvg.qcow2 +{{ rootvg_size - 20 }}G @@ -41,7 +41,7 @@ -- hosts: centos7 +- hosts: basevm become: true gather_facts: no tasks: @@ -56,7 +56,7 @@ shell: echo "{{ fqdn }}" > /etc/hostname - name: Add hosts to hostname - shell: echo "{{ ip }} {{ hostname }} {{ fqdn }}" >> /etc/hosts + shell: echo "{{ ip }} {{ fqdn }} {{ hostname }}" >> /etc/hosts - name: Resize partition shell: printf 'd\n2\np\nn\np\n2\n\n\nt\n2\n8e\nw' | fdisk /dev/vda @@ -68,14 +68,14 @@ - name: PV resize shell: pvresize /dev/vda2 - - name: Add an Ethernet connection with static IP configuration - shell: nmcli connection modify eth0 ipv4.addresses {{ ip }}/24 ipv4.method manual ipv4.dns "{{ ipaip }}" + - name: Delete wired connextion 1 + shell: nmcli con delete "Wired connection 1" + + - name: Add an Ethernet connection with static ip configuration + shell: nmcli connection modify enp1s0 ipv4.addresses {{ ip }}/24 ipv4.method manual ipv4.dns "{{ ipaip }}" - name: Install additional packages - shell: yum install -y ipa-client sssd openldap-clients krb5-workstation nfs-client autofs policycoreutils-python - - - name: Enable make dir option for new users - shell: authconfig --enablemkhomedir --update + shell: yum install -y ipa-client sssd openldap-clients krb5-workstation nfs-utils autofs policycoreutils-python-utils python3-policycoreutils.noarch - name: Update sshd config - part 1 shell: echo "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" >> /etc/ssh/sshd_config @@ -118,10 +118,9 @@ - name: "Destroy domain" shell: "virsh destroy {{ fqdn }}" ignore_errors: yes - - - name: "Change virbr interface" - shell: virt-xml {{ fqdn }} --edit -w vnet0 --network bridge=virbr{{ virbr }} - + + - name: "Change network configuration" + shell: "virt-xml {{ fqdn }} --xml ./devices/interface/vlan/tag/@id={{ virbr1 }} --edit" - name: "Start domain" shell: "virsh start {{ fqdn }}" diff --git a/05_k8s/ansible/ovn/02_install_master_ovn_crio.yaml b/05_k8s/ansible/ovn/02_install_master_ovn_crio.yaml new file mode 100644 index 0000000..cc7ef68 --- /dev/null +++ b/05_k8s/ansible/ovn/02_install_master_ovn_crio.yaml @@ -0,0 +1,175 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before k8s installation" + ignore_errors: yes + + - name: "Create ansible group for new hosts" + add_host: name="{{ master }}" groups=master + +- hosts: master + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Disable SElinux + shell: setenforce 0 ; sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux + + - name: Make /etc/kubernetes directory and change the selinux context + shell: mkdir /etc/kubernetes ; semanage fcontext -a -t svirt_sandbox_file_t '/etc/kubernetes(/.*)?' + + - name: Make /var/lib/etcd and change the selinux context + shell: mkdir -p /var/lib/etcd ; semanage fcontext -a -t svirt_sandbox_file_t '/var/lib/etcd(/.*)?' + + - name: Restore contexts + shell: restorecon -vR /etc/kubernetes ; restorecon -vR /var/lib/etcd + + - name: Disable swap + shell: swapoff -a ; sed -i -E '/swap/d' /etc/fstab + + - name: Disable firewalld + shell: systemctl stop firewalld && systemctl disable firewalld + + +# - name: Setup firewall rules +# shell: firewall-cmd --permanent --add-port=6443/tcp --add-port=2379-2380/tcp --add-port=10250-10252/tcp --add-port=10255/tcp --add-port=8472/udp + +# - name: Open BGP protocal on firewalld +# shell: firewall-cmd --permanent --add-port=179/tcp + +# - name: Setup masquarade and reload rules +# shell: firewall-cmd --add-masquerade --permanent ; firewall-cmd --reload + +# - name: Enable br_netfilter (probably not survive the reboot!!! - check in the future) +# shell: modprobe br_netfilter; echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables + + - name: Copy kubernetes repo definition to yum dir + copy: + src: include/kubernetes.repo + dest: /etc/yum.repos.d/kubernetes.repo + + - name: Copy crio repo definition to yum dir + copy: + src: include/crio.repo + dest: /etc/yum.repos.d/crio.repo + + - name: Install kubeadm, crio and wget + shell: yum install wget kubeadm cri-o kubelet libnetfilter_conntrack conntrack-tools socat kubectl tar traceroute git python3-pip make podman buildah -y + + - name: Install ovs + shell: yum install -y epel-release centos-release-nfv-common centos-release-nfv-openvswitch && yum install -y openvswitch3.3 libibverbs NetworkManager-ovs + + - name: Restart and network manager + shell: systemctl restart NetworkManager + + - name: Start and enable openvswitch + shell: systemctl enable openvswitch ; systemctl start openvswitch + + - name: Enable crio + shell: systemctl restart crio && systemctl enable crio + + - name: Add bridge + shell: nmcli c add type ovs-bridge conn.interface {{ bridge_name }} con-name {{ bridge_name }} + + - name: Add bridge - new port + shell: nmcli c add type ovs-port conn.interface {{ bridge_name }} master {{ bridge_name }} con-name ovs-port-{{ bridge_name }} + + - name: Add bridge - slave + shell: nmcli c add type ovs-interface slave-type ovs-port conn.interface {{ bridge_name }} master ovs-port-{{ bridge_name }} con-name ovs-if-{{ bridge_name }} + + - name: Add bridge - second iface + shell: nmcli c add type ovs-port conn.interface {{ iface }} master {{ bridge_name }} con-name ovs-port-{{ iface }} + + - name: Add bridge - add ethernet iface + shell: nmcli c add type ethernet conn.interface {{ iface }} master ovs-port-{{ iface }} con-name ovs-if-{{ iface }} + + - name: Delete second connection + shell: nmcli conn delete {{ iface }} + + - name: Set autoconnect to bridge + shell: nmcli conn mod {{ bridge_name }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-if-{{ iface }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-port-{{ iface }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-port-{{ bridge_name }} connection.autoconnect yes + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.address {{ ip_address }} + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.method static + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.route-metric 50 + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.gateway "10.1.16.1" + + - name: Change ovn bridge + shell: nmcli conn mod {{ iface }} ipv4.never-default yes + + - name: Change ovn bridge + shell: nmcli conn mod {{ iface }} ipv4.ignore-auto-dns yes + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.dns "10.1.8.10" + + - name: Modules for crio + shell: modprobe br_netfilter; sysctl -w net.ipv4.ip_forward=1 + + - name: Run kubeadm + shell: kubeadm init --pod-network-cidr={{ podnetwork }} --service-cidr={{ svcnetwork }} --apiserver-advertise-address={{ ip2 }} > /tmp/kubeadm.out + + - name: Enable kubelet + shell: systemctl enable kubelet + + - name: Get token + shell: cat /tmp/kubeadm.out | grep -E '\-\-token' | awk '{print $5}' + register: kube_token + + - name: Recreate kube_token + shell: kubectl token delete {{ kube_token.stdout }} ; kubeadm token create + + - name: Register new kube token + shell: kubeadm token list | tail -n 1 | awk '{print $1}' + register: bootstrap_token + + - name: Get CA sha256 + shell: cat /tmp/kubeadm.out | grep -E 'sha256' | awk '{print $2}' + register: ca_token + + - name: Create Token file + shell: echo "{{ bootstrap_token.stdout }};{{ ca_token.stdout }}" > /root/token.out + + - name: Create .kube directory + shell: mkdir -p /root/.kube + + - name: Copy cfg to .kube dir + shell: cp -i /etc/kubernetes/admin.conf /root/.kube/config + + - name: Change ownership to kube directory + shell: chown $(id -u):$(id -g) /root/.kube/config + + - name: Create SDN namespace + shell: kubectl create namespace ovn-sdn + + - name: Reboot master + shell: shutdown -r now \ No newline at end of file diff --git a/05_k8s/ansible/ovn/03_install_nodes_ovn.yaml b/05_k8s/ansible/ovn/03_install_nodes_ovn.yaml new file mode 100644 index 0000000..0e36903 --- /dev/null +++ b/05_k8s/ansible/ovn/03_install_nodes_ovn.yaml @@ -0,0 +1,183 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before k8s installation" + ignore_errors: yes + + - name: "Create ansible group for new hosts" + add_host: name="{{ ip1 }}" groups=newhost + + - name: "Create ansible group for new hosts" + add_host: name="{{ master }}" groups=master + +- hosts: master + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create bootstrap token + shell: kubeadm token create + register: bootstrap_token + + - name: "Add K8S Token to dummy host" + add_host: + name: "K8S_TOKEN_HOLDER" + token: "{{ bootstrap_token.stdout }}" + +- hosts: newhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Disable SElinux + shell: setenforce 0 ; sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux + + - name: Make /etc/kubernetes directory and change the selinux context + shell: mkdir /etc/kubernetes ; semanage fcontext -a -t svirt_sandbox_file_t '/etc/kubernetes(/.*)?' + + - name: Make /var/lib/etcd and change the selinux context + shell: mkdir -p /var/lib/etcd ; semanage fcontext -a -t svirt_sandbox_file_t '/var/lib/etcd(/.*)?' + + - name: Restore contexts + shell: restorecon -vR /etc/kubernetes ; restorecon -vR /var/lib/etcd + + - name: Disable swap + shell: swapoff -a ; sed -i -E '/swap/d' /etc/fstab + + - name: Disable firewalld + shell: systemctl stop firewalld && systemctl disable firewalld + + - name: Install ovs + shell: yum install -y epel-release centos-release-nfv-common centos-release-nfv-openvswitch && yum install -y openvswitch3.3 libibverbs NetworkManager-ovs + + - name: Copy kubernetes repo definition to yum dir + copy: + src: include/kubernetes.repo + dest: /etc/yum.repos.d/kubernetes.repo + + - name: Copy crio repo definition to yum dir + copy: + src: include/crio.repo + dest: /etc/yum.repos.d/crio.repo + + - name: Install kubeadm, crio and wget + shell: yum install wget kubeadm cri-o kubelet libnetfilter_conntrack conntrack-tools socat kubectl -y + + - name: Restart and network manager + shell: systemctl restart NetworkManager + + - name: Start and enable openvswitch + shell: systemctl enable openvswitch ; systemctl start openvswitch + + - name: Enable crio + shell: systemctl restart crio && systemctl enable crio + + - name: Add bridge + shell: nmcli c add type ovs-bridge conn.interface {{ bridge_name }} con-name {{ bridge_name }} + + - name: Add bridge - new port + shell: nmcli c add type ovs-port conn.interface {{ bridge_name }} master {{ bridge_name }} con-name ovs-port-{{ bridge_name }} + + - name: Add bridge - slave + shell: nmcli c add type ovs-interface slave-type ovs-port conn.interface {{ bridge_name }} master ovs-port-{{ bridge_name }} con-name ovs-if-{{ bridge_name }} + + - name: Add bridge - second iface + shell: nmcli c add type ovs-port conn.interface {{ iface }} master {{ bridge_name }} con-name ovs-port-{{ iface }} + + - name: Add bridge - add ethernet iface + shell: nmcli c add type ethernet conn.interface {{ iface }} master ovs-port-{{ iface }} con-name ovs-if-{{ iface }} + + - name: Delete second connection + shell: nmcli conn delete {{ iface }} + + - name: Set autoconnect to bridge + shell: nmcli conn mod {{ bridge_name }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-if-{{ iface }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-port-{{ iface }} connection.autoconnect yes + + - name: Set autoconnect to bridge + shell: nmcli conn mod ovs-port-{{ bridge_name }} connection.autoconnect yes + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.address {{ ip_address }} + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.method static + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.route-metric 50 + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.gateway "10.1.16.1" + + - name: Change ovn bridge + shell: nmcli conn mod {{ iface }} ipv4.never-default yes + + - name: Change ovn bridge + shell: nmcli conn mod {{ iface }} ipv4.ignore-auto-dns yes + + - name: Change ovn bridge + shell: nmcli conn mod ovs-if-{{ bridge_name }} ipv4.dns "10.1.8.10" + + - name: Modules for crio + shell: modprobe br_netfilter; sysctl -w net.ipv4.ip_forward=1 + + - name: Copy ssh keys for root - HACK - must be changed! + copy: + src: /root/.ssh/id_ecdsa + dest: /root/.ssh/id_ecdsa + + - name: Copy ssh keys for root - HACK - must be changed! - changing perm + shell: chmod 0400 /root/.ssh/id_ecdsa + + - name: Get token file + shell: scp root@{{ master }}:/root/token.out /tmp/token.out + + - name: Get token + shell: cat /tmp/token.out | awk -F\; '{print $1}' + register: kube_token + + - name: Get CA token + shell: cat /tmp/token.out | awk -F\; '{print $2}' + register: ca_token + + - name: Enable kubelet + shell: systemctl enable kubelet + + - name: Join node to kubernetes cluster + shell: kubeadm join --token {{ hostvars['K8S_TOKEN_HOLDER']['token'] }} --discovery-token-ca-cert-hash {{ ca_token.stdout }} {{ master }}:6443 + + - name: Restart kubelet + shell: systemctl restart kubelet + + - name: Create .kube directory + shell: mkdir -p /root/.kube + + - name: Copy cfg to .kube dir + shell: scp root@{{ master }}:/etc/kubernetes/admin.conf /root/.kube/config + + - name: Change ownership to kube directory + shell: chown $(id -u):$(id -g) /root/.kube/config + + - name: Label node as a worker + shell: kubectl label node {{ fqdn }} node-role.kubernetes.io/worker=worker \ No newline at end of file diff --git a/05_k8s/ansible/ovn/_setup_vars.ovn.template b/05_k8s/ansible/ovn/_setup_vars.ovn.template new file mode 100644 index 0000000..d7e56c6 --- /dev/null +++ b/05_k8s/ansible/ovn/_setup_vars.ovn.template @@ -0,0 +1,46 @@ +- name: Set global variables + set_fact: + virbr1: "16" + virbr2: "64" + netsuffix: "XXX" + hostname: "ovnXXX" + domain: "lab.syscallx86.com" + mem: "4G" + ipaserver: "freeipa.lab.syscallx86.com" + ipaip: "10.1.8.10" + nfsserver: "nfsnode.lab.syscallx86.com" + home_export: "/nfsvg/home" + ldapbase: "dc=lab,dc=syscallx86,dc=com" + svcadmin: "admin" + adminpwd: "admin123" + template: "basevm" + template_dir: "/data/templates" + vms_dir: "/data/vms" + rootvg_size: 30 + +- name: Set ip1 + set_fact: + ip1: "10.1.{{ virbr1 }}.{{ netsuffix }}" + +- name: Set ip2 + set_fact: + ip2: "10.2.{{ virbr2 }}.{{ netsuffix }}" + +- name: Set FQDN + set_fact: + fqdn: "{{ hostname }}.{{ domain }}" + +- name: Set REALM + set_fact: + realm: "{{ domain|upper }}" + +- name: Set Kubernetes facts + set_fact: + podnetwork: "10.38.0.0/16" + svcnetwork: "10.49.0.0/16" + clusterdom: "cluster.local" + master: "ovn11.lab.syscallx86.com" + bridge_name: "br-ex" + if1: "enp1s0" + if2: "enp7s0" + ip_address: "10.2.{{ virbr2 }}.{{ netsuffix }}" \ No newline at end of file diff --git a/05_k8s/01_join_workers.sh b/05_k8s/ansible/vanila/01_join_workers.sh similarity index 100% rename from 05_k8s/01_join_workers.sh rename to 05_k8s/ansible/vanila/01_join_workers.sh diff --git a/05_k8s/01_make_nodes.sh b/05_k8s/ansible/vanila/01_make_nodes.sh similarity index 100% rename from 05_k8s/01_make_nodes.sh rename to 05_k8s/ansible/vanila/01_make_nodes.sh diff --git a/05_k8s/01_make_workers.sh b/05_k8s/ansible/vanila/01_make_workers.sh similarity index 73% rename from 05_k8s/01_make_workers.sh rename to 05_k8s/ansible/vanila/01_make_workers.sh index 9a63dc0..97e0fa5 100755 --- a/05_k8s/01_make_workers.sh +++ b/05_k8s/ansible/vanila/01_make_workers.sh @@ -2,10 +2,10 @@ echo "Creating nodes..." -i=23 -while [ "$i" -ne 25 ] +i=27 +while [ "$i" -ne 28 ] do - echo "node$i.lab.local" + echo "node$i.lab.syscallx86.com" arp -da 10.1.16.200 rm -rf /root/.ansible/cp/* rm -rf /root/.ansible/tmp/* @@ -14,6 +14,6 @@ do if [ $? -eq 1 ]; then exit 1 fi - ansible-playbook ansible/03_install_nodes.yaml + ansible-playbook ansible/03_install_nodes_antrea.yaml i=$((i + 1)) done diff --git a/05_k8s/01_prepare_master.sh b/05_k8s/ansible/vanila/01_prepare_master.sh similarity index 64% rename from 05_k8s/01_prepare_master.sh rename to 05_k8s/ansible/vanila/01_prepare_master.sh index 506fa79..f5d2bc7 100755 --- a/05_k8s/01_prepare_master.sh +++ b/05_k8s/ansible/vanila/01_prepare_master.sh @@ -8,14 +8,15 @@ echo "Creating master..." i=11 while [ "$i" -ne 12 ] do - echo "node$i.lab.local" + echo "node$i.lab.syscallx86.com" rm -rf /root/.ansible/cp/* rm -rf /root/.ansible/tmp/* cat ansible/include/_setup_vars.template | sed s/XXX/$i/g > ansible/include/_setup_vars.yaml - ansible-playbook ansible/01_prepare_nodes.yaml + #ansible-playbook ansible/01_prepare_nodes.yaml if [ $? -eq 1 ]; then exit 1 fi - ansible-playbook ansible/02_prepare_master.yaml + #ansible-playbook ansible/02_prepare_master.yaml + #ansible-playbook ansible/02_install_master_antrea_crio.yaml i=$((i + 1)) done diff --git a/05_k8s/ansible/vanila/02_install_master.yaml b/05_k8s/ansible/vanila/02_install_master.yaml new file mode 100644 index 0000000..33c0686 --- /dev/null +++ b/05_k8s/ansible/vanila/02_install_master.yaml @@ -0,0 +1,102 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: "Create ansible group for new hosts" + add_host: name="{{ master }}" groups=master + +- hosts: master + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Make /etc/kubernetes directory and change the selinux context + shell: mkdir /etc/kubernetes ; semanage fcontext -a -t svirt_sandbox_file_t '/etc/kubernetes(/.*)?' + + - name: Make /var/lib/etcd and change the selinux context + shell: mkdir -p /var/lib/etcd ; semanage fcontext -a -t svirt_sandbox_file_t '/var/lib/etcd(/.*)?' + + - name: Restore contexts + shell: restorecon -vR /etc/kubernetes ; restorecon -vR /var/lib/etcd + + - name: Disable swap + shell: swapoff -a ; sed -i -E '/swap/d' /etc/fstab + + - name: Setup firewall rules + shell: firewall-cmd --permanent --add-port=6443/tcp --add-port=2379-2380/tcp --add-port=10250-10252/tcp --add-port=10255/tcp --add-port=8472/udp + + - name: Open BGP protocal on firewalld + shell: firewall-cmd --permanent --add-port=179/tcp + + - name: Setup masquarade and reload rules + shell: firewall-cmd --add-masquerade --permanent ; firewall-cmd --reload + + - name: Enable br_netfilter (probably not survive the reboot!!! - check in the future) + shell: modprobe br_netfilter; echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables + + - name: Copy kubernetes repo definition to yum dir + copy: + src: include/kubernetes.repo + dest: /etc/yum.repos.d/kubernetes.repo + + - name: Install kubeadm, docker and wget + shell: yum install wget kubeadm docker -y + + - name: Enable docker + shell: systemctl restart docker && systemctl enable docker + + - name: Enable kubelet + shell: systemctl restart kubelet && systemctl enable kubelet + + - name: Run kubeadm + shell: kubeadm init --pod-network-cidr={{ podnetwork }} --service-cidr={{ svcnetwork }} --apiserver-advertise-address={{ ip }} > /tmp/kubeadm.out + + - name: Get token + shell: cat /tmp/kubeadm.out | grep -E '\-\-token' | awk '{print $5}' + register: kube_token + + - name: Get CA sha256 + shell: cat /tmp/kubeadm.out | grep -E 'sha256' | awk '{print $2}' + register: ca_token + + - name: Create Token file + shell: echo "{{ kube_token.stdout }};{{ ca_token.stdout }}" > /root/token.out + + - name: Create .kube directory + shell: mkdir -p /root/.kube + + - name: Copy cfg to .kube dir + shell: cp -i /etc/kubernetes/admin.conf /root/.kube/config + + - name: Change ownership to kube directory + shell: chown $(id -u):$(id -g) /root/.kube/config + + - name: Create SDN namespace + shell: kubectl create namespace kube-sdn + + - name: Get calico manifest + shell: cd /root ; wget https://docs.projectcalico.org/manifests/calico.yaml + + - name: Change pod ip + replace: + path: /root/calico.yaml + regexp: '192.168.0.0/16' + replace: "{{ podnetwork }}" + + - name: Change namespace for calico + replace: + path: /root/calico.yaml + regexp: 'kube-system' + replace: "kube-sdn" + + + - name: Apply Calico SDN Manifest + shell: kubectl apply -f /root/calico.yaml diff --git a/05_k8s/02_make_registry.sh b/05_k8s/ansible/vanila/02_make_registry.sh similarity index 100% rename from 05_k8s/02_make_registry.sh rename to 05_k8s/ansible/vanila/02_make_registry.sh diff --git a/05_k8s/ansible/02_post_master.yaml b/05_k8s/ansible/vanila/02_post_master.yaml similarity index 100% rename from 05_k8s/ansible/02_post_master.yaml rename to 05_k8s/ansible/vanila/02_post_master.yaml diff --git a/05_k8s/02_prepare_master.sh b/05_k8s/ansible/vanila/02_prepare_master.sh similarity index 100% rename from 05_k8s/02_prepare_master.sh rename to 05_k8s/ansible/vanila/02_prepare_master.sh diff --git a/05_k8s/ansible/02_prepare_master.yaml b/05_k8s/ansible/vanila/02_prepare_master.yaml similarity index 100% rename from 05_k8s/ansible/02_prepare_master.yaml rename to 05_k8s/ansible/vanila/02_prepare_master.yaml diff --git a/05_k8s/ansible/03_install_nodes.yaml b/05_k8s/ansible/vanila/03_install_nodes.yaml similarity index 100% rename from 05_k8s/ansible/03_install_nodes.yaml rename to 05_k8s/ansible/vanila/03_install_nodes.yaml diff --git a/05_k8s/ansible/04_install_registry.yaml b/05_k8s/ansible/vanila/04_install_registry.yaml similarity index 100% rename from 05_k8s/ansible/04_install_registry.yaml rename to 05_k8s/ansible/vanila/04_install_registry.yaml diff --git a/05_k8s/99_make_nodes.sh b/05_k8s/ansible/vanila/99_make_nodes.sh similarity index 100% rename from 05_k8s/99_make_nodes.sh rename to 05_k8s/ansible/vanila/99_make_nodes.sh diff --git a/05_k8s/ansible/99_temp_calico.yaml b/05_k8s/ansible/vanila/99_temp_calico.yaml similarity index 100% rename from 05_k8s/ansible/99_temp_calico.yaml rename to 05_k8s/ansible/vanila/99_temp_calico.yaml diff --git a/05_k8s/ansible/99_temp_kubeadm.yaml b/05_k8s/ansible/vanila/99_temp_kubeadm.yaml similarity index 100% rename from 05_k8s/ansible/99_temp_kubeadm.yaml rename to 05_k8s/ansible/vanila/99_temp_kubeadm.yaml diff --git a/05_k8s/ansible/vanila/ovn-temp.sh b/05_k8s/ansible/vanila/ovn-temp.sh new file mode 100644 index 0000000..0b2cade --- /dev/null +++ b/05_k8s/ansible/vanila/ovn-temp.sh @@ -0,0 +1,22 @@ +nmcli c add type ovs-bridge conn.interface ${BRIDGE_NAME} con-name ${BRIDGE_NAME} +nmcli c add type ovs-port conn.interface ${BRIDGE_NAME} master ${BRIDGE_NAME} con-name ovs-port-${BRIDGE_NAME} +nmcli c add type ovs-interface slave-type ovs-port conn.interface ${BRIDGE_NAME} master ovs-port-${BRIDGE_NAME} con-name ovs-if-${BRIDGE_NAME} +nmcli c add type ovs-port conn.interface ${IF2} master ${BRIDGE_NAME} con-name ovs-port-${IF2} +nmcli c add type ethernet conn.interface ${IF2} master ovs-port-${IF2} con-name ovs-if-${IF2} +nmcli conn delete ${IF2} +nmcli conn mod ${BRIDGE_NAME} connection.autoconnect yes +nmcli conn mod ovs-if-${BRIDGE_NAME} connection.autoconnect yes +nmcli conn mod ovs-if-${IF2} connection.autoconnect yes +nmcli conn mod ovs-port-${IF2} connection.autoconnect yes +nmcli conn mod ovs-port-${BRIDGE_NAME} connection.autoconnect yes +nmcli conn mod ovs-if-${BRIDGE_NAME} ipv4.address ${IP_ADDRESS} +nmcli conn mod ovs-if-${BRIDGE_NAME} ipv4.method static +nmcli conn mod ovs-if-${BRIDGE_NAME} ipv4.route-metric 50 + +# move the default route to br-ex +BRIDGE_NAME=br-ex +nmcli conn mod ovs-if-${BRIDGE_NAME} ipv4.gateway "192.168.123.254" +nmcli conn mod ${IF1} ipv4.never-default yes +# Change DNS to 8.8.8.8 +nmcli conn mod ${IF1} ipv4.ignore-auto-dns yes +nmcli conn mod ovs-if-${BRIDGE_NAME} ipv4.dns "8.8.8.8" diff --git a/05_k8s/antrea/01_join_workers_antrea.sh b/05_k8s/antrea/01_join_workers_antrea.sh new file mode 100755 index 0000000..2387e3c --- /dev/null +++ b/05_k8s/antrea/01_join_workers_antrea.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +echo "Joining nodes to existing cluster..." + +i=56 +while [ "$i" -ne 59 ] +do + echo "node$i.lab.local" + arp -da 10.1.16.200 + rm -rf /root/.ansible/cp/* + rm -rf /root/.ansible/tmp/* + cat ansible/include/_setup_vars.antrea.template | sed s/XXX/$i/g > ansible/include/_setup_vars.yaml +# ansible-playbook ansible/01_prepare_nodes.yaml +# if [ $? -eq 1 ]; then +# exit 1 +# fi + ansible-playbook ansible/03_install_nodes_antrea.yaml + i=$((i + 1)) +done diff --git a/05_k8s/antrea/01_make_workers_antrea.sh b/05_k8s/antrea/01_make_workers_antrea.sh new file mode 100755 index 0000000..25f6334 --- /dev/null +++ b/05_k8s/antrea/01_make_workers_antrea.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +echo "Creating nodes..." + +i=55 +while [ "$i" -ne 60 ] +do + echo "node$i.lab.local" + arp -da 10.1.16.200 + rm -rf /root/.ansible/cp/* + rm -rf /root/.ansible/tmp/* + cat ansible/include/_setup_vars.antrea.template | sed s/XXX/$i/g > ansible/include/_setup_vars.yaml + ansible-playbook ansible/01_prepare_nodes.yaml + if [ $? -eq 1 ]; then + exit 1 + fi + #ansible-playbook ansible/03_install_nodes.yaml + i=$((i + 1)) +done diff --git a/05_k8s/antrea/gateway/interface.xml b/05_k8s/antrea/gateway/interface.xml new file mode 100644 index 0000000..605e098 --- /dev/null +++ b/05_k8s/antrea/gateway/interface.xml @@ -0,0 +1,5 @@ + + + + + diff --git a/05_k8s/nohup.out b/05_k8s/nohup.out deleted file mode 100644 index 511056e..0000000 --- a/05_k8s/nohup.out +++ /dev/null @@ -1,1591 +0,0 @@ -Creating nodes... -node21.lab.local -? (10.1.16.200) at 52:54:00:1d:db:72 [ether] on virbr16 -[WARNING]: Could not match supplied host pattern, ignoring: newhost - -PLAY [localhost] *************************************************************** - -TASK [Set global variables] **************************************************** -ok: [localhost] - -TASK [Set ip] ****************************************************************** -ok: [localhost] - -TASK [Set FQDN] **************************************************************** -ok: [localhost] - -TASK [Set REALM] *************************************************************** -ok: [localhost] - -TASK [Set Kubernetes facts] **************************************************** -ok: [localhost] - -TASK [Create ansible group for new hosts] ************************************** -changed: [localhost] - -TASK [Delete ssh keys for template] ******************************************** -[WARNING]: Consider using the replace, lineinfile or template module rather -than running 'sed'. If you need to use command because replace, lineinfile or -template is insufficient you can add 'warn: false' to this command task or set -'command_warnings=False' in ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Delete ssh keys for ip] ************************************************** -changed: [localhost] - -TASK [Create ansible group for ipa server] ************************************* -changed: [localhost] - -TASK [Create data directory] *************************************************** -[WARNING]: Consider using the file module with state=directory rather than -running 'mkdir'. If you need to use command because file is insufficient you -can add 'warn: false' to this command task or set 'command_warnings=False' in -ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Clone template] ********************************************************** -changed: [localhost] - -TASK [Change rootvg size] ****************************************************** -changed: [localhost] - -TASK [Set max memory] ********************************************************** -changed: [localhost] - -TASK [Set more memory] ********************************************************* -changed: [localhost] - -TASK [Start machine] *********************************************************** -changed: [localhost] - -PLAY [centos7] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 35 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [centos7] - -TASK [Set global variables] **************************************************** -ok: [centos7] - -TASK [Set ip] ****************************************************************** -ok: [centos7] - -TASK [Set FQDN] **************************************************************** -ok: [centos7] - -TASK [Set REALM] *************************************************************** -ok: [centos7] - -TASK [Set Kubernetes facts] **************************************************** -ok: [centos7] - -TASK [Change hostname] ********************************************************* -changed: [centos7] - -TASK [Add hosts to hostname] *************************************************** -changed: [centos7] - -TASK [Resize partition] ******************************************************** -fatal: [centos7]: FAILED! => {"changed": true, "cmd": "printf 'd\\n2\\np\\nn\\np\\n2\\n\\n\\nt\\n2\\n8e\\nw' | fdisk /dev/vda", "delta": "0:00:00.019714", "end": "2021-02-26 11:49:50.330806", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 11:49:50.311092", "stderr": "", "stderr_lines": [], "stdout": "Welcome to fdisk (util-linux 2.23.2).\n\nChanges will remain in memory only, until you decide to write them.\nBe careful before using the write command.\n\n\nCommand (m for help): Partition number (1,2, default 2): Partition 2 is deleted\n\nCommand (m for help): \nDisk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors\nUnits = sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size (minimum/optimal): 512 bytes / 512 bytes\nDisk label type: dos\nDisk identifier: 0x00013b86\n\n Device Boot Start End Blocks Id System\n/dev/vda1 * 2048 2099199 1048576 83 Linux\n\nCommand (m for help): Partition type:\n p primary (1 primary, 0 extended, 3 free)\n e extended\nSelect (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200\nLast sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559\nPartition 2 of type Linux and of size 29 GiB is set\n\nCommand (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'\n\nCommand (m for help): The partition table has been altered!\n\nCalling ioctl() to re-read partition table.\n\nWARNING: Re-reading the partition table failed with error 16: Device or resource busy.\nThe kernel still uses the old table. The new table will be used at\nthe next reboot or after you run partprobe(8) or kpartx(8)\nSyncing disks.", "stdout_lines": ["Welcome to fdisk (util-linux 2.23.2).", "", "Changes will remain in memory only, until you decide to write them.", "Be careful before using the write command.", "", "", "Command (m for help): Partition number (1,2, default 2): Partition 2 is deleted", "", "Command (m for help): ", "Disk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors", "Units = sectors of 1 * 512 = 512 bytes", "Sector size (logical/physical): 512 bytes / 512 bytes", "I/O size (minimum/optimal): 512 bytes / 512 bytes", "Disk label type: dos", "Disk identifier: 0x00013b86", "", " Device Boot Start End Blocks Id System", "/dev/vda1 * 2048 2099199 1048576 83 Linux", "", "Command (m for help): Partition type:", " p primary (1 primary, 0 extended, 3 free)", " e extended", "Select (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200", "Last sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559", "Partition 2 of type Linux and of size 29 GiB is set", "", "Command (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'", "", "Command (m for help): The partition table has been altered!", "", "Calling ioctl() to re-read partition table.", "", "WARNING: Re-reading the partition table failed with error 16: Device or resource busy.", "The kernel still uses the old table. The new table will be used at", "the next reboot or after you run partprobe(8) or kpartx(8)", "Syncing disks."]} -...ignoring - -TASK [Partprobe disks] ********************************************************* -changed: [centos7] - -TASK [PV resize] *************************************************************** -changed: [centos7] - -TASK [Add an Ethernet connection with static IP configuration] ***************** -changed: [centos7] - -TASK [Install additional packages] ********************************************* -[WARNING]: Consider using the yum module rather than running 'yum'. If you -need to use command because yum is insufficient you can add 'warn: false' to -this command task or set 'command_warnings=False' in ansible.cfg to get rid of -this message. -changed: [centos7] - -TASK [Enable make dir option for new users] ************************************ -changed: [centos7] - -TASK [Update sshd config - part 1] ********************************************* -changed: [centos7] - -TASK [Update sshd config - part 2] ********************************************* -changed: [centos7] - -TASK [Update ssh config - non strict host checking] **************************** -changed: [centos7] - -TASK [Create nfshome dir] ****************************************************** -changed: [centos7] - -TASK [Set nfs home boolean] **************************************************** -changed: [centos7] - -TASK [Prepare autofs master] *************************************************** -changed: [centos7] - -TASK [Create auto.nfshome] ***************************************************** -changed: [centos7] - -TASK [Set timezone to Prague] ************************************************** -changed: [centos7] - -PLAY [localhost] *************************************************************** - -TASK [Shutdown host] *********************************************************** -changed: [localhost] - -TASK [pause] ******************************************************************* -Pausing for 5 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [localhost] - -TASK [Destroy domain] ********************************************************** -fatal: [localhost]: FAILED! => {"changed": true, "cmd": "virsh destroy node21.lab.local", "delta": "0:00:00.050621", "end": "2021-02-26 17:53:29.681599", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 17:53:29.630978", "stderr": "error: Failed to destroy domain node21.lab.local\nerror: Requested operation is not valid: domain is not running", "stderr_lines": ["error: Failed to destroy domain node21.lab.local", "error: Requested operation is not valid: domain is not running"], "stdout": "", "stdout_lines": []} -...ignoring - -TASK [Change virbr interface] ************************************************** -changed: [localhost] - -TASK [Start domain] ************************************************************ -changed: [localhost] - -PLAY [newhost] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 25 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [10.1.16.21] - -TASK [Set global variables] **************************************************** -ok: [10.1.16.21] - -TASK [Set ip] ****************************************************************** -ok: [10.1.16.21] - -TASK [Set FQDN] **************************************************************** -ok: [10.1.16.21] - -TASK [Set REALM] *************************************************************** -ok: [10.1.16.21] - -TASK [Set Kubernetes facts] **************************************************** -ok: [10.1.16.21] - -TASK [Join machine to IPA domain] ********************************************** -changed: [10.1.16.21] - -TASK [Get the krb5 ticket] ***************************************************** -changed: [10.1.16.21] - -TASK [Add nfs server to the ipa server] **************************************** -changed: [10.1.16.21] - -TASK [Create nfs service for krb5 mount client] ******************************** -changed: [10.1.16.21] - -TASK [Enable and start nfs client] ********************************************* -changed: [10.1.16.21] - -TASK [Enable and start autofs] ************************************************* -changed: [10.1.16.21] - -PLAY RECAP ********************************************************************* -10.1.16.21 : ok=12 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 -centos7 : ok=22 changed=16 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 -localhost : ok=20 changed=14 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 - -node22.lab.local -? (10.1.16.200) at 52:54:00:c2:f5:de [ether] on virbr16 -[WARNING]: Could not match supplied host pattern, ignoring: newhost - -PLAY [localhost] *************************************************************** - -TASK [Set global variables] **************************************************** -ok: [localhost] - -TASK [Set ip] ****************************************************************** -ok: [localhost] - -TASK [Set FQDN] **************************************************************** -ok: [localhost] - -TASK [Set REALM] *************************************************************** -ok: [localhost] - -TASK [Set Kubernetes facts] **************************************************** -ok: [localhost] - -TASK [Create ansible group for new hosts] ************************************** -changed: [localhost] - -TASK [Delete ssh keys for template] ******************************************** -[WARNING]: Consider using the replace, lineinfile or template module rather -than running 'sed'. If you need to use command because replace, lineinfile or -template is insufficient you can add 'warn: false' to this command task or set -'command_warnings=False' in ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Delete ssh keys for ip] ************************************************** -changed: [localhost] - -TASK [Create ansible group for ipa server] ************************************* -changed: [localhost] - -TASK [Create data directory] *************************************************** -[WARNING]: Consider using the file module with state=directory rather than -running 'mkdir'. If you need to use command because file is insufficient you -can add 'warn: false' to this command task or set 'command_warnings=False' in -ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Clone template] ********************************************************** -changed: [localhost] - -TASK [Change rootvg size] ****************************************************** -changed: [localhost] - -TASK [Set max memory] ********************************************************** -changed: [localhost] - -TASK [Set more memory] ********************************************************* -changed: [localhost] - -TASK [Start machine] *********************************************************** -changed: [localhost] - -PLAY [centos7] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 35 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [centos7] - -TASK [Set global variables] **************************************************** -ok: [centos7] - -TASK [Set ip] ****************************************************************** -ok: [centos7] - -TASK [Set FQDN] **************************************************************** -ok: [centos7] - -TASK [Set REALM] *************************************************************** -ok: [centos7] - -TASK [Set Kubernetes facts] **************************************************** -ok: [centos7] - -TASK [Change hostname] ********************************************************* -changed: [centos7] - -TASK [Add hosts to hostname] *************************************************** -changed: [centos7] - -TASK [Resize partition] ******************************************************** -fatal: [centos7]: FAILED! => {"changed": true, "cmd": "printf 'd\\n2\\np\\nn\\np\\n2\\n\\n\\nt\\n2\\n8e\\nw' | fdisk /dev/vda", "delta": "0:00:00.021941", "end": "2021-02-26 11:56:31.127686", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 11:56:31.105745", "stderr": "", "stderr_lines": [], "stdout": "Welcome to fdisk (util-linux 2.23.2).\n\nChanges will remain in memory only, until you decide to write them.\nBe careful before using the write command.\n\n\nCommand (m for help): Partition number (1,2, default 2): Partition 2 is deleted\n\nCommand (m for help): \nDisk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors\nUnits = sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size (minimum/optimal): 512 bytes / 512 bytes\nDisk label type: dos\nDisk identifier: 0x00013b86\n\n Device Boot Start End Blocks Id System\n/dev/vda1 * 2048 2099199 1048576 83 Linux\n\nCommand (m for help): Partition type:\n p primary (1 primary, 0 extended, 3 free)\n e extended\nSelect (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200\nLast sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559\nPartition 2 of type Linux and of size 29 GiB is set\n\nCommand (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'\n\nCommand (m for help): The partition table has been altered!\n\nCalling ioctl() to re-read partition table.\n\nWARNING: Re-reading the partition table failed with error 16: Device or resource busy.\nThe kernel still uses the old table. The new table will be used at\nthe next reboot or after you run partprobe(8) or kpartx(8)\nSyncing disks.", "stdout_lines": ["Welcome to fdisk (util-linux 2.23.2).", "", "Changes will remain in memory only, until you decide to write them.", "Be careful before using the write command.", "", "", "Command (m for help): Partition number (1,2, default 2): Partition 2 is deleted", "", "Command (m for help): ", "Disk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors", "Units = sectors of 1 * 512 = 512 bytes", "Sector size (logical/physical): 512 bytes / 512 bytes", "I/O size (minimum/optimal): 512 bytes / 512 bytes", "Disk label type: dos", "Disk identifier: 0x00013b86", "", " Device Boot Start End Blocks Id System", "/dev/vda1 * 2048 2099199 1048576 83 Linux", "", "Command (m for help): Partition type:", " p primary (1 primary, 0 extended, 3 free)", " e extended", "Select (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200", "Last sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559", "Partition 2 of type Linux and of size 29 GiB is set", "", "Command (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'", "", "Command (m for help): The partition table has been altered!", "", "Calling ioctl() to re-read partition table.", "", "WARNING: Re-reading the partition table failed with error 16: Device or resource busy.", "The kernel still uses the old table. The new table will be used at", "the next reboot or after you run partprobe(8) or kpartx(8)", "Syncing disks."]} -...ignoring - -TASK [Partprobe disks] ********************************************************* -changed: [centos7] - -TASK [PV resize] *************************************************************** -changed: [centos7] - -TASK [Add an Ethernet connection with static IP configuration] ***************** -changed: [centos7] - -TASK [Install additional packages] ********************************************* -[WARNING]: Consider using the yum module rather than running 'yum'. If you -need to use command because yum is insufficient you can add 'warn: false' to -this command task or set 'command_warnings=False' in ansible.cfg to get rid of -this message. -changed: [centos7] - -TASK [Enable make dir option for new users] ************************************ -changed: [centos7] - -TASK [Update sshd config - part 1] ********************************************* -changed: [centos7] - -TASK [Update sshd config - part 2] ********************************************* -changed: [centos7] - -TASK [Update ssh config - non strict host checking] **************************** -changed: [centos7] - -TASK [Create nfshome dir] ****************************************************** -changed: [centos7] - -TASK [Set nfs home boolean] **************************************************** -changed: [centos7] - -TASK [Prepare autofs master] *************************************************** -changed: [centos7] - -TASK [Create auto.nfshome] ***************************************************** -changed: [centos7] - -TASK [Set timezone to Prague] ************************************************** -changed: [centos7] - -PLAY [localhost] *************************************************************** - -TASK [Shutdown host] *********************************************************** -changed: [localhost] - -TASK [pause] ******************************************************************* -Pausing for 5 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [localhost] - -TASK [Destroy domain] ********************************************************** -fatal: [localhost]: FAILED! => {"changed": true, "cmd": "virsh destroy node22.lab.local", "delta": "0:00:00.048335", "end": "2021-02-26 17:58:57.227828", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 17:58:57.179493", "stderr": "error: Failed to destroy domain node22.lab.local\nerror: Requested operation is not valid: domain is not running", "stderr_lines": ["error: Failed to destroy domain node22.lab.local", "error: Requested operation is not valid: domain is not running"], "stdout": "", "stdout_lines": []} -...ignoring - -TASK [Change virbr interface] ************************************************** -changed: [localhost] - -TASK [Start domain] ************************************************************ -changed: [localhost] - -PLAY [newhost] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 25 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [10.1.16.22] - -TASK [Set global variables] **************************************************** -ok: [10.1.16.22] - -TASK [Set ip] ****************************************************************** -ok: [10.1.16.22] - -TASK [Set FQDN] **************************************************************** -ok: [10.1.16.22] - -TASK [Set REALM] *************************************************************** -ok: [10.1.16.22] - -TASK [Set Kubernetes facts] **************************************************** -ok: [10.1.16.22] - -TASK [Join machine to IPA domain] ********************************************** -changed: [10.1.16.22] - -TASK [Get the krb5 ticket] ***************************************************** -changed: [10.1.16.22] - -TASK [Add nfs server to the ipa server] **************************************** -changed: [10.1.16.22] - -TASK [Create nfs service for krb5 mount client] ******************************** -changed: [10.1.16.22] - -TASK [Enable and start nfs client] ********************************************* -changed: [10.1.16.22] - -TASK [Enable and start autofs] ************************************************* -changed: [10.1.16.22] - -PLAY RECAP ********************************************************************* -10.1.16.22 : ok=12 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 -centos7 : ok=22 changed=16 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 -localhost : ok=20 changed=14 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 - -node23.lab.local -? (10.1.16.200) at 52:54:00:4c:e7:c8 [ether] on virbr16 -[WARNING]: Could not match supplied host pattern, ignoring: newhost - -PLAY [localhost] *************************************************************** - -TASK [Set global variables] **************************************************** -ok: [localhost] - -TASK [Set ip] ****************************************************************** -ok: [localhost] - -TASK [Set FQDN] **************************************************************** -ok: [localhost] - -TASK [Set REALM] *************************************************************** -ok: [localhost] - -TASK [Set Kubernetes facts] **************************************************** -ok: [localhost] - -TASK [Create ansible group for new hosts] ************************************** -changed: [localhost] - -TASK [Delete ssh keys for template] ******************************************** -[WARNING]: Consider using the replace, lineinfile or template module rather -than running 'sed'. If you need to use command because replace, lineinfile or -template is insufficient you can add 'warn: false' to this command task or set -'command_warnings=False' in ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Delete ssh keys for ip] ************************************************** -changed: [localhost] - -TASK [Create ansible group for ipa server] ************************************* -changed: [localhost] - -TASK [Create data directory] *************************************************** -[WARNING]: Consider using the file module with state=directory rather than -running 'mkdir'. If you need to use command because file is insufficient you -can add 'warn: false' to this command task or set 'command_warnings=False' in -ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Clone template] ********************************************************** -changed: [localhost] - -TASK [Change rootvg size] ****************************************************** -changed: [localhost] - -TASK [Set max memory] ********************************************************** -changed: [localhost] - -TASK [Set more memory] ********************************************************* -changed: [localhost] - -TASK [Start machine] *********************************************************** -changed: [localhost] - -PLAY [centos7] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 35 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [centos7] - -TASK [Set global variables] **************************************************** -ok: [centos7] - -TASK [Set ip] ****************************************************************** -ok: [centos7] - -TASK [Set FQDN] **************************************************************** -ok: [centos7] - -TASK [Set REALM] *************************************************************** -ok: [centos7] - -TASK [Set Kubernetes facts] **************************************************** -ok: [centos7] - -TASK [Change hostname] ********************************************************* -changed: [centos7] - -TASK [Add hosts to hostname] *************************************************** -changed: [centos7] - -TASK [Resize partition] ******************************************************** -fatal: [centos7]: FAILED! => {"changed": true, "cmd": "printf 'd\\n2\\np\\nn\\np\\n2\\n\\n\\nt\\n2\\n8e\\nw' | fdisk /dev/vda", "delta": "0:00:00.022311", "end": "2021-02-26 12:01:59.615594", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 12:01:59.593283", "stderr": "", "stderr_lines": [], "stdout": "Welcome to fdisk (util-linux 2.23.2).\n\nChanges will remain in memory only, until you decide to write them.\nBe careful before using the write command.\n\n\nCommand (m for help): Partition number (1,2, default 2): Partition 2 is deleted\n\nCommand (m for help): \nDisk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors\nUnits = sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size (minimum/optimal): 512 bytes / 512 bytes\nDisk label type: dos\nDisk identifier: 0x00013b86\n\n Device Boot Start End Blocks Id System\n/dev/vda1 * 2048 2099199 1048576 83 Linux\n\nCommand (m for help): Partition type:\n p primary (1 primary, 0 extended, 3 free)\n e extended\nSelect (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200\nLast sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559\nPartition 2 of type Linux and of size 29 GiB is set\n\nCommand (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'\n\nCommand (m for help): The partition table has been altered!\n\nCalling ioctl() to re-read partition table.\n\nWARNING: Re-reading the partition table failed with error 16: Device or resource busy.\nThe kernel still uses the old table. The new table will be used at\nthe next reboot or after you run partprobe(8) or kpartx(8)\nSyncing disks.", "stdout_lines": ["Welcome to fdisk (util-linux 2.23.2).", "", "Changes will remain in memory only, until you decide to write them.", "Be careful before using the write command.", "", "", "Command (m for help): Partition number (1,2, default 2): Partition 2 is deleted", "", "Command (m for help): ", "Disk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors", "Units = sectors of 1 * 512 = 512 bytes", "Sector size (logical/physical): 512 bytes / 512 bytes", "I/O size (minimum/optimal): 512 bytes / 512 bytes", "Disk label type: dos", "Disk identifier: 0x00013b86", "", " Device Boot Start End Blocks Id System", "/dev/vda1 * 2048 2099199 1048576 83 Linux", "", "Command (m for help): Partition type:", " p primary (1 primary, 0 extended, 3 free)", " e extended", "Select (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200", "Last sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559", "Partition 2 of type Linux and of size 29 GiB is set", "", "Command (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'", "", "Command (m for help): The partition table has been altered!", "", "Calling ioctl() to re-read partition table.", "", "WARNING: Re-reading the partition table failed with error 16: Device or resource busy.", "The kernel still uses the old table. The new table will be used at", "the next reboot or after you run partprobe(8) or kpartx(8)", "Syncing disks."]} -...ignoring - -TASK [Partprobe disks] ********************************************************* -changed: [centos7] - -TASK [PV resize] *************************************************************** -changed: [centos7] - -TASK [Add an Ethernet connection with static IP configuration] ***************** -changed: [centos7] - -TASK [Install additional packages] ********************************************* -[WARNING]: Consider using the yum module rather than running 'yum'. If you -need to use command because yum is insufficient you can add 'warn: false' to -this command task or set 'command_warnings=False' in ansible.cfg to get rid of -this message. -changed: [centos7] - -TASK [Enable make dir option for new users] ************************************ -changed: [centos7] - -TASK [Update sshd config - part 1] ********************************************* -changed: [centos7] - -TASK [Update sshd config - part 2] ********************************************* -changed: [centos7] - -TASK [Update ssh config - non strict host checking] **************************** -changed: [centos7] - -TASK [Create nfshome dir] ****************************************************** -changed: [centos7] - -TASK [Set nfs home boolean] **************************************************** -changed: [centos7] - -TASK [Prepare autofs master] *************************************************** -changed: [centos7] - -TASK [Create auto.nfshome] ***************************************************** -changed: [centos7] - -TASK [Set timezone to Prague] ************************************************** -changed: [centos7] - -PLAY [localhost] *************************************************************** - -TASK [Shutdown host] *********************************************************** -changed: [localhost] - -TASK [pause] ******************************************************************* -Pausing for 5 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [localhost] - -TASK [Destroy domain] ********************************************************** -changed: [localhost] - -TASK [Change virbr interface] ************************************************** -changed: [localhost] - -TASK [Start domain] ************************************************************ -changed: [localhost] - -PLAY [newhost] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 25 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [10.1.16.23] - -TASK [Set global variables] **************************************************** -ok: [10.1.16.23] - -TASK [Set ip] ****************************************************************** -ok: [10.1.16.23] - -TASK [Set FQDN] **************************************************************** -ok: [10.1.16.23] - -TASK [Set REALM] *************************************************************** -ok: [10.1.16.23] - -TASK [Set Kubernetes facts] **************************************************** -ok: [10.1.16.23] - -TASK [Join machine to IPA domain] ********************************************** -changed: [10.1.16.23] - -TASK [Get the krb5 ticket] ***************************************************** -changed: [10.1.16.23] - -TASK [Add nfs server to the ipa server] **************************************** -changed: [10.1.16.23] - -TASK [Create nfs service for krb5 mount client] ******************************** -changed: [10.1.16.23] - -TASK [Enable and start nfs client] ********************************************* -changed: [10.1.16.23] - -TASK [Enable and start autofs] ************************************************* -changed: [10.1.16.23] - -PLAY RECAP ********************************************************************* -10.1.16.23 : ok=12 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 -centos7 : ok=22 changed=16 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 -localhost : ok=20 changed=14 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 - -node24.lab.local -? (10.1.16.200) at 52:54:00:ce:a1:1c [ether] on virbr16 -[WARNING]: Could not match supplied host pattern, ignoring: newhost - -PLAY [localhost] *************************************************************** - -TASK [Set global variables] **************************************************** -ok: [localhost] - -TASK [Set ip] ****************************************************************** -ok: [localhost] - -TASK [Set FQDN] **************************************************************** -ok: [localhost] - -TASK [Set REALM] *************************************************************** -ok: [localhost] - -TASK [Set Kubernetes facts] **************************************************** -ok: [localhost] - -TASK [Create ansible group for new hosts] ************************************** -changed: [localhost] - -TASK [Delete ssh keys for template] ******************************************** -[WARNING]: Consider using the replace, lineinfile or template module rather -than running 'sed'. If you need to use command because replace, lineinfile or -template is insufficient you can add 'warn: false' to this command task or set -'command_warnings=False' in ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Delete ssh keys for ip] ************************************************** -changed: [localhost] - -TASK [Create ansible group for ipa server] ************************************* -changed: [localhost] - -TASK [Create data directory] *************************************************** -[WARNING]: Consider using the file module with state=directory rather than -running 'mkdir'. If you need to use command because file is insufficient you -can add 'warn: false' to this command task or set 'command_warnings=False' in -ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Clone template] ********************************************************** -changed: [localhost] - -TASK [Change rootvg size] ****************************************************** -changed: [localhost] - -TASK [Set max memory] ********************************************************** -changed: [localhost] - -TASK [Set more memory] ********************************************************* -changed: [localhost] - -TASK [Start machine] *********************************************************** -changed: [localhost] - -PLAY [centos7] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 35 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [centos7] - -TASK [Set global variables] **************************************************** -ok: [centos7] - -TASK [Set ip] ****************************************************************** -ok: [centos7] - -TASK [Set FQDN] **************************************************************** -ok: [centos7] - -TASK [Set REALM] *************************************************************** -ok: [centos7] - -TASK [Set Kubernetes facts] **************************************************** -ok: [centos7] - -TASK [Change hostname] ********************************************************* -changed: [centos7] - -TASK [Add hosts to hostname] *************************************************** -changed: [centos7] - -TASK [Resize partition] ******************************************************** -fatal: [centos7]: FAILED! => {"changed": true, "cmd": "printf 'd\\n2\\np\\nn\\np\\n2\\n\\n\\nt\\n2\\n8e\\nw' | fdisk /dev/vda", "delta": "0:00:00.024835", "end": "2021-02-26 12:07:53.819043", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 12:07:53.794208", "stderr": "", "stderr_lines": [], "stdout": "Welcome to fdisk (util-linux 2.23.2).\n\nChanges will remain in memory only, until you decide to write them.\nBe careful before using the write command.\n\n\nCommand (m for help): Partition number (1,2, default 2): Partition 2 is deleted\n\nCommand (m for help): \nDisk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors\nUnits = sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size (minimum/optimal): 512 bytes / 512 bytes\nDisk label type: dos\nDisk identifier: 0x00013b86\n\n Device Boot Start End Blocks Id System\n/dev/vda1 * 2048 2099199 1048576 83 Linux\n\nCommand (m for help): Partition type:\n p primary (1 primary, 0 extended, 3 free)\n e extended\nSelect (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200\nLast sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559\nPartition 2 of type Linux and of size 29 GiB is set\n\nCommand (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'\n\nCommand (m for help): The partition table has been altered!\n\nCalling ioctl() to re-read partition table.\n\nWARNING: Re-reading the partition table failed with error 16: Device or resource busy.\nThe kernel still uses the old table. The new table will be used at\nthe next reboot or after you run partprobe(8) or kpartx(8)\nSyncing disks.", "stdout_lines": ["Welcome to fdisk (util-linux 2.23.2).", "", "Changes will remain in memory only, until you decide to write them.", "Be careful before using the write command.", "", "", "Command (m for help): Partition number (1,2, default 2): Partition 2 is deleted", "", "Command (m for help): ", "Disk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors", "Units = sectors of 1 * 512 = 512 bytes", "Sector size (logical/physical): 512 bytes / 512 bytes", "I/O size (minimum/optimal): 512 bytes / 512 bytes", "Disk label type: dos", "Disk identifier: 0x00013b86", "", " Device Boot Start End Blocks Id System", "/dev/vda1 * 2048 2099199 1048576 83 Linux", "", "Command (m for help): Partition type:", " p primary (1 primary, 0 extended, 3 free)", " e extended", "Select (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200", "Last sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559", "Partition 2 of type Linux and of size 29 GiB is set", "", "Command (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'", "", "Command (m for help): The partition table has been altered!", "", "Calling ioctl() to re-read partition table.", "", "WARNING: Re-reading the partition table failed with error 16: Device or resource busy.", "The kernel still uses the old table. The new table will be used at", "the next reboot or after you run partprobe(8) or kpartx(8)", "Syncing disks."]} -...ignoring - -TASK [Partprobe disks] ********************************************************* -changed: [centos7] - -TASK [PV resize] *************************************************************** -changed: [centos7] - -TASK [Add an Ethernet connection with static IP configuration] ***************** -changed: [centos7] - -TASK [Install additional packages] ********************************************* -[WARNING]: Consider using the yum module rather than running 'yum'. If you -need to use command because yum is insufficient you can add 'warn: false' to -this command task or set 'command_warnings=False' in ansible.cfg to get rid of -this message. -changed: [centos7] - -TASK [Enable make dir option for new users] ************************************ -changed: [centos7] - -TASK [Update sshd config - part 1] ********************************************* -changed: [centos7] - -TASK [Update sshd config - part 2] ********************************************* -changed: [centos7] - -TASK [Update ssh config - non strict host checking] **************************** -changed: [centos7] - -TASK [Create nfshome dir] ****************************************************** -changed: [centos7] - -TASK [Set nfs home boolean] **************************************************** -changed: [centos7] - -TASK [Prepare autofs master] *************************************************** -changed: [centos7] - -TASK [Create auto.nfshome] ***************************************************** -changed: [centos7] - -TASK [Set timezone to Prague] ************************************************** -changed: [centos7] - -PLAY [localhost] *************************************************************** - -TASK [Shutdown host] *********************************************************** -changed: [localhost] - -TASK [pause] ******************************************************************* -Pausing for 5 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [localhost] - -TASK [Destroy domain] ********************************************************** -fatal: [localhost]: FAILED! => {"changed": true, "cmd": "virsh destroy node24.lab.local", "delta": "0:00:00.048485", "end": "2021-02-26 18:10:19.035705", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 18:10:18.987220", "stderr": "error: Failed to destroy domain node24.lab.local\nerror: Requested operation is not valid: domain is not running", "stderr_lines": ["error: Failed to destroy domain node24.lab.local", "error: Requested operation is not valid: domain is not running"], "stdout": "", "stdout_lines": []} -...ignoring - -TASK [Change virbr interface] ************************************************** -changed: [localhost] - -TASK [Start domain] ************************************************************ -changed: [localhost] - -PLAY [newhost] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 25 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [10.1.16.24] - -TASK [Set global variables] **************************************************** -ok: [10.1.16.24] - -TASK [Set ip] ****************************************************************** -ok: [10.1.16.24] - -TASK [Set FQDN] **************************************************************** -ok: [10.1.16.24] - -TASK [Set REALM] *************************************************************** -ok: [10.1.16.24] - -TASK [Set Kubernetes facts] **************************************************** -ok: [10.1.16.24] - -TASK [Join machine to IPA domain] ********************************************** -changed: [10.1.16.24] - -TASK [Get the krb5 ticket] ***************************************************** -changed: [10.1.16.24] - -TASK [Add nfs server to the ipa server] **************************************** -changed: [10.1.16.24] - -TASK [Create nfs service for krb5 mount client] ******************************** -changed: [10.1.16.24] - -TASK [Enable and start nfs client] ********************************************* -changed: [10.1.16.24] - -TASK [Enable and start autofs] ************************************************* -changed: [10.1.16.24] - -PLAY RECAP ********************************************************************* -10.1.16.24 : ok=12 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 -centos7 : ok=22 changed=16 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 -localhost : ok=20 changed=14 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 - -node25.lab.local -? (10.1.16.200) at 52:54:00:60:9d:7d [ether] on virbr16 -[WARNING]: Could not match supplied host pattern, ignoring: newhost - -PLAY [localhost] *************************************************************** - -TASK [Set global variables] **************************************************** -ok: [localhost] - -TASK [Set ip] ****************************************************************** -ok: [localhost] - -TASK [Set FQDN] **************************************************************** -ok: [localhost] - -TASK [Set REALM] *************************************************************** -ok: [localhost] - -TASK [Set Kubernetes facts] **************************************************** -ok: [localhost] - -TASK [Create ansible group for new hosts] ************************************** -changed: [localhost] - -TASK [Delete ssh keys for template] ******************************************** -[WARNING]: Consider using the replace, lineinfile or template module rather -than running 'sed'. If you need to use command because replace, lineinfile or -template is insufficient you can add 'warn: false' to this command task or set -'command_warnings=False' in ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Delete ssh keys for ip] ************************************************** -changed: [localhost] - -TASK [Create ansible group for ipa server] ************************************* -changed: [localhost] - -TASK [Create data directory] *************************************************** -[WARNING]: Consider using the file module with state=directory rather than -running 'mkdir'. If you need to use command because file is insufficient you -can add 'warn: false' to this command task or set 'command_warnings=False' in -ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Clone template] ********************************************************** -changed: [localhost] - -TASK [Change rootvg size] ****************************************************** -changed: [localhost] - -TASK [Set max memory] ********************************************************** -changed: [localhost] - -TASK [Set more memory] ********************************************************* -changed: [localhost] - -TASK [Start machine] *********************************************************** -changed: [localhost] - -PLAY [centos7] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 35 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [centos7] - -TASK [Set global variables] **************************************************** -ok: [centos7] - -TASK [Set ip] ****************************************************************** -ok: [centos7] - -TASK [Set FQDN] **************************************************************** -ok: [centos7] - -TASK [Set REALM] *************************************************************** -ok: [centos7] - -TASK [Set Kubernetes facts] **************************************************** -ok: [centos7] - -TASK [Change hostname] ********************************************************* -changed: [centos7] - -TASK [Add hosts to hostname] *************************************************** -changed: [centos7] - -TASK [Resize partition] ******************************************************** -fatal: [centos7]: FAILED! => {"changed": true, "cmd": "printf 'd\\n2\\np\\nn\\np\\n2\\n\\n\\nt\\n2\\n8e\\nw' | fdisk /dev/vda", "delta": "0:00:00.032234", "end": "2021-02-26 12:13:25.873140", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 12:13:25.840906", "stderr": "", "stderr_lines": [], "stdout": "Welcome to fdisk (util-linux 2.23.2).\n\nChanges will remain in memory only, until you decide to write them.\nBe careful before using the write command.\n\n\nCommand (m for help): Partition number (1,2, default 2): Partition 2 is deleted\n\nCommand (m for help): \nDisk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors\nUnits = sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size (minimum/optimal): 512 bytes / 512 bytes\nDisk label type: dos\nDisk identifier: 0x00013b86\n\n Device Boot Start End Blocks Id System\n/dev/vda1 * 2048 2099199 1048576 83 Linux\n\nCommand (m for help): Partition type:\n p primary (1 primary, 0 extended, 3 free)\n e extended\nSelect (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200\nLast sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559\nPartition 2 of type Linux and of size 29 GiB is set\n\nCommand (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'\n\nCommand (m for help): The partition table has been altered!\n\nCalling ioctl() to re-read partition table.\n\nWARNING: Re-reading the partition table failed with error 16: Device or resource busy.\nThe kernel still uses the old table. The new table will be used at\nthe next reboot or after you run partprobe(8) or kpartx(8)\nSyncing disks.", "stdout_lines": ["Welcome to fdisk (util-linux 2.23.2).", "", "Changes will remain in memory only, until you decide to write them.", "Be careful before using the write command.", "", "", "Command (m for help): Partition number (1,2, default 2): Partition 2 is deleted", "", "Command (m for help): ", "Disk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors", "Units = sectors of 1 * 512 = 512 bytes", "Sector size (logical/physical): 512 bytes / 512 bytes", "I/O size (minimum/optimal): 512 bytes / 512 bytes", "Disk label type: dos", "Disk identifier: 0x00013b86", "", " Device Boot Start End Blocks Id System", "/dev/vda1 * 2048 2099199 1048576 83 Linux", "", "Command (m for help): Partition type:", " p primary (1 primary, 0 extended, 3 free)", " e extended", "Select (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200", "Last sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559", "Partition 2 of type Linux and of size 29 GiB is set", "", "Command (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'", "", "Command (m for help): The partition table has been altered!", "", "Calling ioctl() to re-read partition table.", "", "WARNING: Re-reading the partition table failed with error 16: Device or resource busy.", "The kernel still uses the old table. The new table will be used at", "the next reboot or after you run partprobe(8) or kpartx(8)", "Syncing disks."]} -...ignoring - -TASK [Partprobe disks] ********************************************************* -changed: [centos7] - -TASK [PV resize] *************************************************************** -changed: [centos7] - -TASK [Add an Ethernet connection with static IP configuration] ***************** -changed: [centos7] - -TASK [Install additional packages] ********************************************* -[WARNING]: Consider using the yum module rather than running 'yum'. If you -need to use command because yum is insufficient you can add 'warn: false' to -this command task or set 'command_warnings=False' in ansible.cfg to get rid of -this message. -changed: [centos7] - -TASK [Enable make dir option for new users] ************************************ -changed: [centos7] - -TASK [Update sshd config - part 1] ********************************************* -changed: [centos7] - -TASK [Update sshd config - part 2] ********************************************* -changed: [centos7] - -TASK [Update ssh config - non strict host checking] **************************** -changed: [centos7] - -TASK [Create nfshome dir] ****************************************************** -changed: [centos7] - -TASK [Set nfs home boolean] **************************************************** -changed: [centos7] - -TASK [Prepare autofs master] *************************************************** -changed: [centos7] - -TASK [Create auto.nfshome] ***************************************************** -changed: [centos7] - -TASK [Set timezone to Prague] ************************************************** -changed: [centos7] - -PLAY [localhost] *************************************************************** - -TASK [Shutdown host] *********************************************************** -changed: [localhost] - -TASK [pause] ******************************************************************* -Pausing for 5 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [localhost] - -TASK [Destroy domain] ********************************************************** -fatal: [localhost]: FAILED! => {"changed": true, "cmd": "virsh destroy node25.lab.local", "delta": "0:00:00.062108", "end": "2021-02-26 18:15:46.057230", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 18:15:45.995122", "stderr": "error: Failed to destroy domain node25.lab.local\nerror: Requested operation is not valid: domain is not running", "stderr_lines": ["error: Failed to destroy domain node25.lab.local", "error: Requested operation is not valid: domain is not running"], "stdout": "", "stdout_lines": []} -...ignoring - -TASK [Change virbr interface] ************************************************** -changed: [localhost] - -TASK [Start domain] ************************************************************ -changed: [localhost] - -PLAY [newhost] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 25 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [10.1.16.25] - -TASK [Set global variables] **************************************************** -ok: [10.1.16.25] - -TASK [Set ip] ****************************************************************** -ok: [10.1.16.25] - -TASK [Set FQDN] **************************************************************** -ok: [10.1.16.25] - -TASK [Set REALM] *************************************************************** -ok: [10.1.16.25] - -TASK [Set Kubernetes facts] **************************************************** -ok: [10.1.16.25] - -TASK [Join machine to IPA domain] ********************************************** -changed: [10.1.16.25] - -TASK [Get the krb5 ticket] ***************************************************** -changed: [10.1.16.25] - -TASK [Add nfs server to the ipa server] **************************************** -changed: [10.1.16.25] - -TASK [Create nfs service for krb5 mount client] ******************************** -changed: [10.1.16.25] - -TASK [Enable and start nfs client] ********************************************* -changed: [10.1.16.25] - -TASK [Enable and start autofs] ************************************************* -changed: [10.1.16.25] - -PLAY RECAP ********************************************************************* -10.1.16.25 : ok=12 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 -centos7 : ok=22 changed=16 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 -localhost : ok=20 changed=14 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 - -node26.lab.local -? (10.1.16.200) at 52:54:00:63:b0:32 [ether] on virbr16 -[WARNING]: Could not match supplied host pattern, ignoring: newhost - -PLAY [localhost] *************************************************************** - -TASK [Set global variables] **************************************************** -ok: [localhost] - -TASK [Set ip] ****************************************************************** -ok: [localhost] - -TASK [Set FQDN] **************************************************************** -ok: [localhost] - -TASK [Set REALM] *************************************************************** -ok: [localhost] - -TASK [Set Kubernetes facts] **************************************************** -ok: [localhost] - -TASK [Create ansible group for new hosts] ************************************** -changed: [localhost] - -TASK [Delete ssh keys for template] ******************************************** -[WARNING]: Consider using the replace, lineinfile or template module rather -than running 'sed'. If you need to use command because replace, lineinfile or -template is insufficient you can add 'warn: false' to this command task or set -'command_warnings=False' in ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Delete ssh keys for ip] ************************************************** -changed: [localhost] - -TASK [Create ansible group for ipa server] ************************************* -changed: [localhost] - -TASK [Create data directory] *************************************************** -[WARNING]: Consider using the file module with state=directory rather than -running 'mkdir'. If you need to use command because file is insufficient you -can add 'warn: false' to this command task or set 'command_warnings=False' in -ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Clone template] ********************************************************** -changed: [localhost] - -TASK [Change rootvg size] ****************************************************** -changed: [localhost] - -TASK [Set max memory] ********************************************************** -changed: [localhost] - -TASK [Set more memory] ********************************************************* -changed: [localhost] - -TASK [Start machine] *********************************************************** -changed: [localhost] - -PLAY [centos7] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 35 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [centos7] - -TASK [Set global variables] **************************************************** -ok: [centos7] - -TASK [Set ip] ****************************************************************** -ok: [centos7] - -TASK [Set FQDN] **************************************************************** -ok: [centos7] - -TASK [Set REALM] *************************************************************** -ok: [centos7] - -TASK [Set Kubernetes facts] **************************************************** -ok: [centos7] - -TASK [Change hostname] ********************************************************* -changed: [centos7] - -TASK [Add hosts to hostname] *************************************************** -changed: [centos7] - -TASK [Resize partition] ******************************************************** -fatal: [centos7]: FAILED! => {"changed": true, "cmd": "printf 'd\\n2\\np\\nn\\np\\n2\\n\\n\\nt\\n2\\n8e\\nw' | fdisk /dev/vda", "delta": "0:00:00.019392", "end": "2021-02-26 12:18:48.976053", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 12:18:48.956661", "stderr": "", "stderr_lines": [], "stdout": "Welcome to fdisk (util-linux 2.23.2).\n\nChanges will remain in memory only, until you decide to write them.\nBe careful before using the write command.\n\n\nCommand (m for help): Partition number (1,2, default 2): Partition 2 is deleted\n\nCommand (m for help): \nDisk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors\nUnits = sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size (minimum/optimal): 512 bytes / 512 bytes\nDisk label type: dos\nDisk identifier: 0x00013b86\n\n Device Boot Start End Blocks Id System\n/dev/vda1 * 2048 2099199 1048576 83 Linux\n\nCommand (m for help): Partition type:\n p primary (1 primary, 0 extended, 3 free)\n e extended\nSelect (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200\nLast sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559\nPartition 2 of type Linux and of size 29 GiB is set\n\nCommand (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'\n\nCommand (m for help): The partition table has been altered!\n\nCalling ioctl() to re-read partition table.\n\nWARNING: Re-reading the partition table failed with error 16: Device or resource busy.\nThe kernel still uses the old table. The new table will be used at\nthe next reboot or after you run partprobe(8) or kpartx(8)\nSyncing disks.", "stdout_lines": ["Welcome to fdisk (util-linux 2.23.2).", "", "Changes will remain in memory only, until you decide to write them.", "Be careful before using the write command.", "", "", "Command (m for help): Partition number (1,2, default 2): Partition 2 is deleted", "", "Command (m for help): ", "Disk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors", "Units = sectors of 1 * 512 = 512 bytes", "Sector size (logical/physical): 512 bytes / 512 bytes", "I/O size (minimum/optimal): 512 bytes / 512 bytes", "Disk label type: dos", "Disk identifier: 0x00013b86", "", " Device Boot Start End Blocks Id System", "/dev/vda1 * 2048 2099199 1048576 83 Linux", "", "Command (m for help): Partition type:", " p primary (1 primary, 0 extended, 3 free)", " e extended", "Select (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200", "Last sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559", "Partition 2 of type Linux and of size 29 GiB is set", "", "Command (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'", "", "Command (m for help): The partition table has been altered!", "", "Calling ioctl() to re-read partition table.", "", "WARNING: Re-reading the partition table failed with error 16: Device or resource busy.", "The kernel still uses the old table. The new table will be used at", "the next reboot or after you run partprobe(8) or kpartx(8)", "Syncing disks."]} -...ignoring - -TASK [Partprobe disks] ********************************************************* -changed: [centos7] - -TASK [PV resize] *************************************************************** -changed: [centos7] - -TASK [Add an Ethernet connection with static IP configuration] ***************** -changed: [centos7] - -TASK [Install additional packages] ********************************************* -[WARNING]: Consider using the yum module rather than running 'yum'. If you -need to use command because yum is insufficient you can add 'warn: false' to -this command task or set 'command_warnings=False' in ansible.cfg to get rid of -this message. -changed: [centos7] - -TASK [Enable make dir option for new users] ************************************ -changed: [centos7] - -TASK [Update sshd config - part 1] ********************************************* -changed: [centos7] - -TASK [Update sshd config - part 2] ********************************************* -changed: [centos7] - -TASK [Update ssh config - non strict host checking] **************************** -changed: [centos7] - -TASK [Create nfshome dir] ****************************************************** -changed: [centos7] - -TASK [Set nfs home boolean] **************************************************** -changed: [centos7] - -TASK [Prepare autofs master] *************************************************** -changed: [centos7] - -TASK [Create auto.nfshome] ***************************************************** -changed: [centos7] - -TASK [Set timezone to Prague] ************************************************** -changed: [centos7] - -PLAY [localhost] *************************************************************** - -TASK [Shutdown host] *********************************************************** -changed: [localhost] - -TASK [pause] ******************************************************************* -Pausing for 5 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [localhost] - -TASK [Destroy domain] ********************************************************** -fatal: [localhost]: FAILED! => {"changed": true, "cmd": "virsh destroy node26.lab.local", "delta": "0:00:00.048196", "end": "2021-02-26 18:21:36.573014", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 18:21:36.524818", "stderr": "error: Failed to destroy domain node26.lab.local\nerror: Requested operation is not valid: domain is not running", "stderr_lines": ["error: Failed to destroy domain node26.lab.local", "error: Requested operation is not valid: domain is not running"], "stdout": "", "stdout_lines": []} -...ignoring - -TASK [Change virbr interface] ************************************************** -changed: [localhost] - -TASK [Start domain] ************************************************************ -changed: [localhost] - -PLAY [newhost] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 25 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [10.1.16.26] - -TASK [Set global variables] **************************************************** -ok: [10.1.16.26] - -TASK [Set ip] ****************************************************************** -ok: [10.1.16.26] - -TASK [Set FQDN] **************************************************************** -ok: [10.1.16.26] - -TASK [Set REALM] *************************************************************** -ok: [10.1.16.26] - -TASK [Set Kubernetes facts] **************************************************** -ok: [10.1.16.26] - -TASK [Join machine to IPA domain] ********************************************** -changed: [10.1.16.26] - -TASK [Get the krb5 ticket] ***************************************************** -changed: [10.1.16.26] - -TASK [Add nfs server to the ipa server] **************************************** -changed: [10.1.16.26] - -TASK [Create nfs service for krb5 mount client] ******************************** -changed: [10.1.16.26] - -TASK [Enable and start nfs client] ********************************************* -changed: [10.1.16.26] - -TASK [Enable and start autofs] ************************************************* -changed: [10.1.16.26] - -PLAY RECAP ********************************************************************* -10.1.16.26 : ok=12 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 -centos7 : ok=22 changed=16 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 -localhost : ok=20 changed=14 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 - -node27.lab.local -? (10.1.16.200) at 52:54:00:06:be:6d [ether] on virbr16 -[WARNING]: Could not match supplied host pattern, ignoring: newhost - -PLAY [localhost] *************************************************************** - -TASK [Set global variables] **************************************************** -ok: [localhost] - -TASK [Set ip] ****************************************************************** -ok: [localhost] - -TASK [Set FQDN] **************************************************************** -ok: [localhost] - -TASK [Set REALM] *************************************************************** -ok: [localhost] - -TASK [Set Kubernetes facts] **************************************************** -ok: [localhost] - -TASK [Create ansible group for new hosts] ************************************** -changed: [localhost] - -TASK [Delete ssh keys for template] ******************************************** -[WARNING]: Consider using the replace, lineinfile or template module rather -than running 'sed'. If you need to use command because replace, lineinfile or -template is insufficient you can add 'warn: false' to this command task or set -'command_warnings=False' in ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Delete ssh keys for ip] ************************************************** -changed: [localhost] - -TASK [Create ansible group for ipa server] ************************************* -changed: [localhost] - -TASK [Create data directory] *************************************************** -[WARNING]: Consider using the file module with state=directory rather than -running 'mkdir'. If you need to use command because file is insufficient you -can add 'warn: false' to this command task or set 'command_warnings=False' in -ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Clone template] ********************************************************** -changed: [localhost] - -TASK [Change rootvg size] ****************************************************** -changed: [localhost] - -TASK [Set max memory] ********************************************************** -changed: [localhost] - -TASK [Set more memory] ********************************************************* -changed: [localhost] - -TASK [Start machine] *********************************************************** -changed: [localhost] - -PLAY [centos7] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 35 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [centos7] - -TASK [Set global variables] **************************************************** -ok: [centos7] - -TASK [Set ip] ****************************************************************** -ok: [centos7] - -TASK [Set FQDN] **************************************************************** -ok: [centos7] - -TASK [Set REALM] *************************************************************** -ok: [centos7] - -TASK [Set Kubernetes facts] **************************************************** -ok: [centos7] - -TASK [Change hostname] ********************************************************* -changed: [centos7] - -TASK [Add hosts to hostname] *************************************************** -changed: [centos7] - -TASK [Resize partition] ******************************************************** -fatal: [centos7]: FAILED! => {"changed": true, "cmd": "printf 'd\\n2\\np\\nn\\np\\n2\\n\\n\\nt\\n2\\n8e\\nw' | fdisk /dev/vda", "delta": "0:00:00.023526", "end": "2021-02-26 12:24:44.383526", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 12:24:44.360000", "stderr": "", "stderr_lines": [], "stdout": "Welcome to fdisk (util-linux 2.23.2).\n\nChanges will remain in memory only, until you decide to write them.\nBe careful before using the write command.\n\n\nCommand (m for help): Partition number (1,2, default 2): Partition 2 is deleted\n\nCommand (m for help): \nDisk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors\nUnits = sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size (minimum/optimal): 512 bytes / 512 bytes\nDisk label type: dos\nDisk identifier: 0x00013b86\n\n Device Boot Start End Blocks Id System\n/dev/vda1 * 2048 2099199 1048576 83 Linux\n\nCommand (m for help): Partition type:\n p primary (1 primary, 0 extended, 3 free)\n e extended\nSelect (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200\nLast sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559\nPartition 2 of type Linux and of size 29 GiB is set\n\nCommand (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'\n\nCommand (m for help): The partition table has been altered!\n\nCalling ioctl() to re-read partition table.\n\nWARNING: Re-reading the partition table failed with error 16: Device or resource busy.\nThe kernel still uses the old table. The new table will be used at\nthe next reboot or after you run partprobe(8) or kpartx(8)\nSyncing disks.", "stdout_lines": ["Welcome to fdisk (util-linux 2.23.2).", "", "Changes will remain in memory only, until you decide to write them.", "Be careful before using the write command.", "", "", "Command (m for help): Partition number (1,2, default 2): Partition 2 is deleted", "", "Command (m for help): ", "Disk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors", "Units = sectors of 1 * 512 = 512 bytes", "Sector size (logical/physical): 512 bytes / 512 bytes", "I/O size (minimum/optimal): 512 bytes / 512 bytes", "Disk label type: dos", "Disk identifier: 0x00013b86", "", " Device Boot Start End Blocks Id System", "/dev/vda1 * 2048 2099199 1048576 83 Linux", "", "Command (m for help): Partition type:", " p primary (1 primary, 0 extended, 3 free)", " e extended", "Select (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200", "Last sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559", "Partition 2 of type Linux and of size 29 GiB is set", "", "Command (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'", "", "Command (m for help): The partition table has been altered!", "", "Calling ioctl() to re-read partition table.", "", "WARNING: Re-reading the partition table failed with error 16: Device or resource busy.", "The kernel still uses the old table. The new table will be used at", "the next reboot or after you run partprobe(8) or kpartx(8)", "Syncing disks."]} -...ignoring - -TASK [Partprobe disks] ********************************************************* -changed: [centos7] - -TASK [PV resize] *************************************************************** -changed: [centos7] - -TASK [Add an Ethernet connection with static IP configuration] ***************** -changed: [centos7] - -TASK [Install additional packages] ********************************************* -[WARNING]: Consider using the yum module rather than running 'yum'. If you -need to use command because yum is insufficient you can add 'warn: false' to -this command task or set 'command_warnings=False' in ansible.cfg to get rid of -this message. -changed: [centos7] - -TASK [Enable make dir option for new users] ************************************ -changed: [centos7] - -TASK [Update sshd config - part 1] ********************************************* -changed: [centos7] - -TASK [Update sshd config - part 2] ********************************************* -changed: [centos7] - -TASK [Update ssh config - non strict host checking] **************************** -changed: [centos7] - -TASK [Create nfshome dir] ****************************************************** -changed: [centos7] - -TASK [Set nfs home boolean] **************************************************** -changed: [centos7] - -TASK [Prepare autofs master] *************************************************** -changed: [centos7] - -TASK [Create auto.nfshome] ***************************************************** -changed: [centos7] - -TASK [Set timezone to Prague] ************************************************** -changed: [centos7] - -PLAY [localhost] *************************************************************** - -TASK [Shutdown host] *********************************************************** -changed: [localhost] - -TASK [pause] ******************************************************************* -Pausing for 5 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [localhost] - -TASK [Destroy domain] ********************************************************** -changed: [localhost] - -TASK [Change virbr interface] ************************************************** -changed: [localhost] - -TASK [Start domain] ************************************************************ -changed: [localhost] - -PLAY [newhost] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 25 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [10.1.16.27] - -TASK [Set global variables] **************************************************** -ok: [10.1.16.27] - -TASK [Set ip] ****************************************************************** -ok: [10.1.16.27] - -TASK [Set FQDN] **************************************************************** -ok: [10.1.16.27] - -TASK [Set REALM] *************************************************************** -ok: [10.1.16.27] - -TASK [Set Kubernetes facts] **************************************************** -ok: [10.1.16.27] - -TASK [Join machine to IPA domain] ********************************************** -changed: [10.1.16.27] - -TASK [Get the krb5 ticket] ***************************************************** -changed: [10.1.16.27] - -TASK [Add nfs server to the ipa server] **************************************** -changed: [10.1.16.27] - -TASK [Create nfs service for krb5 mount client] ******************************** -changed: [10.1.16.27] - -TASK [Enable and start nfs client] ********************************************* -changed: [10.1.16.27] - -TASK [Enable and start autofs] ************************************************* -changed: [10.1.16.27] - -PLAY RECAP ********************************************************************* -10.1.16.27 : ok=12 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 -centos7 : ok=22 changed=16 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 -localhost : ok=20 changed=14 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 - -node28.lab.local -? (10.1.16.200) at 52:54:00:bd:31:7a [ether] on virbr16 -[WARNING]: Could not match supplied host pattern, ignoring: newhost - -PLAY [localhost] *************************************************************** - -TASK [Set global variables] **************************************************** -ok: [localhost] - -TASK [Set ip] ****************************************************************** -ok: [localhost] - -TASK [Set FQDN] **************************************************************** -ok: [localhost] - -TASK [Set REALM] *************************************************************** -ok: [localhost] - -TASK [Set Kubernetes facts] **************************************************** -ok: [localhost] - -TASK [Create ansible group for new hosts] ************************************** -changed: [localhost] - -TASK [Delete ssh keys for template] ******************************************** -[WARNING]: Consider using the replace, lineinfile or template module rather -than running 'sed'. If you need to use command because replace, lineinfile or -template is insufficient you can add 'warn: false' to this command task or set -'command_warnings=False' in ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Delete ssh keys for ip] ************************************************** -changed: [localhost] - -TASK [Create ansible group for ipa server] ************************************* -changed: [localhost] - -TASK [Create data directory] *************************************************** -[WARNING]: Consider using the file module with state=directory rather than -running 'mkdir'. If you need to use command because file is insufficient you -can add 'warn: false' to this command task or set 'command_warnings=False' in -ansible.cfg to get rid of this message. -changed: [localhost] - -TASK [Clone template] ********************************************************** -changed: [localhost] - -TASK [Change rootvg size] ****************************************************** -changed: [localhost] - -TASK [Set max memory] ********************************************************** -changed: [localhost] - -TASK [Set more memory] ********************************************************* -changed: [localhost] - -TASK [Start machine] *********************************************************** -changed: [localhost] - -PLAY [centos7] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 35 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [centos7] - -TASK [Set global variables] **************************************************** -ok: [centos7] - -TASK [Set ip] ****************************************************************** -ok: [centos7] - -TASK [Set FQDN] **************************************************************** -ok: [centos7] - -TASK [Set REALM] *************************************************************** -ok: [centos7] - -TASK [Set Kubernetes facts] **************************************************** -ok: [centos7] - -TASK [Change hostname] ********************************************************* -changed: [centos7] - -TASK [Add hosts to hostname] *************************************************** -changed: [centos7] - -TASK [Resize partition] ******************************************************** -fatal: [centos7]: FAILED! => {"changed": true, "cmd": "printf 'd\\n2\\np\\nn\\np\\n2\\n\\n\\nt\\n2\\n8e\\nw' | fdisk /dev/vda", "delta": "0:00:00.026227", "end": "2021-02-26 12:30:47.559651", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 12:30:47.533424", "stderr": "", "stderr_lines": [], "stdout": "Welcome to fdisk (util-linux 2.23.2).\n\nChanges will remain in memory only, until you decide to write them.\nBe careful before using the write command.\n\n\nCommand (m for help): Partition number (1,2, default 2): Partition 2 is deleted\n\nCommand (m for help): \nDisk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors\nUnits = sectors of 1 * 512 = 512 bytes\nSector size (logical/physical): 512 bytes / 512 bytes\nI/O size (minimum/optimal): 512 bytes / 512 bytes\nDisk label type: dos\nDisk identifier: 0x00013b86\n\n Device Boot Start End Blocks Id System\n/dev/vda1 * 2048 2099199 1048576 83 Linux\n\nCommand (m for help): Partition type:\n p primary (1 primary, 0 extended, 3 free)\n e extended\nSelect (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200\nLast sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559\nPartition 2 of type Linux and of size 29 GiB is set\n\nCommand (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'\n\nCommand (m for help): The partition table has been altered!\n\nCalling ioctl() to re-read partition table.\n\nWARNING: Re-reading the partition table failed with error 16: Device or resource busy.\nThe kernel still uses the old table. The new table will be used at\nthe next reboot or after you run partprobe(8) or kpartx(8)\nSyncing disks.", "stdout_lines": ["Welcome to fdisk (util-linux 2.23.2).", "", "Changes will remain in memory only, until you decide to write them.", "Be careful before using the write command.", "", "", "Command (m for help): Partition number (1,2, default 2): Partition 2 is deleted", "", "Command (m for help): ", "Disk /dev/vda: 32.2 GB, 32212254720 bytes, 62914560 sectors", "Units = sectors of 1 * 512 = 512 bytes", "Sector size (logical/physical): 512 bytes / 512 bytes", "I/O size (minimum/optimal): 512 bytes / 512 bytes", "Disk label type: dos", "Disk identifier: 0x00013b86", "", " Device Boot Start End Blocks Id System", "/dev/vda1 * 2048 2099199 1048576 83 Linux", "", "Command (m for help): Partition type:", " p primary (1 primary, 0 extended, 3 free)", " e extended", "Select (default p): Partition number (2-4, default 2): First sector (2099200-62914559, default 2099200): Using default value 2099200", "Last sector, +sectors or +size{K,M,G} (2099200-62914559, default 62914559): Using default value 62914559", "Partition 2 of type Linux and of size 29 GiB is set", "", "Command (m for help): Partition number (1,2, default 2): Hex code (type L to list all codes): Changed type of partition 'Linux' to 'Linux LVM'", "", "Command (m for help): The partition table has been altered!", "", "Calling ioctl() to re-read partition table.", "", "WARNING: Re-reading the partition table failed with error 16: Device or resource busy.", "The kernel still uses the old table. The new table will be used at", "the next reboot or after you run partprobe(8) or kpartx(8)", "Syncing disks."]} -...ignoring - -TASK [Partprobe disks] ********************************************************* -changed: [centos7] - -TASK [PV resize] *************************************************************** -changed: [centos7] - -TASK [Add an Ethernet connection with static IP configuration] ***************** -changed: [centos7] - -TASK [Install additional packages] ********************************************* -[WARNING]: Consider using the yum module rather than running 'yum'. If you -need to use command because yum is insufficient you can add 'warn: false' to -this command task or set 'command_warnings=False' in ansible.cfg to get rid of -this message. -changed: [centos7] - -TASK [Enable make dir option for new users] ************************************ -changed: [centos7] - -TASK [Update sshd config - part 1] ********************************************* -changed: [centos7] - -TASK [Update sshd config - part 2] ********************************************* -changed: [centos7] - -TASK [Update ssh config - non strict host checking] **************************** -changed: [centos7] - -TASK [Create nfshome dir] ****************************************************** -changed: [centos7] - -TASK [Set nfs home boolean] **************************************************** -changed: [centos7] - -TASK [Prepare autofs master] *************************************************** -changed: [centos7] - -TASK [Create auto.nfshome] ***************************************************** -changed: [centos7] - -TASK [Set timezone to Prague] ************************************************** -changed: [centos7] - -PLAY [localhost] *************************************************************** - -TASK [Shutdown host] *********************************************************** -changed: [localhost] - -TASK [pause] ******************************************************************* -Pausing for 5 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [localhost] - -TASK [Destroy domain] ********************************************************** -fatal: [localhost]: FAILED! => {"changed": true, "cmd": "virsh destroy node28.lab.local", "delta": "0:00:00.051838", "end": "2021-02-26 18:34:48.532247", "msg": "non-zero return code", "rc": 1, "start": "2021-02-26 18:34:48.480409", "stderr": "error: Failed to destroy domain node28.lab.local\nerror: Requested operation is not valid: domain is not running", "stderr_lines": ["error: Failed to destroy domain node28.lab.local", "error: Requested operation is not valid: domain is not running"], "stdout": "", "stdout_lines": []} -...ignoring - -TASK [Change virbr interface] ************************************************** -changed: [localhost] - -TASK [Start domain] ************************************************************ -changed: [localhost] - -PLAY [newhost] ***************************************************************** - -TASK [pause] ******************************************************************* -Pausing for 25 seconds -(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort) -ok: [10.1.16.28] - -TASK [Set global variables] **************************************************** -ok: [10.1.16.28] - -TASK [Set ip] ****************************************************************** -ok: [10.1.16.28] - -TASK [Set FQDN] **************************************************************** -ok: [10.1.16.28] - -TASK [Set REALM] *************************************************************** -ok: [10.1.16.28] - -TASK [Set Kubernetes facts] **************************************************** -ok: [10.1.16.28] - -TASK [Join machine to IPA domain] ********************************************** -changed: [10.1.16.28] - -TASK [Get the krb5 ticket] ***************************************************** -changed: [10.1.16.28] - -TASK [Add nfs server to the ipa server] **************************************** -changed: [10.1.16.28] - -TASK [Create nfs service for krb5 mount client] ******************************** -changed: [10.1.16.28] - -TASK [Enable and start nfs client] ********************************************* -changed: [10.1.16.28] - -TASK [Enable and start autofs] ************************************************* -changed: [10.1.16.28] - -PLAY RECAP ********************************************************************* -10.1.16.28 : ok=12 changed=6 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 -centos7 : ok=22 changed=16 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 -localhost : ok=20 changed=14 unreachable=0 failed=0 skipped=0 rescued=0 ignored=1 - diff --git a/05_k8s/ovn/01_make_workers_ovn.sh b/05_k8s/ovn/01_make_workers_ovn.sh new file mode 100755 index 0000000..7d07c9a --- /dev/null +++ b/05_k8s/ovn/01_make_workers_ovn.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +echo "Creating nodes..." + +i=52 +while [ "$i" -ne 53 ] +do + echo "ovn$i.lab.syscallx86.com" + rm -rf /root/.ansible/cp/* + rm -rf /root/.ansible/tmp/* + cat ansible/include/_setup_vars.ovn.template | sed s/XXX/$i/g > ansible/include/_setup_vars.yaml + #ansible-playbook ansible/01_prepare_nodes_ovn.yaml + if [ $? -eq 1 ]; then + exit 1 + fi + #ansible-playbook ansible/02_prepare_master.yaml + #ansible-playbook ansible/02_install_master_ovn_crio.yaml + #ansible-playbook ansible/03_install_nodes_ovn_crio_network.yaml + ansible-playbook ansible/03_install_nodes_k8s.yaml + i=$((i + 1)) +done diff --git a/05_k8s/ovn/01_prepare_master_ovn.sh b/05_k8s/ovn/01_prepare_master_ovn.sh new file mode 100755 index 0000000..d2f105e --- /dev/null +++ b/05_k8s/ovn/01_prepare_master_ovn.sh @@ -0,0 +1,21 @@ +#!/bin/sh + +# This script is just creating master without kubeadm and post instalation phase + + +echo "Creating master..." + +i=11 +while [ "$i" -ne 12 ] +do + echo "ovn$i.lab.syscallx86.com" + rm -rf /root/.ansible/cp/* + rm -rf /root/.ansible/tmp/* + cat ansible/include/_setup_vars.ovn.template | sed s/XXX/$i/g > ansible/include/_setup_vars.yaml + #ansible-playbook ansible/01_prepare_nodes_ovn.yaml + if [ $? -eq 1 ]; then + exit 1 + fi + ansible-playbook ansible/02_install_master_ovn_crio_network.yaml + i=$((i + 1)) +done diff --git a/06_registry/ansible/02_install_registry.yaml b/06_registry/ansible/02_install_registry.yaml index 9fc5bbf..9ecb544 100644 --- a/06_registry/ansible/02_install_registry.yaml +++ b/06_registry/ansible/02_install_registry.yaml @@ -10,6 +10,10 @@ - name: "Create ansible group for new hosts" add_host: name="{{ ip }}" groups=newhost + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before registry installation" + ignore_errors: yes + - name: Create docker registry data disk shell: qemu-img create -f qcow2 {{ vms_dir }}/{{ fqdn }}/datavg.qcow2 {{ disksize }} @@ -103,4 +107,4 @@ -e REGISTRY_HTTP_TLS_CERTIFICATE=/var/lib/registry/certs/{{ fqdn }}.pem \ -e REGISTRY_HTTP_TLS_KEY=/var/lib/registry/certs/{{ fqdn }}.key \ -e REGISTRY_STORAGE_DELETE_ENABLED=true \ - registry + registry \ No newline at end of file diff --git a/06_registry/ansible/include/_setup_vars.yaml b/06_registry/ansible/include/_setup_vars.yaml index bb2e292..2e26eba 100644 --- a/06_registry/ansible/include/_setup_vars.yaml +++ b/06_registry/ansible/include/_setup_vars.yaml @@ -3,16 +3,16 @@ virbr: "8" netsuffix: "21" hostname: "registry" - domain: "lab.local" + domain: "lab.syscallx86.com" mem: "2G" - ipaserver: "freeipa.lab.local" - nfsserver: "nfsnode.lab.local" + ipaserver: "freeipa.lab.syscallx86.com" + nfsserver: "nfsnode.lab.syscallx86.com" home_export: "/nfsvg/home" ipaip: "10.1.8.10" ldapbase: "dc=lab,dc=local" svcadmin: "admin" adminpwd: "admin123" - template: "t_centos7" + template: "basevm" template_dir: "/data/templates" vms_dir: "/data/vms" rootvg_size: 30 diff --git a/06_registry/ansible/include/crio.repo b/06_registry/ansible/include/crio.repo new file mode 100644 index 0000000..015a54d --- /dev/null +++ b/06_registry/ansible/include/crio.repo @@ -0,0 +1,6 @@ +[cri-o] +name=CRI-O +baseurl=https://pkgs.k8s.io/addons:/cri-o:/stable:/v1.30/rpm/ +enabled=1 +gpgcheck=1 +gpgkey=https://pkgs.k8s.io/addons:/cri-o:/stable:/v1.30/rpm/repodata/repomd.xml.key diff --git a/07_buildnode/ansible/02_install_build.yaml b/07_buildnode/ansible/02_install_build.yaml index ca3fe7a..7173176 100644 --- a/07_buildnode/ansible/02_install_build.yaml +++ b/07_buildnode/ansible/02_install_build.yaml @@ -50,17 +50,14 @@ After=network-online.target Wants=network-online.target - - name: Change docker.socket systemd group - shell: sed -i -E "s/SocketGroup\=docker/SocketGroup\=a_docker/g" /usr/lib/systemd/system/docker.socket - - name: Enable and start docker shell: systemctl enable docker ; systemctl start docker - name: Get go install package - shell: wget https://dl.google.com/go/go1.13.6.linux-amd64.tar.gz -O /usr/local/go1.13.6.linux-amd64.tar.gz + shell: wget https://dl.google.com/go/go1.22.5.linux-amd64.tar.gz -O /usr/local/go1.22.5.linux-amd64.tar.gz - name: Extract GO package - shell: cd /usr/local ; tar xvfz ./go1.13.6.linux-amd64.tar.gz ; mv go go1.13.6.linux-amd64 ; ln -s go1.13.6.linux-amd64 go + shell: cd /usr/local ; tar xvfz ./go1.22.5.linux-amd64.tar.gz ; mv go go1.22.5.linux-amd64 ; ln -s go1.22.5.linux-amd64 go - name: Setup /etc/environment shell: echo "PATH=$PATH:/usr/local/go/bin" >> /etc/environment diff --git a/07_buildnode/ansible/include/_setup_vars.yaml b/07_buildnode/ansible/include/_setup_vars.yaml index a6e160b..66a770b 100644 --- a/07_buildnode/ansible/include/_setup_vars.yaml +++ b/07_buildnode/ansible/include/_setup_vars.yaml @@ -1,18 +1,18 @@ - name: Set global variables set_fact: virbr: "8" - netsuffix: "22" - hostname: "build" - domain: "lab.local" + netsuffix: "52" + hostname: "jump" + domain: "lab.syscallx86.com" mem: "4G" - ipaserver: "freeipa.lab.local" - nfsserver: "nfsnode.lab.local" + ipaserver: "freeipa.lab.syscallx86.com" + nfsserver: "nfsnode.lab.syscallx86.com" home_export: "/nfsvg/home" ipaip: "10.1.8.10" ldapbase: "dc=lab,dc=local" svcadmin: "admin" adminpwd: "admin123" - template: "t_centos7" + template: "basevm" template_dir: "/data/templates" vms_dir: "/data/vms" rootvg_size: 40 @@ -33,4 +33,4 @@ - name: Set disksize set_fact: - disksize: "40G" + disksize: "40" diff --git a/03_okdv3/01_master/include/_setup_vars.yaml b/07_buildnode/ansible/include/_setup_vars.yaml.build similarity index 60% rename from 03_okdv3/01_master/include/_setup_vars.yaml rename to 07_buildnode/ansible/include/_setup_vars.yaml.build index c6951a6..a49e387 100644 --- a/03_okdv3/01_master/include/_setup_vars.yaml +++ b/07_buildnode/ansible/include/_setup_vars.yaml.build @@ -1,19 +1,21 @@ - name: Set global variables set_fact: - virbr: "16" - netsuffix: "11" - hostname: "node11" - domain: "lab.local" - mem: "16G" - ipaserver: "freeipa.lab.local" + virbr: "8" + netsuffix: "22" + hostname: "build" + domain: "lab.syscallx86.com" + mem: "4G" + ipaserver: "freeipa.lab.syscallx86.com" + nfsserver: "nfsnode.lab.syscallx86.com" + home_export: "/nfsvg/home" ipaip: "10.1.8.10" ldapbase: "dc=lab,dc=local" svcadmin: "admin" adminpwd: "admin123" - template: "t_centos7" + template: "basevm" template_dir: "/data/templates" vms_dir: "/data/vms" - rootvg_size: 30 + rootvg_size: 40 - name: Set ip set_fact: @@ -31,4 +33,4 @@ - name: Set disksize set_fact: - disksize: "40G" + disksize: "40" diff --git a/10_nfs/client/ansible/01_prepare_nodes.yaml b/09_apigw/consul/ansible/01_prepare_nodes.yaml similarity index 100% rename from 10_nfs/client/ansible/01_prepare_nodes.yaml rename to 09_apigw/consul/ansible/01_prepare_nodes.yaml diff --git a/09_apigw/consul/ansible/02_install_consul.yaml b/09_apigw/consul/ansible/02_install_consul.yaml new file mode 100644 index 0000000..349b3c0 --- /dev/null +++ b/09_apigw/consul/ansible/02_install_consul.yaml @@ -0,0 +1,45 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before Consul installation" + ignore_errors: yes + + - name: "Create ansible group for new hosts" + add_host: name="{{ ip }}" groups=newhost + + +- hosts: newhost + become: true + gather_facts: no + tasks: + + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Install yum utils + shell: yum install -y yum-utils + + - name: Add hashicorp repo + shell: yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo + + - name: Install consul and envoy + shell: yum install -y consul hashicorp-envoy + + - name: Copy consul bootstrap file + copy: + src: include/consul.hcl + dest: /etc/consul.d/consul.hcl + + - name: Enable consul agent and start it + shell: systemctl enable consul ; systemctl start consul + + - name: Add ui port + shell: firewall-cmd --add-port=8080/tcp --permanent ; firewall-cmd --reload diff --git a/03_okdv3/02_infra/include/_setup_vars.yaml b/09_apigw/consul/ansible/include/_setup_vars.yaml similarity index 63% rename from 03_okdv3/02_infra/include/_setup_vars.yaml rename to 09_apigw/consul/ansible/include/_setup_vars.yaml index d3ca6bf..0817c1a 100644 --- a/03_okdv3/02_infra/include/_setup_vars.yaml +++ b/09_apigw/consul/ansible/include/_setup_vars.yaml @@ -1,20 +1,23 @@ - name: Set global variables set_fact: - virbr: "16" - netsuffix: "18" - hostname: "node18" - domain: "lab.local" - mem: "16G" - ipaserver: "freeipa.lab.local" + virbr: "8" + netsuffix: "254" + hostname: "apigw" + domain: "lab.syscallx86.com" + mem: "2G" + ipaserver: "freeipa.lab.syscallx86.com" + nfsserver: "nfsnode.lab.syscallx86.com" + home_export: "/nfsvg/home" ipaip: "10.1.8.10" ldapbase: "dc=lab,dc=local" svcadmin: "admin" adminpwd: "admin123" - template: "t_centos7" + template: "basevm" template_dir: "/data/templates" vms_dir: "/data/vms" rootvg_size: 30 + - name: Set ip set_fact: ip: "10.1.{{ virbr }}.{{ netsuffix }}" @@ -31,4 +34,4 @@ - name: Set disksize set_fact: - disksize: "40G" + disksize: "30" diff --git a/09_apigw/consul/ansible/include/consul.hcl b/09_apigw/consul/ansible/include/consul.hcl new file mode 100644 index 0000000..b195c98 --- /dev/null +++ b/09_apigw/consul/ansible/include/consul.hcl @@ -0,0 +1,6 @@ +data_dir = "/opt/consul" +client_addr = "0.0.0.0" +retry_join = ["10.1.8.26"] # Adresa vašeho Consul serveru +enable_central_service_config = true +encrypt = "5idcXNSN1IESUpVGNBVsqDfEMc0HbX5hDa3I5ld5uMg=" +datacenter = "primary" diff --git a/09_apigw/consul/ansible/include/hashicorp.repo b/09_apigw/consul/ansible/include/hashicorp.repo new file mode 120000 index 0000000..70c8cd6 --- /dev/null +++ b/09_apigw/consul/ansible/include/hashicorp.repo @@ -0,0 +1 @@ +../../../../99_newhost/repos/hashicorp.repo \ No newline at end of file diff --git a/09_apigw/simpleapi/build/simpleapi b/09_apigw/simpleapi/build/simpleapi deleted file mode 100755 index 5ce3d17..0000000 Binary files a/09_apigw/simpleapi/build/simpleapi and /dev/null differ diff --git a/10_nfs/client/ansible/02_install_nfsnode.yaml b/10_nfs/client/ansible/02_install_nfsnode.yaml deleted file mode 100644 index 64e8440..0000000 --- a/10_nfs/client/ansible/02_install_nfsnode.yaml +++ /dev/null @@ -1,70 +0,0 @@ ---- -- hosts: localhost - become: true - gather_facts: no - tasks: - - - name: Set variables - include: include/_setup_vars.yaml - - - name: "Create ansible group for new hosts" - add_host: name="{{ ip }}" groups=newhost - - - name: Create nfs home data disk - shell: qemu-img create -f qcow2 {{ vms_dir }}/{{ fqdn }}/nfsvg.qcow2 {{ disksize }} - - - name: Attach disk to machine - shell: virsh attach-disk {{ fqdn }} --source {{ vms_dir }}/{{ fqdn }}/nfsvg.qcow2 --target vdb --subdriver qcow2 --targetbus virtio --persistent - - - name: Autostart of the machine - shell: virsh autostart {{ fqdn }} - -- hosts: newhost - become: true - gather_facts: no - tasks: - - - name: Set variables - include: include/_setup_vars.yaml - - - name: Setup firewall rules - shell: firewall-cmd --permanent --add-service={mountd,nfs,rpc-bind} ; firewall-cmd --reload - - - name: Install prerequisites - shell: yum install -y nfs-utils policycoreutils-python-2.5-33.el7.x86_64 - - - name: Create datavg and logical volume - shell: pvcreate /dev/vdb ; vgcreate nfsvg /dev/vdb ; lvcreate -n home -L20G nfsvg - - - name: Create fs - shell: mkfs.ext4 /dev/nfsvg/home - - - name: make directory /nfsvg/home - shell: mkdir -p /nfsvg/home - - - name: Add /nfshome to fstab - shell: echo '/dev/mapper/nfsvg-home /nfsvg/home ext4 noatime,nodiratime 1 2' >> /etc/fstab - - - name: Mount /nfsvg/home - shell: mount /nfsvg/home - - - name: Set selinux context - shell: semanage fcontext -a -t nfs_t "/nfsvg(/.*)?" ; restorecon -Rv /nfsvg/ - - - name: Get the krb5 ticket - shell: echo "{{ adminpwd }}" | kinit {{ svcadmin }} - - - name: Add nfs service - shell: ipa service-add nfs/{{ fqdn }}@{{ realm }} --force - - - name: Get host keytab - shell: ipa-getkeytab -p host/{{ fqdn }} -k /etc/krb5.keytab - - - name: Get nfs keytab - shell: ipa-getkeytab -p nfs/{{ fqdn }} -k /etc/krb5.keytab - - - name: Set nfs exports - shell: echo '/nfsvg/home *(rw,sec=krb5p,sync)' >> /etc/exports ; exportfs -r - - - name: Enable and start nfs services - shell: systemctl start nfs-server ; systemctl enable nfs-server diff --git a/10_nfs/server/ansible/02_install_nfsnode.yaml.bckp b/10_nfs/server/ansible/02_install_nfsnode.yaml.bckp deleted file mode 100644 index 64e8440..0000000 --- a/10_nfs/server/ansible/02_install_nfsnode.yaml.bckp +++ /dev/null @@ -1,70 +0,0 @@ ---- -- hosts: localhost - become: true - gather_facts: no - tasks: - - - name: Set variables - include: include/_setup_vars.yaml - - - name: "Create ansible group for new hosts" - add_host: name="{{ ip }}" groups=newhost - - - name: Create nfs home data disk - shell: qemu-img create -f qcow2 {{ vms_dir }}/{{ fqdn }}/nfsvg.qcow2 {{ disksize }} - - - name: Attach disk to machine - shell: virsh attach-disk {{ fqdn }} --source {{ vms_dir }}/{{ fqdn }}/nfsvg.qcow2 --target vdb --subdriver qcow2 --targetbus virtio --persistent - - - name: Autostart of the machine - shell: virsh autostart {{ fqdn }} - -- hosts: newhost - become: true - gather_facts: no - tasks: - - - name: Set variables - include: include/_setup_vars.yaml - - - name: Setup firewall rules - shell: firewall-cmd --permanent --add-service={mountd,nfs,rpc-bind} ; firewall-cmd --reload - - - name: Install prerequisites - shell: yum install -y nfs-utils policycoreutils-python-2.5-33.el7.x86_64 - - - name: Create datavg and logical volume - shell: pvcreate /dev/vdb ; vgcreate nfsvg /dev/vdb ; lvcreate -n home -L20G nfsvg - - - name: Create fs - shell: mkfs.ext4 /dev/nfsvg/home - - - name: make directory /nfsvg/home - shell: mkdir -p /nfsvg/home - - - name: Add /nfshome to fstab - shell: echo '/dev/mapper/nfsvg-home /nfsvg/home ext4 noatime,nodiratime 1 2' >> /etc/fstab - - - name: Mount /nfsvg/home - shell: mount /nfsvg/home - - - name: Set selinux context - shell: semanage fcontext -a -t nfs_t "/nfsvg(/.*)?" ; restorecon -Rv /nfsvg/ - - - name: Get the krb5 ticket - shell: echo "{{ adminpwd }}" | kinit {{ svcadmin }} - - - name: Add nfs service - shell: ipa service-add nfs/{{ fqdn }}@{{ realm }} --force - - - name: Get host keytab - shell: ipa-getkeytab -p host/{{ fqdn }} -k /etc/krb5.keytab - - - name: Get nfs keytab - shell: ipa-getkeytab -p nfs/{{ fqdn }} -k /etc/krb5.keytab - - - name: Set nfs exports - shell: echo '/nfsvg/home *(rw,sec=krb5p,sync)' >> /etc/exports ; exportfs -r - - - name: Enable and start nfs services - shell: systemctl start nfs-server ; systemctl enable nfs-server diff --git a/10_nfs/server/ansible/04_add_homesdir.yaml b/10_nfs/server/ansible/04_add_homesdir.yaml deleted file mode 120000 index 1c125a0..0000000 --- a/10_nfs/server/ansible/04_add_homesdir.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../02_freeipa/ansible/04_add_homesdir.yaml \ No newline at end of file diff --git a/18_vault/01_prepare_nodes.yaml b/18_vault/01_prepare_nodes.yaml new file mode 120000 index 0000000..c37ca09 --- /dev/null +++ b/18_vault/01_prepare_nodes.yaml @@ -0,0 +1 @@ +../99_newhost/ansible/01_prepare_nodes.yaml \ No newline at end of file diff --git a/03_okdv3/03_compute/include/_setup_vars.yaml b/18_vault/include/_setup_vars.yaml similarity index 53% rename from 03_okdv3/03_compute/include/_setup_vars.yaml rename to 18_vault/include/_setup_vars.yaml index e1077ce..f81dfe4 100644 --- a/03_okdv3/03_compute/include/_setup_vars.yaml +++ b/18_vault/include/_setup_vars.yaml @@ -1,26 +1,27 @@ - name: Set global variables set_fact: - virbr: "16" - netsuffix: "24" - hostname: "node24" - domain: "lab.local" - mem: "8G" - ipaserver: "freeipa.lab.local" + virbr: "8" + netsuffix: "25" + hostname: "vault" + domain: "lab.syscallx86.com" + mem: "2G" + ipaserver: "freeipa.lab.syscallx86.com" ipaip: "10.1.8.10" - ldapbase: "dc=lab,dc=local" + ldapbase: "dc=lab,dc=syscallx86,dc=com" svcadmin: "admin" adminpwd: "admin123" - template: "t_centos7" - template_dir: "/data/templates" + template: "basevm" + template_dir: "/data/vms/templates" vms_dir: "/data/vms" rootvg_size: 30 + nfsserver: "nfsnode.lab.syscallx86.com" + home_export: "/nfsvg/home" + - name: Set ip set_fact: ip: "10.1.{{ virbr }}.{{ netsuffix }}" - - - name: Set FQDN set_fact: fqdn: "{{ hostname }}.{{ domain }}" @@ -31,4 +32,4 @@ - name: Set disksize set_fact: - disksize: "40G" + disksize: "51G" diff --git a/03_okdv3/02_infra/include/_setup_vars.template b/18_vault/include/_setup_vars.yaml.old similarity index 53% rename from 03_okdv3/02_infra/include/_setup_vars.template rename to 18_vault/include/_setup_vars.yaml.old index 4f23ca0..f81dfe4 100644 --- a/03_okdv3/02_infra/include/_setup_vars.template +++ b/18_vault/include/_setup_vars.yaml.old @@ -1,26 +1,27 @@ - name: Set global variables set_fact: - virbr: "16" - netsuffix: "1XXX" - hostname: "node1XXX" - domain: "lab.local" - mem: "16G" - ipaserver: "freeipa.lab.local" + virbr: "8" + netsuffix: "25" + hostname: "vault" + domain: "lab.syscallx86.com" + mem: "2G" + ipaserver: "freeipa.lab.syscallx86.com" ipaip: "10.1.8.10" - ldapbase: "dc=lab,dc=local" + ldapbase: "dc=lab,dc=syscallx86,dc=com" svcadmin: "admin" adminpwd: "admin123" - template: "t_centos7" - template_dir: "/data/templates" + template: "basevm" + template_dir: "/data/vms/templates" vms_dir: "/data/vms" rootvg_size: 30 + nfsserver: "nfsnode.lab.syscallx86.com" + home_export: "/nfsvg/home" + - name: Set ip set_fact: ip: "10.1.{{ virbr }}.{{ netsuffix }}" - - - name: Set FQDN set_fact: fqdn: "{{ hostname }}.{{ domain }}" @@ -31,4 +32,4 @@ - name: Set disksize set_fact: - disksize: "40G" + disksize: "51G" diff --git a/19_consul/01_prepare_nodes.yaml b/19_consul/01_prepare_nodes.yaml new file mode 120000 index 0000000..c37ca09 --- /dev/null +++ b/19_consul/01_prepare_nodes.yaml @@ -0,0 +1 @@ +../99_newhost/ansible/01_prepare_nodes.yaml \ No newline at end of file diff --git a/19_consul/02_install_consul.yaml b/19_consul/02_install_consul.yaml new file mode 100644 index 0000000..a5ac97a --- /dev/null +++ b/19_consul/02_install_consul.yaml @@ -0,0 +1,51 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before Consul installation" + + - name: "Create ansible group for new hosts" + add_host: name="{{ ip }}" groups=newhost + + +- hosts: newhost + become: true + gather_facts: no + tasks: + + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Install yum utils + shell: yum install -y yum-utils + + - name: Add hashicorp repo + shell: yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo + + - name: Install yum utils + shell: yum install -y consul + + - name: Add ui port + shell: firewall-cmd --add-port=8080/tcp --permanent ; firewall-cmd --reload + + +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Delete snapshot for the host + shell: virsh snapshot-delete --domain {{ fqdn }} --snapshotname "before Consul installation" + + +firewall-cmd --add-port=8080/tcp --permanent ; firewall-cmd --reload \ No newline at end of file diff --git a/19_consul/include/_setup_vars.yaml b/19_consul/include/_setup_vars.yaml new file mode 100644 index 0000000..18364f6 --- /dev/null +++ b/19_consul/include/_setup_vars.yaml @@ -0,0 +1,35 @@ +- name: Set global variables + set_fact: + virbr: "8" + netsuffix: "26" + hostname: "consul" + domain: "lab.syscallx86.com" + mem: "2G" + ipaserver: "freeipa.lab.syscallx86.com" + ipaip: "10.1.8.10" + ldapbase: "dc=lab,dc=syscallx86,dc=com" + svcadmin: "admin" + adminpwd: "admin123" + template: "basevm" + template_dir: "/data/vms/templates" + vms_dir: "/data/vms" + rootvg_size: 20 + nfsserver: "nfsnode.lab.syscallx86.com" + home_export: "/nfsvg/home" + + +- name: Set ip + set_fact: + ip: "10.1.{{ virbr }}.{{ netsuffix }}" + +- name: Set FQDN + set_fact: + fqdn: "{{ hostname }}.{{ domain }}" + +- name: Set REALM + set_fact: + realm: "{{ domain|upper }}" + +- name: Set disksize + set_fact: + disksize: "51G" diff --git a/20_application/01_prepare_nodes.yaml b/20_application/01_prepare_nodes.yaml new file mode 120000 index 0000000..c37ca09 --- /dev/null +++ b/20_application/01_prepare_nodes.yaml @@ -0,0 +1 @@ +../99_newhost/ansible/01_prepare_nodes.yaml \ No newline at end of file diff --git a/20_application/02_deploy_simpleoidc.yaml b/20_application/02_deploy_simpleoidc.yaml new file mode 100644 index 0000000..092259b --- /dev/null +++ b/20_application/02_deploy_simpleoidc.yaml @@ -0,0 +1,38 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before SimpleApi installation" + ignore_errors: yes + + - name: "Create ansible group for new hosts" + add_host: name="{{ ip }}" groups=newhost + + +- hosts: newhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: New application user - Maybe in ipa + shell: useradd -r -s /bin/false svcsimple + + - name: Copy crio repo definition to yum dir + copy: + src: include/simpleoidc.service + dest: /usr/lib/systemd/system/ + + - name: Setup firewall rules + shell: firewall-cmd --permanent --add-port=6080/tcp + + - name: Enable and start simpleoidc + shell: systemctl enable simpleoidc ; systemctl start simpleoidc \ No newline at end of file diff --git a/20_application/03_install_consulclient.yaml b/20_application/03_install_consulclient.yaml new file mode 100644 index 0000000..110fef2 --- /dev/null +++ b/20_application/03_install_consulclient.yaml @@ -0,0 +1,65 @@ +--- +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Create snapshot for the host + shell: virsh snapshot-create-as --domain {{ fqdn }} --name "before Consul installation" + ignore_errors: yes + + - name: "Create ansible group for new hosts" + add_host: name="{{ ip }}" groups=newhost + + +- hosts: newhost + become: true + gather_facts: no + tasks: + + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Setup firewall rules + shell: firewall-cmd --permanent --add-port=6080/tcp --add-port 6080/tcp --add-port 8502/tcp --add-port 21000/tcp + + - name: Install yum utils + shell: yum install -y yum-utils + + - name: Add hashicorp repo + shell: yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo + + - name: Install yum consul and envoy proxy + shell: yum install -y consul hashicorp-envoy.x86_64 + + - name: Make certs dir + shell: mkdir -p /etc/consul.d/certs ; chown R consul.consul /etc/consul.d + + - name: Mame Envoy dir + shell: mkdir /etc/envoy + + - name: Copy consul client definition + copy: + src: include/client.hcl + dest: /etc/consul.d/ + + - name: Copy webservice client definition + copy: + src: include/client.hcl + dest: /etc/consul.d/ + +- hosts: localhost + become: true + gather_facts: no + tasks: + + - name: Set variables + include: include/_setup_vars.yaml + + - name: Delete snapshot for the host + shell: virsh snapshot-delete --domain {{ fqdn }} --snapshotname "before Consul installation" + diff --git a/20_application/include/_setup_vars.yaml b/20_application/include/_setup_vars.yaml new file mode 100644 index 0000000..212ef80 --- /dev/null +++ b/20_application/include/_setup_vars.yaml @@ -0,0 +1,35 @@ +- name: Set global variables + set_fact: + virbr: "8" + netsuffix: "42" + hostname: "api02" + domain: "lab.syscallx86.com" + mem: "2G" + ipaserver: "freeipa.lab.syscallx86.com" + ipaip: "10.1.8.10" + ldapbase: "dc=lab,dc=syscallx86,dc=com" + svcadmin: "admin" + adminpwd: "admin123" + template: "basevm" + template_dir: "/data/vms/templates" + vms_dir: "/data/vms" + rootvg_size: 20 + nfsserver: "nfsnode.lab.syscallx86.com" + home_export: "/nfsvg/home" + + +- name: Set ip + set_fact: + ip: "10.1.{{ virbr }}.{{ netsuffix }}" + +- name: Set FQDN + set_fact: + fqdn: "{{ hostname }}.{{ domain }}" + +- name: Set REALM + set_fact: + realm: "{{ domain|upper }}" + +- name: Set disksize + set_fact: + disksize: "20G" diff --git a/20_application/include/client.hcl b/20_application/include/client.hcl new file mode 100644 index 0000000..e69de29 diff --git a/20_application/include/simpleoidc.service b/20_application/include/simpleoidc.service new file mode 100644 index 0000000..cedc4db --- /dev/null +++ b/20_application/include/simpleoidc.service @@ -0,0 +1,12 @@ +[Unit] +Description=Simple api for testing purpose + +[Service] +User=svcsimple +WorkingDirectory=/tmp +ExecStart=/usr/local/bin/simpleoidc +Restart=always +RestartSec=3 + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/20_application/include/web-service.hcl b/20_application/include/web-service.hcl new file mode 100644 index 0000000..285a276 --- /dev/null +++ b/20_application/include/web-service.hcl @@ -0,0 +1,15 @@ +service { + name = "web" + id = "web-1" + port = 8080 + + connect { + sidecar_service {} + } + + check { + name = "HTTP Health Check" + http = "http://localhost:8080/health" + interval = "10s" + } +} \ No newline at end of file diff --git a/21_ovn/README.md b/21_ovn/README.md new file mode 100644 index 0000000..fafdc68 --- /dev/null +++ b/21_ovn/README.md @@ -0,0 +1,58 @@ +#### Introduction + +Basic files related to ovn-kubernetes + +#### Node config + +```ovn11.lab.syscallx86.com + +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +2: enp1s0: mtu 1500 qdisc fq_codel master ovs-system state UP group default qlen 1000 + link/ether 52:54:00:ab:84:eb brd ff:ff:ff:ff:ff:ff +3: ovs-system: mtu 1500 qdisc noop state DOWN group default qlen 1000 + link/ether d6:c5:4e:86:9f:4a brd ff:ff:ff:ff:ff:ff +5: genev_sys_6081: mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000 + link/ether e2:f8:a8:44:72:e8 brd ff:ff:ff:ff:ff:ff + inet6 fe80::e0f8:a8ff:fe44:72e8/64 scope link + valid_lft forever preferred_lft forever +6: ovn-k8s-mp0: mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1000 + link/ether 16:67:05:17:34:4d brd ff:ff:ff:ff:ff:ff + inet 10.38.1.2/24 brd 10.38.1.255 scope global ovn-k8s-mp0 + valid_lft forever preferred_lft forever +7: br-int: mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1000 + link/ether ca:ef:76:3a:ce:3d brd ff:ff:ff:ff:ff:ff +8: br-ex: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000 + link/ether 32:a1:53:6c:41:4c brd ff:ff:ff:ff:ff:ff + inet 10.1.16.11/32 scope global noprefixroute br-ex + valid_lft forever preferred_lft forever + inet 169.254.169.2/29 brd 169.254.169.7 scope global br-ex + valid_lft forever preferred_lft forever + inet6 fe80::57b3:c74c:21f6:41ad/64 scope link noprefixroute + valid_lft forever preferred_lft forever +``` + +Just one ethernet interface, br-int has to be created manualy via "ovs-vsctl add-br br-int" + +#### Important notes + +- you have to explicitly enable egress features by adding env variable to ovnkube-master deployment + +``` + - name: OVN_EGRESSIP_ENABLE + value: "true" +``` + +- you have to disable ssl comunication on master, databases, and ovnkube-node daemon: + + +``` + - name: OVN_SSL_ENABLE + value: "no" +``` + +It needs to be more investigation, root cause is probable self signed certificate generated by diff --git a/21_ovn/generated/images/Dockerfile.fedora b/21_ovn/generated/images/Dockerfile.fedora new file mode 100644 index 0000000..7dd10b1 --- /dev/null +++ b/21_ovn/generated/images/Dockerfile.fedora @@ -0,0 +1,71 @@ +# +# This is the OpenShift ovn overlay network image. +# it provides an overlay network using ovs/ovn/ovn-kube +# +# The standard name for this image is ovn-kube + +# Notes: +# This is for a development build where the ovn-kubernetes utilities +# are built locally and included in the image (instead of the rpm) +# + +FROM fedora:39 + +USER root + +ENV PYTHONDONTWRITEBYTECODE yes + +ARG ovnver=ovn-24.03.2-19.fc39 +# Automatically populated when using docker buildx +ARG TARGETPLATFORM +ARG BUILDPLATFORM + +RUN echo "Running on $BUILDPLATFORM, building for $TARGETPLATFORM" + +# install needed rpms - openvswitch must be 2.10.4 or higher +RUN INSTALL_PKGS=" \ + python3-pip python3-pyyaml bind-utils procps-ng openssl numactl-libs firewalld-filesystem \ + libpcap hostname kubernetes-client util-linux \ + ovn ovn-central ovn-host python3-openvswitch tcpdump openvswitch-test python3-pyOpenSSL \ + iptables iproute iputils strace socat koji \ + libreswan openvswitch-ipsec \ + " && \ + dnf install --best --refresh -y --setopt=tsflags=nodocs $INSTALL_PKGS && \ + dnf clean all && rm -rf /var/cache/dnf/* +RUN ln -s /usr/bin/python3 /usr/libexec/platform-python + +RUN mkdir -p /var/run/openvswitch + +RUN if [ "$TARGETPLATFORM" = "linux/amd64" ] || [ -z "$TARGETPLATFORM"] ; then koji download-build $ovnver --arch=x86_64 ; \ + else koji download-build $ovnver --arch=aarch64 ; fi + +RUN rpm -Uhv --nodeps --force *.rpm + +# Built in ../../go_controller, then the binaries are copied here. +# put things where they are in the pkg +RUN mkdir -p /usr/libexec/cni/ +COPY ovnkube ovn-kube-util ovndbchecker hybrid-overlay-node ovnkube-identity /usr/bin/ +COPY ovn-k8s-cni-overlay /usr/libexec/cni/ovn-k8s-cni-overlay + +# ovnkube.sh is the entry point. This script examines environment +# variables to direct operation and configure ovn +COPY ovnkube.sh /root/ +COPY ovndb-raft-functions.sh /root/ + +# copy git commit number into image +COPY git_info /root + +# iptables wrappers +COPY ./iptables-scripts/iptables /usr/sbin/ +COPY ./iptables-scripts/iptables-save /usr/sbin/ +COPY ./iptables-scripts/iptables-restore /usr/sbin/ +COPY ./iptables-scripts/ip6tables /usr/sbin/ +COPY ./iptables-scripts/ip6tables-save /usr/sbin/ +COPY ./iptables-scripts/ip6tables-restore /usr/sbin/ + +LABEL io.k8s.display-name="ovn-kubernetes" \ + io.k8s.description="This is a Kubernetes network plugin that provides an overlay network using OVN." \ + maintainer="Tim Rozet " + +WORKDIR /root +ENTRYPOINT /root/ovnkube.sh diff --git a/21_ovn/generated/images/Dockerfile.fedora.dev b/21_ovn/generated/images/Dockerfile.fedora.dev new file mode 100644 index 0000000..6e9ec9c --- /dev/null +++ b/21_ovn/generated/images/Dockerfile.fedora.dev @@ -0,0 +1,102 @@ +# +# This Dockerfile builds the development image of Kubernetes OVN CNI networking +# stack. It provides the OVN-Kubernetes CNI plugin (OVN-Kubernetes) and all the +# required binaries from OVN and OVS. By default OVN and OVS binaries are built +# using the master branch of the respective projects. +# +# NOTE: +# 1) Binaries are built using the version specified using OVN-BRANCH, +# OVS-BRANCH args below in the Dockerfile. By default the branch is set to +# master, so it will build OVN and OVS binaries from the master branch code. +# Please change the branch name if image needs to be build with different +# branch. +# +# 2) This image is only for development environment, so please DO NOT DEPLOY +# this image in any production environment. +# + +FROM fedora:39 AS ovnbuilder + +USER root + +ENV PYTHONDONTWRITEBYTECODE yes + +# Install tools that are required for building ovs/ovn. +RUN INSTALL_PKGS="git rpm-build dnf-plugins-core" && \ + dnf install --best --refresh -y --setopt=tsflags=nodocs $INSTALL_PKGS + +# Clone OVS Source Code. +ARG OVS_REPO=https://github.com/openvswitch/ovs.git +ARG OVS_BRANCH=main +WORKDIR /root +RUN git clone $OVS_REPO --single-branch --branch=$OVS_BRANCH + +# Build OVS rpms. +WORKDIR /root/ovs +RUN sed -e 's/@VERSION@/0.0.1/' rhel/openvswitch-fedora.spec.in > /tmp/ovs.spec +RUN dnf builddep -y /tmp/ovs.spec +RUN ./boot.sh +RUN ./configure +RUN make rpm-fedora +RUN rm rpm/rpmbuild/RPMS/x86_64/*debug* +RUN rm rpm/rpmbuild/RPMS/x86_64/*devel* +RUN git log -n 1 + +# Clone OVN Source Code. +ARG OVN_REPO=https://github.com/ovn-org/ovn.git +ARG OVN_BRANCH=main +WORKDIR /root +RUN git clone $OVN_REPO --single-branch --branch=$OVN_BRANCH + +# Build OVN rpms. +WORKDIR /root/ovn/ +RUN sed -e 's/@VERSION@/0.0.1/' rhel/ovn-fedora.spec.in > /tmp/ovn.spec +RUN dnf builddep -y /tmp/ovn.spec +RUN ./boot.sh +RUN ./configure --with-ovs-source=/root/ovs/ +RUN make rpm-fedora +RUN rm rpm/rpmbuild/RPMS/x86_64/*debug* +RUN rm rpm/rpmbuild/RPMS/x86_64/*docker* +RUN git log -n 1 + +# Build the final image +FROM fedora:39 + +# Install needed dependencies. +RUN INSTALL_PKGS=" \ + iptables iproute iputils hostname unbound-libs kubernetes-client kmod" && \ + dnf install --best --refresh -y --setopt=tsflags=nodocs $INSTALL_PKGS && \ + dnf clean all && rm -rf /var/cache/dnf/* + +RUN mkdir -p /var/run/openvswitch + +# Install openvswitch and ovn rpms built in previous stages. +COPY --from=ovnbuilder /root/ovn/rpm/rpmbuild/RPMS/x86_64/*rpm ./ +COPY --from=ovnbuilder /root/ovs/rpm/rpmbuild/RPMS/x86_64/*rpm ./ +COPY --from=ovnbuilder /root/ovs/rpm/rpmbuild/RPMS/noarch/*rpm ./ +RUN dnf install -y *.rpm && rm -f *.rpm + +# Install ovn-kubernetes binaries built in previous stage. +RUN mkdir -p /usr/libexec/cni/ +COPY ovnkube /usr/bin/ +COPY ovn-kube-util /usr/bin/ +COPY ovndbchecker /usr/bin/ +COPY hybrid-overlay-node /usr/bin +COPY ovnkube-identity /usr/bin/ +COPY ovn-k8s-cni-overlay /usr/libexec/cni/ovn-k8s-cni-overlay + +# ovnkube.sh is the entry point. This script examines environment +# variables to direct operation and configure ovn. +COPY ovnkube.sh /root/ +COPY ovndb-raft-functions.sh /root/ +COPY iptables-scripts /usr/sbin/ + +RUN getent group openvswitch >/dev/null || groupadd -r openvswitch +RUN getent passwd openvswitch >/dev/null || useradd -r -g openvswitch -d / -s /sbin/nologin -c "Open vSwitch Daemons" openvswitch + +LABEL io.k8s.display-name="ovn-kubernetes-master" \ + io.k8s.description="OVN based Kubernetes CNI Plugin stack. Image contains latest code of all the components in the stack (OVN-kubernetes, OVN, OVS)." \ + maintainer="Anil Vishnoi (vishnoianil@gmail.com)" + +WORKDIR /root +ENTRYPOINT /root/ovnkube.sh diff --git a/21_ovn/generated/images/Dockerfile.ubuntu b/21_ovn/generated/images/Dockerfile.ubuntu new file mode 100644 index 0000000..684ce2c --- /dev/null +++ b/21_ovn/generated/images/Dockerfile.ubuntu @@ -0,0 +1,55 @@ +# +# The standard name for this image is ovn-kube-ubuntu + +# Notes: +# This is for a development build where the ovn-kubernetes utilities +# are built in this Dockerfile and included in the image (instead of the deb package) +# +# +# So this file will change over time. + +FROM ubuntu:24.04 + +USER root + +RUN apt-get update && apt-get install -y iproute2 curl software-properties-common util-linux + +RUN curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - + +# Install OVS and OVN packages. +RUN apt-get update && apt-get install -y openvswitch-switch openvswitch-common ovn-central ovn-common ovn-host + +RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \ + && install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl + +RUN mkdir -p /var/run/openvswitch + +# Built in ../../go_controller, then the binaries are copied here. +# put things where they are in the pkg +RUN mkdir -p /usr/libexec/cni/ +COPY ovnkube ovn-kube-util ovndbchecker hybrid-overlay-node ovnkube-identity /usr/bin/ +COPY ovn-k8s-cni-overlay /usr/libexec/cni/ovn-k8s-cni-overlay + +# ovnkube.sh is the entry point. This script examines environment +# variables to direct operation and configure ovn +COPY ovnkube.sh /root/ +COPY ovndb-raft-functions.sh /root/ +# override the pkg's ovn_k8s.conf with this local copy +COPY ovn_k8s.conf /etc/openvswitch/ovn_k8s.conf + +# copy git commit number into image +COPY git_info /root + +# iptables wrappers +COPY ./iptables-scripts/iptables /usr/sbin/ +COPY ./iptables-scripts/iptables-save /usr/sbin/ +COPY ./iptables-scripts/iptables-restore /usr/sbin/ +COPY ./iptables-scripts/ip6tables /usr/sbin/ +COPY ./iptables-scripts/ip6tables-save /usr/sbin/ +COPY ./iptables-scripts/ip6tables-restore /usr/sbin/ + +LABEL io.k8s.display-name="ovn-kubernetes" \ + io.k8s.description="ovnkube ubuntu image" + +WORKDIR /root +ENTRYPOINT /root/ovnkube.sh diff --git a/21_ovn/generated/images/Makefile b/21_ovn/generated/images/Makefile new file mode 100644 index 0000000..124b8c5 --- /dev/null +++ b/21_ovn/generated/images/Makefile @@ -0,0 +1,82 @@ +# build image for ovn overlay network cni plugin + +# ovnkube-db.yaml, ovnkube-node.yaml, and onvkube-master.yaml use this image. +# This image is built from files in this directory and pushed to +# a docker registry that is accesseble on each node. + +# For a user created registry, the registry must be setup ahead of time. +# The registry is configured in /etc/containers/registries.conf +# on each node in both "registries:" and "insecure_registries:" sections. + +all: ubuntu fedora + +SLASH = - +ARCH = $(subst aarch64,arm64,$(subst x86_64,amd64,$(patsubst i%86,386,$(shell uname -m)))) +IMAGE_ARCH = $(SLASH)$(ARCH) +DOCKERFILE_ARCH = +ifeq ($(ARCH),arm64) + DOCKERFILE_ARCH=.arm64 +endif +OVS_BRANCH ?= master +OVN_BRANCH ?= main +OCI_BIN ?= docker + +# The image of ovnkube/ovn-daemonset-ubuntu should be multi-arched before using it on arm64 +ubuntu: bld + ${OCI_BIN} build -t ovn-kube-ubuntu$(IMAGE_ARCH) -f Dockerfile.ubuntu$(DOCKERFILE_ARCH) . +ifeq ($(ARCH),amd64) + ${OCI_BIN} tag "ovn-kube-ubuntu$(IMAGE_ARCH):latest" \ + "ovn-kube-ubuntu:latest" +endif + # This is the default in the ovnkube*.yaml files + # ${OCI_BIN} login -u ovnkube docker.io/ovnkube + # ${OCI_BIN} push docker.io/ovnkube/ovn-daemonset-ubuntu:latest + ./daemonset.sh --image=docker.io/ovnkube/ovn-daemonset-ubuntu:latest + +fedora: bld + ${OCI_BIN} build -t ovn-kube-fedora -f Dockerfile.fedora . + # ${OCI_BIN} login -u ovnkube docker.io/ovnkube + # ${OCI_BIN} push docker.io/ovnkube/ovn-daemonset-fedora:latest + ./daemonset.sh --image=docker.io/ovnkube/ovn-daemonset-fedora:latest + +fedora-dev: bld + ${OCI_BIN} build \ + --build-arg OVS_BRANCH=$(OVS_BRANCH) \ + --build-arg OVN_BRANCH=$(OVN_BRANCH) \ + -t ovn-kube-fedora-dev -f Dockerfile.fedora.dev . + # ${OCI_BIN} login -u ovnkube docker.io/ovnkube + # ${OCI_BIN} push docker.io/ovnkube/ovn-daemonset-fedora:latest + ./daemonset.sh --image=docker.io/ovnkube/ovn-daemonset-fedora:latest \ + --net-cidr=10.244.0.0/16 \ + --svc-cidr=10.96.0.0/12 \ + --gateway-mode="local" \ + --master-loglevel="5" \ + --node-loglevel="5" \ + --ovn-loglevel-northd="-vconsole:info -vfile:info" \ + --ovn-loglevel-nb="-vconsole:info -vfile:info" \ + --ovn-loglevel-sb="-vconsole:info -vfile:info" \ + --ovn-loglevel-controller="-vconsole:info" \ + --ovn_nb_raft_election_timer="1000" \ + --ovn_sb_raft_election_timer="1000" + +DOCKER_IMAGE_TAG = latest + +# Multi-arch the ubuntu based image with fat-manifest +ubuntu-image-multi-arch: + ./push_manifest.sh ovn-daemonset-ubuntu $(DOCKER_IMAGE_TAG) + +# This target expands the daemonset yaml templates into final form +# Use CLI flags or environment variables to customize its behavior. +daemonsetyaml: + ./daemonset.sh + +.PHONY: ../../go-controller/_output/go/bin/ovnkube + +../../go-controller/_output/go/bin/ovnkube: + cd ../../go-controller ; make + +BRANCH = $(shell git rev-parse --symbolic-full-name HEAD) +COMMIT = $(shell git rev-parse HEAD) +bld: ../../go-controller/_output/go/bin/ovnkube + cp -r ../../go-controller/_output/go/bin/* . + echo "ref: ${BRANCH} commit: ${COMMIT}" > git_info diff --git a/21_ovn/generated/images/daemonset.out b/21_ovn/generated/images/daemonset.out new file mode 100644 index 0000000..cec3cc5 --- /dev/null +++ b/21_ovn/generated/images/daemonset.out @@ -0,0 +1,760 @@ ++ set -e ++ command -v jinjanate ++ OVN_OUTPUT_DIR= ++ OVN_IMAGE= ++ OVN_IMAGE_PULL_POLICY= ++ OVN_NET_CIDR= ++ OVN_SVC_CIDR= ++ OVN_K8S_APISERVER= ++ OVN_GATEWAY_MODE= ++ OVN_GATEWAY_OPTS= ++ OVN_DUMMY_GATEWAY_BRIDGE= ++ OVN_DB_REPLICAS= ++ OVN_MTU= ++ OVN_SSL_ENABLE= ++ OVN_UNPRIVILEGED_MODE= ++ MASTER_LOGLEVEL= ++ NODE_LOGLEVEL= ++ DBCHECKER_LOGLEVEL= ++ OVN_LOGLEVEL_NORTHD= ++ OVN_LOGLEVEL_NB= ++ OVN_LOGLEVEL_SB= ++ OVN_LOGLEVEL_CONTROLLER= ++ OVN_LOGLEVEL_NBCTLD= ++ OVNKUBE_LOGFILE_MAXSIZE= ++ OVNKUBE_LOGFILE_MAXBACKUPS= ++ OVNKUBE_LOGFILE_MAXAGE= ++ OVNKUBE_LIBOVSDB_CLIENT_LOGFILE= ++ OVN_ACL_LOGGING_RATE_LIMIT= ++ OVN_MASTER_COUNT= ++ OVN_REMOTE_PROBE_INTERVAL= ++ OVN_MONITOR_ALL= ++ OVN_OFCTRL_WAIT_BEFORE_CLEAR= ++ OVN_ENABLE_LFLOW_CACHE= ++ OVN_LFLOW_CACHE_LIMIT= ++ OVN_LFLOW_CACHE_LIMIT_KB= ++ OVN_HYBRID_OVERLAY_ENABLE= ++ OVN_DISABLE_SNAT_MULTIPLE_GWS= ++ OVN_DISABLE_FORWARDING= ++ OVN_DISABLE_PKT_MTU_CHECK= ++ OVN_EMPTY_LB_EVENTS= ++ OVN_MULTICAST_ENABLE= ++ OVN_ADMIN_NETWORK_POLICY_ENABLE= ++ OVN_EGRESSIP_ENABLE= ++ OVN_EGRESSIP_HEALTHCHECK_PORT= ++ OVN_EGRESSFIREWALL_ENABLE= ++ OVN_EGRESSQOS_ENABLE= ++ OVN_EGRESSSERVICE_ENABLE= ++ OVN_DISABLE_OVN_IFACE_ID_VER=false ++ OVN_MULTI_NETWORK_ENABLE= ++ OVN_NETWORK_SEGMENTATION_ENABLE= ++ OVN_V4_JOIN_SUBNET= ++ OVN_V6_JOIN_SUBNET= ++ OVN_V4_MASQUERADE_SUBNET= ++ OVN_V6_MASQUERADE_SUBNET= ++ OVN_V4_TRANSIT_SWITCH_SUBNET= ++ OVN_V6_TRANSIT_SWITCH_SUBNET= ++ OVN_NETFLOW_TARGETS= ++ OVN_SFLOW_TARGETS= ++ OVN_IPFIX_TARGETS= ++ OVN_IPFIX_SAMPLING= ++ OVN_IPFIX_CACHE_MAX_FLOWS= ++ OVN_IPFIX_CACHE_ACTIVE_TIMEOUT= ++ OVN_HOST_NETWORK_NAMESPACE= ++ OVN_EX_GW_NETWORK_INTERFACE= ++ OVNKUBE_NODE_MGMT_PORT_NETDEV= ++ OVNKUBE_CONFIG_DURATION_ENABLE= ++ OVNKUBE_METRICS_SCALE_ENABLE= ++ OVN_STATELESS_NETPOL_ENABLE=false ++ OVN_ENABLE_INTERCONNECT= ++ OVN_ENABLE_OVNKUBE_IDENTITY=true ++ OVN_ENABLE_PERSISTENT_IPS= ++ OVN_ENABLE_SVC_TEMPLATE_SUPPORT=true ++ OVN_ENABLE_DNSNAMERESOLVER=false ++ IN_UPGRADE= ++ OVN_NORTHD_BACKOFF_INTERVAL= ++ '[' --image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest '!=' '' ']' +++ echo --image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest +++ awk -F= '{print $1}' ++ PARAM=--image +++ echo --image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest +++ cut -d= -f2- ++ VALUE=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ case $PARAM in ++ OVN_IMAGE=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ shift ++ '[' --net-cidr=10.38.0.0/16 '!=' '' ']' +++ echo --net-cidr=10.38.0.0/16 +++ awk -F= '{print $1}' ++ PARAM=--net-cidr +++ echo --net-cidr=10.38.0.0/16 +++ cut -d= -f2- ++ VALUE=10.38.0.0/16 ++ case $PARAM in ++ OVN_NET_CIDR=10.38.0.0/16 ++ shift ++ '[' --svc-cidr=10.49.0.0/16 '!=' '' ']' +++ echo --svc-cidr=10.49.0.0/16 +++ awk -F= '{print $1}' ++ PARAM=--svc-cidr +++ echo --svc-cidr=10.49.0.0/16 +++ cut -d= -f2- ++ VALUE=10.49.0.0/16 ++ case $PARAM in ++ OVN_SVC_CIDR=10.49.0.0/16 ++ shift ++ '[' --gateway-mode=local '!=' '' ']' +++ echo --gateway-mode=local +++ awk -F= '{print $1}' ++ PARAM=--gateway-mode +++ echo --gateway-mode=local +++ cut -d= -f2- ++ VALUE=local ++ case $PARAM in ++ OVN_GATEWAY_MODE=local ++ shift ++ '[' --k8s-apiserver=https://10.1.16.11:6443 '!=' '' ']' +++ echo --k8s-apiserver=https://10.1.16.11:6443 +++ awk -F= '{print $1}' ++ PARAM=--k8s-apiserver +++ echo --k8s-apiserver=https://10.1.16.11:6443 +++ cut -d= -f2- ++ VALUE=https://10.1.16.11:6443 ++ case $PARAM in ++ OVN_K8S_APISERVER=https://10.1.16.11:6443 ++ shift ++ '[' '' '!=' '' ']' ++ '[' -z ']' ++ output_dir=../yaml ++ echo 'output_dir: ../yaml' ++ image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ echo 'image: registry.lab.syscallx86.com/ovn-daemonset-fedora:latest' ++ ovnkube_image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ echo 'ovnkube_image: registry.lab.syscallx86.com/ovn-daemonset-fedora:latest' ++ image_pull_policy=IfNotPresent ++ echo 'imagePullPolicy: IfNotPresent' ++ ovn_gateway_mode=local ++ echo 'ovn_gateway_mode: local' ++ ovn_gateway_opts= ++ echo 'ovn_gateway_opts: ' ++ ovn_dummy_gateway_bridge= ++ echo 'ovn_dummy_gateway_bridge: ' ++ enable_ipsec=false ++ echo 'enable_ipsec: false' ++ ovn_db_replicas=3 ++ echo 'ovn_db_replicas: 3' ++ ovn_db_minAvailable=2 ++ echo 'ovn_db_minAvailable: 2' ++ master_loglevel=4 ++ echo 'master_loglevel: 4' ++ node_loglevel=5 ++ echo 'node_loglevel: 5' ++ db_checker_loglevel=4 ++ echo 'db_checker_loglevel: 4' ++ ovn_loglevel_northd='-vconsole:info -vfile:info' ++ echo 'ovn_loglevel_northd: -vconsole:info -vfile:info' ++ ovn_loglevel_nb='-vconsole:info -vfile:info' ++ echo 'ovn_loglevel_nb: -vconsole:info -vfile:info' ++ ovn_loglevel_sb='-vconsole:info -vfile:info' ++ echo 'ovn_loglevel_sb: -vconsole:info -vfile:info' ++ ovn_loglevel_controller=-vconsole:dbg ++ echo 'ovn_loglevel_controller: -vconsole:dbg' ++ ovnkube_logfile_maxsize=100 ++ echo 'ovnkube_logfile_maxsize: 100' ++ ovnkube_logfile_maxbackups=5 ++ echo 'ovnkube_logfile_maxbackups: 5' ++ ovnkube_logfile_maxage=5 ++ echo 'ovnkube_logfile_maxage: 5' ++ ovnkube_libovsdb_client_logfile= ++ echo 'ovnkube_libovsdb_client_logfile: ' ++ ovn_acl_logging_rate_limit=20 ++ echo 'ovn_acl_logging_rate_limit: 20' ++ ovn_hybrid_overlay_enable= ++ echo 'ovn_hybrid_overlay_enable: ' ++ ovn_admin_network_policy_enable= ++ echo 'ovn_admin_network_policy_enable: ' ++ ovn_egress_ip_enable= ++ echo 'ovn_egress_ip_enable: ' ++ ovn_egress_ip_healthcheck_port= ++ echo 'ovn_egress_ip_healthcheck_port: ' ++ ovn_egress_firewall_enable= ++ echo 'ovn_egress_firewall_enable: ' ++ ovn_egress_qos_enable= ++ echo 'ovn_egress_qos_enable: ' ++ ovn_egress_service_enable= ++ echo 'ovn_egress_service_enable: ' ++ ovn_disable_ovn_iface_id_ver=false ++ echo 'ovn_disable_ovn_iface_id_ver: false' ++ ovn_multi_network_enable= ++ echo 'ovn_multi_network_enable: ' ++ ovn_network_segmentation_enable= ++ echo 'ovn_network_segmentation_enable: ' ++ ovn_hybrid_overlay_net_cidr= ++ echo 'ovn_hybrid_overlay_net_cidr: ' ++ ovn_disable_snat_multiple_gws= ++ echo 'ovn_disable_snat_multiple_gws: ' ++ ovn_disable_forwarding= ++ echo 'ovn_disable_forwarding: ' ++ ovn_encap_port= ++ echo 'ovn_encap_port: ' ++ ovn_disable_pkt_mtu_check= ++ echo 'ovn_disable_pkt_mtu_check: ' ++ ovn_empty_lb_events= ++ echo 'ovn_empty_lb_events: ' ++ ovn_ssl_en=no ++ echo 'ovn_ssl_enable: no' ++ ovn_unprivileged_mode=no ++ echo 'ovn_unprivileged_mode: no' ++ ovn_nb_raft_election_timer=1000 ++ echo 'ovn_nb_raft_election_timer: 1000' ++ ovn_sb_raft_election_timer=1000 ++ echo 'ovn_sb_raft_election_timer: 1000' ++ ovn_master_count=1 ++ echo 'ovn_master_count: 1' ++ ovn_remote_probe_interval=100000 ++ echo 'ovn_remote_probe_interval: 100000' ++ ovn_monitor_all= ++ echo 'ovn_monitor_all: ' ++ ovn_ofctrl_wait_before_clear= ++ echo 'ovn_ofctrl_wait_before_clear: ' ++ ovn_enable_lflow_cache= ++ echo 'ovn_enable_lflow_cache: ' ++ ovn_lflow_cache_limit= ++ echo 'ovn_lflow_cache_limit: ' ++ ovn_lflow_cache_limit_kb= ++ echo 'ovn_lflow_cache_limit_kb: ' ++ ovn_nb_port=6641 ++ echo 'ovn_nb_port: 6641' ++ ovn_sb_port=6642 ++ echo 'ovn_sb_port: 6642' ++ ovn_nb_raft_port=6643 ++ echo 'ovn_nb_raft_port: 6643' ++ ovn_sb_raft_port=6644 ++ echo 'ovn_sb_raft_port: 6644' ++ ovn_multicast_enable= ++ echo 'ovn_multicast_enable: ' ++ ovn_v4_join_subnet= ++ echo 'ovn_v4_join_subnet: ' ++ ovn_v6_join_subnet= ++ echo 'ovn_v6_join_subnet: ' ++ ovn_v4_masquerade_subnet= ++ echo 'ovn_v4_masquerade_subnet: ' ++ ovn_v6_masquerade_subnet= ++ echo 'ovn_v6_masquerade_subnet: ' ++ ovn_v4_transit_switch_subnet= ++ echo 'ovn_v4_transit_switch_subnet: ' ++ ovn_v6_transit_switch_subnet= ++ echo 'ovn_v6_transit_switch_subnet: ' ++ ovn_netflow_targets= ++ echo 'ovn_netflow_targets: ' ++ ovn_sflow_targets= ++ echo 'ovn_sflow_targets: ' ++ ovn_ipfix_targets= ++ echo 'ovn_ipfix_targets: ' ++ ovn_ipfix_sampling= ++ echo 'ovn_ipfix_sampling: ' ++ ovn_ipfix_cache_max_flows= ++ echo 'ovn_ipfix_cache_max_flows: ' ++ ovn_ipfix_cache_active_timeout= ++ echo 'ovn_ipfix_cache_active_timeout: ' ++ ovn_ex_gw_networking_interface= ++ echo 'ovn_ex_gw_networking_interface: ' ++ ovnkube_node_mgmt_port_netdev= ++ echo 'ovnkube_node_mgmt_port_netdev: ' ++ ovnkube_config_duration_enable= ++ echo 'ovnkube_config_duration_enable: ' ++ ovnkube_metrics_scale_enable= ++ echo 'ovnkube_metrics_scale_enable: ' ++ ovn_stateless_netpol_enable=false ++ echo 'ovn_stateless_netpol_enable: false' ++ ovnkube_compact_mode_enable=false ++ echo 'ovnkube_compact_mode_enable: false' ++ ovn_enable_interconnect= ++ echo 'ovn_enable_interconnect: ' ++ ovn_enable_multi_external_gateway= ++ echo 'ovn_enable_multi_external_gateway: ' ++ ovn_enable_ovnkube_identity=true ++ echo 'ovn_enable_ovnkube_identity: true' ++ ovn_northd_backoff_interval= ++ echo 'ovn_northd_backoff_interval: ' ++ ovn_enable_persistent_ips= ++ echo 'ovn_enable_persistent_ips: ' ++ ovn_enable_svc_template_support=true ++ echo 'ovn_enable_svc_template_support: true' ++ ovn_enable_dnsnameresolver=false ++ echo 'ovn_enable_dnsnameresolver: false' ++ ovn_image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ ovnkube_compact_mode_enable=false ++ ovn_image_pull_policy=IfNotPresent ++ ovn_unprivileged_mode=no ++ ovn_gateway_mode=local ++ ovn_gateway_opts= ++ ovn_dummy_gateway_bridge= ++ ovnkube_node_loglevel=5 ++ ovn_loglevel_controller=-vconsole:dbg ++ ovnkube_logfile_maxsize=100 ++ ovnkube_logfile_maxbackups=5 ++ ovnkube_logfile_maxage=5 ++ ovn_hybrid_overlay_net_cidr= ++ ovn_hybrid_overlay_enable= ++ ovn_disable_snat_multiple_gws= ++ ovn_disable_forwarding= ++ ovn_encap_port= ++ ovn_disable_pkt_mtu_check= ++ ovn_v4_join_subnet= ++ ovn_v6_join_subnet= ++ ovn_v4_masquerade_subnet= ++ ovn_v6_masquerade_subnet= ++ ovn_multicast_enable= ++ ovn_admin_network_policy_enable= ++ ovn_egress_ip_enable= ++ ovn_egress_ip_healthcheck_port= ++ ovn_multi_network_enable= ++ ovn_network_segmentation_enable= ++ ovn_egress_service_enable= ++ ovn_ssl_en=no ++ ovn_remote_probe_interval=100000 ++ ovn_monitor_all= ++ ovn_ofctrl_wait_before_clear= ++ ovn_enable_lflow_cache= ++ ovn_lflow_cache_limit= ++ ovn_lflow_cache_limit_kb= ++ ovn_netflow_targets= ++ ovn_sflow_targets= ++ ovn_ipfix_targets= ++ ovn_ipfix_sampling= ++ ovn_ipfix_cache_max_flows= ++ ovn_ipfix_cache_active_timeout= ++ ovn_ex_gw_networking_interface= ++ ovn_disable_ovn_iface_id_ver=false ++ ovnkube_node_mgmt_port_netdev= ++ ovn_enable_interconnect= ++ ovn_enable_multi_external_gateway= ++ ovn_enable_ovnkube_identity=true ++ ovnkube_app_name=ovnkube-node ++ jinjanate ../templates/ovnkube-node.yaml.j2 -o ../yaml/ovnkube-node.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovn_image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ ovnkube_compact_mode_enable=false ++ ovn_image_pull_policy=IfNotPresent ++ ovn_unprivileged_mode=no ++ ovn_gateway_mode=local ++ ovn_gateway_opts= ++ ovn_dummy_gateway_bridge= ++ ovnkube_node_loglevel=5 ++ ovn_loglevel_controller=-vconsole:dbg ++ ovnkube_logfile_maxsize=100 ++ ovnkube_logfile_maxbackups=5 ++ ovnkube_logfile_maxage=5 ++ ovn_hybrid_overlay_net_cidr= ++ ovn_hybrid_overlay_enable= ++ ovn_disable_snat_multiple_gws= ++ ovn_disable_forwarding= ++ ovn_encap_port= ++ ovn_disable_pkt_mtu_check= ++ ovn_v4_join_subnet= ++ ovn_v6_join_subnet= ++ ovn_v4_masquerade_subnet= ++ ovn_v6_masquerade_subnet= ++ ovn_multicast_enable= ++ ovn_admin_network_policy_enable= ++ ovn_egress_ip_enable= ++ ovn_egress_ip_healthcheck_port= ++ ovn_multi_network_enable= ++ ovn_network_segmentation_enable= ++ ovn_egress_service_enable= ++ ovn_ssl_en=no ++ ovn_remote_probe_interval=100000 ++ ovn_monitor_all= ++ ovn_ofctrl_wait_before_clear= ++ ovn_enable_lflow_cache= ++ ovn_lflow_cache_limit= ++ ovn_lflow_cache_limit_kb= ++ ovn_netflow_targets= ++ ovn_sflow_targets= ++ ovn_ipfix_targets= ++ ovn_ipfix_sampling= ++ ovn_ipfix_cache_max_flows= ++ ovn_ipfix_cache_active_timeout= ++ ovn_ex_gw_networking_interface= ++ ovn_disable_ovn_iface_id_ver=false ++ ovnkube_node_mgmt_port_netdev= ++ ovn_enable_interconnect= ++ ovn_enable_multi_external_gateway= ++ ovn_enable_ovnkube_identity=true ++ ovnkube_app_name=ovnkube-node-dpu ++ jinjanate ../templates/ovnkube-node.yaml.j2 -o ../yaml/ovnkube-node-dpu.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovn_image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ ovnkube_compact_mode_enable=false ++ ovn_image_pull_policy=IfNotPresent ++ kind= ++ ovn_unprivileged_mode=no ++ ovn_gateway_mode=local ++ ovn_gateway_opts= ++ ovn_dummy_gateway_bridge= ++ ovnkube_node_loglevel=5 ++ ovn_loglevel_controller=-vconsole:dbg ++ ovnkube_logfile_maxsize=100 ++ ovnkube_logfile_maxbackups=5 ++ ovnkube_logfile_maxage=5 ++ ovn_hybrid_overlay_net_cidr= ++ ovn_hybrid_overlay_enable= ++ ovn_disable_snat_multiple_gws= ++ ovn_disable_forwarding= ++ ovn_encap_port= ++ ovn_disable_pkt_mtu_check= ++ ovn_v4_join_subnet= ++ ovn_v6_join_subnet= ++ ovn_v4_masquerade_subnet= ++ ovn_v6_masquerade_subnet= ++ ovn_multicast_enable= ++ ovn_admin_network_policy_enable= ++ ovn_egress_ip_enable= ++ ovn_egress_ip_healthcheck_port= ++ ovn_egress_service_enable= ++ ovn_netflow_targets= ++ ovn_sflow_targets= ++ ovn_ipfix_targets= ++ ovn_ipfix_sampling= ++ ovn_ipfix_cache_max_flows= ++ ovn_ipfix_cache_active_timeout= ++ ovn_ex_gw_networking_interface= ++ ovnkube_node_mgmt_port_netdev= ++ ovn_enable_ovnkube_identity=true ++ ovnkube_app_name=ovnkube-node-dpu-host ++ jinjanate ../templates/ovnkube-node.yaml.j2 -o ../yaml/ovnkube-node-dpu-host.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovn_image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ ovn_image_pull_policy=IfNotPresent ++ ovnkube_master_loglevel=4 ++ ovn_loglevel_northd='-vconsole:info -vfile:info' ++ ovnkube_logfile_maxsize=100 ++ ovnkube_logfile_maxbackups=5 ++ ovnkube_logfile_maxage=5 ++ ovnkube_libovsdb_client_logfile= ++ ovnkube_config_duration_enable= ++ ovnkube_metrics_scale_enable= ++ ovn_acl_logging_rate_limit=20 ++ ovn_hybrid_overlay_net_cidr= ++ ovn_hybrid_overlay_enable= ++ ovn_disable_snat_multiple_gws= ++ ovn_disable_forwarding= ++ ovn_encap_port= ++ ovn_disable_pkt_mtu_check= ++ ovn_empty_lb_events= ++ ovn_v4_join_subnet= ++ ovn_v6_join_subnet= ++ ovn_v4_masquerade_subnet= ++ ovn_v6_masquerade_subnet= ++ ovn_multicast_enable= ++ ovn_admin_network_policy_enable= ++ ovn_egress_ip_enable= ++ ovn_egress_ip_healthcheck_port= ++ ovn_egress_firewall_enable= ++ ovn_egress_qos_enable= ++ ovn_multi_network_enable= ++ ovn_network_segmentation_enable= ++ ovn_egress_service_enable= ++ ovn_ssl_en=no ++ ovn_master_count=1 ++ ovn_gateway_mode=local ++ ovn_gateway_opts= ++ ovn_dummy_gateway_bridge= ++ ovn_ex_gw_networking_interface= ++ ovn_stateless_netpol_enable= ++ ovnkube_compact_mode_enable=false ++ ovn_unprivileged_mode=no ++ ovn_enable_multi_external_gateway= ++ ovn_enable_ovnkube_identity=true ++ ovn_enable_persistent_ips= ++ ovn_enable_svc_template_support=true ++ ovn_enable_dnsnameresolver=false ++ jinjanate ../templates/ovnkube-master.yaml.j2 -o ../yaml/ovnkube-master.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovn_image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ ovn_image_pull_policy=IfNotPresent ++ ovnkube_master_loglevel=4 ++ ovn_loglevel_northd='-vconsole:info -vfile:info' ++ ovnkube_logfile_maxsize=100 ++ ovnkube_logfile_maxbackups=5 ++ ovnkube_logfile_maxage=5 ++ ovnkube_config_duration_enable= ++ ovnkube_metrics_scale_enable= ++ ovn_acl_logging_rate_limit=20 ++ ovn_hybrid_overlay_net_cidr= ++ ovn_hybrid_overlay_enable= ++ ovn_disable_snat_multiple_gws= ++ ovn_disable_pkt_mtu_check= ++ ovn_empty_lb_events= ++ ovn_v4_join_subnet= ++ ovn_v6_join_subnet= ++ ovn_v4_masquerade_subnet= ++ ovn_v6_masquerade_subnet= ++ ovn_multicast_enable= ++ ovn_admin_network_policy_enable= ++ ovn_egress_ip_enable= ++ ovn_egress_ip_healthcheck_port= ++ ovn_egress_firewall_enable= ++ ovn_egress_qos_enable= ++ ovn_multi_network_enable= ++ ovn_network_segmentation_enable= ++ ovn_egress_service_enable= ++ ovn_ssl_en=no ++ ovn_master_count=1 ++ ovn_gateway_mode=local ++ ovn_ex_gw_networking_interface= ++ ovn_enable_interconnect= ++ ovn_enable_multi_external_gateway= ++ ovn_enable_ovnkube_identity=true ++ ovn_v4_transit_switch_subnet= ++ ovn_v6_transit_switch_subnet= ++ ovn_enable_persistent_ips= ++ ovn_enable_dnsnameresolver=false ++ jinjanate ../templates/ovnkube-control-plane.yaml.j2 -o ../yaml/ovnkube-control-plane.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovn_image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ ovn_image_pull_policy=IfNotPresent ++ ovn_loglevel_nb='-vconsole:info -vfile:info' ++ ovn_loglevel_sb='-vconsole:info -vfile:info' ++ ovn_ssl_en=no ++ ovn_nb_port=6641 ++ ovn_sb_port=6642 ++ enable_ipsec=false ++ ovn_northd_backoff_interval= ++ jinjanate ../templates/ovnkube-db.yaml.j2 -o ../yaml/ovnkube-db.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovn_image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ ovn_image_pull_policy=IfNotPresent ++ ovn_db_replicas=3 ++ ovn_db_minAvailable=2 ++ ovn_loglevel_nb='-vconsole:info -vfile:info' ++ ovn_loglevel_sb='-vconsole:info -vfile:info' ++ ovn_dbchecker_loglevel=4 ++ ovnkube_logfile_maxsize=100 ++ ovnkube_logfile_maxbackups=5 ++ ovnkube_logfile_maxage=5 ++ ovn_ssl_en=no ++ ovn_nb_raft_election_timer=1000 ++ ovn_sb_raft_election_timer=1000 ++ ovn_nb_port=6641 ++ ovn_sb_port=6642 ++ ovn_nb_raft_port=6643 ++ ovn_sb_raft_port=6644 ++ enable_ipsec=false ++ ovn_northd_backoff_interval= ++ jinjanate ../templates/ovnkube-db-raft.yaml.j2 -o ../yaml/ovnkube-db-raft.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovn_image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ ovn_image_pull_policy=IfNotPresent ++ ovn_unprivileged_mode=no ++ ovn_gateway_mode=local ++ ovn_gateway_opts= ++ ovnkube_node_loglevel=5 ++ ovnkube_local_loglevel=5 ++ ovn_loglevel_controller=-vconsole:dbg ++ ovnkube_logfile_maxsize=100 ++ ovnkube_logfile_maxbackups=5 ++ ovnkube_logfile_maxage=5 ++ ovnkube_libovsdb_client_logfile= ++ ovnkube_config_duration_enable= ++ ovnkube_metrics_scale_enable= ++ ovn_hybrid_overlay_net_cidr= ++ ovn_hybrid_overlay_enable= ++ ovn_disable_snat_multiple_gws= ++ ovn_disable_forwarding= ++ ovn_encap_port= ++ ovn_disable_pkt_mtu_check= ++ ovn_v4_join_subnet= ++ ovn_v6_join_subnet= ++ ovn_v4_masquerade_subnet= ++ ovn_v6_masquerade_subnet= ++ ovn_multicast_enable= ++ ovn_admin_network_policy_enable= ++ ovn_egress_ip_enable= ++ ovn_egress_ip_healthcheck_port= ++ ovn_egress_firewall_enable= ++ ovn_egress_qos_enable= ++ ovn_multi_network_enable= ++ ovn_network_segmentation_enable= ++ ovn_egress_service_enable= ++ ovn_ssl_en=no ++ ovn_remote_probe_interval=100000 ++ ovn_monitor_all= ++ ovn_ofctrl_wait_before_clear= ++ ovn_enable_lflow_cache= ++ ovn_lflow_cache_limit= ++ ovn_lflow_cache_limit_kb= ++ ovn_netflow_targets= ++ ovn_sflow_targets= ++ ovn_ipfix_targets= ++ ovn_ipfix_sampling= ++ ovn_ipfix_cache_max_flows= ++ ovn_ipfix_cache_active_timeout= ++ ovn_ex_gw_networking_interface= ++ ovnkube_node_mgmt_port_netdev= ++ ovn_disable_ovn_iface_id_ver=false ++ ovnkube_master_loglevel=4 ++ ovn_loglevel_northd='-vconsole:info -vfile:info' ++ ovn_loglevel_nbctld= ++ ovn_acl_logging_rate_limit=20 ++ ovn_empty_lb_events= ++ ovn_loglevel_nb='-vconsole:info -vfile:info' ++ ovn_loglevel_sb='-vconsole:info -vfile:info' ++ ovn_enable_interconnect= ++ ovn_enable_multi_external_gateway= ++ ovn_enable_ovnkube_identity=true ++ ovn_northd_backoff_interval= ++ ovn_enable_persistent_ips= ++ ovn_enable_svc_template_support=true ++ ovn_enable_dnsnameresolver=false ++ jinjanate ../templates/ovnkube-single-node-zone.yaml.j2 -o ../yaml/ovnkube-single-node-zone.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovn_image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ ovn_image_pull_policy=IfNotPresent ++ ovn_unprivileged_mode=no ++ ovn_gateway_mode=local ++ ovn_gateway_opts= ++ ovnkube_node_loglevel=5 ++ ovnkube_local_loglevel=5 ++ ovn_loglevel_controller=-vconsole:dbg ++ ovnkube_logfile_maxsize=100 ++ ovnkube_logfile_maxbackups=5 ++ ovnkube_logfile_maxage=5 ++ ovnkube_libovsdb_client_logfile= ++ ovnkube_config_duration_enable= ++ ovnkube_metrics_scale_enable= ++ ovn_hybrid_overlay_net_cidr= ++ ovn_hybrid_overlay_enable= ++ ovn_disable_snat_multiple_gws= ++ ovn_encap_port= ++ ovn_disable_pkt_mtu_check= ++ ovn_v4_join_subnet= ++ ovn_v6_join_subnet= ++ ovn_v4_masquerade_subnet= ++ ovn_v6_masquerade_subnet= ++ ovn_multicast_enable= ++ ovn_admin_network_policy_enable= ++ ovn_egress_ip_enable= ++ ovn_egress_ip_healthcheck_port= ++ ovn_egress_service_enable= ++ ovn_egress_firewall_enable= ++ ovn_egress_qos_enable= ++ ovn_multi_network_enable= ++ ovn_network_segmentation_enable= ++ ovn_ssl_en=no ++ ovn_remote_probe_interval=100000 ++ ovn_monitor_all= ++ ovn_ofctrl_wait_before_clear= ++ ovn_enable_lflow_cache= ++ ovn_lflow_cache_limit= ++ ovn_lflow_cache_limit_kb= ++ ovn_netflow_targets= ++ ovn_sflow_targets= ++ ovn_ipfix_targets= ++ ovn_ipfix_sampling= ++ ovn_ipfix_cache_max_flows= ++ ovn_ipfix_cache_active_timeout= ++ ovn_ex_gw_networking_interface= ++ ovnkube_node_mgmt_port_netdev= ++ ovn_disable_ovn_iface_id_ver=false ++ ovnkube_master_loglevel=4 ++ ovn_loglevel_northd='-vconsole:info -vfile:info' ++ ovn_loglevel_nbctld= ++ ovn_acl_logging_rate_limit=20 ++ ovn_empty_lb_events= ++ ovn_loglevel_nb='-vconsole:info -vfile:info' ++ ovn_loglevel_sb='-vconsole:info -vfile:info' ++ ovn_enable_interconnect= ++ ovn_enable_multi_external_gateway= ++ ovn_enable_ovnkube_identity=true ++ ovn_northd_backoff_interval= ++ ovn_enable_persistent_ips= ++ ovn_enable_svc_template_support=true ++ ovn_enable_dnsnameresolver=false ++ jinjanate ../templates/ovnkube-zone-controller.yaml.j2 -o ../yaml/ovnkube-zone-controller.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovn_image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ ovn_image_pull_policy=IfNotPresent ++ ovn_unprivileged_mode=no ++ jinjanate ../templates/ovs-node.yaml.j2 -o ../yaml/ovs-node.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovnkube_certs_dir=/tmp/ovnkube-certs ++ ovnkube_webhook_name=ovnkube-webhook ++ mkdir -p /tmp/ovnkube-certs ++ path_prefix=/tmp/ovnkube-certs/ovnkube-webhook ++ '[' true = true ']' ++ openssl req -x509 -newkey rsa:4096 -nodes -keyout /tmp/ovnkube-certs/ovnkube-webhook-ca.key -out /tmp/ovnkube-certs/ovnkube-webhook-ca.crt -days 400 -subj /CN=self-signed-ca +..........+..............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.......+...............+..+.+.....+.+......+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+...+......+.....+.+...+.....+......+.......+...+..+....+...+..+.+..+...+.............+...........+..........+..................+.....+...+.......+..+...+.......+.....+.........+.......+.....+.......+...............+...+..+.......+..........................+.........+.........+.+...........+............+.........................+......+..+....+...+......+....................+.+........+......+..........+..+....+......+..............+.+.....+...+....+...+..................+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +....+.+.........+..+....+.....+.........+.+..+...+.+........+...+....+.........+..............+...+.......+...........+.+..............+.........+......+.+......+...+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+.......+...+.....+..........+......+.....+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+..+.+........+......+....+...........+...+.......+.........+..+..................+...............+..........+..+.......+..+.+..+..........+..+...............+......+.......+..+...+.+.........+...+...+..+...+.+......+...+............+..+.......+...............+...+...+........+................+........+.+.....+.........+...+....+.....+.+...+......+.....+.+.....+............+......+.......+.................+.+......+........+.......+.........+.....+.......+...+.....+......+...+..........+...+.........+............................................+....+......+.........+..+...............+......+....+.....+..........+...+..+.........+....+..+...+.+......+.....+...+...+......................+...+..+......+........................+.............+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +----- ++ openssl req -newkey rsa:4096 -nodes -keyout /tmp/ovnkube-certs/ovnkube-webhook.key -out /tmp/ovnkube-certs/ovnkube-webhook.csr -subj /CN=localhost +......+..................+...............+.......+.....+.+...+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+................+............+...+........+......+....+.....+......+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...+...........+......+......+.........+.+.....+.........+.+...+.....+.......+.......................+.+........+..........+..+.+........+.+.........+.....+............+.........+.+.................+...+....+.....+.........+.+..............+......+...+.............+............+.......................+............+.+...........+......+...+.........+...+.........................+..+.+..+....+.....+.+..+...+.......+...+............+......+...........+....+.....+.+..............+......+.+..................+.....+....+........+....+.....+....+.....+.......+....................+....+...+...........+.+.....+.+...+...........+....+.........+...........+.+.....+.+...+.....+................+...+......+..+....+...........+.......+..+.+..+.+...........+.+..+..........+.......................+.......+..+....+..+....+..............+...................+............+.....+.+...+......+......+..+...+...+......+......+.......+............+...+.....+...+...+.........+.+..+.......+.....+.....................+.......+..+...+.......+....................+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +....+.....+....+.....+..........+............+.........+...+...+..............+.+..............+...+...+...+..........+.....+......+..........+.....+.+........+.+...+.....+...+...+....+........+.......+......+......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+..+.......+...+........+.........+.+...+.....+....+...+..+..........+..+......+...+.+...........+....+..............+.+.....+....+.........+.....+..........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..................+.+..+....+........+......+.......+...+..+....+........+..........+.....................+......+...............+........+...+...+.......+...+...............+............+.....+.........+.+...........................+........+...+.+......+..+...+............+.+...........+.+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +----- ++ openssl x509 -req -in /tmp/ovnkube-certs/ovnkube-webhook.csr -CA /tmp/ovnkube-certs/ovnkube-webhook-ca.crt -CAkey /tmp/ovnkube-certs/ovnkube-webhook-ca.key -extfile /dev/fd/63 -CAcreateserial -out /tmp/ovnkube-certs/ovnkube-webhook.crt -days 365 +++ printf subjectAltName=DNS:localhost +Certificate request self-signature ok +subject=CN = localhost ++ ovn_image=registry.lab.syscallx86.com/ovn-daemonset-fedora:latest ++ ovn_image_pull_policy=IfNotPresent ++ ovn_master_count=1 ++ ovnkube_master_loglevel=4 ++ ovn_enable_interconnect= +++ cat /tmp/ovnkube-certs/ovnkube-webhook-ca.crt +++ base64 -w0 ++ webhook_ca_bundle=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZFekNDQXZ1Z0F3SUJBZ0lVYzF1ZHNUNkhqMEN4UEhQcU8rT1kvbHZGOWcwd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0dURVhNQlVHQTFVRUF3d09jMlZzWmkxemFXZHVaV1F0WTJFd0hoY05NalF3T0RJek1EZ3lNVFF6V2hjTgpNalV3T1RJM01EZ3lNVFF6V2pBWk1SY3dGUVlEVlFRRERBNXpaV3htTFhOcFoyNWxaQzFqWVRDQ0FpSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQUs3U2pWTXE3ajBYY3gzaDhPWDZtSVB1MlFlWFZGR1kKOWxEVkJ2cUdMbDYyWkhMbTJYY1ExZUpuNmhudUtoYUt3NEo5cVhtOXFnQTg2bXUyOVBaeU55dXdrSFE4L1FqMAo5WFFMMGFYelM4TWJ0bXM4RkFGcVVzb2U3QS94MElUT2lQN0k3VVUwQytxMkhqY3FiRitLVUpqdkdsN2FDbFRlCkY5Q2d5YUJwampPWUVkUUdnOTBVbDllMHk2MUZjZnh5blVzMFRZek4ra0tjY1Q0Yy94QW1qaFY0UW1lVG5xMkEKK0N5SnZhYk9lN2RySFFBemhUdjFjblFjVkltd01kUE02aFg5cHY2UG9YSWVXdTZIbWdvbTVFNzBCZUZPQXA5aQo1NldoaVgxQmZ6ZzlxTTJvQnM2cGYyYTVXYnI2RjBjNjY3aUFmRGZlWkowMkR6Q2pKTUE5NnVwd2FjZXc3bXRXCi9BSnJ6NTl0dzlwb1RYOUZXd0tCOXA5bWpUaUsrTVhDUGtnK2tYS3pXWno1d1o5ZUxnT3dsZjlPMVJyd1hueGYKb3gyRkpUbkRETUtQeCtWUTlHQjRjQUZ3b2tENThLTVI2bHBBOTBsNHQ4MmN1SjF3Q1cwTWlySUhlOWtSS1RkMApZZnJkbmt2cjNYeEFuVERLT2lVVEF1Qnc5QWMyTERsMHNtSEpOaTQvYzQ0WHdDT1BXSHVUNmNZelZIZmxaRWZjCi9EZ3dFK2ZKZmVzd2RmdStBQmFvWWczdm50dlpJZHJCaVUrZEtRQWM2NW9QblJ3SllaWmx0cHJ6QU54K0dKWlEKa3lwVW8rKzQ4WVcrZElqb1llTU9QS3hyenAydVNGK0tZNFJtNXovclNKUGZkZUxZZmlDVTZ6b2dWdkp1T3hLUQpLK3lDZis5dm84YkxBZ01CQUFHalV6QlJNQjBHQTFVZERnUVdCQlRKUWtQdW1XUWQwb0FtNy95VWFxYnR1S281Cm9EQWZCZ05WSFNNRUdEQVdnQlRKUWtQdW1XUWQwb0FtNy95VWFxYnR1S281b0RBUEJnTlZIUk1CQWY4RUJUQUQKQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQk9GdXAyZ3YzcVJGcmlhU28wRW1LRTJselcyclVWVUR4dgpBZlFnV01jRXRMQTRPL0JmZFJmaEdGTXVMWGdVWm9CVy9kWVhCUndIQnhXdDhVVGtLNDZ2NFI1ckdzblF4cWQ2ClMxVnF6dUtzTmI4ZzdwRFA3NzJ5WStjbWVLSVdVek52bUhDWmdOK2w1dzMrVnB5ZnpFa0JyWUh6WERkWkIrSFMKaEVTUWo1d1N3YWJsVjM3dTVlUVVsSHFpelJYdVZ3ZFhWWmxrS0VhTkdjWG9zL1d1NjZXcytXVklrMzUvR0phQQp4cUNYanFhR3FkTmhsSmpLY2FEQ0hHV2swdmxQUVcrUStWcXkrMXVqZ0UrY0ZaTUJkbFZxNU9vVG1CbzFSUVVkCi9WRXo4OC9waU9FdG1RSHB4a1VtUWF5VlY2N3BPclZJdG5uMkdKbmkzNkFUWEtWR0dXSDNPMFZ5WlpJTnpRSmgKNnQvMk1NY0EvcWNjTXZmeFRyY3ozaEVlRCtna0VNSWpFeVp2UjluM2hQR1VkY21oaUpqY0JwamMzTi80S3RwMApMc3lndGxQUVJQS0RWTG9nekp5MFdDSldiWEtkSmZhUXJoTklheVgzK2ZTRHRFbUw5TmpPQ3IyblZkUGdkNEtmCnVySWNQN0UreFdJZk1YMzB6RkpVZ29VYXp0a3pHYTZMMnhDYldrMUZ6dUJ4WDZLUW83S2hYRTVWelA2MDdjVjUKZXUxbHFJZCt5MnB1V21NMzZhVGE1TDMrckhLMlJpT1pxTDk3dEkwR1lJTUtDVzQrT0kyUDFuWVJ5Sko3alNMMgp1NGxMMXhvNXFuTzhCVjFIV0FROHVMSDBXSEFvN1QzaWE0cTJkTVhwOW5xNjNmc25XNmFlYnVIaFl3bjhCLzU0CnVTcjVHcldVd2c9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== +++ cat /tmp/ovnkube-certs/ovnkube-webhook.key +++ base64 -w0 ++ webhook_key=LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9JQ0FRRHo4TDRqdWJ0L3dWQU8KT256UjRCbFV2WkJKditQNGVjcjd4K2h2czJKRTYzU1N6SnhPYW5YQ3BnT1NnaC9vRGltRDU0cWJxV3ZnVWlxawpxZHdOWnFJWUIxUHZJSUNlYWJ0ektscmtwTGhYSktjd3k0T2o2REJ4K0tDUGk0NnZwT3JrZ0tvYitmNDJnaEh6CkVxWDdHR0pTQmY2VWJWT2VlK0ZuN0Eyc01Td3RiSksvZ1FlTUp5bHlJWWYvaDJndlVKRi92VG5MVEw0cDNSdkYKZnVSSnpsUzk0YzYzaGhVZEsxWDduUnM2OGxQQTlmYkVnTlQ4Y2VQcDQ0Mjd2K0E3ZjJTRFhQMnovNUlnakZBUQpBSlFMd1orWWlyV1plZ3JHVTh5RTdBRUhYZFlwVkFvT2JvTG9zcyt0Ky8vYWhHKy9ZOTRoZzBKRE91VGVIOU9ZCms0elFDK2RhTkE0NzdzWCtzcGhsTisxM3NHVy8xazQ3ZzEwNEtGdENPWWd4V2lOR01nVkJCbWJ2ODFSYnBPL0oKeFlBZnNMRzA3MldKL29UeXhaZUdTdFJoTnF0V0JGaHNwVFdNMUdSRnR0dksvbnEzMzFrL1FUQUZYaFFJWTZIKwpFWi91ZHRtSnhNbkplekQ4dHZCMXVlNWxURW0xK3o5R2UxYXlvbmxMbFF5a2U0Q1dWcWkyU1VjVEQ1YWZFOW1UCnVuUlF6aWdZVjZKVUdFalV0dU9zZ3MwVGhhM1BFQUdWakFKS3AxUVNUOVpQRjF2dGljdHRNN0I2c2ZSMnk1UU4KMlA2N1J0ZHhRSGd5TVB6alN0NXlPM3FFbmhZMUgweWZZSVU2T1ZIcEFKUkM0dVhDejRIcW1pVWRDY2lOS3psdgpjZnhZbE52YklsaW5QQ0Y4aVFQK1ZXamduNXRIZVFJREFRQUJBb0lDQUNPMWJvZjVSTWF2VENKQkVvdUFkQVRSCkdRR0t1dnJoRFVNdElNdlZKUUgwdTZSUG1tUHFOcUhQUG4rZ1Y3NVc4R0hVTDVpWXhPZFo3ODhaNUZINzM2ZUgKenhRV25HMVVDZklTVmFyWnAvaHRyNkczY09ZNTgzbURqVEZtR3ZXQVBUaEUwMkgwQnZBQXUxTHJQR3ZVeG5PKwpWK1Z2V1ltK0ZhRnFUeGdSUEtmTG1IRzdHQmsrbEZVV0xudkwzUWJzRXRoeG9UZXUzTGx4R2dNZmo1aDBRVGhvCmlTT1pWNWJsQkptb0JsZnJLREo3YnV1VjlsZWI3bUtMQW5EazVoU2ZrZDJlNjY2QkwybGZVTXIrNHEwVDQySm4KajZ6UFRpdDVFZHUxVm5NM0c4WUIvTlRlL1gvRnlSdnRZeWNnTXVGLzQ0RGhYMzVLN1R6TXlPTXhXakFNUmduSApvTnhLYVpIZGdOZ3JTQ1h5YXlhYWZtOWo2blJCelN1cUxKenNwZzhLRkZhSDF4bWFzN29LTm1VemlwNWwvajBZCkNnUEY4NFFVbUJHcndBdnZXQ3I0dmhjY09Nb3NzdXhRTlVPQUJMQnoyclJaRVN4bHU0N2dYaTdwYkZ6NmNRekMKWjVGYXkwSjUybUdKZnk5dk8zbmpKMERuQWlyV1VyV1Y5OER2YVFFVjJ2ajg2dlVJeHEvVnUzWVhyQUdaSitkagphTnZ2c0t3RENGaEc0ZzFMV2g1N1FJZTJ6cGpOaS9DbzF6MUdNZlc1VkxQQUVZQytjbHB1MDZPb2F6WWEvZHZJCndRTWQ4L0dFdnVPZlJJV2ZMRXhSV0hXRldTNitMaEZTTURVUTcwajF1MEJUc1pTZVp0czBiM0l5YWhKaUtwUnEKZ1R4RnFJK1pxNy8zZGxvMkNzUFBBb0lCQVFEOUZYSi9qaFVnT3RrZURlTWFZbyt3WlMzdjJiZFE3bEwxamhYUQpFc1Y4NU5qVFZRbmkrK0lPR2pkeXUwa2lnV29RL3AyYVdBMm9Sb2ZBSHJIQmFPWHRaUHBWZ2ZSMEExRkpjTVJwCmdRaGlzUFg1SktTV2hXQmt4Nlh1RnAycmVhOFlGV0lnK29IWmQrU1plZXl4SkxNdWJOZlVmbVFXaG9RTGVjUVAKVkpPdGpGK2dJUjVvenRjVnVVU2tKUklBR2Z2bTJvampKNXF4Z1JQK0V5WWl5My9HSWNSUkxtaHYzUnFkMWxDYwo1MlRlZThTZXI0dG5GemtBdGNHRFNkZDhLMWF1NXl6bWNXSzY0d3lzMVl4ODUyVXlGTzBHeXNEZ2ZtbERDT2tJCllCNXZPcnpaL0RqWENNRVRHVmtpYVRlU0FlRmxOcW1md0RodDVsazhXZUNUMXlmSEFvSUJBUUQyd0ZMNVA3aysKWlhSbTB0dnBtWXJwajlLRzRmTUV4elhCNVJQT25qVC96cDJKbXVMaFc3bGFuelFua2pTVzVjWGtMU2Z0QlROWgo2ZFpmYjBKcDdkb21pSDkvcExIT3JXN1RxSmhkMEJ5SWJ6cVkrb3A2RjdndWlYU1U5MEpqejJydSt4a1cra0kxCjNqTGFWYnR0UXpjQlhFaTV5Z3hHZ0FZd1BNN0F2TW5kcWl3TVV0UEwzY1E0RFFWQ29WallTZVdsL3gySFZFaFIKajM5NEFKSUZNandsVFhQVEFKNGdjVkYzOXAvb3piNDdKTlBOMlVYYjYzc2I4cStNRGJXVTUwdm4yMlQ3eS9KVAo1MStUWFIraGxCNzlXcnkvMVFYYjd1NU5RUlNoTGpaZUtoQnBoN3ZrTkE5T0tHd3ZvRHlPaUovN2dSbmNCd205CmZ4U2UvbjIxQ3BhL0FvSUJBUURVWTZaV0k0L1pIMm5NRGcxenZCa29DSkZYZ3hlVGhKMzhVd1E5UFRPZEQ1UmoKTGkrQTNLK2w5QnhxWFlBUHhCbVdMNGRsMnRXRFRjVm8xcG1JWFpidjlka2IzMWFkOFpiTEVpYlMvNlZnNVc5WAphWWZ5aGZZU1BYWWo2N2pnQ2R1R1U1T3BaM0dIWmxWaTgyNU9ieVVzSmMydkYyNjVkS1BsMllkTzhrU0kxWS8rCm15eWcra3lJZjVWNlIxM20xZWVQb2dCVTJZeTV3RUJkN2dZSUYwMmdvZi9WdlNPS0ZUemNEdHBTQXVLa3o2dC8KSElUWnZDUnJVeDBXSitiOTNvVDlmU1l5TWgrUUJURkM3bWZhL25udllKNVdIOXRqeXRKZG5tR3FWTGZWMHE1ZwpKWW94ODdmTVptNW1NWFNnUkpHNlZmaGVCM3VUeDBkR0hZc1pwdXRMQW9JQkFFK2dudVlhWDFBNGMwamZVT0pnCmowaHlCakZLNXg2cW5ybDBrR0RFQXp4dDA3N2RRY3dSeW8zcEJHNmtxdDNyUm1JdEJFNWp1RCtTeTRBK3FrTCsKNDhBOW1rOTV1WHVGMGxieGVFSUY3NzlEamJoaVdaK3UyZHdDdGFHQTdXYkNQN0xoU3laMEdqdkIrYzBsajNkaQpFblVZNzhzczNhcytrMENyenRpNTA3YjV2SDg1bDJtWnBrR2tTZ2RIaENGQUw2RFM1QmVRNWttVHNrSHFoVFN5CkVtRERUdFpQdzdlYWVmenBsSThQSGcxK0ErL1E1czlpZlhiMmFSb2NMblhmOGtuZkxnWm51VXJFUnI2S2RiT3gKMWhKU1hzalZHSy94dWVzcVRscjVTOGcxY05odFdmLzVvTnJMQnFhVDRoYnBGaCtXZU43ZFVwSlpXVEU1MVIxQQpUb2NDZ2dFQkFKS2FodTltYTMvV2RyS2M5MnpwdmRqb1dPMW5yWXJVZlozbytMazB2aTRVcjNBaUt1ZlkrN1RtCmMwRmM0R3VmdEtTTndFTlpSRDJJZ01LUFhJNVQrczhVVkZCdzFZOVlPWHN2T1JzMU0xOVVuYkxqNkphbjd3dk0KZEp1TCtKRXNIMGtPMm1GQ0FzLzdPbGpCMXBha1M2UDBYd0FnVjhHaDYrblNxQUlrNUxUVG9aWS82STE4bG16RwpHMFo0aGdzZkxEM25wQUJNdlR2N2x6TUdkY3ZwQlBJVkxyVEJDZ2gyemlFUmt1N1lYdkpTNXJnZVVheHdQQkVhCkdqcWQyUGFzaTIrTyt0dUlobytpZXoxWkdrUWJGSUFwT25mTDBZZ2MzT3A5RHhzNXJ5bHFpa01tTGxSNzV5S2MKZkxqNHJBczdBZEVjWTlwT1MvcGhvTExMdWxLOTA2MD0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo= +++ cat /tmp/ovnkube-certs/ovnkube-webhook.crt +++ base64 -w0 ++ webhook_cert=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZFekNDQXZ1Z0F3SUJBZ0lVYnRySU54VFdGMUwrck9NY2pZSjJTQVFnUTNZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0dURVhNQlVHQTFVRUF3d09jMlZzWmkxemFXZHVaV1F0WTJFd0hoY05NalF3T0RJek1EZ3lNVFEyV2hjTgpNalV3T0RJek1EZ3lNVFEyV2pBVU1SSXdFQVlEVlFRRERBbHNiMk5oYkdodmMzUXdnZ0lpTUEwR0NTcUdTSWIzCkRRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRRHo4TDRqdWJ0L3dWQU9PbnpSNEJsVXZaQkp2K1A0ZWNyN3graHYKczJKRTYzU1N6SnhPYW5YQ3BnT1NnaC9vRGltRDU0cWJxV3ZnVWlxa3Fkd05acUlZQjFQdklJQ2VhYnR6S2xyawpwTGhYSktjd3k0T2o2REJ4K0tDUGk0NnZwT3JrZ0tvYitmNDJnaEh6RXFYN0dHSlNCZjZVYlZPZWUrRm43QTJzCk1Td3RiSksvZ1FlTUp5bHlJWWYvaDJndlVKRi92VG5MVEw0cDNSdkZmdVJKemxTOTRjNjNoaFVkSzFYN25SczYKOGxQQTlmYkVnTlQ4Y2VQcDQ0Mjd2K0E3ZjJTRFhQMnovNUlnakZBUUFKUUx3WitZaXJXWmVnckdVOHlFN0FFSApYZFlwVkFvT2JvTG9zcyt0Ky8vYWhHKy9ZOTRoZzBKRE91VGVIOU9ZazR6UUMrZGFOQTQ3N3NYK3NwaGxOKzEzCnNHVy8xazQ3ZzEwNEtGdENPWWd4V2lOR01nVkJCbWJ2ODFSYnBPL0p4WUFmc0xHMDcyV0ovb1R5eFplR1N0UmgKTnF0V0JGaHNwVFdNMUdSRnR0dksvbnEzMzFrL1FUQUZYaFFJWTZIK0VaL3VkdG1KeE1uSmV6RDh0dkIxdWU1bApURW0xK3o5R2UxYXlvbmxMbFF5a2U0Q1dWcWkyU1VjVEQ1YWZFOW1UdW5SUXppZ1lWNkpVR0VqVXR1T3NnczBUCmhhM1BFQUdWakFKS3AxUVNUOVpQRjF2dGljdHRNN0I2c2ZSMnk1UU4yUDY3UnRkeFFIZ3lNUHpqU3Q1eU8zcUUKbmhZMUgweWZZSVU2T1ZIcEFKUkM0dVhDejRIcW1pVWRDY2lOS3psdmNmeFlsTnZiSWxpblBDRjhpUVArVldqZwpuNXRIZVFJREFRQUJvMWd3VmpBVUJnTlZIUkVFRFRBTGdnbHNiMk5oYkdodmMzUXdIUVlEVlIwT0JCWUVGTk9MClpnWXhNb1JqTFg1WW4zbFZzNFFJbWd0Mk1COEdBMVVkSXdRWU1CYUFGTWxDUSs2WlpCM1NnQ2J2L0pScXB1MjQKcWptZ01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQ1JSNHN5NEw4ZW8zMmZZWXR3dTlsM3REVEsyREZ4T3pFawphazJYd3RoS3ZVU05RNHg4WHFId2J6dG85NjYvUjZTN1hNaVNzUUpRS3ZycU1pcjJOZVRhTE5uU082eGJOcE55Cm80R0RtV09BRHBUQnRiU2lOb1dkczliVlROaHkyVTA5d1Z0L1UybFEyMHFXaEJ6d0tGalZQb0hRVUJXbTZTZysKaHhBR2tSaUFkcngwYjRUSVkrck5FemhSdDFwTHZsN2I5cTU2eHJPZFFPWFRsTHF2Wk91cWt2RUdSR3BESEhrRQpVVGFDZzcxT0prZitka1hkWEttYzRYUEhqcnlLdmI5bW90Z2FmTzJ5dUlzeWx0RTBSeHV2STcvZGZQd1YyS2pTClJsOGpnRzN6Qmp4NFFiSk84YXlHV0w2MGpHZEo1bnZrWDUvdmh3MFo3a0xYbzhOeVJ5ellCSUhQVUlmSlNxeFcKOVZ0Vk1PcmlkN3R1czVKeXhBb1NlY05FSzVwbCt6NXFDbldKZmRSY3dtRjZoS21rdGVQK2JYdVdjeU5idVNoOQpnRXRZVzh2dktlQUg5aXlmZGFORWZkcmJ0NEhjS01jaDhGbzZETCt3MDBuek1kZ3lyR2ZyeEVMWmJESDVKRDhIClFrQ0c1cVQ2S081K1IzV21wVFo2RndBSVFqNXcxU2tvTG5xdFdISVJTUVVnczdTS2lYVUdYMVI2dnZ6eHRZaWwKZHhIZU9WbGY4WmlvRGp4VEx2T1l4Tjk2OVdoTDlRT3Q1VjJFL0twYzkvZ0poVDI1VVBYZmJRTWxTbkNZN1k1SAptSmwxTi9LQW81THVDRlZzVmhESitES0xodUJFYm9kemorcHJhS2drdUNzcmpHWlNiaTY0bHgyeFFyV0ExWHZDCktGcGRhdjdGbmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== ++ ovn_enable_multi_node_zone= ++ ovn_hybrid_overlay_enable= ++ jinjanate ../templates/ovnkube-identity.yaml.j2 -o ../yaml/ovnkube-identity.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ false ++ net_cidr=10.38.0.0/16 ++ svc_cidr=10.49.0.0/16 ++ k8s_apiserver=https://10.1.16.11:6443 ++ mtu=1400 ++ host_network_namespace=ovn-host-network ++ in_upgrade=false ++ echo 'net_cidr: 10.38.0.0/16' ++ echo 'svc_cidr: 10.49.0.0/16' ++ echo 'k8s_apiserver: https://10.1.16.11:6443' ++ echo 'mtu: 1400' ++ echo 'host_network_namespace: ovn-host-network' ++ echo 'in_upgrade: false' ++ net_cidr=10.38.0.0/16 ++ svc_cidr=10.49.0.0/16 ++ mtu_value=1400 ++ k8s_apiserver=https://10.1.16.11:6443 ++ host_network_namespace=ovn-host-network ++ in_upgrade=false ++ jinjanate ../templates/ovn-setup.yaml.j2 -o ../yaml/ovn-setup.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovn_enable_interconnect= ++ ovn_enable_ovnkube_identity=true ++ ovn_enable_dnsnameresolver=false ++ jinjanate ../templates/rbac-ovnkube-node.yaml.j2 -o ../yaml/rbac-ovnkube-node.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovn_network_segmentation_enable= ++ ovn_enable_dnsnameresolver=false ++ jinjanate ../templates/rbac-ovnkube-cluster-manager.yaml.j2 -o ../yaml/rbac-ovnkube-cluster-manager.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ ovn_network_segmentation_enable= ++ ovn_enable_dnsnameresolver=false ++ jinjanate ../templates/rbac-ovnkube-master.yaml.j2 -o ../yaml/rbac-ovnkube-master.yaml +jinjanate 24.3.0, Jinja2 2.11.3 ++ cp ../templates/rbac-ovnkube-identity.yaml.j2 ../yaml/rbac-ovnkube-identity.yaml ++ cp ../templates/rbac-ovnkube-db.yaml.j2 ../yaml/rbac-ovnkube-db.yaml ++ cp ../templates/ovnkube-monitor.yaml.j2 ../yaml/ovnkube-monitor.yaml ++ cp ../templates/k8s.ovn.org_egressfirewalls.yaml.j2 ../yaml/k8s.ovn.org_egressfirewalls.yaml ++ cp ../templates/k8s.ovn.org_egressips.yaml.j2 ../yaml/k8s.ovn.org_egressips.yaml ++ cp ../templates/k8s.ovn.org_egressqoses.yaml.j2 ../yaml/k8s.ovn.org_egressqoses.yaml ++ cp ../templates/k8s.ovn.org_egressservices.yaml.j2 ../yaml/k8s.ovn.org_egressservices.yaml ++ cp ../templates/k8s.ovn.org_adminpolicybasedexternalroutes.yaml.j2 ../yaml/k8s.ovn.org_adminpolicybasedexternalroutes.yaml ++ cp ../templates/k8s.ovn.org_userdefinednetworks.yaml.j2 ../yaml/k8s.ovn.org_userdefinednetworks.yaml ++ exit 0 diff --git a/21_ovn/generated/images/daemonset.sh b/21_ovn/generated/images/daemonset.sh new file mode 100755 index 0000000..28c4609 --- /dev/null +++ b/21_ovn/generated/images/daemonset.sh @@ -0,0 +1,1015 @@ +#!/bin/bash +set -x + +#Always exit on errors +set -e + +install_jinjanator_renderer() { + # ensure jinjanator renderer installed + pip install wheel --user + pip freeze | grep jinjanator || pip install "jinjanator[yaml]" --user + export PATH=~/.local/bin:$PATH +} + +# The script renders j2 templates into yaml files in ../yaml/ + +# ensure jinjanator renderer installed +if ! command -v jinjanate >/dev/null 2>&1 ; then + if ! command -v pip >/dev/null 2>&1 ; then + echo "Dependency not met: 'jinjanator' not installed and cannot install with 'pip'" + exit 1 + fi + echo "'jinjanate' not found, installing with 'pip'" + install_jinjanator_renderer +fi + +OVN_OUTPUT_DIR="" +OVN_IMAGE="" +OVN_IMAGE_PULL_POLICY="" +OVN_NET_CIDR="" +OVN_SVC_CIDR="" +OVN_K8S_APISERVER="" +OVN_GATEWAY_MODE="" +OVN_GATEWAY_OPTS="" +OVN_DUMMY_GATEWAY_BRIDGE="" +OVN_DB_REPLICAS="" +OVN_MTU="" +OVN_SSL_ENABLE="" +OVN_UNPRIVILEGED_MODE="" +MASTER_LOGLEVEL="" +NODE_LOGLEVEL="" +DBCHECKER_LOGLEVEL="" +OVN_LOGLEVEL_NORTHD="" +OVN_LOGLEVEL_NB="" +OVN_LOGLEVEL_SB="" +OVN_LOGLEVEL_CONTROLLER="" +OVN_LOGLEVEL_NBCTLD="" +OVNKUBE_LOGFILE_MAXSIZE="" +OVNKUBE_LOGFILE_MAXBACKUPS="" +OVNKUBE_LOGFILE_MAXAGE="" +OVNKUBE_LIBOVSDB_CLIENT_LOGFILE="" +OVN_ACL_LOGGING_RATE_LIMIT="" +OVN_MASTER_COUNT="" +OVN_REMOTE_PROBE_INTERVAL="" +OVN_MONITOR_ALL="" +OVN_OFCTRL_WAIT_BEFORE_CLEAR="" +OVN_ENABLE_LFLOW_CACHE="" +OVN_LFLOW_CACHE_LIMIT="" +OVN_LFLOW_CACHE_LIMIT_KB="" +OVN_HYBRID_OVERLAY_ENABLE="" +OVN_DISABLE_SNAT_MULTIPLE_GWS="" +OVN_DISABLE_FORWARDING="" +OVN_DISABLE_PKT_MTU_CHECK="" +OVN_EMPTY_LB_EVENTS="" +OVN_MULTICAST_ENABLE="" +OVN_ADMIN_NETWORK_POLICY_ENABLE="" +OVN_EGRESSIP_ENABLE= +OVN_EGRESSIP_HEALTHCHECK_PORT= +OVN_EGRESSFIREWALL_ENABLE= +OVN_EGRESSQOS_ENABLE= +OVN_EGRESSSERVICE_ENABLE= +OVN_DISABLE_OVN_IFACE_ID_VER="false" +OVN_MULTI_NETWORK_ENABLE= +OVN_NETWORK_SEGMENTATION_ENABLE= +OVN_V4_JOIN_SUBNET="" +OVN_V6_JOIN_SUBNET="" +OVN_V4_MASQUERADE_SUBNET="" +OVN_V6_MASQUERADE_SUBNET="" +OVN_V4_TRANSIT_SWITCH_SUBNET="" +OVN_V6_TRANSIT_SWITCH_SUBNET="" +OVN_NETFLOW_TARGETS="" +OVN_SFLOW_TARGETS="" +OVN_IPFIX_TARGETS="" +OVN_IPFIX_SAMPLING="" +OVN_IPFIX_CACHE_MAX_FLOWS="" +OVN_IPFIX_CACHE_ACTIVE_TIMEOUT="" +OVN_HOST_NETWORK_NAMESPACE="" +OVN_EX_GW_NETWORK_INTERFACE="" +OVNKUBE_NODE_MGMT_PORT_NETDEV="" +OVNKUBE_CONFIG_DURATION_ENABLE= +OVNKUBE_METRICS_SCALE_ENABLE= +OVN_STATELESS_NETPOL_ENABLE="false" +OVN_ENABLE_INTERCONNECT= +OVN_ENABLE_OVNKUBE_IDENTITY="true" +OVN_ENABLE_PERSISTENT_IPS= +OVN_ENABLE_SVC_TEMPLATE_SUPPORT="true" +OVN_ENABLE_DNSNAMERESOLVER="false" +# IN_UPGRADE is true only if called by upgrade-ovn.sh during the upgrade test, +# it will render only the parts in ovn-setup.yaml related to RBAC permissions. +IN_UPGRADE= +# northd-backoff-interval, in ms +OVN_NORTHD_BACKOFF_INTERVAL= + +# Parse parameters given as arguments to this script. +while [ "$1" != "" ]; do + PARAM=$(echo $1 | awk -F= '{print $1}') + VALUE=$(echo $1 | cut -d= -f2-) + case $PARAM in + --output-directory) + OVN_OUTPUT_DIR=$VALUE + ;; + --image) + OVN_IMAGE=$VALUE + ;; + --ovnkube-image) + OVNKUBE_IMAGE=$VALUE + ;; + --image-pull-policy) + OVN_IMAGE_PULL_POLICY=$VALUE + ;; + --gateway-mode) + OVN_GATEWAY_MODE=$VALUE + ;; + --gateway-options) + OVN_GATEWAY_OPTS=$VALUE + ;; + --dummy-gateway-bridge) + OVN_DUMMY_GATEWAY_BRIDGE=$VALUE + ;; + --enable-ipsec) + ENABLE_IPSEC=$VALUE + ;; + --ovn-monitor-all) + OVN_MONITOR_ALL=$VALUE + ;; + --ovn-ofctrl-wait-before-clear) + OVN_OFCTRL_WAIT_BEFORE_CLEAR=$VALUE + ;; + --ovn-enable-lflow-cache) + OVN_ENABLE_LFLOW_CACHE=$VALUE + ;; + --ovn-lflow-cache-limit) + OVN_LFLOW_CACHE_LIMIT=$VALUE + ;; + --ovn-lflow-cache-limit-kb) + OVN_LFLOW_CACHE_LIMIT_KB=$VALUE + ;; + --net-cidr) + OVN_NET_CIDR=$VALUE + ;; + --svc-cidr) + OVN_SVC_CIDR=$VALUE + ;; + --k8s-apiserver) + OVN_K8S_APISERVER=$VALUE + ;; + --db-replicas) + OVN_DB_REPLICAS=$VALUE + ;; + --mtu) + OVN_MTU=$VALUE + ;; + --ovn-unprivileged-mode) + OVN_UNPRIVILEGED_MODE=$VALUE + ;; + --master-loglevel) + MASTER_LOGLEVEL=$VALUE + ;; + --node-loglevel) + NODE_LOGLEVEL=$VALUE + ;; + --dbchecker-loglevel) + DBCHECKER_LOGLEVEL=$VALUE + ;; + --ovn-loglevel-northd) + OVN_LOGLEVEL_NORTHD=$VALUE + ;; + --ovn-loglevel-nb) + OVN_LOGLEVEL_NB=$VALUE + ;; + --ovn-loglevel-sb) + OVN_LOGLEVEL_SB=$VALUE + ;; + --ovn-loglevel-controller) + OVN_LOGLEVEL_CONTROLLER=$VALUE + ;; + --ovnkube-logfile-maxsize) + OVNKUBE_LOGFILE_MAXSIZE=$VALUE + ;; + --ovnkube-logfile-maxbackups) + OVNKUBE_LOGFILE_MAXBACKUPS=$VALUE + ;; + --ovnkube-logfile-maxage) + OVNKUBE_LOGFILE_MAXAGE=$VALUE + ;; + --ovnkube-libovsdb-client-logfile) + OVNKUBE_LIBOVSDB_CLIENT_LOGFILE=$VALUE + ;; + --acl-logging-rate-limit) + OVN_ACL_LOGGING_RATE_LIMIT=$VALUE + ;; + --ssl) + OVN_SSL_ENABLE="yes" + ;; + --ovn_nb_raft_election_timer) + OVN_NB_RAFT_ELECTION_TIMER=$VALUE + ;; + --ovn_sb_raft_election_timer) + OVN_SB_RAFT_ELECTION_TIMER=$VALUE + ;; + --ovn-master-count) + OVN_MASTER_COUNT=$VALUE + ;; + --ovn-nb-port) + OVN_NB_PORT=$VALUE + ;; + --ovn-sb-port) + OVN_SB_PORT=$VALUE + ;; + --ovn-nb-raft-port) + OVN_NB_RAFT_PORT=$VALUE + ;; + --ovn-sb-raft-port) + OVN_SB_RAFT_PORT=$VALUE + ;; + --hybrid-enabled) + OVN_HYBRID_OVERLAY_ENABLE=$VALUE + ;; + --disable-snat-multiple-gws) + OVN_DISABLE_SNAT_MULTIPLE_GWS=$VALUE + ;; + --disable-forwarding) + OVN_DISABLE_FORWARDING=$VALUE + ;; + --ovn-encap-port) + OVN_ENCAP_PORT=$VALUE + ;; + --disable-pkt-mtu-check) + OVN_DISABLE_PKT_MTU_CHECK=$VALUE + ;; + --ovn-empty-lb-events) + OVN_EMPTY_LB_EVENTS=$VALUE + ;; + --multicast-enabled) + OVN_MULTICAST_ENABLE=$VALUE + ;; + --admin-network-policy-enable) + OVN_ADMIN_NETWORK_POLICY_ENABLE=$VALUE + ;; + --egress-ip-enable) + OVN_EGRESSIP_ENABLE=$VALUE + ;; + --egress-ip-healthcheck-port) + OVN_EGRESSIP_HEALTHCHECK_PORT=$VALUE + ;; + --disabe-ovn-iface-id-ver) + OVN_DISABLE_OVN_IFACE_ID_VER=$VALUE + ;; + --egress-firewall-enable) + OVN_EGRESSFIREWALL_ENABLE=$VALUE + ;; + --egress-qos-enable) + OVN_EGRESSQOS_ENABLE=$VALUE + ;; + --multi-network-enable) + OVN_MULTI_NETWORK_ENABLE=$VALUE + ;; + --network-segmentation-enable) + OVN_NETWORK_SEGMENTATION_ENABLE=$VALUE + ;; + --egress-service-enable) + OVN_EGRESSSERVICE_ENABLE=$VALUE + ;; + --v4-join-subnet) + OVN_V4_JOIN_SUBNET=$VALUE + ;; + --v6-join-subnet) + OVN_V6_JOIN_SUBNET=$VALUE + ;; + --v4-masquerade-subnet) + OVN_V4_MASQUERADE_SUBNET=$VALUE + ;; + --v6-masquerade-subnet) + OVN_V6_MASQUERADE_SUBNET=$VALUE + ;; + --v4-transit-switch-subnet) + OVN_V4_TRANSIT_SWITCH_SUBNET=$VALUE + ;; + --v6-transit-switch-subnet) + OVN_V6_TRANSIT_SWITCH_SUBNET=$VALUE + ;; + --netflow-targets) + OVN_NETFLOW_TARGETS=$VALUE + ;; + --sflow-targets) + OVN_SFLOW_TARGETS=$VALUE + ;; + --ipfix-targets) + OVN_IPFIX_TARGETS=$VALUE + ;; + --ipfix-sampling) + OVN_IPFIX_SAMPLING=$VALUE + ;; + --ipfix-cache-max-flows) + OVN_IPFIX_CACHE_MAX_FLOWS=$VALUE + ;; + --ipfix-cache-active-timeout) + OVN_IPFIX_CACHE_ACTIVE_TIMEOUT=$VALUE + ;; + --host-network-namespace) + OVN_HOST_NETWORK_NAMESPACE=$VALUE + ;; + --ex-gw-network-interface) + OVN_EX_GW_NETWORK_INTERFACE=$VALUE + ;; + --ovnkube-node-mgmt-port-netdev) + OVNKUBE_NODE_MGMT_PORT_NETDEV=$VALUE + ;; + --ovnkube-node-mgmt-port-dp-resource-name) + OVNKUBE_NODE_MGMT_PORT_DP_RESOURCE_NAME=$VALUE + ;; + --ovnkube-config-duration-enable) + OVNKUBE_CONFIG_DURATION_ENABLE=$VALUE + ;; + --ovnkube-metrics-scale-enable) + OVNKUBE_METRICS_SCALE_ENABLE=$VALUE + ;; + --in-upgrade) + IN_UPGRADE=true + ;; + --stateless-netpol-enable) + OVN_STATELESS_NETPOL_ENABLE=$VALUE + ;; + --compact-mode) + COMPACT_MODE=$VALUE + ;; + --enable-interconnect) + OVN_ENABLE_INTERCONNECT=$VALUE + ;; + --enable-multi-external-gateway) + OVN_ENABLE_MULTI_EXTERNAL_GATEWAY=$VALUE + ;; + --enable-ovnkube-identity) + OVN_ENABLE_OVNKUBE_IDENTITY=$VALUE + ;; + --ovn-northd-backoff-interval) + OVN_NORTHD_BACKOFF_INTERVAL=$VALUE + ;; + --enable-persistent-ips) + OVN_ENABLE_PERSISTENT_IPS=$VALUE + ;; + --enable-svc-template-support) + OVN_ENABLE_SVC_TEMPLATE_SUPPORT=$VALUE + ;; + --enable-dnsnameresolver) + OVN_ENABLE_DNSNAMERESOLVER=$VALUE + ;; + *) + echo "WARNING: unknown parameter \"$PARAM\"" + exit 1 + ;; + esac + shift +done + +# Create the daemonsets with the desired image +# They are expanded into daemonsets in the specified +# output directory. +if [ -z ${OVN_OUTPUT_DIR} ] ; then + output_dir="../yaml" +else + output_dir=${OVN_OUTPUT_DIR} + if [ ! -d ${OVN_OUTPUT_DIR} ]; then + mkdir $output_dir + fi +fi +echo "output_dir: $output_dir" + +image=${OVN_IMAGE:-"docker.io/ovnkube/ovn-daemonset:latest"} +echo "image: ${image}" + +ovnkube_image=${OVNKUBE_IMAGE:-${image}} +echo "ovnkube_image: ${ovnkube_image}" + +image_pull_policy=${OVN_IMAGE_PULL_POLICY:-"IfNotPresent"} +echo "imagePullPolicy: ${image_pull_policy}" + +ovn_gateway_mode=${OVN_GATEWAY_MODE} +echo "ovn_gateway_mode: ${ovn_gateway_mode}" + +ovn_gateway_opts=${OVN_GATEWAY_OPTS} +echo "ovn_gateway_opts: ${ovn_gateway_opts}" + +ovn_dummy_gateway_bridge=${OVN_DUMMY_GATEWAY_BRIDGE} +echo "ovn_dummy_gateway_bridge: ${ovn_dummy_gateway_bridge}" + +enable_ipsec=${ENABLE_IPSEC:-false} +echo "enable_ipsec: ${enable_ipsec}" + +ovn_db_replicas=${OVN_DB_REPLICAS:-3} +echo "ovn_db_replicas: ${ovn_db_replicas}" +ovn_db_minAvailable=$(((${ovn_db_replicas} + 1) / 2)) +echo "ovn_db_minAvailable: ${ovn_db_minAvailable}" +master_loglevel=${MASTER_LOGLEVEL:-"4"} +echo "master_loglevel: ${master_loglevel}" +node_loglevel=${NODE_LOGLEVEL:-"5"} +echo "node_loglevel: ${node_loglevel}" +db_checker_loglevel=${DBCHECKER_LOGLEVEL:-"4"} +echo "db_checker_loglevel: ${db_checker_loglevel}" +ovn_loglevel_northd=${OVN_LOGLEVEL_NORTHD:-"-vconsole:info -vfile:info"} +echo "ovn_loglevel_northd: ${ovn_loglevel_northd}" +ovn_loglevel_nb=${OVN_LOGLEVEL_NB:-"-vconsole:info -vfile:info"} +echo "ovn_loglevel_nb: ${ovn_loglevel_nb}" +ovn_loglevel_sb=${OVN_LOGLEVEL_SB:-"-vconsole:info -vfile:info"} +echo "ovn_loglevel_sb: ${ovn_loglevel_sb}" +ovn_loglevel_controller=${OVN_LOGLEVEL_CONTROLLER:-"-vconsole:dbg"} +echo "ovn_loglevel_controller: ${ovn_loglevel_controller}" +ovnkube_logfile_maxsize=${OVNKUBE_LOGFILE_MAXSIZE:-"100"} +echo "ovnkube_logfile_maxsize: ${ovnkube_logfile_maxsize}" +ovnkube_logfile_maxbackups=${OVNKUBE_LOGFILE_MAXBACKUPS:-"5"} +echo "ovnkube_logfile_maxbackups: ${ovnkube_logfile_maxbackups}" +ovnkube_logfile_maxage=${OVNKUBE_LOGFILE_MAXAGE:-"5"} +echo "ovnkube_logfile_maxage: ${ovnkube_logfile_maxage}" +ovnkube_libovsdb_client_logfile=${OVNKUBE_LIBOVSDB_CLIENT_LOGFILE} +echo "ovnkube_libovsdb_client_logfile: ${ovnkube_libovsdb_client_logfile}" +ovn_acl_logging_rate_limit=${OVN_ACL_LOGGING_RATE_LIMIT:-"20"} +echo "ovn_acl_logging_rate_limit: ${ovn_acl_logging_rate_limit}" +ovn_hybrid_overlay_enable=${OVN_HYBRID_OVERLAY_ENABLE} +echo "ovn_hybrid_overlay_enable: ${ovn_hybrid_overlay_enable}" +ovn_admin_network_policy_enable=${OVN_ADMIN_NETWORK_POLICY_ENABLE} +echo "ovn_admin_network_policy_enable: ${ovn_admin_network_policy_enable}" +ovn_egress_ip_enable=${OVN_EGRESSIP_ENABLE} +echo "ovn_egress_ip_enable: ${ovn_egress_ip_enable}" +ovn_egress_ip_healthcheck_port=${OVN_EGRESSIP_HEALTHCHECK_PORT} +echo "ovn_egress_ip_healthcheck_port: ${ovn_egress_ip_healthcheck_port}" +ovn_egress_firewall_enable=${OVN_EGRESSFIREWALL_ENABLE} +echo "ovn_egress_firewall_enable: ${ovn_egress_firewall_enable}" +ovn_egress_qos_enable=${OVN_EGRESSQOS_ENABLE} +echo "ovn_egress_qos_enable: ${ovn_egress_qos_enable}" +ovn_egress_service_enable=${OVN_EGRESSSERVICE_ENABLE} +echo "ovn_egress_service_enable: ${ovn_egress_service_enable}" +ovn_disable_ovn_iface_id_ver=${OVN_DISABLE_OVN_IFACE_ID_VER} +echo "ovn_disable_ovn_iface_id_ver: ${ovn_disable_ovn_iface_id_ver}" +ovn_multi_network_enable=${OVN_MULTI_NETWORK_ENABLE} +echo "ovn_multi_network_enable: ${ovn_multi_network_enable}" +ovn_network_segmentation_enable=${OVN_NETWORK_SEGMENTATION_ENABLE} +echo "ovn_network_segmentation_enable: ${ovn_network_segmentation_enable}" +ovn_hybrid_overlay_net_cidr=${OVN_HYBRID_OVERLAY_NET_CIDR} +echo "ovn_hybrid_overlay_net_cidr: ${ovn_hybrid_overlay_net_cidr}" +ovn_disable_snat_multiple_gws=${OVN_DISABLE_SNAT_MULTIPLE_GWS} +echo "ovn_disable_snat_multiple_gws: ${ovn_disable_snat_multiple_gws}" +ovn_disable_forwarding=${OVN_DISABLE_FORWARDING} +echo "ovn_disable_forwarding: ${ovn_disable_forwarding}" +ovn_encap_port=${OVN_ENCAP_PORT} +echo "ovn_encap_port: ${ovn_encap_port}" +ovn_disable_pkt_mtu_check=${OVN_DISABLE_PKT_MTU_CHECK} +echo "ovn_disable_pkt_mtu_check: ${ovn_disable_pkt_mtu_check}" +ovn_empty_lb_events=${OVN_EMPTY_LB_EVENTS} +echo "ovn_empty_lb_events: ${ovn_empty_lb_events}" +ovn_ssl_en=${OVN_SSL_ENABLE:-"no"} +echo "ovn_ssl_enable: ${ovn_ssl_en}" +ovn_unprivileged_mode=${OVN_UNPRIVILEGED_MODE:-"no"} +echo "ovn_unprivileged_mode: ${ovn_unprivileged_mode}" +ovn_nb_raft_election_timer=${OVN_NB_RAFT_ELECTION_TIMER:-1000} +echo "ovn_nb_raft_election_timer: ${ovn_nb_raft_election_timer}" +ovn_sb_raft_election_timer=${OVN_SB_RAFT_ELECTION_TIMER:-1000} +echo "ovn_sb_raft_election_timer: ${ovn_sb_raft_election_timer}" +ovn_master_count=${OVN_MASTER_COUNT:-"1"} +echo "ovn_master_count: ${ovn_master_count}" +ovn_remote_probe_interval=${OVN_REMOTE_PROBE_INTERVAL:-"100000"} +echo "ovn_remote_probe_interval: ${ovn_remote_probe_interval}" +ovn_monitor_all=${OVN_MONITOR_ALL} +echo "ovn_monitor_all: ${ovn_monitor_all}" +ovn_ofctrl_wait_before_clear=${OVN_OFCTRL_WAIT_BEFORE_CLEAR} +echo "ovn_ofctrl_wait_before_clear: ${ovn_ofctrl_wait_before_clear}" +ovn_enable_lflow_cache=${OVN_ENABLE_LFLOW_CACHE} +echo "ovn_enable_lflow_cache: ${ovn_enable_lflow_cache}" +ovn_lflow_cache_limit=${OVN_LFLOW_CACHE_LIMIT} +echo "ovn_lflow_cache_limit: ${ovn_lflow_cache_limit}" +ovn_lflow_cache_limit_kb=${OVN_LFLOW_CACHE_LIMIT_KB} +echo "ovn_lflow_cache_limit_kb: ${ovn_lflow_cache_limit_kb}" +ovn_nb_port=${OVN_NB_PORT:-6641} +echo "ovn_nb_port: ${ovn_nb_port}" +ovn_sb_port=${OVN_SB_PORT:-6642} +echo "ovn_sb_port: ${ovn_sb_port}" +ovn_nb_raft_port=${OVN_NB_RAFT_PORT:-6643} +echo "ovn_nb_raft_port: ${ovn_nb_raft_port}" +ovn_sb_raft_port=${OVN_SB_RAFT_PORT:-6644} +echo "ovn_sb_raft_port: ${ovn_sb_raft_port}" +ovn_multicast_enable=${OVN_MULTICAST_ENABLE} +echo "ovn_multicast_enable: ${ovn_multicast_enable}" +ovn_v4_join_subnet=${OVN_V4_JOIN_SUBNET} +echo "ovn_v4_join_subnet: ${ovn_v4_join_subnet}" +ovn_v6_join_subnet=${OVN_V6_JOIN_SUBNET} +echo "ovn_v6_join_subnet: ${ovn_v6_join_subnet}" +ovn_v4_masquerade_subnet=${OVN_V4_MASQUERADE_SUBNET} +echo "ovn_v4_masquerade_subnet: ${ovn_v4_masquerade_subnet}" +ovn_v6_masquerade_subnet=${OVN_V6_MASQUERADE_SUBNET} +echo "ovn_v6_masquerade_subnet: ${ovn_v6_masquerade_subnet}" +ovn_v4_transit_switch_subnet=${OVN_V4_TRANSIT_SWITCH_SUBNET} +echo "ovn_v4_transit_switch_subnet: ${ovn_v4_transit_switch_subnet}" +ovn_v6_transit_switch_subnet=${OVN_V6_TRANSIT_SWITCH_SUBNET} +echo "ovn_v6_transit_switch_subnet: ${ovn_v6_transit_switch_subnet}" +ovn_netflow_targets=${OVN_NETFLOW_TARGETS} +echo "ovn_netflow_targets: ${ovn_netflow_targets}" +ovn_sflow_targets=${OVN_SFLOW_TARGETS} +echo "ovn_sflow_targets: ${ovn_sflow_targets}" +ovn_ipfix_targets=${OVN_IPFIX_TARGETS} +echo "ovn_ipfix_targets: ${ovn_ipfix_targets}" +ovn_ipfix_sampling=${OVN_IPFIX_SAMPLING} +echo "ovn_ipfix_sampling: ${ovn_ipfix_sampling}" +ovn_ipfix_cache_max_flows=${OVN_IPFIX_CACHE_MAX_FLOWS} +echo "ovn_ipfix_cache_max_flows: ${ovn_ipfix_cache_max_flows}" +ovn_ipfix_cache_active_timeout=${OVN_IPFIX_CACHE_ACTIVE_TIMEOUT} +echo "ovn_ipfix_cache_active_timeout: ${ovn_ipfix_cache_active_timeout}" +ovn_ex_gw_networking_interface=${OVN_EX_GW_NETWORK_INTERFACE} +echo "ovn_ex_gw_networking_interface: ${ovn_ex_gw_networking_interface}" +ovnkube_node_mgmt_port_netdev=${OVNKUBE_NODE_MGMT_PORT_NETDEV} +echo "ovnkube_node_mgmt_port_netdev: ${ovnkube_node_mgmt_port_netdev}" +ovnkube_config_duration_enable=${OVNKUBE_CONFIG_DURATION_ENABLE} +echo "ovnkube_config_duration_enable: ${ovnkube_config_duration_enable}" +ovnkube_metrics_scale_enable=${OVNKUBE_METRICS_SCALE_ENABLE} +echo "ovnkube_metrics_scale_enable: ${ovnkube_metrics_scale_enable}" +ovn_stateless_netpol_enable=${OVN_STATELESS_NETPOL_ENABLE} +echo "ovn_stateless_netpol_enable: ${ovn_stateless_netpol_enable}" +ovnkube_compact_mode_enable=${COMPACT_MODE:-"false"} +echo "ovnkube_compact_mode_enable: ${ovnkube_compact_mode_enable}" +ovn_enable_interconnect=${OVN_ENABLE_INTERCONNECT} +echo "ovn_enable_interconnect: ${ovn_enable_interconnect}" +ovn_enable_multi_external_gateway=${OVN_ENABLE_MULTI_EXTERNAL_GATEWAY} +echo "ovn_enable_multi_external_gateway: ${ovn_enable_multi_external_gateway}" + +ovn_enable_ovnkube_identity=${OVN_ENABLE_OVNKUBE_IDENTITY} +echo "ovn_enable_ovnkube_identity: ${ovn_enable_ovnkube_identity}" + +ovn_northd_backoff_interval=${OVN_NORTHD_BACKOFF_INTERVAL} +echo "ovn_northd_backoff_interval: ${ovn_northd_backoff_interval}" + +ovn_enable_persistent_ips=${OVN_ENABLE_PERSISTENT_IPS} +echo "ovn_enable_persistent_ips: ${ovn_enable_persistent_ips}" + +ovn_enable_svc_template_support=${OVN_ENABLE_SVC_TEMPLATE_SUPPORT} +echo "ovn_enable_svc_template_support: ${ovn_enable_svc_template_support}" + +ovn_enable_dnsnameresolver=${OVN_ENABLE_DNSNAMERESOLVER} +echo "ovn_enable_dnsnameresolver: ${ovn_enable_dnsnameresolver}" + +ovn_image=${ovnkube_image} \ + ovnkube_compact_mode_enable=${ovnkube_compact_mode_enable} \ + ovn_image_pull_policy=${image_pull_policy} \ + ovn_unprivileged_mode=${ovn_unprivileged_mode} \ + ovn_gateway_mode=${ovn_gateway_mode} \ + ovn_gateway_opts=${ovn_gateway_opts} \ + ovn_dummy_gateway_bridge=${ovn_dummy_gateway_bridge} \ + ovnkube_node_loglevel=${node_loglevel} \ + ovn_loglevel_controller=${ovn_loglevel_controller} \ + ovnkube_logfile_maxsize=${ovnkube_logfile_maxsize} \ + ovnkube_logfile_maxbackups=${ovnkube_logfile_maxbackups} \ + ovnkube_logfile_maxage=${ovnkube_logfile_maxage} \ + ovn_hybrid_overlay_net_cidr=${ovn_hybrid_overlay_net_cidr} \ + ovn_hybrid_overlay_enable=${ovn_hybrid_overlay_enable} \ + ovn_disable_snat_multiple_gws=${ovn_disable_snat_multiple_gws} \ + ovn_disable_forwarding=${ovn_disable_forwarding} \ + ovn_encap_port=${ovn_encap_port} \ + ovn_disable_pkt_mtu_check=${ovn_disable_pkt_mtu_check} \ + ovn_v4_join_subnet=${ovn_v4_join_subnet} \ + ovn_v6_join_subnet=${ovn_v6_join_subnet} \ + ovn_v4_masquerade_subnet=${ovn_v4_masquerade_subnet} \ + ovn_v6_masquerade_subnet=${ovn_v6_masquerade_subnet} \ + ovn_multicast_enable=${ovn_multicast_enable} \ + ovn_admin_network_policy_enable=${ovn_admin_network_policy_enable} \ + ovn_egress_ip_enable=${ovn_egress_ip_enable} \ + ovn_egress_ip_healthcheck_port=${ovn_egress_ip_healthcheck_port} \ + ovn_multi_network_enable=${ovn_multi_network_enable} \ + ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \ + ovn_egress_service_enable=${ovn_egress_service_enable} \ + ovn_ssl_en=${ovn_ssl_en} \ + ovn_remote_probe_interval=${ovn_remote_probe_interval} \ + ovn_monitor_all=${ovn_monitor_all} \ + ovn_ofctrl_wait_before_clear=${ovn_ofctrl_wait_before_clear} \ + ovn_enable_lflow_cache=${ovn_enable_lflow_cache} \ + ovn_lflow_cache_limit=${ovn_lflow_cache_limit} \ + ovn_lflow_cache_limit_kb=${ovn_lflow_cache_limit_kb} \ + ovn_netflow_targets=${ovn_netflow_targets} \ + ovn_sflow_targets=${ovn_sflow_targets} \ + ovn_ipfix_targets=${ovn_ipfix_targets} \ + ovn_ipfix_sampling=${ovn_ipfix_sampling} \ + ovn_ipfix_cache_max_flows=${ovn_ipfix_cache_max_flows} \ + ovn_ipfix_cache_active_timeout=${ovn_ipfix_cache_active_timeout} \ + ovn_ex_gw_networking_interface=${ovn_ex_gw_networking_interface} \ + ovn_disable_ovn_iface_id_ver=${ovn_disable_ovn_iface_id_ver} \ + ovnkube_node_mgmt_port_netdev=${ovnkube_node_mgmt_port_netdev} \ + ovn_enable_interconnect=${ovn_enable_interconnect} \ + ovn_enable_multi_external_gateway=${ovn_enable_multi_external_gateway} \ + ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \ + ovnkube_app_name=ovnkube-node \ + jinjanate ../templates/ovnkube-node.yaml.j2 -o ${output_dir}/ovnkube-node.yaml + +ovn_image=${ovnkube_image} \ + ovnkube_compact_mode_enable=${ovnkube_compact_mode_enable} \ + ovn_image_pull_policy=${image_pull_policy} \ + ovn_unprivileged_mode=${ovn_unprivileged_mode} \ + ovn_gateway_mode=${ovn_gateway_mode} \ + ovn_gateway_opts=${ovn_gateway_opts} \ + ovn_dummy_gateway_bridge=${ovn_dummy_gateway_bridge} \ + ovnkube_node_loglevel=${node_loglevel} \ + ovn_loglevel_controller=${ovn_loglevel_controller} \ + ovnkube_logfile_maxsize=${ovnkube_logfile_maxsize} \ + ovnkube_logfile_maxbackups=${ovnkube_logfile_maxbackups} \ + ovnkube_logfile_maxage=${ovnkube_logfile_maxage} \ + ovn_hybrid_overlay_net_cidr=${ovn_hybrid_overlay_net_cidr} \ + ovn_hybrid_overlay_enable=${ovn_hybrid_overlay_enable} \ + ovn_disable_snat_multiple_gws=${ovn_disable_snat_multiple_gws} \ + ovn_disable_forwarding=${ovn_disable_forwarding} \ + ovn_encap_port=${ovn_encap_port} \ + ovn_disable_pkt_mtu_check=${ovn_disable_pkt_mtu_check} \ + ovn_v4_join_subnet=${ovn_v4_join_subnet} \ + ovn_v6_join_subnet=${ovn_v6_join_subnet} \ + ovn_v4_masquerade_subnet=${ovn_v4_masquerade_subnet} \ + ovn_v6_masquerade_subnet=${ovn_v6_masquerade_subnet} \ + ovn_multicast_enable=${ovn_multicast_enable} \ + ovn_admin_network_policy_enable=${ovn_admin_network_policy_enable} \ + ovn_egress_ip_enable=${ovn_egress_ip_enable} \ + ovn_egress_ip_healthcheck_port=${ovn_egress_ip_healthcheck_port} \ + ovn_multi_network_enable=${ovn_multi_network_enable} \ + ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \ + ovn_egress_service_enable=${ovn_egress_service_enable} \ + ovn_ssl_en=${ovn_ssl_en} \ + ovn_remote_probe_interval=${ovn_remote_probe_interval} \ + ovn_monitor_all=${ovn_monitor_all} \ + ovn_ofctrl_wait_before_clear=${ovn_ofctrl_wait_before_clear} \ + ovn_enable_lflow_cache=${ovn_enable_lflow_cache} \ + ovn_lflow_cache_limit=${ovn_lflow_cache_limit} \ + ovn_lflow_cache_limit_kb=${ovn_lflow_cache_limit_kb} \ + ovn_netflow_targets=${ovn_netflow_targets} \ + ovn_sflow_targets=${ovn_sflow_targets} \ + ovn_ipfix_targets=${ovn_ipfix_targets} \ + ovn_ipfix_sampling=${ovn_ipfix_sampling} \ + ovn_ipfix_cache_max_flows=${ovn_ipfix_cache_max_flows} \ + ovn_ipfix_cache_active_timeout=${ovn_ipfix_cache_active_timeout} \ + ovn_ex_gw_networking_interface=${ovn_ex_gw_networking_interface} \ + ovn_disable_ovn_iface_id_ver=${ovn_disable_ovn_iface_id_ver} \ + ovnkube_node_mgmt_port_netdev=${ovnkube_node_mgmt_port_netdev} \ + ovn_enable_interconnect=${ovn_enable_interconnect} \ + ovn_enable_multi_external_gateway=${ovn_enable_multi_external_gateway} \ + ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \ + ovnkube_app_name=ovnkube-node-dpu \ + jinjanate ../templates/ovnkube-node.yaml.j2 -o ${output_dir}/ovnkube-node-dpu.yaml + +# ovnkube node for dpu-host daemonset +# TODO: we probably dont need all of these when running on dpu host +ovn_image=${image} \ + ovnkube_compact_mode_enable=${ovnkube_compact_mode_enable} \ + ovn_image_pull_policy=${image_pull_policy} \ + kind=${KIND} \ + ovn_unprivileged_mode=${ovn_unprivileged_mode} \ + ovn_gateway_mode=${ovn_gateway_mode} \ + ovn_gateway_opts=${ovn_gateway_opts} \ + ovn_dummy_gateway_bridge=${ovn_dummy_gateway_bridge} \ + ovnkube_node_loglevel=${node_loglevel} \ + ovn_loglevel_controller=${ovn_loglevel_controller} \ + ovnkube_logfile_maxsize=${ovnkube_logfile_maxsize} \ + ovnkube_logfile_maxbackups=${ovnkube_logfile_maxbackups} \ + ovnkube_logfile_maxage=${ovnkube_logfile_maxage} \ + ovn_hybrid_overlay_net_cidr=${ovn_hybrid_overlay_net_cidr} \ + ovn_hybrid_overlay_enable=${ovn_hybrid_overlay_enable} \ + ovn_disable_snat_multiple_gws=${ovn_disable_snat_multiple_gws} \ + ovn_disable_forwarding=${ovn_disable_forwarding} \ + ovn_encap_port=${ovn_encap_port} \ + ovn_disable_pkt_mtu_check=${ovn_disable_pkt_mtu_check} \ + ovn_v4_join_subnet=${ovn_v4_join_subnet} \ + ovn_v6_join_subnet=${ovn_v6_join_subnet} \ + ovn_v4_masquerade_subnet=${ovn_v4_masquerade_subnet} \ + ovn_v6_masquerade_subnet=${ovn_v6_masquerade_subnet} \ + ovn_multicast_enable=${ovn_multicast_enable} \ + ovn_admin_network_policy_enable=${ovn_admin_network_policy_enable} \ + ovn_egress_ip_enable=${ovn_egress_ip_enable} \ + ovn_egress_ip_healthcheck_port=${ovn_egress_ip_healthcheck_port} \ + ovn_egress_service_enable=${ovn_egress_service_enable} \ + ovn_netflow_targets=${ovn_netflow_targets} \ + ovn_sflow_targets=${ovn_sflow_targets} \ + ovn_ipfix_targets=${ovn_ipfix_targets} \ + ovn_ipfix_sampling=${ovn_ipfix_sampling} \ + ovn_ipfix_cache_max_flows=${ovn_ipfix_cache_max_flows} \ + ovn_ipfix_cache_active_timeout=${ovn_ipfix_cache_active_timeout} \ + ovn_ex_gw_networking_interface=${ovn_ex_gw_networking_interface} \ + ovnkube_node_mgmt_port_netdev=${ovnkube_node_mgmt_port_netdev} \ + ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \ + ovnkube_app_name=ovnkube-node-dpu-host \ + jinjanate ../templates/ovnkube-node.yaml.j2 -o ${output_dir}/ovnkube-node-dpu-host.yaml + +ovn_image=${ovnkube_image} \ + ovn_image_pull_policy=${image_pull_policy} \ + ovnkube_master_loglevel=${master_loglevel} \ + ovn_loglevel_northd=${ovn_loglevel_northd} \ + ovnkube_logfile_maxsize=${ovnkube_logfile_maxsize} \ + ovnkube_logfile_maxbackups=${ovnkube_logfile_maxbackups} \ + ovnkube_logfile_maxage=${ovnkube_logfile_maxage} \ + ovnkube_libovsdb_client_logfile=${ovnkube_libovsdb_client_logfile} \ + ovnkube_config_duration_enable=${ovnkube_config_duration_enable} \ + ovnkube_metrics_scale_enable=${ovnkube_metrics_scale_enable} \ + ovn_acl_logging_rate_limit=${ovn_acl_logging_rate_limit} \ + ovn_hybrid_overlay_net_cidr=${ovn_hybrid_overlay_net_cidr} \ + ovn_hybrid_overlay_enable=${ovn_hybrid_overlay_enable} \ + ovn_disable_snat_multiple_gws=${ovn_disable_snat_multiple_gws} \ + ovn_disable_forwarding=${ovn_disable_forwarding} \ + ovn_encap_port=${ovn_encap_port} \ + ovn_disable_pkt_mtu_check=${ovn_disable_pkt_mtu_check} \ + ovn_empty_lb_events=${ovn_empty_lb_events} \ + ovn_v4_join_subnet=${ovn_v4_join_subnet} \ + ovn_v6_join_subnet=${ovn_v6_join_subnet} \ + ovn_v4_masquerade_subnet=${ovn_v4_masquerade_subnet} \ + ovn_v6_masquerade_subnet=${ovn_v6_masquerade_subnet} \ + ovn_multicast_enable=${ovn_multicast_enable} \ + ovn_admin_network_policy_enable=${ovn_admin_network_policy_enable} \ + ovn_egress_ip_enable=${ovn_egress_ip_enable} \ + ovn_egress_ip_healthcheck_port=${ovn_egress_ip_healthcheck_port} \ + ovn_egress_firewall_enable=${ovn_egress_firewall_enable} \ + ovn_egress_qos_enable=${ovn_egress_qos_enable} \ + ovn_multi_network_enable=${ovn_multi_network_enable} \ + ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \ + ovn_egress_service_enable=${ovn_egress_service_enable} \ + ovn_ssl_en=${ovn_ssl_en} \ + ovn_master_count=${ovn_master_count} \ + ovn_gateway_mode=${ovn_gateway_mode} \ + ovn_gateway_opts=${ovn_gateway_opts} \ + ovn_dummy_gateway_bridge=${ovn_dummy_gateway_bridge} \ + ovn_ex_gw_networking_interface=${ovn_ex_gw_networking_interface} \ + ovn_stateless_netpol_enable=${ovn_netpol_acl_enable} \ + ovnkube_compact_mode_enable=${ovnkube_compact_mode_enable} \ + ovn_unprivileged_mode=${ovn_unprivileged_mode} \ + ovn_enable_multi_external_gateway=${ovn_enable_multi_external_gateway} \ + ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \ + ovn_enable_persistent_ips=${ovn_enable_persistent_ips} \ + ovn_enable_svc_template_support=${ovn_enable_svc_template_support} \ + ovn_enable_dnsnameresolver=${ovn_enable_dnsnameresolver} \ + jinjanate ../templates/ovnkube-master.yaml.j2 -o ${output_dir}/ovnkube-master.yaml + +ovn_image=${ovnkube_image} \ + ovn_image_pull_policy=${image_pull_policy} \ + ovnkube_master_loglevel=${master_loglevel} \ + ovn_loglevel_northd=${ovn_loglevel_northd} \ + ovnkube_logfile_maxsize=${ovnkube_logfile_maxsize} \ + ovnkube_logfile_maxbackups=${ovnkube_logfile_maxbackups} \ + ovnkube_logfile_maxage=${ovnkube_logfile_maxage} \ + ovnkube_config_duration_enable=${ovnkube_config_duration_enable} \ + ovnkube_metrics_scale_enable=${ovnkube_metrics_scale_enable} \ + ovn_acl_logging_rate_limit=${ovn_acl_logging_rate_limit} \ + ovn_hybrid_overlay_net_cidr=${ovn_hybrid_overlay_net_cidr} \ + ovn_hybrid_overlay_enable=${ovn_hybrid_overlay_enable} \ + ovn_disable_snat_multiple_gws=${ovn_disable_snat_multiple_gws} \ + ovn_disable_pkt_mtu_check=${ovn_disable_pkt_mtu_check} \ + ovn_empty_lb_events=${ovn_empty_lb_events} \ + ovn_v4_join_subnet=${ovn_v4_join_subnet} \ + ovn_v6_join_subnet=${ovn_v6_join_subnet} \ + ovn_v4_masquerade_subnet=${ovn_v4_masquerade_subnet} \ + ovn_v6_masquerade_subnet=${ovn_v6_masquerade_subnet} \ + ovn_multicast_enable=${ovn_multicast_enable} \ + ovn_admin_network_policy_enable=${ovn_admin_network_policy_enable} \ + ovn_egress_ip_enable=${ovn_egress_ip_enable} \ + ovn_egress_ip_healthcheck_port=${ovn_egress_ip_healthcheck_port} \ + ovn_egress_firewall_enable=${ovn_egress_firewall_enable} \ + ovn_egress_qos_enable=${ovn_egress_qos_enable} \ + ovn_multi_network_enable=${ovn_multi_network_enable} \ + ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \ + ovn_egress_service_enable=${ovn_egress_service_enable} \ + ovn_ssl_en=${ovn_ssl_en} \ + ovn_master_count=${ovn_master_count} \ + ovn_gateway_mode=${ovn_gateway_mode} \ + ovn_ex_gw_networking_interface=${ovn_ex_gw_networking_interface} \ + ovn_enable_interconnect=${ovn_enable_interconnect} \ + ovn_enable_multi_external_gateway=${ovn_enable_multi_external_gateway} \ + ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \ + ovn_v4_transit_switch_subnet=${ovn_v4_transit_switch_subnet} \ + ovn_v6_transit_switch_subnet=${ovn_v6_transit_switch_subnet} \ + ovn_enable_persistent_ips=${ovn_enable_persistent_ips} \ + ovn_enable_dnsnameresolver=${ovn_enable_dnsnameresolver} \ + jinjanate ../templates/ovnkube-control-plane.yaml.j2 -o ${output_dir}/ovnkube-control-plane.yaml + +ovn_image=${image} \ + ovn_image_pull_policy=${image_pull_policy} \ + ovn_loglevel_nb=${ovn_loglevel_nb} \ + ovn_loglevel_sb=${ovn_loglevel_sb} \ + ovn_ssl_en=${ovn_ssl_en} \ + ovn_nb_port=${ovn_nb_port} \ + ovn_sb_port=${ovn_sb_port} \ + enable_ipsec=${enable_ipsec} \ + ovn_northd_backoff_interval=${ovn_northd_backoff_interval} \ + jinjanate ../templates/ovnkube-db.yaml.j2 -o ${output_dir}/ovnkube-db.yaml + +ovn_image=${image} \ + ovn_image_pull_policy=${image_pull_policy} \ + ovn_db_replicas=${ovn_db_replicas} \ + ovn_db_minAvailable=${ovn_db_minAvailable} \ + ovn_loglevel_nb=${ovn_loglevel_nb} ovn_loglevel_sb=${ovn_loglevel_sb} \ + ovn_dbchecker_loglevel=${db_checker_loglevel} \ + ovnkube_logfile_maxsize=${ovnkube_logfile_maxsize} \ + ovnkube_logfile_maxbackups=${ovnkube_logfile_maxbackups} \ + ovnkube_logfile_maxage=${ovnkube_logfile_maxage} \ + ovn_ssl_en=${ovn_ssl_en} \ + ovn_nb_raft_election_timer=${ovn_nb_raft_election_timer} \ + ovn_sb_raft_election_timer=${ovn_sb_raft_election_timer} \ + ovn_nb_port=${ovn_nb_port} \ + ovn_sb_port=${ovn_sb_port} \ + ovn_nb_raft_port=${ovn_nb_raft_port} \ + ovn_sb_raft_port=${ovn_sb_raft_port} \ + enable_ipsec=${enable_ipsec} \ + ovn_northd_backoff_interval=${ovn_northd_backoff_interval} \ + jinjanate ../templates/ovnkube-db-raft.yaml.j2 -o ${output_dir}/ovnkube-db-raft.yaml + +ovn_image=${ovnkube_image} \ + ovn_image_pull_policy=${image_pull_policy} \ + ovn_unprivileged_mode=${ovn_unprivileged_mode} \ + ovn_gateway_mode=${ovn_gateway_mode} \ + ovn_gateway_opts=${ovn_gateway_opts} \ + ovnkube_node_loglevel=${node_loglevel} \ + ovnkube_local_loglevel=${node_loglevel} \ + ovn_loglevel_controller=${ovn_loglevel_controller} \ + ovnkube_logfile_maxsize=${ovnkube_logfile_maxsize} \ + ovnkube_logfile_maxbackups=${ovnkube_logfile_maxbackups} \ + ovnkube_logfile_maxage=${ovnkube_logfile_maxage} \ + ovnkube_libovsdb_client_logfile=${ovnkube_libovsdb_client_logfile} \ + ovnkube_config_duration_enable=${ovnkube_config_duration_enable} \ + ovnkube_metrics_scale_enable=${ovnkube_metrics_scale_enable} \ + ovn_hybrid_overlay_net_cidr=${ovn_hybrid_overlay_net_cidr} \ + ovn_hybrid_overlay_enable=${ovn_hybrid_overlay_enable} \ + ovn_disable_snat_multiple_gws=${ovn_disable_snat_multiple_gws} \ + ovn_disable_forwarding=${ovn_disable_forwarding} \ + ovn_encap_port=${ovn_encap_port} \ + ovn_disable_pkt_mtu_check=${ovn_disable_pkt_mtu_check} \ + ovn_v4_join_subnet=${ovn_v4_join_subnet} \ + ovn_v6_join_subnet=${ovn_v6_join_subnet} \ + ovn_v4_masquerade_subnet=${ovn_v4_masquerade_subnet} \ + ovn_v6_masquerade_subnet=${ovn_v6_masquerade_subnet} \ + ovn_multicast_enable=${ovn_multicast_enable} \ + ovn_admin_network_policy_enable=${ovn_admin_network_policy_enable} \ + ovn_egress_ip_enable=${ovn_egress_ip_enable} \ + ovn_egress_ip_healthcheck_port=${ovn_egress_ip_healthcheck_port} \ + ovn_egress_firewall_enable=${ovn_egress_firewall_enable} \ + ovn_egress_qos_enable=${ovn_egress_qos_enable} \ + ovn_multi_network_enable=${ovn_multi_network_enable} \ + ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \ + ovn_egress_service_enable=${ovn_egress_service_enable} \ + ovn_ssl_en=${ovn_ssl_en} \ + ovn_remote_probe_interval=${ovn_remote_probe_interval} \ + ovn_monitor_all=${ovn_monitor_all} \ + ovn_ofctrl_wait_before_clear=${ovn_ofctrl_wait_before_clear} \ + ovn_enable_lflow_cache=${ovn_enable_lflow_cache} \ + ovn_lflow_cache_limit=${ovn_lflow_cache_limit} \ + ovn_lflow_cache_limit_kb=${ovn_lflow_cache_limit_kb} \ + ovn_netflow_targets=${ovn_netflow_targets} \ + ovn_sflow_targets=${ovn_sflow_targets} \ + ovn_ipfix_targets=${ovn_ipfix_targets} \ + ovn_ipfix_sampling=${ovn_ipfix_sampling} \ + ovn_ipfix_cache_max_flows=${ovn_ipfix_cache_max_flows} \ + ovn_ipfix_cache_active_timeout=${ovn_ipfix_cache_active_timeout} \ + ovn_ex_gw_networking_interface=${ovn_ex_gw_networking_interface} \ + ovnkube_node_mgmt_port_netdev=${ovnkube_node_mgmt_port_netdev} \ + ovn_disable_ovn_iface_id_ver=${ovn_disable_ovn_iface_id_ver} \ + ovnkube_master_loglevel=${master_loglevel} \ + ovn_loglevel_northd=${ovn_loglevel_northd} \ + ovn_loglevel_nbctld=${ovn_loglevel_nbctld} \ + ovn_acl_logging_rate_limit=${ovn_acl_logging_rate_limit} \ + ovn_empty_lb_events=${ovn_empty_lb_events} \ + ovn_loglevel_nb=${ovn_loglevel_nb} ovn_loglevel_sb=${ovn_loglevel_sb} \ + ovn_enable_interconnect=${ovn_enable_interconnect} \ + ovn_enable_multi_external_gateway=${ovn_enable_multi_external_gateway} \ + ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \ + ovn_northd_backoff_interval=${ovn_northd_backoff_interval} \ + ovn_enable_persistent_ips=${ovn_enable_persistent_ips} \ + ovn_enable_svc_template_support=${ovn_enable_svc_template_support} \ + ovn_enable_dnsnameresolver=${ovn_enable_dnsnameresolver} \ + jinjanate ../templates/ovnkube-single-node-zone.yaml.j2 -o ${output_dir}/ovnkube-single-node-zone.yaml + +ovn_image=${ovnkube_image} \ + ovn_image_pull_policy=${image_pull_policy} \ + ovn_unprivileged_mode=${ovn_unprivileged_mode} \ + ovn_gateway_mode=${ovn_gateway_mode} \ + ovn_gateway_opts=${ovn_gateway_opts} \ + ovnkube_node_loglevel=${node_loglevel} \ + ovnkube_local_loglevel=${node_loglevel} \ + ovn_loglevel_controller=${ovn_loglevel_controller} \ + ovnkube_logfile_maxsize=${ovnkube_logfile_maxsize} \ + ovnkube_logfile_maxbackups=${ovnkube_logfile_maxbackups} \ + ovnkube_logfile_maxage=${ovnkube_logfile_maxage} \ + ovnkube_libovsdb_client_logfile=${ovnkube_libovsdb_client_logfile} \ + ovnkube_config_duration_enable=${ovnkube_config_duration_enable} \ + ovnkube_metrics_scale_enable=${ovnkube_metrics_scale_enable} \ + ovn_hybrid_overlay_net_cidr=${ovn_hybrid_overlay_net_cidr} \ + ovn_hybrid_overlay_enable=${ovn_hybrid_overlay_enable} \ + ovn_disable_snat_multiple_gws=${ovn_disable_snat_multiple_gws} \ + ovn_encap_port=${ovn_encap_port} \ + ovn_disable_pkt_mtu_check=${ovn_disable_pkt_mtu_check} \ + ovn_v4_join_subnet=${ovn_v4_join_subnet} \ + ovn_v6_join_subnet=${ovn_v6_join_subnet} \ + ovn_v4_masquerade_subnet=${ovn_v4_masquerade_subnet} \ + ovn_v6_masquerade_subnet=${ovn_v6_masquerade_subnet} \ + ovn_multicast_enable=${ovn_multicast_enable} \ + ovn_admin_network_policy_enable=${ovn_admin_network_policy_enable} \ + ovn_egress_ip_enable=${ovn_egress_ip_enable} \ + ovn_egress_ip_healthcheck_port=${ovn_egress_ip_healthcheck_port} \ + ovn_egress_service_enable=${ovn_egress_service_enable} \ + ovn_egress_firewall_enable=${ovn_egress_firewall_enable} \ + ovn_egress_qos_enable=${ovn_egress_qos_enable} \ + ovn_multi_network_enable=${ovn_multi_network_enable} \ + ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \ + ovn_ssl_en=${ovn_ssl_en} \ + ovn_remote_probe_interval=${ovn_remote_probe_interval} \ + ovn_monitor_all=${ovn_monitor_all} \ + ovn_ofctrl_wait_before_clear=${ovn_ofctrl_wait_before_clear} \ + ovn_enable_lflow_cache=${ovn_enable_lflow_cache} \ + ovn_lflow_cache_limit=${ovn_lflow_cache_limit} \ + ovn_lflow_cache_limit_kb=${ovn_lflow_cache_limit_kb} \ + ovn_netflow_targets=${ovn_netflow_targets} \ + ovn_sflow_targets=${ovn_sflow_targets} \ + ovn_ipfix_targets=${ovn_ipfix_targets} \ + ovn_ipfix_sampling=${ovn_ipfix_sampling} \ + ovn_ipfix_cache_max_flows=${ovn_ipfix_cache_max_flows} \ + ovn_ipfix_cache_active_timeout=${ovn_ipfix_cache_active_timeout} \ + ovn_ex_gw_networking_interface=${ovn_ex_gw_networking_interface} \ + ovnkube_node_mgmt_port_netdev=${ovnkube_node_mgmt_port_netdev} \ + ovn_disable_ovn_iface_id_ver=${ovn_disable_ovn_iface_id_ver} \ + ovnkube_master_loglevel=${master_loglevel} \ + ovn_loglevel_northd=${ovn_loglevel_northd} \ + ovn_loglevel_nbctld=${ovn_loglevel_nbctld} \ + ovn_acl_logging_rate_limit=${ovn_acl_logging_rate_limit} \ + ovn_empty_lb_events=${ovn_empty_lb_events} \ + ovn_loglevel_nb=${ovn_loglevel_nb} ovn_loglevel_sb=${ovn_loglevel_sb} \ + ovn_enable_interconnect=${ovn_enable_interconnect} \ + ovn_enable_multi_external_gateway=${ovn_enable_multi_external_gateway} \ + ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \ + ovn_northd_backoff_interval=${ovn_enable_backoff_interval} \ + ovn_enable_persistent_ips=${ovn_enable_persistent_ips} \ + ovn_enable_svc_template_support=${ovn_enable_svc_template_support} \ + ovn_enable_dnsnameresolver=${ovn_enable_dnsnameresolver} \ + jinjanate ../templates/ovnkube-zone-controller.yaml.j2 -o ${output_dir}/ovnkube-zone-controller.yaml + +ovn_image=${image} \ + ovn_image_pull_policy=${image_pull_policy} \ + ovn_unprivileged_mode=${ovn_unprivileged_mode} \ + jinjanate ../templates/ovs-node.yaml.j2 -o ${output_dir}/ovs-node.yaml + +ovnkube_certs_dir="/tmp/ovnkube-certs" +ovnkube_webhook_name="ovnkube-webhook" +mkdir -p ${ovnkube_certs_dir} +path_prefix="${ovnkube_certs_dir}/${ovnkube_webhook_name}" + +if [ "${ovn_enable_ovnkube_identity}" = "true" ]; then + # Create self signed CA and webhook cert + # NOTE: The CA and certificate are not renewed after they expire, this should only be used in development environments + openssl req -x509 -newkey rsa:4096 -nodes -keyout "${path_prefix}-ca.key" -out "${path_prefix}-ca.crt" -days 400 -subj "/CN=self-signed-ca" + openssl req -newkey rsa:4096 -nodes -keyout "${path_prefix}.key" -out "${path_prefix}.csr" -subj "/CN=localhost" + openssl x509 -req -in "${path_prefix}.csr" -CA "${path_prefix}-ca.crt" -CAkey "${path_prefix}-ca.key" -extfile <(printf "subjectAltName=DNS:localhost") -CAcreateserial -out "${path_prefix}.crt" -days 365 +fi + +ovn_image=${ovnkube_image} \ + ovn_image_pull_policy=${image_pull_policy} \ + ovn_master_count=${ovn_master_count} \ + ovnkube_master_loglevel=${master_loglevel} \ + ovn_enable_interconnect=${ovn_enable_interconnect} \ + webhook_ca_bundle=$(cat "${path_prefix}-ca.crt" | base64 -w0) \ + webhook_key=$(cat "${path_prefix}.key" | base64 -w0) \ + webhook_cert=$(cat "${path_prefix}.crt" | base64 -w0) \ + ovn_enable_multi_node_zone=${ovn_enable_multi_node_zone} \ + ovn_hybrid_overlay_enable=${ovn_hybrid_overlay_enable} \ + jinjanate ../templates/ovnkube-identity.yaml.j2 -o ${output_dir}/ovnkube-identity.yaml + +if ${enable_ipsec}; then + ovn_image=${image} \ + jinjanate ../templates/ovn-ipsec.yaml.j2 -o ${output_dir}/ovn-ipsec.yaml +fi + +# ovn-setup.yaml +net_cidr=${OVN_NET_CIDR:-"10.128.0.0/14/23"} +svc_cidr=${OVN_SVC_CIDR:-"172.30.0.0/16"} +k8s_apiserver=${OVN_K8S_APISERVER:-"10.0.2.16:6443"} +mtu=${OVN_MTU:-1400} +host_network_namespace=${OVN_HOST_NETWORK_NAMESPACE:-ovn-host-network} +in_upgrade=${IN_UPGRADE:-false} +echo "net_cidr: ${net_cidr}" +echo "svc_cidr: ${svc_cidr}" +echo "k8s_apiserver: ${k8s_apiserver}" +echo "mtu: ${mtu}" +echo "host_network_namespace: ${host_network_namespace}" +echo "in_upgrade: ${in_upgrade}" + +net_cidr=${net_cidr} svc_cidr=${svc_cidr} \ + mtu_value=${mtu} k8s_apiserver=${k8s_apiserver} \ + host_network_namespace=${host_network_namespace} \ + in_upgrade=${in_upgrade} \ + jinjanate ../templates/ovn-setup.yaml.j2 -o ${output_dir}/ovn-setup.yaml + +ovn_enable_interconnect=${ovn_enable_interconnect} \ +ovn_enable_ovnkube_identity=${ovn_enable_ovnkube_identity} \ +ovn_enable_dnsnameresolver=${ovn_enable_dnsnameresolver} \ + jinjanate ../templates/rbac-ovnkube-node.yaml.j2 -o ${output_dir}/rbac-ovnkube-node.yaml + +ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \ +ovn_enable_dnsnameresolver=${ovn_enable_dnsnameresolver} \ + jinjanate ../templates/rbac-ovnkube-cluster-manager.yaml.j2 -o ${output_dir}/rbac-ovnkube-cluster-manager.yaml + +ovn_network_segmentation_enable=${ovn_network_segmentation_enable} \ +ovn_enable_dnsnameresolver=${ovn_enable_dnsnameresolver} \ + jinjanate ../templates/rbac-ovnkube-master.yaml.j2 -o ${output_dir}/rbac-ovnkube-master.yaml + +cp ../templates/rbac-ovnkube-identity.yaml.j2 ${output_dir}/rbac-ovnkube-identity.yaml +cp ../templates/rbac-ovnkube-db.yaml.j2 ${output_dir}/rbac-ovnkube-db.yaml +cp ../templates/ovnkube-monitor.yaml.j2 ${output_dir}/ovnkube-monitor.yaml +cp ../templates/k8s.ovn.org_egressfirewalls.yaml.j2 ${output_dir}/k8s.ovn.org_egressfirewalls.yaml +cp ../templates/k8s.ovn.org_egressips.yaml.j2 ${output_dir}/k8s.ovn.org_egressips.yaml +cp ../templates/k8s.ovn.org_egressqoses.yaml.j2 ${output_dir}/k8s.ovn.org_egressqoses.yaml +cp ../templates/k8s.ovn.org_egressservices.yaml.j2 ${output_dir}/k8s.ovn.org_egressservices.yaml +cp ../templates/k8s.ovn.org_adminpolicybasedexternalroutes.yaml.j2 ${output_dir}/k8s.ovn.org_adminpolicybasedexternalroutes.yaml +cp ../templates/k8s.ovn.org_userdefinednetworks.yaml.j2 ${output_dir}/k8s.ovn.org_userdefinednetworks.yaml + +exit 0 diff --git a/21_ovn/generated/images/git_info b/21_ovn/generated/images/git_info new file mode 100644 index 0000000..d2c2889 --- /dev/null +++ b/21_ovn/generated/images/git_info @@ -0,0 +1 @@ +ref: refs/heads/master commit: 82192051174db3d73fb84d938109ffbaf5578974 diff --git a/21_ovn/generated/images/ovn_k8s.conf b/21_ovn/generated/images/ovn_k8s.conf new file mode 100644 index 0000000..d494fb8 --- /dev/null +++ b/21_ovn/generated/images/ovn_k8s.conf @@ -0,0 +1,15 @@ +[Default] +mtu=1400 +conntrack-zone=64000 + +[Logging] +logfile=/var/log/openvswitch/ovn-k8s-cni-overlay.log +loglevel=5 + +[CNI] +conf-dir=/etc/cni/net.d +plugin=ovn-k8s-cni-overlay + +[Kubernetes] +cacert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt + diff --git a/21_ovn/generated/images/ovnkube.sh b/21_ovn/generated/images/ovnkube.sh new file mode 100755 index 0000000..facd908 --- /dev/null +++ b/21_ovn/generated/images/ovnkube.sh @@ -0,0 +1,2755 @@ +#!/bin/bash +#set -euo pipefail + +# Enable verbose shell output if OVNKUBE_SH_VERBOSE is set to 'true' +if [[ "${OVNKUBE_SH_VERBOSE:-}" == "true" ]]; then + set -x +fi + +# source the functions in ovndb-raft-functions.sh +. /root/ovndb-raft-functions.sh + +# This script is the entrypoint to the image. +# Supports version 1.0.0 daemonsets +# Keep the daemonset versioning aligned with the ovnkube release versions +# Commands ($1 values) +# ovs-server Runs the ovs daemons - ovsdb-server and ovs-switchd (v3) +# run-ovn-northd Runs ovn-northd as a process does not run nb_ovsdb or sb_ovsdb (v3) +# nb-ovsdb Runs nb_ovsdb as a process (no detach or monitor) (v3) +# sb-ovsdb Runs sb_ovsdb as a process (no detach or monitor) (v3) +# ovn-master Runs ovnkube in master mode (v3) +# ovn-identity Runs ovnkube-identity (v3) +# ovn-controller Runs ovn controller (v3) +# ovn-node Runs ovnkube in node mode (v3) +# cleanup-ovn-node Runs ovnkube to cleanup the node (v3) +# cleanup-ovs-server Cleanup ovs-server (v3) +# display Displays log files +# display_env Displays environment variables +# ovn_debug Displays ovn/ovs configuration and flows + +# NOTE: The script/image must be compatible with the daemonset. +# This script supports version 1.0.0 daemonsets +# When called, it starts all needed daemons. +# Currently the version here is used to match with the image version +# It must be updated during every release + +# ==================== +# Environment variables are used to customize operation +# K8S_APISERVER - hostname:port (URL)of the real apiserver, not the service address - v3 +# OVN_NET_CIDR - the network cidr - v3 +# OVN_SVC_CIDR - the cluster-service-cidr - v3 +# OVN_KUBERNETES_NAMESPACE - k8s namespace - v3 +# K8S_NODE - hostname of the node - v3 +# +# OVN_DAEMONSET_VERSION - version match daemonset and image - v1.0.0 +# K8S_TOKEN - the apiserver token. Automatically detected when running in a pod - v3 +# K8S_CACERT - the apiserver CA. Automatically detected when running in a pod - v3 +# OVN_CONTROLLER_OPTS - the options for ovn-ctl +# OVN_NORTHD_OPTS - the options for the ovn northbound db +# OVN_GATEWAY_MODE - the gateway mode (shared or local) - v3 +# OVN_GATEWAY_OPTS - the options for the ovn gateway +# OVN_GATEWAY_ROUTER_SUBNET - the gateway router subnet (shared mode, DPU only) - v3 +# OVNKUBE_LOGLEVEL - log level for ovnkube (0..5, default 4) - v3 +# OVN_LOGLEVEL_NORTHD - log level (ovn-ctl default: -vconsole:emer -vsyslog:err -vfile:info) - v3 +# OVN_LOGLEVEL_NB - log level (ovn-ctl default: -vconsole:off -vfile:info) - v3 +# OVN_LOGLEVEL_SB - log level (ovn-ctl default: -vconsole:off -vfile:info) - v3 +# OVN_LOGLEVEL_CONTROLLER - log level (ovn-ctl default: -vconsole:off -vfile:info) - v3 +# OVN_LOGLEVEL_NBCTLD - log level (ovn-ctl default: -vconsole:off -vfile:info) - v3 +# OVNKUBE_LOGFILE_MAXSIZE - log file max size in MB(default 100 MB) +# OVNKUBE_LOGFILE_MAXBACKUPS - log file max backups (default 5) +# OVNKUBE_LOGFILE_MAXAGE - log file max age in days (default 5 days) +# OVNKUBE_LIBOVSDB_CLIENT_LOGFILE - separate log file for libovsdb client (default: do not separate from logfile) +# OVN_ACL_LOGGING_RATE_LIMIT - specify default ACL logging rate limit in messages per second (default: 20) +# OVN_NB_PORT - ovn north db port (default 6641) +# OVN_SB_PORT - ovn south db port (default 6642) +# OVN_NB_RAFT_PORT - ovn north db raft port (default 6643) +# OVN_SB_RAFT_PORT - ovn south db raft port (default 6644) +# OVN_NB_RAFT_ELECTION_TIMER - ovn north db election timer in ms (default 1000) +# OVN_SB_RAFT_ELECTION_TIMER - ovn south db election timer in ms (default 1000) +# OVN_SSL_ENABLE - use SSL transport to NB/SB db and northd (default: no) +# OVN_REMOTE_PROBE_INTERVAL - ovn remote probe interval in ms (default 100000) +# OVN_MONITOR_ALL - ovn-controller monitor all data in SB DB +# OVN_OFCTRL_WAIT_BEFORE_CLEAR - ovn-controller wait time in ms before clearing OpenFlow rules during start up +# OVN_ENABLE_LFLOW_CACHE - enable ovn-controller lflow-cache +# OVN_LFLOW_CACHE_LIMIT - maximum number of logical flow cache entries of ovn-controller +# OVN_LFLOW_CACHE_LIMIT_KB - maximum size of the logical flow cache of ovn-controller +# OVN_ADMIN_NETWORK_POLICY_ENABLE - enable admin network policy for ovn-kubernetes +# OVN_EGRESSIP_ENABLE - enable egress IP for ovn-kubernetes +# OVN_EGRESSIP_HEALTHCHECK_PORT - egress IP node check to use grpc on this port (0 ==> dial to port 9 instead) +# OVN_EGRESSFIREWALL_ENABLE - enable egressFirewall for ovn-kubernetes +# OVN_EGRESSQOS_ENABLE - enable egress QoS for ovn-kubernetes +# OVN_EGRESSSERVICE_ENABLE - enable egress Service for ovn-kubernetes +# OVN_UNPRIVILEGED_MODE - execute CNI ovs/netns commands from host (default no) +# OVNKUBE_NODE_MODE - ovnkube node mode of operation, one of: full, dpu, dpu-host (default: full) +# OVNKUBE_NODE_MGMT_PORT_NETDEV - ovnkube node management port netdev. +# OVNKUBE_NODE_MGMT_PORT_DP_RESOURCE_NAME - ovnkube node management port device plugin resource +# OVN_ENCAP_IP - encap IP to be used for OVN traffic on the node. mandatory in case ovnkube-node-mode=="dpu" +# OVN_HOST_NETWORK_NAMESPACE - namespace to classify host network traffic for applying network policies +# OVN_DISABLE_FORWARDING - disable forwarding on OVNK controlled interfaces +# OVN_ENABLE_MULTI_EXTERNAL_GATEWAY - enable multi external gateway for ovn-kubernetes +# OVN_ENABLE_OVNKUBE_IDENTITY - enable per node certificate ovn-kubernetes +# OVN_METRICS_MASTER_PORT - metrics port which will be exposed by ovnkube-master (default 9409) +# OVN_METRICS_WORKER_PORT - metrics port which will be exposed by ovnkube-node (default 9410) +# OVN_METRICS_BIND_PORT - port for the OVN metrics server to serve on (default 9476) +# OVN_METRICS_EXPORTER_PORT - ovs-metrics exporter port (default 9310) +# OVN_KUBERNETES_CONNTRACK_ZONE - Conntrack zone number used for openflow rules (default 64000) +# OVN_NORTHD_BACKOFF_INTERVAL - ovn northd backoff interval in ms (default 300) +# OVN_ENABLE_SVC_TEMPLATE_SUPPORT - enable svc template support +# OVN_ENABLE_DNSNAMERESOLVER - enable dns name resolver support + +# The argument to the command is the operation to be performed +# ovn-master ovn-controller ovn-node display display_env ovn_debug +# a cmd must be provided, there is no default +cmd=${1:-""} + +# ovn daemon log levels +ovn_loglevel_northd=${OVN_LOGLEVEL_NORTHD:-"-vconsole:info"} +ovn_loglevel_nb=${OVN_LOGLEVEL_NB:-"-vconsole:info"} +ovn_loglevel_sb=${OVN_LOGLEVEL_SB:-"-vconsole:info"} +ovn_loglevel_controller=${OVN_LOGLEVEL_CONTROLLER:-"-vconsole:info"} + +ovnkubelogdir=/var/log/ovn-kubernetes + +# logfile rotation parameters +ovnkube_logfile_maxsize=${OVNKUBE_LOGFILE_MAXSIZE:-"100"} +ovnkube_logfile_maxbackups=${OVNKUBE_LOGFILE_MAXBACKUPS:-"5"} +ovnkube_logfile_maxage=${OVNKUBE_LOGFILE_MAXAGE:-"5"} + +# logfile for libovsdb client. When not specified, the ovsdb client logs +# are not separated from the "main" --logfile used by ovnkube +ovnkube_libovsdb_client_logfile=${OVNKUBE_LIBOVSDB_CLIENT_LOGFILE:-} + +# ovnkube.sh version (Update during each release) +ovnkube_version="1.0.0" + +# The daemonset version must be compatible with this script. +# The default when OVN_DAEMONSET_VERSION is not set is version 3 +ovn_daemonset_version=${OVN_DAEMONSET_VERSION:-"1.0.0"} + +# hostname is the host's hostname when using host networking, +# This is useful on the master +# otherwise it is the container ID (useful for debugging). +ovn_pod_host=${K8S_NODE:-$(hostname)} + +# The ovs user id, by default it is going to be root:root +ovs_user_id=${OVS_USER_ID:-""} + +# ovs options +ovs_options=${OVS_OPTIONS:-""} + +if [[ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]]; then + k8s_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) +else + k8s_token=${K8S_TOKEN} +fi + +# certs and private keys for k8s and OVN +K8S_CACERT=${K8S_CACERT:-/var/run/secrets/kubernetes.io/serviceaccount/ca.crt} + +ovn_ca_cert=/ovn-cert/ca-cert.pem +ovn_nb_pk=/ovn-cert/ovnnb-privkey.pem +ovn_nb_cert=/ovn-cert/ovnnb-cert.pem +ovn_sb_pk=/ovn-cert/ovnsb-privkey.pem +ovn_sb_cert=/ovn-cert/ovnsb-cert.pem +ovn_northd_pk=/ovn-cert/ovnnorthd-privkey.pem +ovn_northd_cert=/ovn-cert/ovnnorthd-cert.pem +ovn_controller_pk=/ovn-cert/ovncontroller-privkey.pem +ovn_controller_cert=/ovn-cert/ovncontroller-cert.pem +ovn_controller_cname="ovncontroller" + +transport="tcp" +ovndb_ctl_ssl_opts="" +if [[ "yes" == ${OVN_SSL_ENABLE} ]]; then + transport="ssl" + ovndb_ctl_ssl_opts="-p ${ovn_controller_pk} -c ${ovn_controller_cert} -C ${ovn_ca_cert}" +fi + +# ovn-northd - /etc/sysconfig/ovn-northd +ovn_northd_opts=${OVN_NORTHD_OPTS:-""} + +# ovn-controller +ovn_controller_opts=${OVN_CONTROLLER_OPTS:-""} + +# set the log level for ovnkube +ovnkube_loglevel=${OVNKUBE_LOGLEVEL:-4} + +# by default it is going to be a shared gateway mode, however this can be overridden to any of the other +# two gateway modes that we support using `images/daemonset.sh` tool +ovn_gateway_mode=${OVN_GATEWAY_MODE:-"shared"} +ovn_gateway_opts=${OVN_GATEWAY_OPTS:-""} +ovn_gateway_router_subnet=${OVN_GATEWAY_ROUTER_SUBNET:-""} + +net_cidr=${OVN_NET_CIDR:-10.128.0.0/14/23} +svc_cidr=${OVN_SVC_CIDR:-172.30.0.0/16} +mtu=${OVN_MTU:-1400} +routable_mtu=${OVN_ROUTABLE_MTU:-} + +# set metrics endpoint bind to K8S_NODE_IP. +metrics_endpoint_ip=${K8S_NODE_IP:-0.0.0.0} +metrics_endpoint_ip=$(bracketify $metrics_endpoint_ip) + +# set metrics master port +metrics_master_port=${OVN_METRICS_MASTER_PORT:-9409} + +# set metrics worker port +metrics_worker_port=${OVN_METRICS_WORKER_PORT:-9410} + +# set metrics bind port +metrics_bind_port=${OVN_METRICS_BIND_PORT:-9476} + +# set metrics exporter port +metrics_exporter_port=${OVN_METRICS_EXPORTER_PORT:-9310} + +ovn_kubernetes_namespace=${OVN_KUBERNETES_NAMESPACE:-ovn-kubernetes} +# namespace used for classifying host network traffic +ovn_host_network_namespace=${OVN_HOST_NETWORK_NAMESPACE:-ovn-host-network} + +# host on which ovnkube-db POD is running and this POD contains both +# OVN NB and SB DB running in their own container. +ovn_db_host=${K8S_NODE_IP:-""} + +# OVN_NB_PORT - ovn north db port (default 6641) +ovn_nb_port=${OVN_NB_PORT:-6641} +# OVN_SB_PORT - ovn south db port (default 6642) +ovn_sb_port=${OVN_SB_PORT:-6642} +# OVN_NB_RAFT_PORT - ovn north db port used for raft communication (default 6643) +ovn_nb_raft_port=${OVN_NB_RAFT_PORT:-6643} +# OVN_SB_RAFT_PORT - ovn south db port used for raft communication (default 6644) +ovn_sb_raft_port=${OVN_SB_RAFT_PORT:-6644} +# OVN_ENCAP_PORT - GENEVE UDP port (default 6081) +ovn_encap_port=${OVN_ENCAP_PORT:-6081} +# OVN_NB_RAFT_ELECTION_TIMER - ovn north db election timer in ms (default 1000) +ovn_nb_raft_election_timer=${OVN_NB_RAFT_ELECTION_TIMER:-1000} +# OVN_SB_RAFT_ELECTION_TIMER - ovn south db election timer in ms (default 1000) +ovn_sb_raft_election_timer=${OVN_SB_RAFT_ELECTION_TIMER:-1000} + +ovn_hybrid_overlay_enable=${OVN_HYBRID_OVERLAY_ENABLE:-} +ovn_hybrid_overlay_net_cidr=${OVN_HYBRID_OVERLAY_NET_CIDR:-} +ovn_disable_snat_multiple_gws=${OVN_DISABLE_SNAT_MULTIPLE_GWS:-} +ovn_disable_forwarding=${OVN_DISABLE_FORWARDING:-} +ovn_disable_pkt_mtu_check=${OVN_DISABLE_PKT_MTU_CHECK:-} +ovn_empty_lb_events=${OVN_EMPTY_LB_EVENTS:-} +# OVN_V4_JOIN_SUBNET - v4 join subnet +ovn_v4_join_subnet=${OVN_V4_JOIN_SUBNET:-} +# OVN_V6_JOIN_SUBNET - v6 join subnet +ovn_v6_join_subnet=${OVN_V6_JOIN_SUBNET:-} +# OVN_V4_MASQUERADE_SUBNET - v4 masquerade subnet +ovn_v4_masquerade_subnet=${OVN_V4_MASQUERADE_SUBNET:-} +# OVN_V6_MASQUERADE_SUBNET - v6 masquerade subnet +ovn_v6_masquerade_subnet=${OVN_V6_MASQUERADE_SUBNET:-} +# OVN_V4_TRANSIT_SWITCH_SUBNET - v4 Transit switch subnet +ovn_v4_transit_switch_subnet=${OVN_V4_TRANSIT_SWITCH_SUBNET:-} +# OVN_V6_TRANSIT_SWITCH_SUBNET - v6 Transit switch subnet +ovn_v6_transit_switch_subnet=${OVN_V6_TRANSIT_SWITCH_SUBNET:-} +#OVN_REMOTE_PROBE_INTERVAL - ovn remote probe interval in ms (default 100000) +ovn_remote_probe_interval=${OVN_REMOTE_PROBE_INTERVAL:-100000} +#OVN_MONITOR_ALL - ovn-controller monitor all data in SB DB +ovn_monitor_all=${OVN_MONITOR_ALL:-} +#OVN_OFCTRL_WAIT_BEFORE_CLEAR - ovn-controller wait time in ms before clearing OpenFlow rules during start up +ovn_ofctrl_wait_before_clear=${OVN_OFCTRL_WAIT_BEFORE_CLEAR:-} +ovn_enable_lflow_cache=${OVN_ENABLE_LFLOW_CACHE:-} +ovn_lflow_cache_limit=${OVN_LFLOW_CACHE_LIMIT:-} +ovn_lflow_cache_limit_kb=${OVN_LFLOW_CACHE_LIMIT_KB:-} +ovn_multicast_enable=${OVN_MULTICAST_ENABLE:-} +ovn_admin_network_policy_enable=${OVN_ADMIN_NETWORK_POLICY_ENABLE:=false} +#OVN_EGRESSIP_ENABLE - enable egress IP for ovn-kubernetes +ovn_egressip_enable=${OVN_EGRESSIP_ENABLE:-false} +#OVN_EGRESSIP_HEALTHCHECK_PORT - egress IP node check to use grpc on this port +ovn_egress_ip_healthcheck_port=${OVN_EGRESSIP_HEALTHCHECK_PORT:-9107} +#OVN_EGRESSFIREWALL_ENABLE - enable egressFirewall for ovn-kubernetes +ovn_egressfirewall_enable=${OVN_EGRESSFIREWALL_ENABLE:-false} +#OVN_EGRESSQOS_ENABLE - enable egress QoS for ovn-kubernetes +ovn_egressqos_enable=${OVN_EGRESSQOS_ENABLE:-false} +#OVN_EGRESSSERVICE_ENABLE - enable egress Service for ovn-kubernetes +ovn_egressservice_enable=${OVN_EGRESSSERVICE_ENABLE:-false} +#OVN_DISABLE_OVN_IFACE_ID_VER - disable usage of the OVN iface-id-ver option +ovn_disable_ovn_iface_id_ver=${OVN_DISABLE_OVN_IFACE_ID_VER:-false} +#OVN_MULTI_NETWORK_ENABLE - enable multiple network support for ovn-kubernetes +ovn_multi_network_enable=${OVN_MULTI_NETWORK_ENABLE:-false} +#OVN_NETWORK_SEGMENTATION_ENABLE - enable user defined primary networks for ovn-kubernetes +ovn_network_segmentation_enable=${OVN_NETWORK_SEGMENTATION_ENABLE:=false} +ovn_acl_logging_rate_limit=${OVN_ACL_LOGGING_RATE_LIMIT:-"20"} +ovn_netflow_targets=${OVN_NETFLOW_TARGETS:-} +ovn_sflow_targets=${OVN_SFLOW_TARGETS:-} +ovn_ipfix_targets=${OVN_IPFIX_TARGETS:-} +ovn_ipfix_sampling=${OVN_IPFIX_SAMPLING:-} \ +ovn_ipfix_cache_max_flows=${OVN_IPFIX_CACHE_MAX_FLOWS:-} \ +ovn_ipfix_cache_active_timeout=${OVN_IPFIX_CACHE_ACTIVE_TIMEOUT:-} \ +#OVN_STATELESS_NETPOL_ENABLE - enable stateless network policy for ovn-kubernetes +ovn_stateless_netpol_enable=${OVN_STATELESS_NETPOL_ENABLE:-false} +#OVN_ENABLE_INTERCONNECT - enable interconnect with multiple zones +ovn_enable_interconnect=${OVN_ENABLE_INTERCONNECT:-false} +#OVN_ENABLE_MULTI_EXTERNAL_GATEWAY - enable multi external gateway +ovn_enable_multi_external_gateway=${OVN_ENABLE_MULTI_EXTERNAL_GATEWAY:-false} +#OVN_ENABLE_OVNKUBE_IDENTITY - enable per node cert +ovn_enable_ovnkube_identity=${OVN_ENABLE_OVNKUBE_IDENTITY:-true} +#OVN_ENABLE_PERSISTENT_IPS - enable IPAM for virtualization workloads (KubeVirt persistent IPs) +ovn_enable_persistent_ips=${OVN_ENABLE_PERSISTENT_IPS:-false} + +# OVNKUBE_NODE_MODE - is the mode which ovnkube node operates +ovnkube_node_mode=${OVNKUBE_NODE_MODE:-"full"} +# OVNKUBE_NODE_MGMT_PORT_NETDEV - is the net device to be used for management port +ovnkube_node_mgmt_port_netdev=${OVNKUBE_NODE_MGMT_PORT_NETDEV:-} +# OVNKUBE_NODE_MGMT_PORT_DP_RESOURCE_NAME - is the device plugin resource name that has +# allocated interfaces to be used for the management port +ovnkube_node_mgmt_port_dp_resource_name=${OVNKUBE_NODE_MGMT_PORT_DP_RESOURCE_NAME:-} +ovnkube_config_duration_enable=${OVNKUBE_CONFIG_DURATION_ENABLE:-false} +ovnkube_metrics_scale_enable=${OVNKUBE_METRICS_SCALE_ENABLE:-false} +# OVN_ENCAP_IP - encap IP to be used for OVN traffic on the node +ovn_encap_ip=${OVN_ENCAP_IP:-} +# OVN_KUBERNETES_CONNTRACK_ZONE - conntrack zone number used for openflow rules (default 64000) +ovn_conntrack_zone=${OVN_KUBERNETES_CONNTRACK_ZONE:-64000} + +ovn_ex_gw_network_interface=${OVN_EX_GW_NETWORK_INTERFACE:-} +# OVNKUBE_COMPACT_MODE_ENABLE indicate if ovnkube run master and node in one process +ovnkube_compact_mode_enable=${OVNKUBE_COMPACT_MODE_ENABLE:-false} +# OVN_NORTHD_BACKOFF_INTERVAL - northd backoff interval in ms +# defualt is 300; no backoff delay if set to 0 +ovn_northd_backoff_interval=${OVN_NORTHD_BACKOFF_INTERVAL:-"300"} +# OVN_ENABLE_SVC_TEMPLATE_SUPPORT - enable svc template support +ovn_enable_svc_template_support=${OVN_ENABLE_SVC_TEMPLATE_SUPPORT:-true} +# OVN_ENABLE_DNSNAMERESOLVER - enable dns name resolver support +ovn_enable_dnsnameresolver=${OVN_ENABLE_DNSNAMERESOLVER:-false} + +# Determine the ovn rundir. +if [[ -f /usr/bin/ovn-appctl ]]; then + # ovn-appctl is present. Use new ovn run dir path. + OVN_RUNDIR=/var/run/ovn + OVNCTL_PATH=/usr/share/ovn/scripts/ovn-ctl + OVN_LOGDIR=/var/log/ovn + OVN_ETCDIR=/etc/ovn +else + # ovn-appctl is not present. Use openvswitch run dir path. + OVN_RUNDIR=/var/run/openvswitch + OVNCTL_PATH=/usr/share/openvswitch/scripts/ovn-ctl + OVN_LOGDIR=/var/log/openvswitch + OVN_ETCDIR=/etc/openvswitch +fi + +OVS_RUNDIR=/var/run/openvswitch +OVS_LOGDIR=/var/log/openvswitch + +# ========================================= + +setup_ovs_permissions() { + if [ ${ovs_user_id:-XX} != "XX" ]; then + chown -R ${ovs_user_id} /etc/openvswitch + chown -R ${ovs_user_id} ${OVS_RUNDIR} + chown -R ${ovs_user_id} ${OVS_LOGDIR} + chown -R ${ovs_user_id} ${OVN_ETCDIR} + chown -R ${ovs_user_id} ${OVN_RUNDIR} + chown -R ${ovs_user_id} ${OVN_LOGDIR} + fi +} + +run_as_ovs_user_if_needed() { + setup_ovs_permissions + + if [ ${ovs_user_id:-XX} != "XX" ]; then + local uid=$(id -u "${ovs_user_id%:*}") + local gid=$(id -g "${ovs_user_id%:*}") + local groups=$(id -G "${ovs_user_id%:*}" | tr ' ' ',') + + setpriv --reuid $uid --regid $gid --groups $groups "$@" + echo "run as: setpriv --reuid $uid --regid $gid --groups $groups $@" + else + "$@" + echo "run as: $@" + fi +} + +# wait_for_event [attempts=] function_to_call [arguments_to_function] +# +# Processes running inside the container should immediately start, so we +# shouldn't be making 80 attempts (default value). The "attempts=" +# argument will help us in configuring that value. +wait_for_event() { + retries=0 + sleeper=1 + attempts=80 + if [[ $1 =~ ^attempts= ]]; then + eval $1 + shift + fi + while true; do + $@ + if [[ $? != 0 ]]; then + ((retries += 1)) + if [[ "${retries}" -gt ${attempts} ]]; then + echo "error: $@ did not come up, exiting" + exit 1 + fi + echo "info: Waiting for $@ to come up, waiting ${sleeper}s ..." + sleep ${sleeper} + sleeper=5 + else + if [[ "${retries}" != 0 ]]; then + echo "$@ came up in ${retries} ${sleeper} sec tries" + fi + break + fi + done +} + +# The ovnkube-db kubernetes service must be populated with OVN DB service endpoints +# before various OVN K8s containers can come up. This functions checks for that. +# If OVN dbs are configured to listen only on unix sockets, then there will not be +# OVN DB service endpoints. +ready_to_start_node() { + get_ovn_db_vars + if [[ $ovn_nbdb == "local" ]]; then + return 0 + fi + + ovnkube_db_ep=$(get_ovnkube_zone_db_ep) + echo "Getting the ${ovnkube_db_ep} ep" + # See if ep is available ... + IFS=" " read -a ovn_db_hosts <<<"$(kubectl --server=${K8S_APISERVER} --token=${k8s_token} --certificate-authority=${K8S_CACERT} \ + get ep -n ${ovn_kubernetes_namespace} ${ovnkube_db_ep} -o=jsonpath='{range .subsets[0].addresses[*]}{.ip}{" "}')" + if [[ ${#ovn_db_hosts[@]} == 0 ]]; then + return 1 + fi + get_ovn_db_vars + return 0 +} +# wait_for_event ready_to_start_node + +# check that daemonset version is among expected versions +check_ovn_daemonset_version() { + ok=$1 + for v in ${ok}; do + if [[ $v == ${ovn_daemonset_version} ]]; then + return 0 + fi + done + echo "VERSION MISMATCH expect ${ok}, daemonset is version ${ovn_daemonset_version}" + exit 1 +} + +get_ovn_db_vars() { + ovn_nbdb_str="" + ovn_sbdb_str="" + for i in "${ovn_db_hosts[@]}"; do + if [ -n "$ovn_nbdb_str" ]; then + ovn_nbdb_str=${ovn_nbdb_str}"," + ovn_sbdb_str=${ovn_sbdb_str}"," + fi + ip=$(bracketify $i) + ovn_nbdb_str=${ovn_nbdb_str}${transport}://${ip}:${ovn_nb_port} + ovn_sbdb_str=${ovn_sbdb_str}${transport}://${ip}:${ovn_sb_port} + done + # OVN_NORTH and OVN_SOUTH override derived host + ovn_nbdb=${OVN_NORTH:-$ovn_nbdb_str} + ovn_sbdb=${OVN_SOUTH:-$ovn_sbdb_str} + + echo ovn_nbdb=$ovn_nbdb + echo ovn_sbdb=$ovn_sbdb + # ovsdb server connection method :: + ovn_nbdb_conn=$(echo ${ovn_nbdb} | sed 's;//;;g') + ovn_sbdb_conn=$(echo ${ovn_sbdb} | sed 's;//;;g') +} + +# OVS must be up before OVN comes up. +# This checks if OVS is up and running +ovs_ready() { + for daemon in $(echo ovsdb-server ovs-vswitchd); do + pidfile=${OVS_RUNDIR}/${daemon}.pid + if [[ -f ${pidfile} ]]; then + check_health $daemon $(cat $pidfile) + if [[ $? == 0 ]]; then + continue + fi + fi + return 1 + done + return 0 +} + +# Verify that the process is running either by checking for the PID in `ps` output +# or by using `ovs-appctl` utility for the processes that support it. +# $1 is the name of the process +process_ready() { + case ${1} in + "ovsdb-server" | "ovs-vswitchd") + pidfile=${OVS_RUNDIR}/${1}.pid + ;; + *) + pidfile=${OVN_RUNDIR}/${1}.pid + ;; + esac + + if [[ -f ${pidfile} ]]; then + check_health $1 $(cat $pidfile) + if [[ $? == 0 ]]; then + return 0 + fi + fi + return 1 +} + +# continuously checks if process is healthy. Exits if process terminates. +# $1 is the name of the process +# $2 is the pid of an another process to kill before exiting +process_healthy() { + case ${1} in + "ovsdb-server" | "ovs-vswitchd") + pid=$(cat ${OVS_RUNDIR}/${1}.pid) + ;; + *) + pid=$(cat ${OVN_RUNDIR}/${1}.pid) + ;; + esac + + while true; do + check_health $1 ${pid} + if [[ $? != 0 ]]; then + echo "=============== pid ${pid} terminated ========== " + # kill the tail -f + if [[ $2 != "" ]]; then + kill $2 + fi + exit 6 + fi + sleep 15 + done +} + +# checks for the health of the process either using `ps` or `ovs-appctl` +# $1 is the name of the process +# $2 is the process pid +check_health() { + ctl_file="" + case ${1} in + "ovnkube" | "ovnkube-master" | "ovn-dbchecker" | "ovnkube-cluster-manager" | "ovnkube-controller" | "ovnkube-controller-with-node" | "ovnkube-identity" ) + # just check for presence of pid + ;; + "ovnnb_db" | "ovnsb_db") + ctl_file=${OVN_RUNDIR}/${1}.ctl + ;; + "ovn-northd" | "ovn-controller") + ctl_file=${OVN_RUNDIR}/${1}.${2}.ctl + ;; + "ovsdb-server" | "ovs-vswitchd") + ctl_file=${OVS_RUNDIR}/${1}.${2}.ctl + ;; + *) + echo "Unknown service ${1} specified. Exiting.. " + exit 1 + ;; + esac + + if [[ ${ctl_file} == "" ]]; then + # no control file, so just do the PID check + pid=${2} + pidTest=$(ps ax | awk '{ print $1 }' | grep "^${pid:-XX}$") + if [[ ${pid:-XX} == ${pidTest} ]]; then + return 0 + fi + else + # use ovs-appctl to do the check + ovs-appctl -t ${ctl_file} version >/dev/null + if [[ $? == 0 ]]; then + return 0 + fi + fi + + return 1 +} + +display_file() { + if [[ -f $3 ]]; then + echo "====================== $1 pid " + cat $2 + echo "====================== $1 log " + cat $3 + echo " " + fi +} + +# pid and log file for each container +display() { + echo "==================== display for ${ovn_pod_host} =================== " + date + display_file "nb-ovsdb" ${OVN_RUNDIR}/ovnnb_db.pid ${OVN_LOGDIR}/ovsdb-server-nb.log + display_file "sb-ovsdb" ${OVN_RUNDIR}/ovnsb_db.pid ${OVN_LOGDIR}/ovsdb-server-sb.log + display_file "run-ovn-northd" ${OVN_RUNDIR}/ovn-northd.pid ${OVN_LOGDIR}/ovn-northd.log + display_file "ovn-master" ${OVN_RUNDIR}/ovnkube-master.pid ${ovnkubelogdir}/ovnkube-master.log + display_file "ovs-vswitchd" ${OVS_RUNDIR}/ovs-vswitchd.pid ${OVS_LOGDIR}/ovs-vswitchd.log + display_file "ovsdb-server" ${OVS_RUNDIR}/ovsdb-server.pid ${OVS_LOGDIR}/ovsdb-server.log + display_file "ovn-controller" ${OVN_RUNDIR}/ovn-controller.pid ${OVN_LOGDIR}/ovn-controller.log + display_file "ovnkube" ${OVN_RUNDIR}/ovnkube.pid ${ovnkubelogdir}/ovnkube.log + display_file "ovn-dbchecker" ${OVN_RUNDIR}/ovn-dbchecker.pid ${OVN_LOGDIR}/ovn-dbchecker.log +} + +setup_cni() { + cp -f /usr/libexec/cni/ovn-k8s-cni-overlay /opt/cni/bin/ovn-k8s-cni-overlay +} + +display_version() { + echo " =================== hostname: ${ovn_pod_host}" + echo " =================== daemonset version ${ovn_daemonset_version}" + if [[ -f /root/git_info ]]; then + disp_ver=$(cat /root/git_info) + echo " =================== Image built from ovn-kubernetes ${disp_ver}" + return + fi +} + +display_env() { + echo OVS_USER_ID ${ovs_user_id} + echo OVS_OPTIONS ${ovs_options} + echo OVN_NORTH ${ovn_nbdb} + echo OVN_NORTHD_OPTS ${ovn_northd_opts} + echo OVN_SOUTH ${ovn_sbdb} + echo OVN_CONTROLLER_OPTS ${ovn_controller_opts} + echo OVN_LOGLEVEL_CONTROLLER ${ovn_loglevel_controller} + echo OVN_GATEWAY_MODE ${ovn_gateway_mode} + echo OVN_GATEWAY_OPTS ${ovn_gateway_opts} + echo OVN_GATEWAY_ROUTER_SUBNET ${ovn_gateway_router_subnet} + echo OVN_NET_CIDR ${net_cidr} + echo OVN_SVC_CIDR ${svc_cidr} + echo OVN_NB_PORT ${ovn_nb_port} + echo OVN_SB_PORT ${ovn_sb_port} + echo K8S_APISERVER ${K8S_APISERVER} + echo OVNKUBE_LOGLEVEL ${ovnkube_loglevel} + echo OVN_DAEMONSET_VERSION ${ovn_daemonset_version} + echo OVNKUBE_NODE_MODE ${ovnkube_node_mode} + echo OVN_ENCAP_IP ${ovn_encap_ip} + echo OVN_KUBERNETES_CONNTRACK_ZONE ${ovn_conntrack_zone} + echo ovnkube.sh version ${ovnkube_version} + echo OVN_HOST_NETWORK_NAMESPACE ${ovn_host_network_namespace} +} + +ovn_debug() { + wait_for_event attempts=3 ready_to_start_node + echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb}" + echo "ovn_nbdb_conn ${ovn_nbdb_conn}" + echo "ovn_sbdb_conn ${ovn_sbdb_conn}" + + # get ovs/ovn info from the node for debug purposes + echo "=========== ovn_debug hostname: ${ovn_pod_host} =============" + echo "=========== ovn-nbctl --db=${ovn_nbdb_conn} show =============" + ovn-nbctl --db=${ovn_nbdb_conn} show + echo " " + echo "=========== ovn-nbctl list ACL =============" + ovn-nbctl --db=${ovn_nbdb_conn} list ACL + echo " " + echo "=========== ovn-nbctl list address_set =============" + ovn-nbctl --db=${ovn_nbdb_conn} list address_set + echo " " + echo "=========== ovs-vsctl show =============" + ovs-vsctl show + echo " " + echo "=========== ovs-ofctl -O OpenFlow13 dump-ports br-int =============" + ovs-ofctl -O OpenFlow13 dump-ports br-int + echo " " + echo "=========== ovs-ofctl -O OpenFlow13 dump-ports-desc br-int =============" + ovs-ofctl -O OpenFlow13 dump-ports-desc br-int + echo " " + echo "=========== ovs-ofctl dump-flows br-int =============" + ovs-ofctl dump-flows br-int + echo " " + echo "=========== ovn-sbctl --db=${ovn_sbdb_conn} show =============" + ovn-sbctl --db=${ovn_sbdb_conn} show + echo " " + echo "=========== ovn-sbctl --db=${ovn_sbdb_conn} lflow-list =============" + ovn-sbctl --db=${ovn_sbdb_conn} lflow-list + echo " " + echo "=========== ovn-sbctl --db=${ovn_sbdb_conn} list datapath =============" + ovn-sbctl --db=${ovn_sbdb_conn} list datapath + echo " " + echo "=========== ovn-sbctl --db=${ovn_sbdb_conn} list port_binding =============" + ovn-sbctl --db=${ovn_sbdb_conn} list port_binding +} + +ovs-server() { + # start ovs ovsdb-server and ovs-vswitchd + set -euo pipefail + + # if another process is listening on the cni-server socket, wait until it exits + trap 'kill $(jobs -p); exit 0' TERM + retries=0 + while true; do + if /usr/share/openvswitch/scripts/ovs-ctl status >/dev/null; then + echo "warning: Another process is currently managing OVS, waiting 10s ..." 2>&1 + sleep 10 & + wait + ((retries += 1)) + else + break + fi + if [[ "${retries}" -gt 60 ]]; then + echo "error: Another process is currently managing OVS, exiting" 2>&1 + exit 1 + fi + done + rm -f ${OVS_RUNDIR}/ovs-vswitchd.pid + rm -f ${OVS_RUNDIR}/ovsdb-server.pid + + # launch OVS + function quit() { + /usr/share/openvswitch/scripts/ovs-ctl stop + exit 1 + } + trap quit SIGTERM + + setup_ovs_permissions + + USER_ARGS="" + if [ ${ovs_user_id:-XX} != "XX" ]; then + USER_ARGS="--ovs-user=${ovs_user_id}" + fi + + /usr/share/openvswitch/scripts/ovs-ctl start --no-ovs-vswitchd \ + --system-id=random ${ovs_options} ${USER_ARGS} "$@" + + # Reduce stack size to 2M from default 8M as per below commit on Openvswitch + # https://github.com/openvswitch/ovs/commit/b82a90e266e1246fe2973db97c95df22558174ea + # added while troubleshooting on https://bugzilla.redhat.com/show_bug.cgi?id=1572797 + ulimit -s 2048 + + /usr/share/openvswitch/scripts/ovs-ctl start --no-ovsdb-server \ + --system-id=random ${ovs_options} ${USER_ARGS} "$@" + + if [[ $(nproc) -gt 32 ]]; then + echo "Warning: Higher memory allocation by ovs-vswitchd is expected due to high number of n-handler-threads and n-revalidator-threads" + fi + + tail --follow=name ${OVS_LOGDIR}/ovs-vswitchd.log ${OVS_LOGDIR}/ovsdb-server.log & + ovs_tail_pid=$! + sleep 10 + while true; do + if ! /usr/share/openvswitch/scripts/ovs-ctl status >/dev/null; then + echo "OVS seems to have crashed, exiting" + kill ${ovs_tail_pid} + quit + fi + sleep 15 + done +} + +cleanup-ovs-server() { + echo "=============== time: $(date +%d-%m-%H:%M:%S:%N) cleanup-ovs-server (wait for ovn-node to exit) =======" + retries=0 + while [[ ${retries} -lt 80 ]]; do + if [[ ! -e ${OVN_RUNDIR}/ovnkube.pid ]]; then + break + fi + echo "=============== time: $(date +%d-%m-%H:%M:%S:%N) cleanup-ovs-server ovn-node still running, wait) =======" + sleep 1 + ((retries += 1)) + done + echo "=============== time: $(date +%d-%m-%H:%M:%S:%N) cleanup-ovs-server (ovs-ctl stop) =======" + /usr/share/openvswitch/scripts/ovs-ctl stop +} + +# set the ovnkube_db endpoint for other pods to query the OVN DB IP +set_ovnkube_db_ep() { + ips=("$@") + + ovn_zone=$(get_node_zone) + ovnkube_db_ep=$(get_ovnkube_zone_db_ep) + echo "=============== setting ${ovnkube_db_ep} endpoints to ${ips[@]}" + # create a new endpoint for the headless onvkube-db service without selectors + kubectl --server=${K8S_APISERVER} --token=${k8s_token} --certificate-authority=${K8S_CACERT} apply -f - </dev/null 2>&1; exit 0' TERM + check_ovn_daemonset_version "1.0.0" + rm -f ${OVN_RUNDIR}/ovn-northd.pid + rm -f ${OVN_RUNDIR}/ovn-northd.*.ctl + + echo "=============== run-ovn-northd (wait for ready_to_start_node)" + wait_for_event ready_to_start_node + + echo "=============== run_ovn_northd ========== MASTER ONLY" + echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb}" + echo "ovn_northd_opts=${ovn_northd_opts}" + echo "ovn_loglevel_northd=${ovn_loglevel_northd}" + + # no monitor (and no detach), start northd which connects to the + # ovnkube-db service + local ovn_northd_ssl_opts="" + [[ "yes" == ${OVN_SSL_ENABLE} ]] && { + ovn_northd_ssl_opts=" + --ovn-northd-ssl-key=${ovn_northd_pk} + --ovn-northd-ssl-cert=${ovn_northd_cert} + --ovn-northd-ssl-ca-cert=${ovn_ca_cert} + " + } + + ovn_dbs="" + if [[ $ovn_nbdb != "local" ]]; then + ovn_dbs="--ovn-northd-nb-db=${ovn_nbdb_conn}" + fi + if [[ $ovn_sbdb != "local" ]]; then + ovn_dbs="${ovn_dbs} --ovn-northd-sb-db=${ovn_sbdb_conn}" + fi + + run_as_ovs_user_if_needed \ + ${OVNCTL_PATH} start_northd \ + --no-monitor --ovn-manage-ovsdb=no \ + ${ovn_dbs} \ + ${ovn_northd_ssl_opts} \ + --ovn-northd-log="${ovn_loglevel_northd}" \ + ${ovn_northd_opts} + + wait_for_event attempts=3 process_ready ovn-northd + echo "=============== run_ovn_northd ========== RUNNING" + + tail --follow=name ${OVN_LOGDIR}/ovn-northd.log & + ovn_tail_pid=$! + + process_healthy ovn-northd ${ovn_tail_pid} + exit 8 +} + +# v1.0.0 - run ovnkube-identity +ovnkube-identity() { + trap 'kill $(jobs -p); exit 0' TERM + check_ovn_daemonset_version "1.0.0" + rm -f ${OVN_RUNDIR}/ovnkube-identity.pid + + ovnkube_enable_interconnect_flag= + if [[ ${ovn_enable_interconnect} == "true" ]]; then + ovnkube_enable_interconnect_flag="--enable-interconnect" + fi + + ovnkube_enable_hybrid_overlay_flag= + if [[ ${ovn_hybrid_overlay_enable} == "true" ]]; then + ovnkube_enable_hybrid_overlay_flag="--enable-hybrid-overlay" + fi + + # extra-allowed-user: + # ovnkube-master service account - required for compact mode + # ovnkube-cluster-manager service account - required for multi-homing + exec /usr/bin/ovnkube-identity --k8s-apiserver="${K8S_APISERVER}" \ + --webhook-cert-dir="/etc/webhook-cert" \ + ${ovnkube_enable_interconnect_flag} \ + ${ovnkube_enable_hybrid_overlay_flag} \ + --extra-allowed-user="system:serviceaccount:ovn-kubernetes:ovnkube-cluster-manager" \ + --extra-allowed-user="system:serviceaccount:ovn-kubernetes:ovnkube-master" \ + --loglevel="${ovnkube_loglevel}" + + exit 9 +} + +# v1.0.0 - run ovnkube --master (both cluster-manager and ovnkube-controller) +ovn-master() { + trap 'kill $(jobs -p); exit 0' TERM + check_ovn_daemonset_version "1.0.0" + rm -f ${OVN_RUNDIR}/ovnkube-master.pid + + echo "=============== ovn-master (wait for ready_to_start_node) ========== MASTER ONLY" + wait_for_event ready_to_start_node + echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb}" + + # wait for northd to start + wait_for_event process_ready ovn-northd + + # wait for ovs-servers to start since ovn-master sets some fields in OVS DB + echo "=============== ovn-master - (wait for ovs)" + wait_for_event ovs_ready + + hybrid_overlay_flags= + if [[ ${ovn_hybrid_overlay_enable} == "true" ]]; then + hybrid_overlay_flags="--enable-hybrid-overlay" + if [[ -n "${ovn_hybrid_overlay_net_cidr}" ]]; then + hybrid_overlay_flags="${hybrid_overlay_flags} --hybrid-overlay-cluster-subnets=${ovn_hybrid_overlay_net_cidr}" + fi + fi + disable_snat_multiple_gws_flag= + if [[ ${ovn_disable_snat_multiple_gws} == "true" ]]; then + disable_snat_multiple_gws_flag="--disable-snat-multiple-gws" + fi + + disable_forwarding_flag= + if [[ ${ovn_disable_forwarding} == "true" ]]; then + disable_forwarding_flag="--disable-forwarding" + fi + + disable_pkt_mtu_check_flag= + if [[ ${ovn_disable_pkt_mtu_check} == "true" ]]; then + disable_pkt_mtu_check_flag="--disable-pkt-mtu-check" + fi + + empty_lb_events_flag= + if [[ ${ovn_empty_lb_events} == "true" ]]; then + empty_lb_events_flag="--ovn-empty-lb-events" + fi + + ovn_v4_join_subnet_opt= + if [[ -n ${ovn_v4_join_subnet} ]]; then + ovn_v4_join_subnet_opt="--gateway-v4-join-subnet=${ovn_v4_join_subnet}" + fi + + ovn_v6_join_subnet_opt= + if [[ -n ${ovn_v6_join_subnet} ]]; then + ovn_v6_join_subnet_opt="--gateway-v6-join-subnet=${ovn_v6_join_subnet}" + fi + + ovn_v4_masquerade_subnet_opt= + if [[ -n ${ovn_v4_masquerade_subnet} ]]; then + ovn_v4_masquerade_subnet_opt="--gateway-v4-masquerade-subnet=${ovn_v4_masquerade_subnet}" + fi + + ovn_v6_masquerade_subnet_opt= + if [[ -n ${ovn_v6_masquerade_subnet} ]]; then + ovn_v6_masquerade_subnet_opt="--gateway-v6-masquerade-subnet=${ovn_v6_masquerade_subnet}" + fi + + local ovn_master_ssl_opts="" + [[ "yes" == ${OVN_SSL_ENABLE} ]] && { + ovn_master_ssl_opts=" + --nb-client-privkey ${ovn_controller_pk} + --nb-client-cert ${ovn_controller_cert} + --nb-client-cacert ${ovn_ca_cert} + --nb-cert-common-name ${ovn_controller_cname} + --sb-client-privkey ${ovn_controller_pk} + --sb-client-cert ${ovn_controller_cert} + --sb-client-cacert ${ovn_ca_cert} + --sb-cert-common-name ${ovn_controller_cname} + " + } + + libovsdb_client_logfile_flag= + if [[ -n ${ovnkube_libovsdb_client_logfile} ]]; then + libovsdb_client_logfile_flag="--libovsdblogfile ${ovnkube_libovsdb_client_logfile}" + fi + + ovn_acl_logging_rate_limit_flag= + if [[ -n ${ovn_acl_logging_rate_limit} ]]; then + ovn_acl_logging_rate_limit_flag="--acl-logging-rate-limit ${ovn_acl_logging_rate_limit}" + fi + + multicast_enabled_flag= + if [[ ${ovn_multicast_enable} == "true" ]]; then + multicast_enabled_flag="--enable-multicast" + fi + + anp_enabled_flag= + if [[ ${ovn_admin_network_policy_enable} == "true" ]]; then + anp_enabled_flag="--enable-admin-network-policy" + fi + + egressip_enabled_flag= + if [[ ${ovn_egressip_enable} == "true" ]]; then + egressip_enabled_flag="--enable-egress-ip" + fi + + egressip_healthcheck_port_flag= + if [[ -n "${ovn_egress_ip_healthcheck_port}" ]]; then + egressip_healthcheck_port_flag="--egressip-node-healthcheck-port=${ovn_egress_ip_healthcheck_port}" + fi + + egressfirewall_enabled_flag= + if [[ ${ovn_egressfirewall_enable} == "true" ]]; then + egressfirewall_enabled_flag="--enable-egress-firewall" + fi + echo "egressfirewall_enabled_flag=${egressfirewall_enabled_flag}" + + egressqos_enabled_flag= + if [[ ${ovn_egressqos_enable} == "true" ]]; then + egressqos_enabled_flag="--enable-egress-qos" + fi + + multi_network_enabled_flag= + if [[ ${ovn_multi_network_enable} == "true" ]]; then + multi_network_enabled_flag="--enable-multi-network --enable-multi-networkpolicy" + fi + echo "multi_network_enabled_flag=${multi_network_enabled_flag}" + + network_segmentation_enabled_flag= + if [[ ${ovn_network_segmentation_enable} == "true" ]]; then + network_segmentation_enabled_flag="--enable-multi-network --enable-network-segmentation" + fi + echo "network_segmentation_enabled_flag=${network_segmentation_enabled_flag}" + + egressservice_enabled_flag= + if [[ ${ovn_egressservice_enable} == "true" ]]; then + egressservice_enabled_flag="--enable-egress-service" + fi + echo "egressservice_enabled_flag=${egressservice_enabled_flag}" + + ovnkube_master_metrics_bind_address="${metrics_endpoint_ip}:9409" + ovnkube_master_metrics_bind_address="${metrics_endpoint_ip}:${metrics_master_port}" + local ovnkube_metrics_tls_opts="" + if [[ ${OVNKUBE_METRICS_PK} != "" && ${OVNKUBE_METRICS_CERT} != "" ]]; then + ovnkube_metrics_tls_opts=" + --node-server-privkey ${OVNKUBE_METRICS_PK} + --node-server-cert ${OVNKUBE_METRICS_CERT} + " + fi + + ovnkube_config_duration_enable_flag= + if [[ ${ovnkube_config_duration_enable} == "true" ]]; then + ovnkube_config_duration_enable_flag="--metrics-enable-config-duration" + fi + echo "ovnkube_config_duration_enable_flag: ${ovnkube_config_duration_enable_flag}" + + ovnkube_metrics_scale_enable_flag= + if [[ ${ovnkube_metrics_scale_enable} == "true" ]]; then + ovnkube_metrics_scale_enable_flag="--metrics-enable-scale --metrics-enable-pprof" + fi + echo "ovnkube_metrics_scale_enable_flag: ${ovnkube_metrics_scale_enable_flag}" + + ovn_stateless_netpol_enable_flag= + if [[ ${ovn_stateless_netpol_enable} == "true" ]]; then + ovn_stateless_netpol_enable_flag="--enable-stateless-netpol" + fi + echo "ovn_stateless_netpol_enable_flag: ${ovn_stateless_netpol_enable_flag}" + + ovnkube_enable_multi_external_gateway_flag= + if [[ ${ovn_enable_multi_external_gateway} == "true" ]]; then + ovnkube_enable_multi_external_gateway_flag="--enable-multi-external-gateway" + fi + echo "ovnkube_enable_multi_external_gateway_flag=${ovnkube_enable_multi_external_gateway_flag}" + + ovn_enable_svc_template_support_flag= + if [[ ${ovn_enable_svc_template_support} == "true" ]]; then + ovn_enable_svc_template_support_flag="--enable-svc-template-support" + fi + echo "ovn_enable_svc_template_support_flag=${ovn_enable_svc_template_support_flag}" + + init_node_flags= + if [[ ${ovnkube_compact_mode_enable} == "true" ]]; then + init_node_flags="--init-node ${K8S_NODE} --nodeport" + echo "init_node_flags: ${init_node_flags}" + echo "=============== ovn-master ========== MASTER and NODE" + else + echo "=============== ovn-master ========== MASTER ONLY" + fi + + persistent_ips_enabled_flag= + if [[ ${ovn_enable_persistent_ips} == "true" ]]; then + persistent_ips_enabled_flag="--enable-persistent-ips" + fi + echo "persistent_ips_enabled_flag: ${persistent_ips_enabled_flag}" + + ovn_enable_dnsnameresolver_flag= + if [[ ${ovn_enable_dnsnameresolver} == "true" ]]; then + ovn_enable_dnsnameresolver_flag="--enable-dns-name-resolver" + fi + echo "ovn_enable_dnsnameresolver_flag=${ovn_enable_dnsnameresolver_flag}" + + /usr/bin/ovnkube --init-master ${K8S_NODE} \ + ${anp_enabled_flag} \ + ${disable_forwarding_flag} \ + ${disable_snat_multiple_gws_flag} \ + ${egressfirewall_enabled_flag} \ + ${egressip_enabled_flag} \ + ${egressip_healthcheck_port_flag} \ + ${egressqos_enabled_flag} \ + ${egressservice_enabled_flag} \ + ${empty_lb_events_flag} \ + ${hybrid_overlay_flags} \ + ${init_node_flags} \ + ${libovsdb_client_logfile_flag} \ + ${multicast_enabled_flag} \ + ${multi_network_enabled_flag} \ + ${network_segmentation_enabled_flag} \ + ${ovn_acl_logging_rate_limit_flag} \ + ${ovn_enable_svc_template_support_flag} \ + ${ovnkube_config_duration_enable_flag} \ + ${ovnkube_enable_multi_external_gateway_flag} \ + ${ovnkube_metrics_scale_enable_flag} \ + ${ovnkube_metrics_tls_opts} \ + ${ovn_master_ssl_opts} \ + ${ovn_stateless_netpol_enable_flag} \ + ${ovn_v4_join_subnet_opt} \ + ${ovn_v4_masquerade_subnet_opt} \ + ${ovn_v6_join_subnet_opt} \ + ${ovn_v6_masquerade_subnet_opt} \ + ${persistent_ips_enabled_flag} \ + ${ovn_enable_dnsnameresolver_flag} \ + --cluster-subnets ${net_cidr} --k8s-service-cidr=${svc_cidr} \ + --gateway-mode=${ovn_gateway_mode} ${ovn_gateway_opts} \ + --host-network-namespace ${ovn_host_network_namespace} \ + --logfile-maxage=${ovnkube_logfile_maxage} \ + --logfile-maxbackups=${ovnkube_logfile_maxbackups} \ + --logfile-maxsize=${ovnkube_logfile_maxsize} \ + --logfile /var/log/ovn-kubernetes/ovnkube-master.log \ + --loglevel=${ovnkube_loglevel} \ + --metrics-bind-address ${ovnkube_master_metrics_bind_address} \ + --metrics-enable-pprof \ + --nb-address=${ovn_nbdb} --sb-address=${ovn_sbdb} \ + --pidfile ${OVN_RUNDIR}/ovnkube-master.pid & + + echo "=============== ovn-master ========== running" + wait_for_event attempts=3 process_ready ovnkube-master + if [[ ${ovnkube_compact_mode_enable} == "true" ]] && [[ ${ovnkube_node_mode} != "dpu" ]]; then + setup_cni + fi + + process_healthy ovnkube-master + exit 9 +} + +# v1.0.0 - run ovnkube --ovnkube-controller +ovnkube-controller() { + trap 'kill $(jobs -p); exit 0' TERM + check_ovn_daemonset_version "1.0.0" + rm -f ${OVN_RUNDIR}/ovnkube-controller.pid + + echo "=============== ovnkube-controller (wait for ready_to_start_node) ==========" + wait_for_event ready_to_start_node + echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb}" + + # wait for northd to start + wait_for_event process_ready ovn-northd + + # wait for ovs-servers to start since ovn-master sets some fields in OVS DB + echo "=============== ovnkube-controller - (wait for ovs)" + wait_for_event ovs_ready + + hybrid_overlay_flags= + if [[ ${ovn_hybrid_overlay_enable} == "true" ]]; then + hybrid_overlay_flags="--enable-hybrid-overlay" + if [[ -n "${ovn_hybrid_overlay_net_cidr}" ]]; then + hybrid_overlay_flags="${hybrid_overlay_flags} --hybrid-overlay-cluster-subnets=${ovn_hybrid_overlay_net_cidr}" + fi + fi + echo "hybrid_overlay_flags=${hybrid_overlay_flags}" + + disable_snat_multiple_gws_flag= + if [[ ${ovn_disable_snat_multiple_gws} == "true" ]]; then + disable_snat_multiple_gws_flag="--disable-snat-multiple-gws" + fi + echo "disable_snat_multiple_gws_flag=${disable_snat_multiple_gws_flag}" + + ovn_encap_port_flag= + if [[ -n "${ovn_encap_port}" ]]; then + ovn_encap_port_flag="--encap-port=${ovn_encap_port}" + fi + echo "ovn_encap_port_flag=${ovn_encap_port_flag}" + + disable_pkt_mtu_check_flag= + if [[ ${ovn_disable_pkt_mtu_check} == "true" ]]; then + disable_pkt_mtu_check_flag="--disable-pkt-mtu-check" + fi + echo "disable_pkt_mtu_check_flag=${disable_pkt_mtu_check_flag}" + + empty_lb_events_flag= + if [[ ${ovn_empty_lb_events} == "true" ]]; then + empty_lb_events_flag="--ovn-empty-lb-events" + fi + echo "empty_lb_events_flag=${empty_lb_events_flag}" + + ovn_v4_join_subnet_opt= + if [[ -n ${ovn_v4_join_subnet} ]]; then + ovn_v4_join_subnet_opt="--gateway-v4-join-subnet=${ovn_v4_join_subnet}" + fi + echo "ovn_v4_join_subnet_opt=${ovn_v4_join_subnet_opt}" + + ovn_v6_join_subnet_opt= + if [[ -n ${ovn_v6_join_subnet} ]]; then + ovn_v6_join_subnet_opt="--gateway-v6-join-subnet=${ovn_v6_join_subnet}" + fi + echo "ovn_v6_join_subnet_opt=${ovn_v6_join_subnet_opt}" + + ovn_v4_masquerade_subnet_opt= + if [[ -n ${ovn_v4_masquerade_subnet} ]]; then + ovn_v4_masquerade_subnet_opt="--gateway-v4-masquerade-subnet=${ovn_v4_masquerade_subnet}" + fi + echo "ovn_v4_masquerade_subnet_opt=${ovn_v4_masquerade_subnet_opt}" + + ovn_v6_masquerade_subnet_opt= + if [[ -n ${ovn_v6_masquerade_subnet} ]]; then + ovn_v6_masquerade_subnet_opt="--gateway-v6-masquerade-subnet=${ovn_v6_masquerade_subnet}" + fi + echo "ovn_v6_masquerade_subnet_opt=${ovn_v6_masquerade_subnet_opt}" + + local ovn_master_ssl_opts="" + [[ "yes" == ${OVN_SSL_ENABLE} ]] && { + ovn_master_ssl_opts=" + --nb-client-privkey ${ovn_controller_pk} + --nb-client-cert ${ovn_controller_cert} + --nb-client-cacert ${ovn_ca_cert} + --nb-cert-common-name ${ovn_controller_cname} + --sb-client-privkey ${ovn_controller_pk} + --sb-client-cert ${ovn_controller_cert} + --sb-client-cacert ${ovn_ca_cert} + --sb-cert-common-name ${ovn_controller_cname} + " + } + echo "ovn_master_ssl_opts=${ovn_master_ssl_opts}" + + libovsdb_client_logfile_flag= + if [[ -n ${ovnkube_libovsdb_client_logfile} ]]; then + libovsdb_client_logfile_flag="--libovsdblogfile ${ovnkube_libovsdb_client_logfile}" + fi + + ovn_acl_logging_rate_limit_flag= + if [[ -n ${ovn_acl_logging_rate_limit} ]]; then + ovn_acl_logging_rate_limit_flag="--acl-logging-rate-limit ${ovn_acl_logging_rate_limit}" + fi + echo "ovn_acl_logging_rate_limit_flag=${ovn_acl_logging_rate_limit_flag}" + + multicast_enabled_flag= + if [[ ${ovn_multicast_enable} == "true" ]]; then + multicast_enabled_flag="--enable-multicast" + fi + echo "multicast_enabled_flag=${multicast_enabled_flag}" + + anp_enabled_flag= + if [[ ${ovn_admin_network_policy_enable} == "true" ]]; then + anp_enabled_flag="--enable-admin-network-policy" + fi + echo "anp_enabled_flag=${anp_enabled_flag}" + + egressip_enabled_flag= + if [[ ${ovn_egressip_enable} == "true" ]]; then + egressip_enabled_flag="--enable-egress-ip" + fi + echo "egressip_enabled_flag=${egressip_enabled_flag}" + + egressip_healthcheck_port_flag= + if [[ -n "${ovn_egress_ip_healthcheck_port}" ]]; then + egressip_healthcheck_port_flag="--egressip-node-healthcheck-port=${ovn_egress_ip_healthcheck_port}" + fi + echo "egressip_healthcheck_port_flag=${egressip_healthcheck_port_flag}" + + egressfirewall_enabled_flag= + if [[ ${ovn_egressfirewall_enable} == "true" ]]; then + egressfirewall_enabled_flag="--enable-egress-firewall" + fi + echo "egressfirewall_enabled_flag=${egressfirewall_enabled_flag}" + + egressqos_enabled_flag= + if [[ ${ovn_egressqos_enable} == "true" ]]; then + egressqos_enabled_flag="--enable-egress-qos" + fi + echo "egressqos_enabled_flag=${egressqos_enabled_flag}" + + multi_network_enabled_flag= + if [[ ${ovn_multi_network_enable} == "true" ]]; then + multi_network_enabled_flag="--enable-multi-network --enable-multi-networkpolicy" + fi + echo "multi_network_enabled_flag=${multi_network_enabled_flag}" + + network_segmentation_enabled_flag= + if [[ ${ovn_network_segmentation_enable} == "true" ]]; then + network_segmentation_enabled_flag="--enable-multi-network --enable-network-segmentation" + fi + echo "network_segmentation_enabled_flag=${network_segmentation_enabled_flag}" + + egressservice_enabled_flag= + if [[ ${ovn_egressservice_enable} == "true" ]]; then + egressservice_enabled_flag="--enable-egress-service" + fi + echo "egressservice_enabled_flag=${egressservice_enabled_flag}" + + ovnkube_master_metrics_bind_address="${metrics_endpoint_ip}:${metrics_master_port}" + echo "ovnkube_master_metrics_bind_address=${ovnkube_master_metrics_bind_address}" + + local ovnkube_metrics_tls_opts="" + if [[ ${OVNKUBE_METRICS_PK} != "" && ${OVNKUBE_METRICS_CERT} != "" ]]; then + ovnkube_metrics_tls_opts=" + --node-server-privkey ${OVNKUBE_METRICS_PK} + --node-server-cert ${OVNKUBE_METRICS_CERT} + " + fi + echo "ovnkube_metrics_tls_opts=${ovnkube_metrics_tls_opts}" + + ovnkube_config_duration_enable_flag= + if [[ ${ovnkube_config_duration_enable} == "true" ]]; then + ovnkube_config_duration_enable_flag="--metrics-enable-config-duration" + fi + echo "ovnkube_config_duration_enable_flag: ${ovnkube_config_duration_enable_flag}" + + ovn_zone=$(get_node_zone) + echo "ovnkube-controller's configured zone is ${ovn_zone}" + + ovn_dbs="" + if [[ $ovn_nbdb != "local" ]]; then + ovn_dbs="--nb-address=${ovn_nbdb}" + fi + if [[ $ovn_sbdb != "local" ]]; then + ovn_dbs="${ovn_dbs} --sb-address=${ovn_sbdb}" + fi + + ovnkube_enable_interconnect_flag= + if [[ ${ovn_enable_interconnect} == "true" ]]; then + ovnkube_enable_interconnect_flag="--enable-interconnect" + fi + echo "ovnkube_enable_interconnect_flag: ${ovnkube_enable_interconnect_flag}" + + ovnkube_enable_multi_external_gateway_flag= + if [[ ${ovn_enable_multi_external_gateway} == "true" ]]; then + ovnkube_enable_multi_external_gateway_flag="--enable-multi-external-gateway" + fi + echo "ovnkube_enable_multi_external_gateway_flag=${ovnkube_enable_multi_external_gateway_flag}" + + ovnkube_metrics_scale_enable_flag= + if [[ ${ovnkube_metrics_scale_enable} == "true" ]]; then + ovnkube_metrics_scale_enable_flag="--metrics-enable-scale --metrics-enable-pprof" + fi + echo "ovnkube_metrics_scale_enable_flag: ${ovnkube_metrics_scale_enable_flag}" + + ovnkube_local_cert_flags= + if [[ ${ovn_enable_ovnkube_identity} == "true" ]]; then + bootstrap_kubeconfig="/host-kubernetes/kubelet.conf" + if [ -f "${bootstrap_kubeconfig}" ]; then + ovnkube_local_cert_flags=" + --bootstrap-kubeconfig ${bootstrap_kubeconfig} + --cert-dir /var/run/ovn-kubernetes/certs + " + else + echo "bootstrap kubeconfig file: ${bootstrap_kubeconfig} doesn't exist, + skipping bootstrap-kubeconfig/cert-dir parameters" + fi + fi + echo "ovnkube_local_cert_flags=${ovnkube_local_cert_flags}" + + ovn_enable_svc_template_support_flag= + if [[ ${ovn_enable_svc_template_support} == "true" ]]; then + ovn_enable_svc_template_support_flag="--enable-svc-template-support" + fi + echo "ovn_enable_svc_template_support_flag=${ovn_enable_svc_template_support_flag}" + + ovn_enable_dnsnameresolver_flag= + if [[ ${ovn_enable_dnsnameresolver} == "true" ]]; then + ovn_enable_dnsnameresolver_flag="--enable-dns-name-resolver" + fi + echo "ovn_enable_dnsnameresolver_flag=${ovn_enable_dnsnameresolver_flag}" + + echo "=============== ovnkube-controller ========== MASTER ONLY" + /usr/bin/ovnkube --init-ovnkube-controller ${K8S_NODE} \ + ${anp_enabled_flag} \ + ${disable_snat_multiple_gws_flag} \ + ${egressfirewall_enabled_flag} \ + ${egressip_enabled_flag} \ + ${egressip_healthcheck_port_flag} \ + ${egressqos_enabled_flag} \ + ${egressservice_enabled_flag} \ + ${empty_lb_events_flag} \ + ${hybrid_overlay_flags} \ + ${libovsdb_client_logfile_flag} \ + ${multicast_enabled_flag} \ + ${multi_network_enabled_flag} \ + ${network_segmentation_enabled_flag} \ + ${ovn_acl_logging_rate_limit_flag} \ + ${ovn_dbs} \ + ${ovn_enable_svc_template_support_flag} \ + ${ovnkube_config_duration_enable_flag} \ + ${ovnkube_enable_interconnect_flag} \ + ${ovnkube_local_cert_flags} \ + ${ovnkube_enable_multi_external_gateway_flag} \ + ${ovnkube_metrics_scale_enable_flag} \ + ${ovnkube_metrics_tls_opts} \ + ${ovn_encap_port_flag} \ + ${ovn_master_ssl_opts} \ + ${ovn_v4_join_subnet_opt} \ + ${ovn_v4_masquerade_subnet_opt} \ + ${ovn_v6_join_subnet_opt} \ + ${ovn_v6_masquerade_subnet_opt} \ + ${ovn_enable_dnsnameresolver_flag} \ + --cluster-subnets ${net_cidr} --k8s-service-cidr=${svc_cidr} \ + --gateway-mode=${ovn_gateway_mode} \ + --host-network-namespace ${ovn_host_network_namespace} \ + --logfile-maxage=${ovnkube_logfile_maxage} \ + --logfile-maxbackups=${ovnkube_logfile_maxbackups} \ + --logfile-maxsize=${ovnkube_logfile_maxsize} \ + --logfile /var/log/ovn-kubernetes/ovnkube-controller.log \ + --loglevel=${ovnkube_loglevel} \ + --metrics-bind-address ${ovnkube_master_metrics_bind_address} \ + --metrics-enable-pprof \ + --pidfile ${OVN_RUNDIR}/ovnkube-controller.pid \ + --zone ${ovn_zone} & + + echo "=============== ovnkube-controller ========== running" + wait_for_event attempts=3 process_ready ovnkube-controller + + process_healthy ovnkube-controller + exit 9 +} + +ovnkube-controller-with-node() { + trap 'kill $(jobs -p) ; rm -f /etc/cni/net.d/10-ovn-kubernetes.conf ; exit 0' TERM + check_ovn_daemonset_version "1.0.0" + rm -f ${OVN_RUNDIR}/ovnkube-controller-with-node.pid + + if [[ ${ovnkube_node_mode} != "dpu-host" ]]; then + echo "=============== ovnkube-controller-with-node - (wait for ovs)" + wait_for_event ovs_ready + fi + + echo "=============== ovnkube-controller-with-node (wait for ready_to_start_node) ==========" + wait_for_event ready_to_start_node + echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb} ovn_nbdb_conn ${ovn_nbdb_conn}" + + # wait for northd to start + wait_for_event process_ready ovn-northd + + # wait for ovs-servers to start since ovn-master sets some fields in OVS DB + echo "=============== ovnkube-controller-with-node - (wait for ovs)" + wait_for_event ovs_ready + + if [[ ${ovnkube_node_mode} != "dpu-host" ]]; then + echo "=============== ovnkube-controller-with-node - (ovn-node wait for ovn-controller.pid)" + wait_for_event process_ready ovn-controller + fi + + ovn_routable_mtu_flag= + if [[ -n "${routable_mtu}" ]]; then + routable_mtu_flag="--routable-mtu ${routable_mtu}" + fi + + hybrid_overlay_flags= + if [[ ${ovn_hybrid_overlay_enable} == "true" ]]; then + hybrid_overlay_flags="--enable-hybrid-overlay" + if [[ -n "${ovn_hybrid_overlay_net_cidr}" ]]; then + hybrid_overlay_flags="${hybrid_overlay_flags} --hybrid-overlay-cluster-subnets=${ovn_hybrid_overlay_net_cidr}" + fi + fi + echo "hybrid_overlay_flags=${hybrid_overlay_flags}" + + disable_snat_multiple_gws_flag= + if [[ ${ovn_disable_snat_multiple_gws} == "true" ]]; then + disable_snat_multiple_gws_flag="--disable-snat-multiple-gws" + fi + echo "disable_snat_multiple_gws_flag=${disable_snat_multiple_gws_flag}" + + disable_forwarding_flag= + if [[ ${ovn_disable_forwarding} == "true" ]]; then + disable_forwarding_flag="--disable-forwarding" + fi + + ovn_encap_port_flag= + if [[ -n "${ovn_encap_port}" ]]; then + ovn_encap_port_flag="--encap-port=${ovn_encap_port}" + fi + echo "ovn_encap_port_flag=${ovn_encap_port_flag}" + + disable_pkt_mtu_check_flag= + if [[ ${ovn_disable_pkt_mtu_check} == "true" ]]; then + disable_pkt_mtu_check_flag="--disable-pkt-mtu-check" + fi + echo "disable_pkt_mtu_check_flag=${disable_pkt_mtu_check_flag}" + + empty_lb_events_flag= + if [[ ${ovn_empty_lb_events} == "true" ]]; then + empty_lb_events_flag="--ovn-empty-lb-events" + fi + echo "empty_lb_events_flag=${empty_lb_events_flag}" + + ovn_v4_join_subnet_opt= + if [[ -n ${ovn_v4_join_subnet} ]]; then + ovn_v4_join_subnet_opt="--gateway-v4-join-subnet=${ovn_v4_join_subnet}" + fi + echo "ovn_v4_join_subnet_opt=${ovn_v4_join_subnet_opt}" + + ovn_v6_join_subnet_opt= + if [[ -n ${ovn_v6_join_subnet} ]]; then + ovn_v6_join_subnet_opt="--gateway-v6-join-subnet=${ovn_v6_join_subnet}" + fi + echo "ovn_v6_join_subnet_opt=${ovn_v6_join_subnet_opt}" + + local ssl_opts="" + + [[ "yes" == ${OVN_SSL_ENABLE} ]] && { + ssl_opts=" + --nb-client-privkey ${ovn_controller_pk} + --nb-client-cert ${ovn_controller_cert} + --nb-client-cacert ${ovn_ca_cert} + --nb-cert-common-name ${ovn_controller_cname} + --sb-client-privkey ${ovn_controller_pk} + --sb-client-cert ${ovn_controller_cert} + --sb-client-cacert ${ovn_ca_cert} + --sb-cert-common-name ${ovn_controller_cname} + " + } + echo "ssl_opts=${ssl_opts}" + + ovn_acl_logging_rate_limit_flag= + if [[ -n ${ovn_acl_logging_rate_limit} ]]; then + ovn_acl_logging_rate_limit_flag="--acl-logging-rate-limit ${ovn_acl_logging_rate_limit}" + fi + echo "ovn_acl_logging_rate_limit_flag=${ovn_acl_logging_rate_limit_flag}" + + multicast_enabled_flag= + if [[ ${ovn_multicast_enable} == "true" ]]; then + multicast_enabled_flag="--enable-multicast" + fi + echo "multicast_enabled_flag=${multicast_enabled_flag}" + + egressip_enabled_flag= + if [[ ${ovn_egressip_enable} == "true" ]]; then + egressip_enabled_flag="--enable-egress-ip" + fi + echo "egressip_enabled_flag=${egressip_enabled_flag}" + + egressip_healthcheck_port_flag= + if [[ -n "${ovn_egress_ip_healthcheck_port}" ]]; then + egressip_healthcheck_port_flag="--egressip-node-healthcheck-port=${ovn_egress_ip_healthcheck_port}" + fi + echo "egressip_healthcheck_port_flag=${egressip_healthcheck_port_flag}" + + egressfirewall_enabled_flag= + if [[ ${ovn_egressfirewall_enable} == "true" ]]; then + egressfirewall_enabled_flag="--enable-egress-firewall" + fi + echo "egressfirewall_enabled_flag=${egressfirewall_enabled_flag}" + + egressqos_enabled_flag= + if [[ ${ovn_egressqos_enable} == "true" ]]; then + egressqos_enabled_flag="--enable-egress-qos" + fi + echo "egressqos_enabled_flag=${egressqos_enabled_flag}" + + multi_network_enabled_flag= + if [[ ${ovn_multi_network_enable} == "true" ]]; then + multi_network_enabled_flag="--enable-multi-network --enable-multi-networkpolicy" + fi + echo "multi_network_enabled_flag=${multi_network_enabled_flag}" + + network_segmentation_enabled_flag= + if [[ ${ovn_network_segmentation_enable} == "true" ]]; then + network_segmentation_enabled_flag="--enable-multi-network --enable-network-segmentation" + fi + echo "network_segmentation_enabled_flag=${network_segmentation_enabled_flag}" + + egressservice_enabled_flag= + if [[ ${ovn_egressservice_enable} == "true" ]]; then + egressservice_enabled_flag="--enable-egress-service" + fi + echo "egressservice_enabled_flag=${egressservice_enabled_flag}" + + disable_ovn_iface_id_ver_flag= + if [[ ${ovn_disable_ovn_iface_id_ver} == "true" ]]; then + disable_ovn_iface_id_ver_flag="--disable-ovn-iface-id-ver" + fi + + netflow_targets= + if [[ -n ${ovn_netflow_targets} ]]; then + netflow_targets="--netflow-targets ${ovn_netflow_targets}" + fi + + sflow_targets= + if [[ -n ${ovn_sflow_targets} ]]; then + sflow_targets="--sflow-targets ${ovn_sflow_targets}" + fi + + ipfix_targets= + if [[ -n ${ovn_ipfix_targets} ]]; then + ipfix_targets="--ipfix-targets ${ovn_ipfix_targets}" + fi + + ipfix_config= + if [[ -n ${ovn_ipfix_sampling} ]]; then + ipfix_config="--ipfix-sampling ${ovn_ipfix_sampling}" + fi + if [[ -n ${ovn_ipfix_cache_max_flows} ]]; then + ipfix_config="${ipfix_config} --ipfix-cache-max-flows ${ovn_ipfix_cache_max_flows}" + fi + if [[ -n ${ovn_ipfix_cache_active_timeout} ]]; then + ipfix_config="${ipfix_config} --ipfix-cache-active-timeout ${ovn_ipfix_cache_active_timeout}" + fi + + monitor_all= + if [[ -n ${ovn_monitor_all} ]]; then + monitor_all="--monitor-all=${ovn_monitor_all}" + fi + + ofctrl_wait_before_clear= + if [[ -n ${ovn_ofctrl_wait_before_clear} ]]; then + ofctrl_wait_before_clear="--ofctrl-wait-before-clear=${ovn_ofctrl_wait_before_clear}" + fi + + enable_lflow_cache= + if [[ -n ${ovn_enable_lflow_cache} ]]; then + enable_lflow_cache="--enable-lflow-cache=${ovn_enable_lflow_cache}" + fi + + lflow_cache_limit= + if [[ -n ${ovn_lflow_cache_limit} ]]; then + lflow_cache_limit="--lflow-cache-limit=${ovn_lflow_cache_limit}" + fi + + lflow_cache_limit_kb= + if [[ -n ${ovn_lflow_cache_limit_kb} ]]; then + lflow_cache_limit_kb="--lflow-cache-limit-kb=${ovn_lflow_cache_limit_kb}" + fi + + egress_interface= + if [[ -n ${ovn_ex_gw_network_interface} ]]; then + egress_interface="--exgw-interface ${ovn_ex_gw_network_interface}" + fi + + ovn_encap_ip_flag= + if [[ ${ovn_encap_ip} != "" ]]; then + ovn_encap_ip_flag="--encap-ip=${ovn_encap_ip}" + else + ovn_encap_ip=$(ovs-vsctl --if-exists get Open_vSwitch . external_ids:ovn-encap-ip) + if [[ $? == 0 ]]; then + ovn_encap_ip=$(echo ${ovn_encap_ip} | tr -d '\"') + if [[ "${ovn_encap_ip}" != "" ]]; then + ovn_encap_ip_flag="--encap-ip=${ovn_encap_ip}" + fi + fi + fi + + ovnkube_node_mode_flag= + if [[ ${ovnkube_node_mode} != "" ]]; then + ovnkube_node_mode_flag="--ovnkube-node-mode=${ovnkube_node_mode}" + if [[ ${ovnkube_node_mode} == "dpu" ]]; then + # encap IP is required for dpu, this is either provided via OVN_ENCAP_IP env variable or taken from ovs + if [[ ${ovn_encap_ip} == "" ]]; then + echo "ovn encap IP must be provided if \"ovnkube-node-mode\" set to \"dpu\". Exiting..." + exit 1 + fi + fi + fi + + ovnkube_node_mgmt_port_netdev_flag= + if [[ ${ovnkube_node_mgmt_port_netdev} != "" ]]; then + ovnkube_node_mgmt_port_netdev_flag="--ovnkube-node-mgmt-port-netdev=${ovnkube_node_mgmt_port_netdev}" + fi + if [[ -n "${ovnkube_node_mgmt_port_dp_resource_name}" ]] ; then + node_mgmt_port_netdev_flags="$node_mgmt_port_netdev_flags --ovnkube-node-mgmt-port-dp-resource-name ${ovnkube_node_mgmt_port_dp_resource_name}" + fi + + ovn_unprivileged_flag="--unprivileged-mode" + if test -z "${OVN_UNPRIVILEGED_MODE+x}" -o "x${OVN_UNPRIVILEGED_MODE}" = xno; then + ovn_unprivileged_flag="" + fi + + ovn_metrics_bind_address="${metrics_endpoint_ip}:${metrics_bind_port}" + metrics_bind_address="${metrics_endpoint_ip}:${metrics_worker_port}" + echo "ovn_metrics_bind_address=${ovn_metrics_bind_address}" + echo "metrics_bind_address=${metrics_bind_address}" + + local ovnkube_metrics_tls_opts="" + if [[ ${OVNKUBE_METRICS_PK} != "" && ${OVNKUBE_METRICS_CERT} != "" ]]; then + ovnkube_metrics_tls_opts=" + --node-server-privkey ${OVNKUBE_METRICS_PK} + --node-server-cert ${OVNKUBE_METRICS_CERT} + " + fi + echo "ovnkube_metrics_tls_opts=${ovnkube_metrics_tls_opts}" + + ovnkube_config_duration_enable_flag= + if [[ ${ovnkube_config_duration_enable} == "true" ]]; then + ovnkube_config_duration_enable_flag="--metrics-enable-config-duration" + fi + echo "ovnkube_config_duration_enable_flag: ${ovnkube_config_duration_enable_flag}" + + ovn_zone=$(get_node_zone) + echo "ovnkube-controller-with-node's configured zone is ${ovn_zone}" + + ovn_dbs="" + if [[ $ovn_nbdb != "local" ]]; then + ovn_dbs="--nb-address=${ovn_nbdb}" + fi + if [[ $ovn_sbdb != "local" ]]; then + ovn_dbs="${ovn_dbs} --sb-address=${ovn_sbdb}" + fi + + ovnkube_enable_interconnect_flag= + if [[ ${ovn_enable_interconnect} == "true" ]]; then + ovnkube_enable_interconnect_flag="--enable-interconnect" + fi + echo "ovnkube_enable_interconnect_flag: ${ovnkube_enable_interconnect_flag}" + + ovnkube_enable_multi_external_gateway_flag= + if [[ ${ovn_enable_multi_external_gateway} == "true" ]]; then + ovnkube_enable_multi_external_gateway_flag="--enable-multi-external-gateway" + fi + echo "ovnkube_enable_multi_external_gateway_flag=${ovnkube_enable_multi_external_gateway_flag}" + + libovsdb_client_logfile_flag= + if [[ -n ${ovnkube_libovsdb_client_logfile} ]]; then + libovsdb_client_logfile_flag="--libovsdblogfile ${ovnkube_libovsdb_client_logfile}" + fi + + anp_enabled_flag= + if [[ ${ovn_admin_network_policy_enable} == "true" ]]; then + anp_enabled_flag="--enable-admin-network-policy" + fi + echo "anp_enabled_flag=${anp_enabled_flag}" + + ovn_v4_masquerade_subnet_opt= + if [[ -n ${ovn_v4_masquerade_subnet} ]]; then + ovn_v4_masquerade_subnet_opt="--gateway-v4-masquerade-subnet=${ovn_v4_masquerade_subnet}" + fi + echo "ovn_v4_masquerade_subnet_opt=${ovn_v4_masquerade_subnet_opt}" + + ovn_v6_masquerade_subnet_opt= + if [[ -n ${ovn_v6_masquerade_subnet} ]]; then + ovn_v6_masquerade_subnet_opt="--gateway-v6-masquerade-subnet=${ovn_v6_masquerade_subnet}" + fi + echo "ovn_v6_masquerade_subnet_opt=${ovn_v6_masquerade_subnet_opt}" + + ovnkube_metrics_scale_enable_flag= + if [[ ${ovnkube_metrics_scale_enable} == "true" ]]; then + ovnkube_metrics_scale_enable_flag="--metrics-enable-scale --metrics-enable-pprof" + fi + echo "ovnkube_metrics_scale_enable_flag: ${ovnkube_metrics_scale_enable_flag}" + ovnkube_local_cert_flags= + if [[ ${ovn_enable_ovnkube_identity} == "true" ]]; then + bootstrap_kubeconfig="/host-kubernetes/kubelet.conf" + if [ -f "${bootstrap_kubeconfig}" ]; then + ovnkube_local_cert_flags=" + --bootstrap-kubeconfig ${bootstrap_kubeconfig} + --cert-dir /var/run/ovn-kubernetes/certs + " + else + echo "bootstrap kubeconfig file: ${bootstrap_kubeconfig} doesn't exist, + skipping bootstrap-kubeconfig/cert-dir parameters" + fi + fi + echo "ovnkube_local_cert_flags=${ovnkube_local_cert_flags}" + + ovn_enable_svc_template_support_flag= + if [[ ${ovn_enable_svc_template_support} == "true" ]]; then + ovn_enable_svc_template_support_flag="--enable-svc-template-support" + fi + echo "ovn_enable_svc_template_support_flag=${ovn_enable_svc_template_support_flag}" + + ovn_enable_dnsnameresolver_flag= + if [[ ${ovn_enable_dnsnameresolver} == "true" ]]; then + ovn_enable_dnsnameresolver_flag="--enable-dns-name-resolver" + fi + echo "ovn_enable_dnsnameresolver_flag=${ovn_enable_dnsnameresolver_flag}" + + echo "=============== ovnkube-controller-with-node --init-ovnkube-controller-with-node==========" + /usr/bin/ovnkube --init-ovnkube-controller ${K8S_NODE} --init-node ${K8S_NODE} \ + ${anp_enabled_flag} \ + ${disable_forwarding_flag} \ + ${disable_ovn_iface_id_ver_flag} \ + ${disable_pkt_mtu_check_flag} \ + ${disable_snat_multiple_gws_flag} \ + ${egressfirewall_enabled_flag} \ + ${egress_interface} \ + ${egressip_enabled_flag} \ + ${egressip_healthcheck_port_flag} \ + ${egressqos_enabled_flag} \ + ${egressservice_enabled_flag} \ + ${empty_lb_events_flag} \ + ${enable_lflow_cache} \ + ${hybrid_overlay_flags} \ + ${ipfix_config} \ + ${ipfix_targets} \ + ${libovsdb_client_logfile_flag} \ + ${lflow_cache_limit} \ + ${lflow_cache_limit_kb} \ + ${monitor_all} \ + ${multicast_enabled_flag} \ + ${multi_network_enabled_flag} \ + ${network_segmentation_enabled_flag} \ + ${netflow_targets} \ + ${ofctrl_wait_before_clear} \ + ${ovn_acl_logging_rate_limit_flag} \ + ${ovn_dbs} \ + ${ovn_enable_svc_template_support_flag} \ + ${ovn_encap_ip_flag} \ + ${ovn_encap_port_flag} \ + ${ovnkube_config_duration_enable_flag} \ + ${ovnkube_enable_interconnect_flag} \ + ${ovnkube_local_cert_flags} \ + ${ovnkube_enable_multi_external_gateway_flag} \ + ${ovnkube_metrics_scale_enable_flag} \ + ${ovnkube_metrics_tls_opts} \ + ${ovnkube_node_mgmt_port_netdev_flag} \ + ${ovnkube_node_mode_flag} \ + ${ovn_unprivileged_flag} \ + ${ovn_v4_join_subnet_opt} \ + ${ovn_v4_masquerade_subnet_opt} \ + ${ovn_v6_join_subnet_opt} \ + ${ovn_v6_masquerade_subnet_opt} \ + ${routable_mtu_flag} \ + ${sflow_targets} \ + ${ssl_opts} \ + ${ovn_enable_dnsnameresolver_flag} \ + --cluster-subnets ${net_cidr} --k8s-service-cidr=${svc_cidr} \ + --export-ovs-metrics \ + --gateway-mode=${ovn_gateway_mode} \ + --gateway-router-subnet=${ovn_gateway_router_subnet} \ + --host-network-namespace ${ovn_host_network_namespace} \ + --inactivity-probe=${ovn_remote_probe_interval} \ + --logfile-maxage=${ovnkube_logfile_maxage} \ + --logfile-maxbackups=${ovnkube_logfile_maxbackups} \ + --logfile-maxsize=${ovnkube_logfile_maxsize} \ + --logfile /var/log/ovn-kubernetes/ovnkube-controller-with-node.log \ + --loglevel=${ovnkube_loglevel} \ + --metrics-bind-address ${metrics_bind_address} \ + --metrics-enable-pprof \ + --mtu=${mtu} \ + --nodeport \ + --ovn-metrics-bind-address ${ovn_metrics_bind_address} \ + --pidfile ${OVN_RUNDIR}/ovnkube-controller-with-node.pid \ + --zone ${ovn_zone} & + + wait_for_event attempts=3 process_ready ovnkube-controller-with-node + if [[ ${ovnkube_node_mode} != "dpu" ]]; then + setup_cni + fi + echo "=============== ovnkube-controller-with-node ========== running" + + process_healthy ovnkube-controller-with-node + # TODO exit 9 vs 7 + exit 9 +} + +# run ovnkube --cluster-manager. +ovn-cluster-manager() { + trap 'kill $(jobs -p); exit 0' TERM + check_ovn_daemonset_version "1.0.0" + + ovn_encap_port_flag= + if [[ -n "${ovn_encap_port}" ]]; then + ovn_encap_port_flag="--encap-port=${ovn_encap_port}" + fi + echo "ovn_encap_port_flag=${ovn_encap_port_flag}" + + egressip_enabled_flag= + if [[ ${ovn_egressip_enable} == "true" ]]; then + egressip_enabled_flag="--enable-egress-ip" + fi + + egressip_healthcheck_port_flag= + if [[ -n "${ovn_egress_ip_healthcheck_port}" ]]; then + egressip_healthcheck_port_flag="--egressip-node-healthcheck-port=${ovn_egress_ip_healthcheck_port}" + fi + echo "egressip_flags: ${egressip_enabled_flag}, ${egressip_healthcheck_port_flag}" + + egressservice_enabled_flag= + if [[ ${ovn_egressservice_enable} == "true" ]]; then + egressservice_enabled_flag="--enable-egress-service" + fi + echo "egressservice_enabled_flag=${egressservice_enabled_flag}" + + anp_enabled_flag= + if [[ ${ovn_admin_network_policy_enable} == "true" ]]; then + anp_enabled_flag="--enable-admin-network-policy" + fi + echo "anp_enabled_flag=${anp_enabled_flag}" + + egressfirewall_enabled_flag= + if [[ ${ovn_egressfirewall_enable} == "true" ]]; then + egressfirewall_enabled_flag="--enable-egress-firewall" + fi + echo "egressfirewall_enabled_flag=${egressfirewall_enabled_flag}" + + egressqos_enabled_flag= + if [[ ${ovn_egressqos_enable} == "true" ]]; then + egressqos_enabled_flag="--enable-egress-qos" + fi + echo "egressqos_enabled_flag=${egressqos_enabled_flag}" + + hybrid_overlay_flags= + if [[ ${ovn_hybrid_overlay_enable} == "true" ]]; then + hybrid_overlay_flags="--enable-hybrid-overlay" + if [[ -n "${ovn_hybrid_overlay_net_cidr}" ]]; then + hybrid_overlay_flags="${hybrid_overlay_flags} --hybrid-overlay-cluster-subnets=${ovn_hybrid_overlay_net_cidr}" + fi + fi + echo "hybrid_overlay_flags: ${hybrid_overlay_flags}" + + ovn_v4_join_subnet_opt= + if [[ -n ${ovn_v4_join_subnet} ]]; then + ovn_v4_join_subnet_opt="--gateway-v4-join-subnet=${ovn_v4_join_subnet}" + fi + echo "ovn_v4_join_subnet_opt: ${ovn_v4_join_subnet_opt}" + + ovn_v6_join_subnet_opt= + if [[ -n ${ovn_v6_join_subnet} ]]; then + ovn_v6_join_subnet_opt="--gateway-v6-join-subnet=${ovn_v6_join_subnet}" + fi + echo "ovn_v6_join_subnet_opt: ${ovn_v6_join_subnet_opt}" + + ovn_v4_masquerade_subnet_opt= + if [[ -n ${ovn_v4_masquerade_subnet} ]]; then + ovn_v4_masquerade_subnet_opt="--gateway-v4-masquerade-subnet=${ovn_v4_masquerade_subnet}" + fi + echo "ovn_v4_masquerade_subnet_opt=${ovn_v4_masquerade_subnet_opt}" + + ovn_v6_masquerade_subnet_opt= + if [[ -n ${ovn_v6_masquerade_subnet} ]]; then + ovn_v6_masquerade_subnet_opt="--gateway-v6-masquerade-subnet=${ovn_v6_masquerade_subnet}" + fi + echo "ovn_v6_masquerade_subnet_opt=${ovn_v6_masquerade_subnet_opt}" + + ovn_v4_transit_switch_subnet_opt= + if [[ -n ${ovn_v4_transit_switch_subnet} ]]; then + ovn_v4_transit_switch_subnet_opt="--cluster-manager-v4-transit-switch-subnet=${ovn_v4_transit_switch_subnet}" + fi + echo "ovn_v4_transit_switch_subnet_opt=${ovn_v4_transit_switch_subnet}" + + ovn_v6_transit_switch_subnet_opt= + if [[ -n ${ovn_v6_transit_switch_subnet} ]]; then + ovn_v6_transit_switch_subnet_opt="--cluster-manager-v6-transit-switch-subnet=${ovn_v6_transit_switch_subnet}" + fi + echo "ovn_v6_transit_switch_subnet_opt=${ovn_v6_transit_switch_subnet}" + + multicast_enabled_flag= + if [[ ${ovn_multicast_enable} == "true" ]]; then + multicast_enabled_flag="--enable-multicast" + fi + echo "multicast_enabled_flag: ${multicast_enabled_flag}" + + multi_network_enabled_flag= + if [[ ${ovn_multi_network_enable} == "true" ]]; then + multi_network_enabled_flag="--enable-multi-network --enable-multi-networkpolicy" + fi + echo "multi_network_enabled_flag: ${multi_network_enabled_flag}" + + network_segmentation_enabled_flag= + if [[ ${ovn_network_segmentation_enable} == "true" ]]; then + network_segmentation_enabled_flag="--enable-multi-network --enable-network-segmentation" + fi + echo "network_segmentation_enabled_flag=${network_segmentation_enabled_flag}" + + persistent_ips_enabled_flag= + if [[ ${ovn_enable_persistent_ips} == "true" ]]; then + persistent_ips_enabled_flag="--enable-persistent-ips" + fi + echo "persistent_ips_enabled_flag: ${persistent_ips_enabled_flag}" + + ovnkube_cluster_manager_metrics_bind_address="${metrics_endpoint_ip}:9411" + echo "ovnkube_cluster_manager_metrics_bind_address: ${ovnkube_cluster_manager_metrics_bind_address}" + + local ovnkube_metrics_tls_opts="" + if [[ ${OVNKUBE_METRICS_PK} != "" && ${OVNKUBE_METRICS_CERT} != "" ]]; then + ovnkube_metrics_tls_opts=" + --node-server-privkey ${OVNKUBE_METRICS_PK} + --node-server-cert ${OVNKUBE_METRICS_CERT} + " + fi + echo "ovnkube_metrics_tls_opts: ${ovnkube_metrics_tls_opts}" + + ovnkube_enable_interconnect_flag= + if [[ ${ovn_enable_interconnect} == "true" ]]; then + ovnkube_enable_interconnect_flag="--enable-interconnect" + fi + echo "ovnkube_enable_interconnect_flag: ${ovnkube_enable_interconnect_flag}" + + ovnkube_enable_multi_external_gateway_flag= + if [[ ${ovn_enable_multi_external_gateway} == "true" ]]; then + ovnkube_enable_multi_external_gateway_flag="--enable-multi-external-gateway" + fi + echo "ovnkube_enable_multi_external_gateway_flag=${ovnkube_enable_multi_external_gateway_flag}" + + empty_lb_events_flag= + if [[ ${ovn_empty_lb_events} == "true" ]]; then + empty_lb_events_flag="--ovn-empty-lb-events" + fi + echo "empty_lb_events_flag=${empty_lb_events_flag}" + + ovn_enable_dnsnameresolver_flag= + if [[ ${ovn_enable_dnsnameresolver} == "true" ]]; then + ovn_enable_dnsnameresolver_flag="--enable-dns-name-resolver" + fi + echo "ovn_enable_dnsnameresolver_flag=${ovn_enable_dnsnameresolver_flag}" + + echo "=============== ovn-cluster-manager ========== MASTER ONLY" + /usr/bin/ovnkube --init-cluster-manager ${K8S_NODE} \ + ${anp_enabled_flag} \ + ${egressfirewall_enabled_flag} \ + ${egressip_enabled_flag} \ + ${egressip_healthcheck_port_flag} \ + ${egressqos_enabled_flag} \ + ${egressservice_enabled_flag} \ + ${empty_lb_events_flag} \ + ${hybrid_overlay_flags} \ + ${multicast_enabled_flag} \ + ${multi_network_enabled_flag} \ + ${network_segmentation_enabled_flag} \ + ${persistent_ips_enabled_flag} \ + ${ovnkube_enable_interconnect_flag} \ + ${ovnkube_enable_multi_external_gateway_flag} \ + ${ovnkube_metrics_tls_opts} \ + ${ovn_encap_port_flag} \ + ${ovn_v4_join_subnet_opt} \ + ${ovn_v4_masquerade_subnet_opt} \ + ${ovn_v6_join_subnet_opt} \ + ${ovn_v6_masquerade_subnet_opt} \ + ${ovn_v4_transit_switch_subnet_opt} \ + ${ovn_v6_transit_switch_subnet_opt} \ + ${ovn_enable_dnsnameresolver_flag} \ + --cluster-subnets ${net_cidr} --k8s-service-cidr=${svc_cidr} \ + --host-network-namespace ${ovn_host_network_namespace} \ + --logfile-maxage=${ovnkube_logfile_maxage} \ + --logfile-maxbackups=${ovnkube_logfile_maxbackups} \ + --logfile-maxsize=${ovnkube_logfile_maxsize} \ + --logfile /var/log/ovn-kubernetes/ovnkube-cluster-manager.log \ + --loglevel=${ovnkube_loglevel} \ + --metrics-bind-address ${ovnkube_cluster_manager_metrics_bind_address} \ + --metrics-enable-pprof \ + --pidfile ${OVN_RUNDIR}/ovnkube-cluster-manager.pid & + + echo "=============== ovn-cluster-manager ========== running" + wait_for_event attempts=3 process_ready ovnkube-cluster-manager + + process_healthy ovnkube-cluster-manager + exit 9 +} + +# ovn-controller - all nodes +ovn-controller() { + check_ovn_daemonset_version "1.0.0" + rm -f ${OVN_RUNDIR}/ovn-controller.pid + + echo "=============== ovn-controller - (wait for ovs)" + wait_for_event ovs_ready + + echo "=============== ovn-controller - (wait for ready_to_start_node)" + wait_for_event ready_to_start_node + + echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb}" + echo "ovn_nbdb_conn ${ovn_nbdb_conn}" + + echo "=============== ovn-controller start_controller" + rm -f /var/run/ovn-kubernetes/cni/* + rm -f ${OVN_RUNDIR}/ovn-controller.*.ctl + + local ovn_controller_ssl_opts="" + [[ "yes" == ${OVN_SSL_ENABLE} ]] && { + ovn_controller_ssl_opts=" + --ovn-controller-ssl-key=${ovn_controller_pk} + --ovn-controller-ssl-cert=${ovn_controller_cert} + --ovn-controller-ssl-ca-cert=${ovn_ca_cert} + " + } + run_as_ovs_user_if_needed \ + ${OVNCTL_PATH} --no-monitor start_controller \ + ${ovn_controller_ssl_opts} \ + --ovn-controller-log="${ovn_loglevel_controller}" \ + ${ovn_controller_opts} + + wait_for_event attempts=3 process_ready ovn-controller + echo "=============== ovn-controller ========== running" + + tail --follow=name ${OVN_LOGDIR}/ovn-controller.log & + controller_tail_pid=$! + + process_healthy ovn-controller ${controller_tail_pid} + exit 10 +} + +# ovn-node - all nodes +ovn-node() { + trap 'kill $(jobs -p) ; rm -f /etc/cni/net.d/10-ovn-kubernetes.conf ; exit 0' TERM + check_ovn_daemonset_version "1.0.0" + rm -f ${OVN_RUNDIR}/ovnkube.pid + + if [[ ${ovnkube_node_mode} != "dpu-host" ]]; then + echo "=============== ovn-node - (wait for ovs)" + wait_for_event ovs_ready + fi + + echo "=============== ovn-node - (wait for ready_to_start_node)" + wait_for_event ready_to_start_node + + echo "ovn_nbdb ${ovn_nbdb} ovn_sbdb ${ovn_sbdb} ovn_nbdb_conn ${ovn_nbdb_conn}" + + if [[ ${ovnkube_node_mode} != "dpu-host" ]]; then + echo "=============== ovn-node - (ovn-node wait for ovn-controller.pid)" + wait_for_event process_ready ovn-controller + fi + + ovn_routable_mtu_flag= + if [[ -n "${routable_mtu}" ]]; then + routable_mtu_flag="--routable-mtu ${routable_mtu}" + fi + + hybrid_overlay_flags= + if [[ ${ovn_hybrid_overlay_enable} == "true" ]]; then + hybrid_overlay_flags="--enable-hybrid-overlay" + if [[ -n "${ovn_hybrid_overlay_net_cidr}" ]]; then + hybrid_overlay_flags="${hybrid_overlay_flags} --hybrid-overlay-cluster-subnets=${ovn_hybrid_overlay_net_cidr}" + fi + fi + + disable_snat_multiple_gws_flag= + if [[ ${ovn_disable_snat_multiple_gws} == "true" ]]; then + disable_snat_multiple_gws_flag="--disable-snat-multiple-gws" + fi + + ovn_encap_port_flag= + if [[ -n "${ovn_encap_port}" ]]; then + ovn_encap_port_flag="--encap-port=${ovn_encap_port}" + fi + echo "ovn_encap_port_flag=${ovn_encap_port_flag}" + + disable_forwarding_flag= + if [[ ${ovn_disable_forwarding} == "true" ]]; then + disable_forwarding_flag="--disable-forwarding" + fi + + disable_pkt_mtu_check_flag= + if [[ ${ovn_disable_pkt_mtu_check} == "true" ]]; then + disable_pkt_mtu_check_flag="--disable-pkt-mtu-check" + fi + + multicast_enabled_flag= + if [[ ${ovn_multicast_enable} == "true" ]]; then + multicast_enabled_flag="--enable-multicast" + fi + + anp_enabled_flag= + if [[ ${ovn_admin_network_policy_enable} == "true" ]]; then + anp_enabled_flag="--enable-admin-network-policy" + fi + + egressip_enabled_flag= + if [[ ${ovn_egressip_enable} == "true" ]]; then + egressip_enabled_flag="--enable-egress-ip" + fi + + egressip_healthcheck_port_flag= + if [[ -n "${ovn_egress_ip_healthcheck_port}" ]]; then + egressip_healthcheck_port_flag="--egressip-node-healthcheck-port=${ovn_egress_ip_healthcheck_port}" + fi + + egressservice_enabled_flag= + if [[ ${ovn_egressservice_enable} == "true" ]]; then + egressservice_enabled_flag="--enable-egress-service" + fi + + disable_ovn_iface_id_ver_flag= + if [[ ${ovn_disable_ovn_iface_id_ver} == "true" ]]; then + disable_ovn_iface_id_ver_flag="--disable-ovn-iface-id-ver" + fi + + multi_network_enabled_flag= + if [[ ${ovn_multi_network_enable} == "true" ]]; then + multi_network_enabled_flag="--enable-multi-network --enable-multi-networkpolicy" + fi + + network_segmentation_enabled_flag= + if [[ ${ovn_network_segmentation_enable} == "true" ]]; then + network_segmentation_enabled_flag="--enable-multi-network --enable-network-segmentation" + fi + + netflow_targets= + if [[ -n ${ovn_netflow_targets} ]]; then + netflow_targets="--netflow-targets ${ovn_netflow_targets}" + fi + + sflow_targets= + if [[ -n ${ovn_sflow_targets} ]]; then + sflow_targets="--sflow-targets ${ovn_sflow_targets}" + fi + + ipfix_targets= + if [[ -n ${ovn_ipfix_targets} ]]; then + ipfix_targets="--ipfix-targets ${ovn_ipfix_targets}" + fi + + ipfix_config= + if [[ -n ${ovn_ipfix_sampling} ]]; then + ipfix_config="--ipfix-sampling ${ovn_ipfix_sampling}" + fi + if [[ -n ${ovn_ipfix_cache_max_flows} ]]; then + ipfix_config="${ipfix_config} --ipfix-cache-max-flows ${ovn_ipfix_cache_max_flows}" + fi + if [[ -n ${ovn_ipfix_cache_active_timeout} ]]; then + ipfix_config="${ipfix_config} --ipfix-cache-active-timeout ${ovn_ipfix_cache_active_timeout}" + fi + + monitor_all= + if [[ -n ${ovn_monitor_all} ]]; then + monitor_all="--monitor-all=${ovn_monitor_all}" + fi + + ofctrl_wait_before_clear= + if [[ -n ${ovn_ofctrl_wait_before_clear} ]]; then + ofctrl_wait_before_clear="--ofctrl-wait-before-clear=${ovn_ofctrl_wait_before_clear}" + fi + + enable_lflow_cache= + if [[ -n ${ovn_enable_lflow_cache} ]]; then + enable_lflow_cache="--enable-lflow-cache=${ovn_enable_lflow_cache}" + fi + + lflow_cache_limit= + if [[ -n ${ovn_lflow_cache_limit} ]]; then + lflow_cache_limit="--lflow-cache-limit=${ovn_lflow_cache_limit}" + fi + + lflow_cache_limit_kb= + if [[ -n ${ovn_lflow_cache_limit_kb} ]]; then + lflow_cache_limit_kb="--lflow-cache-limit-kb=${ovn_lflow_cache_limit_kb}" + fi + + egress_interface= + if [[ -n ${ovn_ex_gw_network_interface} ]]; then + egress_interface="--exgw-interface ${ovn_ex_gw_network_interface}" + fi + + ovn_encap_ip_flag= + if [[ ${ovn_encap_ip} != "" ]]; then + ovn_encap_ip_flag="--encap-ip=${ovn_encap_ip}" + else + ovn_encap_ip=$(ovs-vsctl --if-exists get Open_vSwitch . external_ids:ovn-encap-ip) + if [[ $? == 0 ]]; then + ovn_encap_ip=$(echo ${ovn_encap_ip} | tr -d '\"') + if [[ "${ovn_encap_ip}" != "" ]]; then + ovn_encap_ip_flag="--encap-ip=${ovn_encap_ip}" + fi + fi + fi + + ovnkube_node_mode_flag= + if [[ ${ovnkube_node_mode} != "" ]]; then + ovnkube_node_mode_flag="--ovnkube-node-mode=${ovnkube_node_mode}" + if [[ ${ovnkube_node_mode} == "dpu" ]]; then + # encap IP is required for dpu, this is either provided via OVN_ENCAP_IP env variable or taken from ovs + if [[ ${ovn_encap_ip} == "" ]]; then + echo "ovn encap IP must be provided if \"ovnkube-node-mode\" set to \"dpu\". Exiting..." + exit 1 + fi + fi + fi + + ovnkube_node_mgmt_port_netdev_flag= + if [[ ${ovnkube_node_mgmt_port_netdev} != "" ]]; then + ovnkube_node_mgmt_port_netdev_flag="--ovnkube-node-mgmt-port-netdev=${ovnkube_node_mgmt_port_netdev}" + fi + if [[ -n "${ovnkube_node_mgmt_port_dp_resource_name}" ]] ; then + node_mgmt_port_netdev_flags="$node_mgmt_port_netdev_flags --ovnkube-node-mgmt-port-dp-resource-name ${ovnkube_node_mgmt_port_dp_resource_name}" + fi + + local ovn_node_ssl_opts="" + if [[ ${ovnkube_node_mode} != "dpu-host" ]]; then + [[ "yes" == ${OVN_SSL_ENABLE} ]] && { + ovn_node_ssl_opts=" + --nb-client-privkey ${ovn_controller_pk} + --nb-client-cert ${ovn_controller_cert} + --nb-client-cacert ${ovn_ca_cert} + --nb-cert-common-name ${ovn_controller_cname} + --sb-client-privkey ${ovn_controller_pk} + --sb-client-cert ${ovn_controller_cert} + --sb-client-cacert ${ovn_ca_cert} + --sb-cert-common-name ${ovn_controller_cname} + " + } + fi + + ovn_unprivileged_flag="--unprivileged-mode" + if test -z "${OVN_UNPRIVILEGED_MODE+x}" -o "x${OVN_UNPRIVILEGED_MODE}" = xno; then + ovn_unprivileged_flag="" + fi + + ovn_metrics_bind_address="${metrics_endpoint_ip}:9476" + ovnkube_node_metrics_bind_address="${metrics_endpoint_ip}:9410" + + local ovnkube_metrics_tls_opts="" + if [[ ${OVNKUBE_METRICS_PK} != "" && ${OVNKUBE_METRICS_CERT} != "" ]]; then + ovnkube_metrics_tls_opts=" + --node-server-privkey ${OVNKUBE_METRICS_PK} + --node-server-cert ${OVNKUBE_METRICS_CERT} + " + fi + + ovnkube_enable_interconnect_flag= + if [[ ${ovn_enable_interconnect} == "true" ]]; then + ovnkube_enable_interconnect_flag="--enable-interconnect" + fi + echo "ovnkube_enable_interconnect_flag: ${ovnkube_enable_interconnect_flag}" + + ovn_zone=$(get_node_zone) + echo "ovnkube-node's configured zone is ${ovn_zone}" + + ovnkube_enable_multi_external_gateway_flag= + if [[ ${ovn_enable_multi_external_gateway} == "true" ]]; then + ovnkube_enable_multi_external_gateway_flag="--enable-multi-external-gateway" + fi + echo "ovnkube_enable_multi_external_gateway_flag=${ovnkube_enable_multi_external_gateway_flag}" + + if [[ $ovn_nbdb != "local" ]]; then + ovn_dbs="--nb-address=${ovn_nbdb}" + fi + if [[ $ovn_sbdb != "local" ]]; then + ovn_dbs="${ovn_dbs} --sb-address=${ovn_sbdb}" + fi + + ovnkube_node_certs_flags= + if [[ ${ovn_enable_ovnkube_identity} == "true" ]]; then + ovnkube_node_certs_flags=" + --bootstrap-kubeconfig /host/etc/kubernetes/kubelet.conf + --cert-dir /var/run/ovn-kubernetes/certs + " + fi + echo "ovnkube_node_certs_flags=${ovnkube_node_certs_flags}" + + ovn_conntrack_zone_flag= + if [[ ${ovn_conntrack_zone} != "" ]]; then + ovn_conntrack_zone_flag="--conntrack-zone=${ovn_conntrack_zone}" + fi + echo "ovn_conntrack_zone_flag=${ovn_conntrack_zone_flag}" + + ovn_v4_masquerade_subnet_opt= + if [[ -n ${ovn_v4_masquerade_subnet} ]]; then + ovn_v4_masquerade_subnet_opt="--gateway-v4-masquerade-subnet=${ovn_v4_masquerade_subnet}" + fi + + ovn_v6_masquerade_subnet_opt= + if [[ -n ${ovn_v6_masquerade_subnet} ]]; then + ovn_v6_masquerade_subnet_opt="--gateway-v6-masquerade-subnet=${ovn_v6_masquerade_subnet}" + fi + + echo "=============== ovn-node --init-node" + /usr/bin/ovnkube --init-node ${K8S_NODE} \ + ${anp_enabled_flag} \ + ${disable_forwarding_flag} \ + ${disable_ovn_iface_id_ver_flag} \ + ${disable_pkt_mtu_check_flag} \ + ${disable_snat_multiple_gws_flag} \ + ${egress_interface} \ + ${egressip_enabled_flag} \ + ${egressip_healthcheck_port_flag} \ + ${egressservice_enabled_flag} \ + ${enable_lflow_cache} \ + ${hybrid_overlay_flags} \ + ${ipfix_config} \ + ${ipfix_targets} \ + ${lflow_cache_limit} \ + ${lflow_cache_limit_kb} \ + ${monitor_all} \ + ${multicast_enabled_flag} \ + ${multi_network_enabled_flag} \ + ${network_segmentation_enabled_flag} \ + ${netflow_targets} \ + ${ofctrl_wait_before_clear} \ + ${ovn_dbs} \ + ${ovn_encap_ip_flag} \ + ${ovn_encap_port_flag} \ + ${ovn_conntrack_zone_flag} \ + ${ovnkube_enable_interconnect_flag} \ + ${ovnkube_enable_multi_external_gateway_flag} \ + ${ovn_v4_masquerade_subnet_opt} \ + ${ovn_v6_masquerade_subnet_opt} \ + ${ovnkube_metrics_tls_opts} \ + ${ovnkube_node_certs_flags} \ + ${ovnkube_node_mgmt_port_netdev_flag} \ + ${ovnkube_node_mode_flag} \ + ${ovn_node_ssl_opts} \ + ${ovn_unprivileged_flag} \ + ${routable_mtu_flag} \ + ${sflow_targets} \ + --cluster-subnets ${net_cidr} --k8s-service-cidr=${svc_cidr} \ + --export-ovs-metrics \ + --gateway-mode=${ovn_gateway_mode} ${ovn_gateway_opts} \ + --gateway-router-subnet=${ovn_gateway_router_subnet} \ + --host-network-namespace ${ovn_host_network_namespace} \ + --inactivity-probe=${ovn_remote_probe_interval} \ + --logfile-maxage=${ovnkube_logfile_maxage} \ + --logfile-maxbackups=${ovnkube_logfile_maxbackups} \ + --logfile-maxsize=${ovnkube_logfile_maxsize} \ + --logfile /var/log/ovn-kubernetes/ovnkube.log \ + --loglevel=${ovnkube_loglevel} \ + --metrics-bind-address ${ovnkube_node_metrics_bind_address} \ + --metrics-enable-pprof \ + --mtu=${mtu} \ + --nodeport \ + --ovn-metrics-bind-address ${ovn_metrics_bind_address} \ + --pidfile ${OVN_RUNDIR}/ovnkube.pid \ + --zone ${ovn_zone} & + + wait_for_event attempts=3 process_ready ovnkube + if [[ ${ovnkube_node_mode} != "dpu" ]]; then + setup_cni + fi + echo "=============== ovn-node ========== running" + + process_healthy ovnkube + exit 7 +} + +# cleanup-ovn-node - all nodes +cleanup-ovn-node() { + check_ovn_daemonset_version "1.0.0" + + rm -f /etc/cni/net.d/10-ovn-kubernetes.conf + + echo "=============== time: $(date +%d-%m-%H:%M:%S:%N) cleanup-ovn-node - (wait for ovn-controller to exit)" + retries=0 + while [[ ${retries} -lt 80 ]]; do + process_ready ovn-controller + if [[ $? != 0 ]]; then + break + fi + echo "=============== time: $(date +%d-%m-%H:%M:%S:%N) cleanup-ovn-node - (ovn-controller still running, wait)" + sleep 1 + ((retries += 1)) + done + + echo "=============== time: $(date +%d-%m-%H:%M:%S:%N) cleanup-ovn-node --cleanup-node" + /usr/bin/ovnkube --cleanup-node ${K8S_NODE} --gateway-mode=${ovn_gateway_mode} ${ovn_gateway_opts} \ + --k8s-token=${k8s_token} --k8s-apiserver=${K8S_APISERVER} --k8s-cacert=${K8S_CACERT} \ + --loglevel=${ovnkube_loglevel} \ + --logfile /var/log/ovn-kubernetes/ovnkube.log + +} + +# v1.0.0 - Runs ovn-kube-util in daemon mode to export prometheus metrics related to OVS. +ovs-metrics() { + check_ovn_daemonset_version "1.0.0" + + echo "=============== ovs-metrics - (wait for ovs_ready)" + wait_for_event ovs_ready + + ovs_exporter_bind_address="${metrics_endpoint_ip}:${metrics_exporter_port}" + /usr/bin/ovn-kube-util \ + --loglevel=${ovnkube_loglevel} \ + ovs-exporter \ + --metrics-bind-address ${ovs_exporter_bind_address} + + echo "=============== ovs-metrics with pid ${?} terminated ========== " + exit 1 +} + +echo "================== ovnkube.sh --- version: ${ovnkube_version} ================" + +echo " ==================== command: ${cmd}" +display_version + +# display_env + +# Start the requested daemons +# daemons come up in order +# ovs-db-server - all nodes -- not done by this script (v3) +# ovs-vswitchd - all nodes -- not done by this script (v3) +# run-ovn-northd Runs ovn-northd as a process does not run nb_ovsdb or sb_ovsdb (v3) +# nb-ovsdb Runs nb_ovsdb as a process (no detach or monitor) (v3) +# sb-ovsdb Runs sb_ovsdb as a process (no detach or monitor) (v3) +# ovn-dbchecker Runs ovndb checker alongside nb-ovsdb and sb-ovsdb containers (v3) +# ovn-master - master only (v3) +# ovn-identity - master only (v3) +# ovn-controller - all nodes (v3) +# ovn-node - all nodes (v3) +# cleanup-ovn-node - all nodes (v3) + +case ${cmd} in +"nb-ovsdb") # pod ovnkube-db container nb-ovsdb + nb-ovsdb + ;; +"sb-ovsdb") # pod ovnkube-db container sb-ovsdb + sb-ovsdb + ;; +"ovn-dbchecker") # pod ovnkube-db container ovn-dbchecker + ovn-dbchecker + ;; +"local-nb-ovsdb") + local-nb-ovsdb + ;; +"local-sb-ovsdb") + local-sb-ovsdb + ;; +"run-ovn-northd") # pod ovnkube-master container run-ovn-northd + run-ovn-northd + ;; +"ovn-master") # pod ovnkube-master container ovnkube-master + ovn-master + ;; +"ovnkube-identity") # pod ovnkube-identity container ovnkube-identity + ovnkube-identity + ;; +"ovnkube-controller") # pod ovnkube-master container ovnkube-controller + ovnkube-controller + ;; +"ovnkube-controller-with-node") + ovnkube-controller-with-node + ;; +"ovn-cluster-manager") # pod ovnkube-master container ovnkube-cluster-manager + ovn-cluster-manager + ;; +"ovs-server") # pod ovnkube-node container ovs-daemons + ovs-server + ;; +"ovn-controller") # pod ovnkube-node container ovn-controller + ovn-controller + ;; +"ovn-node") # pod ovnkube-node container ovn-node + ovn-node + ;; +"ovn-northd") + ovn-northd + ;; +"display_env") + display_env + exit 0 + ;; +"display") + display + exit 0 + ;; +"ovn_debug") + ovn_debug + exit 0 + ;; +"cleanup-ovs-server") + cleanup-ovs-server + ;; +"cleanup-ovn-node") + cleanup-ovn-node + ;; +"nb-ovsdb-raft") + ovsdb-raft nb ${ovn_nb_port} ${ovn_nb_raft_port} ${ovn_nb_raft_election_timer} + ;; +"sb-ovsdb-raft") + ovsdb-raft sb ${ovn_sb_port} ${ovn_sb_raft_port} ${ovn_sb_raft_election_timer} + ;; +"ovs-metrics") + ovs-metrics + ;; +*) + echo "invalid command ${cmd}" + echo "valid v3 commands: ovs-server nb-ovsdb sb-ovsdb run-ovn-northd ovn-master " \ + "ovnkube-identity ovn-controller ovn-node display_env display ovn_debug cleanup-ovs-server " \ + "cleanup-ovn-node nb-ovsdb-raft sb-ovsdb-raft" + exit 0 + ;; +esac + +exit 0 diff --git a/21_ovn/generated/images/push_manifest.sh b/21_ovn/generated/images/push_manifest.sh new file mode 100755 index 0000000..f82531d --- /dev/null +++ b/21_ovn/generated/images/push_manifest.sh @@ -0,0 +1,46 @@ +#!/bin/bash + +# Currently supported platforms of multi-arch images are: amd64 arm64 +LINUX_ARCH=(amd64 arm64) +PLATFORMS=linux/${LINUX_ARCH[0]} +for i in $(seq 1 $[${#LINUX_ARCH[@]}-1]) +do + PLATFORMS=$PLATFORMS,linux/${LINUX_ARCH[$i]} +done + +IMAGES_OVN=${1:-ovn-daemonset-ubuntu} +BRANCH_TAG=${2:-latest} +DOCKER_REPOSITORY=${3:-docker.io/ovnkube} +MANITOOL_VERSION=${4:-v1.0.0} + +if [ `uname -m` = 'aarch64' ] +then + BUILDARCH=arm64 +elif [ `uname -m` = 'x86_64' ] +then + BUILDARCH=amd64 +fi + + +#Before push, 'docker login' is needed +push_multi_arch(){ + + if [ ! -f "./manifest-tool" ] + then + sudo apt-get install -y jq + wget https://github.com/estesp/manifest-tool/releases/download/${MANITOOL_VERSION}/manifest-tool-linux-${BUILDARCH} \ + -O manifest-tool && \ + chmod +x ./manifest-tool + fi + + for IMAGE in "${IMAGES_OVN[@]}" + do + echo "multi arch image: ""${DOCKER_REPOSITORY}/${IMAGE}" + ./manifest-tool push from-args --platforms ${PLATFORMS} --template ${DOCKER_REPOSITORY}/${IMAGE}-ARCH:${BRANCH_TAG} \ + --target ${DOCKER_REPOSITORY}/${IMAGE}:${BRANCH_TAG} + done +} + +echo "Push fat manifest for multi-arch ovnkube images:" +push_multi_arch + diff --git a/21_ovn/generated/images/run-ovn-dpu.sh b/21_ovn/generated/images/run-ovn-dpu.sh new file mode 100755 index 0000000..4ca6c9d --- /dev/null +++ b/21_ovn/generated/images/run-ovn-dpu.sh @@ -0,0 +1,7 @@ +docker run --pid host --network host --user=0 --name ovn -dit --cap-add=SYS_NICE -v /var/run/dbus:/var/run/dbus:ro -v \ + /var/log/openvswitch:/var/log/openvswitch -v /var/log/openvswitch:/var/log/ovn -v \ + /var/run/openvswitch:/var/run/openvswitch -v /var/run/openvswitch:/var/run/ovn -v $K8S_CACERT:$K8S_CACERT -v \ + /etc/ovn:/ovn-cert:ro -e OVN_DAEMONSET_VERSION=1.0.0 -e OVN_LOGLEVEL_CONTROLLER="-vconsole:info" \ + -e K8S_APISERVER=$K8S_APISERVER -e OVN_KUBERNETES_NAMESPACE=ovn-kubernetes -e OVN_SSL_ENABLE=no \ + -e K8S_NODE=$K8S_NODE -e K8S_TOKEN=$K8S_TOKEN -e K8S_CACERT=$K8S_CACERT --entrypoint=/root/ovnkube.sh \ + ovn-daemonset:latest "ovn-controller" diff --git a/21_ovn/generated/images/run-ovnkube-node-dpu.sh b/21_ovn/generated/images/run-ovnkube-node-dpu.sh new file mode 100755 index 0000000..6db0484 --- /dev/null +++ b/21_ovn/generated/images/run-ovnkube-node-dpu.sh @@ -0,0 +1,14 @@ +docker run --pid host --network host --user=0 --name ovn-node -dit --cap-add=NET_ADMIN --cap-add=SYS_ADMIN \ + --cap-add=SYS_PTRACE -v /:/host:ro -v /var/run/dbus:/var/run/dbus:ro -v $K8S_CACERT:$K8S_CACERT \ + -v /var/log/ovn-kubernetes:/var/log/ovn-kubernetes -v /var/run/openvswitch:/var/run/openvswitch/ \ + -v /var/run/openvswitch:/var/run/ovn/ -v /var/run/ovn-kubernetes:/var/run/ovn-kubernetes \ + -v /etc/ovn:/ovn-cert:ro -v /var/lib/openvswitch:/etc/openvswitch:ro -v /var/lib/openvswitch:/etc/ovn:ro \ + -e OVN_DAEMONSET_VERSION=1.0.0 -e OVN_LOGLEVEL_CONTROLLER="-vconsole:info" \ + -e OVN_NET_CIDR=$OVN_NET_CIDR -e OVN_SVC_CIDR=$OVN_SVC_CIDR -e K8S_NODE=$K8S_NODE \ + -e OVN_GATEWAY_MODE="shared" -e OVN_GATEWAY_ROUTER_SUBNET=$OVN_GATEWAY_ROUTER_SUBNET \ + -e OVN_REMOTE_PROBE_INTERVAL=100000 -e K8S_APISERVER=$K8S_APISERVER \ + -e OVN_KUBERNETES_NAMESPACE=ovn-kubernetes -e OVN_SSL_ENABLE=no -e OVNKUBE_NODE_MODE="dpu" \ + -e OVN_ENCAP_IP=$DPU_IP -e K8S_TOKEN=$K8S_TOKEN -e K8S_CACERT=$K8S_CACERT \ + -e OVN_GATEWAY_OPTS="$OVN_GATEWAY_OPTS" -e OVNKUBE_NODE_MGMT_PORT_NETDEV="$OVNKUBE_NODE_MGMT_PORT_NETDEV" \ + -e OVN_DISABLE_PKT_MTU_CHECK=true \ + --entrypoint=/root/ovnkube.sh ovn-daemonset:latest "ovn-node" diff --git a/21_ovn/generated/yaml/.gitignore b/21_ovn/generated/yaml/.gitignore new file mode 100644 index 0000000..1e82fc7 --- /dev/null +++ b/21_ovn/generated/yaml/.gitignore @@ -0,0 +1 @@ +*.yaml diff --git a/21_ovn/generated/yaml/ovn-debug.out b/21_ovn/generated/yaml/ovn-debug.out new file mode 100644 index 0000000..4073e78 --- /dev/null +++ b/21_ovn/generated/yaml/ovn-debug.out @@ -0,0 +1,405 @@ +[root@ovn11 ~]# bash -x /usr/share/ovn/scripts/ovn-ctl --no-monitor start_controller --ovn-controller-log=-vconsole:dbg ++ case $0 in +++ echo /usr/share/ovn/scripts/ovn-ctl +++ sed 's,/[^/]*$,,' ++ dir0=/usr/share/ovn/scripts +++ echo /usr/share/ovn/scripts +++ sed s,/ovn/scripts,, ++ ovsdir=/usr/share ++ ovsdir=/usr/share/openvswitch/scripts ++ . /usr/share/openvswitch/scripts/ovs-lib +++ logdir=/var/log/openvswitch +++ rundir=/var/run/openvswitch +++ sysconfdir=/etc +++ etcdir=/etc/openvswitch +++ datadir=/usr/share/openvswitch +++ bindir=/usr/bin +++ sbindir=/usr/sbin +++ test X '!=' X +++ test X '!=' X +++ dbdir=/etc/openvswitch +++ VERSION=3.2.2 +++ DAEMON_CWD=/ +++ LC_ALL=C +++ export LC_ALL +++ test -e /etc/init.d/functions +++ test -e /etc/rc.d/init.d/functions +++ test -e /lib/lsb/init-functions +++ type log_success_msg +++ type log_failure_msg +++ type log_warning_msg +++ type action ++ . /usr/share/ovn/scripts/ovn-lib +++ ovn_logdir=/var/log/ovn +++ ovn_rundir=/var/run/ovn +++ ovn_sysconfdir=/etc +++ ovn_etcdir=/etc/ovn +++ ovn_datadir=/usr/share/ovn +++ ovn_bindir=/usr/bin +++ ovn_sbindir=/usr/sbin +++ test X '!=' X +++ test X '!=' X +++ ovn_dbdir=/etc/ovn +++ VERSION=24.03.3 +++ DAEMON_CWD=/ +++ LC_ALL=C +++ export LC_ALL ++ for dir in "$sbindir" "$ovn_bindir" "$bindir" /sbin /bin /usr/sbin /usr/bin ++ case :$PATH: in ++ for dir in "$sbindir" "$ovn_bindir" "$bindir" /sbin /bin /usr/sbin /usr/bin ++ case :$PATH: in ++ for dir in "$sbindir" "$ovn_bindir" "$bindir" /sbin /bin /usr/sbin /usr/bin ++ case :$PATH: in ++ for dir in "$sbindir" "$ovn_bindir" "$bindir" /sbin /bin /usr/sbin /usr/bin ++ case :$PATH: in ++ for dir in "$sbindir" "$ovn_bindir" "$bindir" /sbin /bin /usr/sbin /usr/bin ++ case :$PATH: in ++ for dir in "$sbindir" "$ovn_bindir" "$bindir" /sbin /bin /usr/sbin /usr/bin ++ case :$PATH: in ++ for dir in "$sbindir" "$ovn_bindir" "$bindir" /sbin /bin /usr/sbin /usr/bin ++ case :$PATH: in ++ ovnnb_active_conf_file=/etc/ovn/ovnnb-active.conf ++ ovnsb_active_conf_file=/etc/ovn/ovnsb-active.conf ++ ovn_northd_db_conf_file=/etc/ovn/ovn-northd-db-params.conf ++ ic_nb_active_conf_file=/etc/ovn/ic-nb-active.conf ++ ic_sb_active_conf_file=/etc/ovn/ic-sb-active.conf ++ ovn_ic_db_conf_file=/etc/ovn/ovn-ic-db-params.conf ++ set_defaults ++ OVN_MANAGE_OVSDB=yes ++ RESTART=no ++ OVS_RUNDIR=/var/run/openvswitch ++ OVN_RUNDIR=/var/run/ovn ++ DB_NB_SOCK=/var/run/ovn/ovnnb_db.sock ++ DB_NB_PIDFILE=/var/run/ovn/ovnnb_db.pid ++ DB_NB_CTRL_SOCK=/var/run/ovn/ovnnb_db.ctl ++ DB_NB_FILE=/etc/ovn/ovnnb_db.db ++ DB_NB_ADDR=0.0.0.0 ++ DB_NB_PORT=6641 ++ DB_NB_SYNC_FROM_PROTO=tcp ++ DB_NB_SYNC_FROM_ADDR= ++ DB_NB_SYNC_FROM_PORT=6641 ++ DB_NB_PROBE_INTERVAL_TO_ACTIVE=60000 ++ DB_NB_ELECTION_TIMER= ++ DB_SB_SOCK=/var/run/ovn/ovnsb_db.sock ++ DB_SB_PIDFILE=/var/run/ovn/ovnsb_db.pid ++ DB_SB_CTRL_SOCK=/var/run/ovn/ovnsb_db.ctl ++ DB_SB_FILE=/etc/ovn/ovnsb_db.db ++ DB_SB_ADDR=0.0.0.0 ++ DB_SB_PORT=6642 ++ DB_SB_SYNC_FROM_PROTO=tcp ++ DB_SB_SYNC_FROM_ADDR= ++ DB_SB_SYNC_FROM_PORT=6642 ++ DB_SB_PROBE_INTERVAL_TO_ACTIVE=60000 ++ DB_SB_ELECTION_TIMER= ++ DB_IC_NB_SOCK=/var/run/ovn/ovn_ic_nb_db.sock ++ DB_IC_NB_PIDFILE=/var/run/ovn/ovn_ic_nb_db.pid ++ DB_IC_NB_CTRL_SOCK=/var/run/ovn/ovn_ic_nb_db.ctl ++ DB_IC_NB_FILE=/etc/ovn/ovn_ic_nb_db.db ++ DB_IC_NB_ADDR=0.0.0.0 ++ DB_IC_NB_PORT=6645 ++ DB_IC_NB_SYNC_FROM_PROTO=tcp ++ DB_IC_NB_SYNC_FROM_ADDR= ++ DB_IC_NB_SYNC_FROM_PORT=6645 ++ DB_IC_SB_SOCK=/var/run/ovn/ovn_ic_sb_db.sock ++ DB_IC_SB_PIDFILE=/var/run/ovn/ovn_ic_sb_db.pid ++ DB_IC_SB_CTRL_SOCK=/var/run/ovn/ovn_ic_sb_db.ctl ++ DB_IC_SB_FILE=/etc/ovn/ovn_ic_sb_db.db ++ DB_IC_SB_ADDR=0.0.0.0 ++ DB_IC_SB_PORT=6646 ++ DB_IC_SB_SYNC_FROM_PROTO=tcp ++ DB_IC_SB_SYNC_FROM_ADDR= ++ DB_IC_SB_SYNC_FROM_PORT=6646 ++ DB_NB_SCHEMA=/usr/share/ovn/ovn-nb.ovsschema ++ DB_SB_SCHEMA=/usr/share/ovn/ovn-sb.ovsschema ++ DB_IC_NB_SCHEMA=/usr/share/ovn/ovn-ic-nb.ovsschema ++ DB_IC_SB_SCHEMA=/usr/share/ovn/ovn-ic-sb.ovsschema ++ DB_SOCK=/var/run/openvswitch/db.sock ++ DB_CONF_FILE=/etc/openvswitch/conf.db ++ OVN_NORTHD_PRIORITY=-10 ++ OVN_NORTHD_WRAPPER= ++ OVN_IC_PRIORITY=-10 ++ OVN_IC_WRAPPER= ++ OVN_CONTROLLER_PRIORITY=-10 ++ OVN_CONTROLLER_WRAPPER= ++ OVSDB_NB_WRAPPER= ++ OVSDB_SB_WRAPPER= ++ OVSDB_DISABLE_FILE_COLUMN_DIFF=no ++ OVN_USER= ++ OVN_CONTROLLER_LOG='-vconsole:emer -vsyslog:err -vfile:info' ++ OVN_NORTHD_LOG='-vconsole:emer -vsyslog:err -vfile:info' ++ OVN_NORTHD_LOGFILE= ++ OVN_NORTHD_N_THREADS=1 ++ OVN_IC_LOG='-vconsole:emer -vsyslog:err -vfile:info' ++ OVN_IC_LOGFILE= ++ OVN_NB_LOG='-vconsole:off -vfile:info' ++ OVN_SB_LOG='-vconsole:off -vfile:info' ++ OVN_NB_LOGFILE=/var/log/ovn/ovsdb-server-nb.log ++ OVN_SB_LOGFILE=/var/log/ovn/ovsdb-server-sb.log ++ OVN_IC_NB_LOG='-vconsole:off -vfile:info' ++ OVN_IC_SB_LOG='-vconsole:off -vfile:info' ++ OVN_IC_NB_LOGFILE=/var/log/ovn/ovsdb-server-ic-nb.log ++ OVN_IC_SB_LOGFILE=/var/log/ovn/ovsdb-server-ic-sb.log ++ OVN_SB_RELAY_LOG='-vconsole:emer -vsyslog:err -vfile:info' ++ OVN_SB_RELAY_LOGFILE=/var/log/ovn/ovsdb-server-sb-relay.log ++ OVN_CONTROLLER_SSL_KEY= ++ OVN_CONTROLLER_SSL_CERT= ++ OVN_CONTROLLER_SSL_CA_CERT= ++ OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT= ++ OVN_NORTHD_SSL_KEY= ++ OVN_NORTHD_SSL_CERT= ++ OVN_NORTHD_SSL_CA_CERT= +:q! +:q+ OVN_IC_SSL_KEY= ++ OVN_IC_SSL_CERT= ++ OVN_IC_SSL_CA_CERT= ++ DB_SB_CREATE_INSECURE_REMOTE=no ++ DB_NB_CREATE_INSECURE_REMOTE=no ++ DB_IC_SB_CREATE_INSECURE_REMOTE=no ++ DB_IC_NB_CREATE_INSECURE_REMOTE=no ++ MONITOR=yes ++ DB_NB_DETACH=yes ++ DB_SB_DETACH=yes ++ DB_IC_NB_DETACH=yes ++ DB_IC_SB_DETACH=yes ++ DB_NB_CLUSTER_LOCAL_ADDR= ++ DB_NB_CLUSTER_LOCAL_PROTO=tcp ++ DB_NB_CLUSTER_LOCAL_PORT=6643 ++ DB_NB_CLUSTER_REMOTE_ADDR= ++ DB_NB_CLUSTER_REMOTE_PROTO=tcp ++ DB_NB_CLUSTER_REMOTE_PORT=6643 ++ DB_SB_CLUSTER_LOCAL_ADDR= ++ DB_SB_CLUSTER_LOCAL_PROTO=tcp ++ DB_SB_CLUSTER_LOCAL_PORT=6644 ++ DB_SB_CLUSTER_REMOTE_ADDR= ++ DB_SB_CLUSTER_REMOTE_PROTO=tcp ++ DB_SB_CLUSTER_REMOTE_PORT=6644 ++ DB_IC_NB_CLUSTER_LOCAL_ADDR= ++ DB_IC_NB_CLUSTER_LOCAL_PROTO=tcp ++ DB_IC_NB_CLUSTER_LOCAL_PORT=6647 ++ DB_IC_NB_CLUSTER_REMOTE_ADDR= ++ DB_IC_NB_CLUSTER_REMOTE_PROTO=tcp ++ DB_IC_NB_CLUSTER_REMOTE_PORT=6647 ++ DB_IC_SB_CLUSTER_LOCAL_ADDR= ++ DB_IC_SB_CLUSTER_LOCAL_PROTO=tcp ++ DB_IC_SB_CLUSTER_LOCAL_PORT=6648 ++ DB_IC_SB_CLUSTER_REMOTE_ADDR= ++ DB_IC_SB_CLUSTER_REMOTE_PROTO=tcp ++ DB_IC_SB_CLUSTER_REMOTE_PORT=6648 ++ OVN_NORTHD_NB_DB=unix:/var/run/ovn/ovnnb_db.sock ++ OVN_NORTHD_SB_DB=unix:/var/run/ovn/ovnsb_db.sock ++ DB_NB_USE_REMOTE_IN_DB=yes ++ DB_SB_USE_REMOTE_IN_DB=yes ++ OVN_IC_NB_DB=unix:/var/run/ovn/ovn_ic_nb_db.sock ++ OVN_IC_SB_DB=unix:/var/run/ovn/ovn_ic_sb_db.sock ++ DB_IC_NB_USE_REMOTE_IN_DB=yes ++ DB_IC_SB_USE_REMOTE_IN_DB=yes ++ OVN_NB_DB_SSL_KEY= ++ OVN_NB_DB_SSL_CERT= ++ OVN_NB_DB_SSL_CA_CERT= ++ OVN_SB_DB_SSL_KEY= ++ OVN_SB_DB_SSL_CERT= ++ OVN_SB_DB_SSL_CA_CERT= ++ OVN_IC_NB_DB_SSL_KEY= ++ OVN_IC_NB_DB_SSL_CERT= ++ OVN_IC_NB_DB_SSL_CA_CERT= ++ OVN_IC_SB_DB_SSL_KEY= ++ OVN_IC_SB_DB_SSL_CERT= ++ OVN_IC_SB_DB_SSL_CA_CERT= ++ RELAY_MODE=no ++ DB_SB_RELAY_REMOTE= ++ DB_SB_RELAY_SOCK=/var/run/ovn/ovnsb_relay_db.sock ++ DB_SB_RELAY_PIDFILE=/var/run/ovn/ovnsb_relay_db.pid ++ DB_SB_RELAY_CTRL_SOCK=/var/run/ovn/ovnsb_relay_db.ctl ++ OVN_SB_RELAY_DB_SSL_KEY= ++ OVN_SB_RELAY_DB_SSL_CERT= ++ OVN_SB_RELAY_DB_SSL_CA_CERT= ++ DB_SB_RELAY_USE_REMOTE_IN_DB=yes ++ DB_CLUSTER_SCHEMA_UPGRADE=yes ++ command= ++ extra_args= ++ for arg in "$@" ++ shift ++ case $arg in +++ expr X--no-monitor : 'X--no-\(.*\)' ++ option=monitor ++ value=no ++ type=bool ++ set_option +++ echo monitor +++ tr abcdefghijklmnopqrstuvwxyz- ABCDEFGHIJKLMNOPQRSTUVWXYZ_ ++ var=MONITOR ++ eval 'set=${MONITOR+yes}' +++ set=yes ++ eval 'old_value=$MONITOR' +++ old_value=yes ++ test Xyes = X ++ test bool = bool ++ test Xyes '!=' Xno ++ test Xyes '!=' Xyes ++ eval 'MONITOR=$value' +++ MONITOR=no ++ for arg in "$@" ++ shift ++ case $arg in ++ test X = X ++ command=start_controller ++ for arg in "$@" ++ shift ++ case $arg in +++ expr X--ovn-controller-log=-vconsole:dbg : 'X--\([^=]*\)' ++ option=ovn-controller-log +++ expr X--ovn-controller-log=-vconsole:dbg : 'X[^=]*=\(.*\)' ++ value=-vconsole:dbg ++ type=string ++ set_option +++ echo ovn-controller-log +++ tr abcdefghijklmnopqrstuvwxyz- ABCDEFGHIJKLMNOPQRSTUVWXYZ_ ++ var=OVN_CONTROLLER_LOG ++ eval 'set=${OVN_CONTROLLER_LOG+yes}' +++ set=yes ++ eval 'old_value=$OVN_CONTROLLER_LOG' +++ old_value='-vconsole:emer -vsyslog:err -vfile:info' ++ test Xyes = X ++ test string = bool ++ eval 'OVN_CONTROLLER_LOG=$value' +++ OVN_CONTROLLER_LOG=-vconsole:dbg ++ OVN_NORTHD_BIN=ovn-northd ++ case $command in ++ start_controller ++ set ovn-controller unix:/var/run/openvswitch/db.sock ++ set ovn-controller unix:/var/run/openvswitch/db.sock -vconsole:dbg ++ test X '!=' X ++ test X '!=' X ++ test X '!=' X ++ test X '!=' X ++ '[' '' '!=' '' ']' ++ test X '!=' X ++ OVS_RUNDIR=/var/run/openvswitch ++ start_ovn_daemon -10 '' ovn-controller unix:/var/run/openvswitch/db.sock -vconsole:dbg ++ priority=-10 ++ wrapper= ++ shift ++ shift ++ daemon=ovn-controller ++ ovn_install_dir / ++ DIR=/ ++ INSTALL_MODE=755 +++ id -un ++ INSTALL_USER=root +++ id -gn ++ INSTALL_GROUP=root ++ '[' '' '!=' '' ']' ++ '[' '' '!=' '' ']' ++ test '!' -d / ++ set ovn-controller unix:/var/run/openvswitch/db.sock -vconsole:dbg --no-chdir ++ cd / ++ ovn_install_dir /var/log/ovn 750 ++ DIR=/var/log/ovn ++ INSTALL_MODE=750 +++ id -un ++ INSTALL_USER=root +++ id -gn ++ INSTALL_GROUP=root ++ '[' '' '!=' '' ']' ++ '[' '' '!=' '' ']' ++ test '!' -d /var/log/ovn ++ set ovn-controller unix:/var/run/openvswitch/db.sock -vconsole:dbg --no-chdir --log-file=/var/log/ovn/ovn-controller.log ++ ovn_install_dir /var/run/ovn ++ DIR=/var/run/ovn ++ INSTALL_MODE=755 +++ id -un ++ INSTALL_USER=root +++ id -gn ++ INSTALL_GROUP=root ++ '[' '' '!=' '' ']' ++ '[' '' '!=' '' ']' ++ test '!' -d /var/run/ovn ++ set ovn-controller unix:/var/run/openvswitch/db.sock -vconsole:dbg --no-chdir --log-file=/var/log/ovn/ovn-controller.log --pidfile=/var/run/ovn/ovn-controller.pid ++ set ovn-controller unix:/var/run/openvswitch/db.sock -vconsole:dbg --no-chdir --log-file=/var/log/ovn/ovn-controller.log --pidfile=/var/run/ovn/ovn-controller.pid --detach ++ test Xno = Xno ++ chown -R root:root /var/log/ovn ++ chown -R root:root /var/run/ovn ++ start_wrapped_daemon '' ovn-controller -10 ovn-controller unix:/var/run/openvswitch/db.sock -vconsole:dbg --no-chdir --log-file=/var/log/ovn/ovn-controller.log --pidfile=/var/run/ovn/ovn-controller.pid --detach ++ wrapper= ++ daemon=ovn-controller ++ priority=-10 ++ strace= ++ shift ++ shift ++ shift ++ case $wrapper in ++ test X-10 '!=' X ++ set nice -n -10 ovn-controller unix:/var/run/openvswitch/db.sock -vconsole:dbg --no-chdir --log-file=/var/log/ovn/ovn-controller.log --pidfile=/var/run/ovn/ovn-controller.pid --detach ++ action 'Starting ovn-controller' nice -n -10 ovn-controller unix:/var/run/openvswitch/db.sock -vconsole:dbg --no-chdir --log-file=/var/log/ovn/ovn-controller.log --pidfile=/var/run/ovn/ovn-controller.pid --detach ++ STRING='Starting ovn-controller' ++ shift ++ nice -n -10 ovn-controller unix:/var/run/openvswitch/db.sock -vconsole:dbg --no-chdir --log-file=/var/log/ovn/ovn-controller.log --pidfile=/var/run/ovn/ovn-controller.pid --detach +2024-08-22T11:52:17Z|00001|vlog|INFO|opened log file /var/log/ovn/ovn-controller.log +2024-08-22T11:52:17.630Z|00001|vlog|INFO|opened log file /var/log/ovn/ovn-controller.log +2024-08-22T11:52:17Z|00002|daemon_unix|DBG|/var/run/ovn/ovn-controller.pid: deleted stale pidfile ++ rc=0 ++ test 0 = 0 ++ log_success_msg 'Starting ovn-controller' ++ printf '%s.\n' 'Starting ovn-controller' +Starting ovn-controller. ++ return 0 ++ test X '!=' X +[root@ovn11 ~]# 2024-08-22T11:52:17.635Z|00003|reconnect|INFO|unix:/var/run/openvswitch/db.sock: connecting... +2024-08-22T11:52:17.636Z|00004|reconnect|INFO|unix:/var/run/openvswitch/db.sock: connected +2024-08-22T11:52:17.639Z|00005|main|INFO|OVN internal version is : [24.03.3-20.33.0-72.6] +2024-08-22T11:52:17.639Z|00006|main|INFO|OVS IDL reconnected, force recompute. +2024-08-22T11:52:17.640Z|00007|main|INFO|OVNSB IDL reconnected, force recompute. + +[root@ovn11 ~]# 2024-08-22T11:53:11.539Z|00008|memory|INFO|6512 kB peak resident set size after 53.9 seconds +2024-08-22T11:53:11.540Z|00009|memory|INFO|idl-cells-Open_vSwitch:237 ++ case $0 in +++ echo /usr/share/ovn/scripts/ovn-ctl +++ sed 's,/[^/]*$,,' ++ dir0=/usr/share/ovn/scripts +++ echo /usr/share/ovn/scripts +++ sed s,/ovn/scripts,, ++ ovsdir=/usr/share ++ ovsdir=/usr/share/openvswitch/scripts ++ . /usr/share/openvswitch/scripts/ovs-lib +++ logdir=/var/log/openvswitch +++ rundir=/var/run/openvswitch +++ sysconfdir=/etc +++ etcdir=/etc/openvswitch +++ datadir=/usr/share/openvswitch +++ bindir=/usr/bin +++ sbindir=/usr/sbin +++ test X '!=' X +++ test X '!=' X +++ dbdir=/etc/openvswitch +++ VERSION=3.2.2 +++ DAEMON_CWD=/ +++ LC_ALL=C +++ export LC_ALL +++ test -e /etc/init.d/functions +++ test -e /etc/rc.d/init.d/functions +++ test -e /lib/lsb/init-functions +++ type log_success_msg +++ type log_failure_msg +++ type log_warning_msg +++ type action ++ . /usr/share/ovn/scripts/ovn-lib +++ ovn_logdir=/var/log/ovn +++ ovn_rundir=/var/run/ovn +++ ovn_sysconfdir=/etc +++ ovn_etcdir=/etc/ovn +++ ovn_datadir=/usr/share/ovn +++ ovn_bindir=/usr/bin +++ ovn_sbindir=/usr/sbin +++ test X '!=' X +++ test X '!=' X +++ ovn_dbdir=/etc/ovn +++ VERSION=24.03.3 +++ DAEMON_CWD=/ +++ LC_ALL=C +++ export LC_ALL ++ for dir in "$sbindir" "$ovn_bindir" "$bindir" /sbin /bin /usr/sbin /usr/bin ++ case :$PATH: in ++ for dir in "$sbindir" "$ovn_bindir" "$bindir" /sbin /bin /usr/sbin /usr/bin ++ case :$PATH: in ++ for dir in "$sbindir" "$ovn_bindir" "$bindir" /sbin /bin /usr/sbin /usr/bin + diff --git a/21_ovn/k8s/ovn-config-cm.yaml b/21_ovn/k8s/ovn-config-cm.yaml new file mode 100644 index 0000000..d5eabdf --- /dev/null +++ b/21_ovn/k8s/ovn-config-cm.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +data: + host_network_namespace: ovn-host-network + k8s_apiserver: https://10.1.16.11:6443 + mtu: "1400" + net_cidr: 10.38.0.0/16 + svc_cidr: 10.49.0.0/16 +kind: ConfigMap +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","data":{"host_network_namespace":"ovn-host-network","k8s_apiserver":"https://10.1.16.11:6443","mtu":"1400","net_cidr":"10.38.0.0/16","svc_cidr":"10.49.0.0/16"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"ovn-config","namespace":"ovn-kubernetes"}} + creationTimestamp: "2024-08-27T10:13:50Z" + name: ovn-config + namespace: ovn-kubernetes + resourceVersion: "11184" + uid: 0949e29f-0a47-48f4-9fc3-6175f11677a1 diff --git a/21_ovn/k8s/ovnkube-db-deployment.yaml b/21_ovn/k8s/ovnkube-db-deployment.yaml new file mode 100644 index 0000000..ac452f4 --- /dev/null +++ b/21_ovn/k8s/ovnkube-db-deployment.yaml @@ -0,0 +1,229 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + deployment.kubernetes.io/revision: "1" + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{"kubernetes.io/description":"This daemonset launches the OVN NB/SB ovsdb service components.\n"},"name":"ovnkube-db","namespace":"ovn-kubernetes"},"spec":{"progressDeadlineSeconds":600,"replicas":1,"revisionHistoryLimit":10,"selector":{"matchLabels":{"name":"ovnkube-db"}},"strategy":{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"},"template":{"metadata":{"labels":{"component":"network","kubernetes.io/os":"linux","name":"ovnkube-db","ovn-db-pod":"true","type":"infra"}},"spec":{"containers":[{"command":["/root/ovnkube.sh","nb-ovsdb"],"env":[{"name":"OVN_DAEMONSET_VERSION","value":"1.0.0"},{"name":"OVN_LOGLEVEL_NB","value":"-vconsole:info -vfile:info"},{"name":"K8S_APISERVER","valueFrom":{"configMapKeyRef":{"key":"k8s_apiserver","name":"ovn-config"}}},{"name":"OVN_KUBERNETES_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}},{"name":"K8S_NODE_IP","valueFrom":{"fieldRef":{"fieldPath":"status.hostIP"}}},{"name":"OVN_SSL_ENABLE","value":"no"},{"name":"OVN_NB_PORT","value":"6641"},{"name":"ENABLE_IPSEC","value":"false"},{"name":"OVN_NORTHD_BACKOFF_INTERVAL","value":""}],"image":"registry.lab.syscallx86.com/ovn-daemonset-fedora:latest","imagePullPolicy":"IfNotPresent","name":"nb-ovsdb","readinessProbe":{"exec":{"command":["/usr/bin/ovn-kube-util","readiness-probe","-t","ovnnb-db"]},"initialDelaySeconds":30,"periodSeconds":60,"timeoutSeconds":30},"resources":{"requests":{"cpu":"100m","memory":"300Mi"}},"securityContext":{"capabilities":{"add":["NET_ADMIN"]},"runAsUser":0},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/etc/openvswitch/","name":"host-var-lib-ovs"},{"mountPath":"/etc/ovn/","name":"host-var-lib-ovs"},{"mountPath":"/var/log/openvswitch/","name":"host-var-log-ovs"},{"mountPath":"/var/log/ovn/","name":"host-var-log-ovs"},{"mountPath":"/ovn-cert","name":"host-ovn-cert","readOnly":true},{"mountPath":"/var/run/ovn/","name":"host-var-run-ovs"},{"mountPath":"/var/run/openvswitch/","name":"host-var-run-ovs"}]},{"command":["/root/ovnkube.sh","sb-ovsdb"],"env":[{"name":"OVN_DAEMONSET_VERSION","value":"1.0.0"},{"name":"OVN_LOGLEVEL_SB","value":"-vconsole:info -vfile:info"},{"name":"K8S_APISERVER","valueFrom":{"configMapKeyRef":{"key":"k8s_apiserver","name":"ovn-config"}}},{"name":"OVN_KUBERNETES_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}},{"name":"K8S_NODE_IP","valueFrom":{"fieldRef":{"fieldPath":"status.hostIP"}}},{"name":"OVN_SSL_ENABLE","value":"no"},{"name":"OVN_SB_PORT","value":"6642"}],"image":"registry.lab.syscallx86.com/ovn-daemonset-fedora:latest","imagePullPolicy":"IfNotPresent","name":"sb-ovsdb","readinessProbe":{"exec":{"command":["/usr/bin/ovn-kube-util","readiness-probe","-t","ovnsb-db"]},"initialDelaySeconds":30,"periodSeconds":60,"timeoutSeconds":30},"resources":{"requests":{"cpu":"100m","memory":"300Mi"}},"securityContext":{"capabilities":{"add":["NET_ADMIN"]},"runAsUser":0},"terminationMessagePolicy":"FallbackToLogsOnError","volumeMounts":[{"mountPath":"/etc/openvswitch/","name":"host-var-lib-ovs"},{"mountPath":"/etc/ovn/","name":"host-var-lib-ovs"},{"mountPath":"/var/log/openvswitch/","name":"host-var-log-ovs"},{"mountPath":"/var/log/ovn/","name":"host-var-log-ovs"},{"mountPath":"/ovn-cert","name":"host-ovn-cert","readOnly":true},{"mountPath":"/var/run/ovn/","name":"host-var-run-ovs"},{"mountPath":"/var/run/openvswitch/","name":"host-var-run-ovs"}]}],"dnsPolicy":"Default","hostNetwork":true,"nodeSelector":{"kubernetes.io/os":"linux","node-role.kubernetes.io/control-plane":""},"priorityClassName":"system-cluster-critical","serviceAccountName":"ovnkube-db","tolerations":[{"operator":"Exists"}],"volumes":[{"hostPath":{"path":"/var/lib/openvswitch"},"name":"host-var-lib-ovs"},{"hostPath":{"path":"/var/log/openvswitch"},"name":"host-var-log-ovs"},{"hostPath":{"path":"/etc/ovn","type":"DirectoryOrCreate"},"name":"host-ovn-cert"},{"hostPath":{"path":"/var/run/openvswitch"},"name":"host-var-run-ovs"}]}}}} + kubernetes.io/description: | + This daemonset launches the OVN NB/SB ovsdb service components. + creationTimestamp: "2024-08-27T10:19:47Z" + generation: 5 + name: ovnkube-db + namespace: ovn-kubernetes + resourceVersion: "601906" + uid: fb67b434-9c83-4429-b764-76944af5c6bb +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + name: ovnkube-db + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + component: network + kubernetes.io/os: linux + name: ovnkube-db + ovn-db-pod: "true" + type: infra + spec: + containers: + - command: + - /root/ovnkube.sh + - nb-ovsdb + env: + - name: OVN_DAEMONSET_VERSION + value: 1.0.0 + - name: OVN_LOGLEVEL_NB + value: -vconsole:info -vfile:info + - name: K8S_APISERVER + valueFrom: + configMapKeyRef: + key: k8s_apiserver + name: ovn-config + - name: OVN_KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: K8S_NODE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: OVN_SSL_ENABLE + value: "no" + - name: OVN_NB_PORT + value: "6641" + - name: ENABLE_IPSEC + value: "false" + - name: OVN_NORTHD_BACKOFF_INTERVAL + image: registry.lab.syscallx86.com/ovn-daemonset-fedora:latest + imagePullPolicy: IfNotPresent + name: nb-ovsdb + readinessProbe: + exec: + command: + - /usr/bin/ovn-kube-util + - readiness-probe + - -t + - ovnnb-db + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 30 + resources: + requests: + cpu: 100m + memory: 300Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsUser: 0 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/openvswitch/ + name: host-var-lib-ovs + - mountPath: /etc/ovn/ + name: host-var-lib-ovs + - mountPath: /var/log/openvswitch/ + name: host-var-log-ovs + - mountPath: /var/log/ovn/ + name: host-var-log-ovs + - mountPath: /ovn-cert + name: host-ovn-cert + readOnly: true + - mountPath: /var/run/ovn/ + name: host-var-run-ovs + - mountPath: /var/run/openvswitch/ + name: host-var-run-ovs + - command: + - /root/ovnkube.sh + - sb-ovsdb + env: + - name: OVN_DAEMONSET_VERSION + value: 1.0.0 + - name: OVN_LOGLEVEL_SB + value: -vconsole:info -vfile:info + - name: K8S_APISERVER + valueFrom: + configMapKeyRef: + key: k8s_apiserver + name: ovn-config + - name: OVN_KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: K8S_NODE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: OVN_SSL_ENABLE + value: "no" + - name: OVN_SB_PORT + value: "6642" + image: registry.lab.syscallx86.com/ovn-daemonset-fedora:latest + imagePullPolicy: IfNotPresent + name: sb-ovsdb + readinessProbe: + exec: + command: + - /usr/bin/ovn-kube-util + - readiness-probe + - -t + - ovnsb-db + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 30 + resources: + requests: + cpu: 100m + memory: 300Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsUser: 0 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/openvswitch/ + name: host-var-lib-ovs + - mountPath: /etc/ovn/ + name: host-var-lib-ovs + - mountPath: /var/log/openvswitch/ + name: host-var-log-ovs + - mountPath: /var/log/ovn/ + name: host-var-log-ovs + - mountPath: /ovn-cert + name: host-ovn-cert + readOnly: true + - mountPath: /var/run/ovn/ + name: host-var-run-ovs + - mountPath: /var/run/openvswitch/ + name: host-var-run-ovs + dnsPolicy: Default + hostNetwork: true + nodeSelector: + kubernetes.io/os: linux + node-role.kubernetes.io/control-plane: "" + priorityClassName: system-cluster-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: ovnkube-db + serviceAccountName: ovnkube-db + terminationGracePeriodSeconds: 30 + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /var/lib/openvswitch + type: "" + name: host-var-lib-ovs + - hostPath: + path: /var/log/openvswitch + type: "" + name: host-var-log-ovs + - hostPath: + path: /etc/ovn + type: DirectoryOrCreate + name: host-ovn-cert + - hostPath: + path: /var/run/openvswitch + type: "" + name: host-var-run-ovs +status: + availableReplicas: 1 + conditions: + - lastTransitionTime: "2024-08-27T10:19:47Z" + lastUpdateTime: "2024-08-27T10:20:45Z" + message: ReplicaSet "ovnkube-db-84468d897f" has successfully progressed. + reason: NewReplicaSetAvailable + status: "True" + type: Progressing + - lastTransitionTime: "2024-09-17T07:23:09Z" + lastUpdateTime: "2024-09-17T07:23:09Z" + message: Deployment has minimum availability. + reason: MinimumReplicasAvailable + status: "True" + type: Available + observedGeneration: 5 + readyReplicas: 1 + replicas: 1 + updatedReplicas: 1 diff --git a/21_ovn/k8s/ovnkube-master-deployment.yaml b/21_ovn/k8s/ovnkube-master-deployment.yaml new file mode 100644 index 0000000..9664340 --- /dev/null +++ b/21_ovn/k8s/ovnkube-master-deployment.yaml @@ -0,0 +1,281 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + deployment.kubernetes.io/revision: "2" + kubernetes.io/description: | + This Deployment launches the ovn-kubernetes master networking components. + creationTimestamp: "2024-08-27T11:57:30Z" + generation: 2 + name: ovnkube-master + namespace: ovn-kubernetes + resourceVersion: "601978" + uid: bd42d043-3775-4bc8-84e0-35d86776ff27 +spec: + progressDeadlineSeconds: 600 + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + name: ovnkube-master + strategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + creationTimestamp: null + labels: + component: network + kubernetes.io/os: linux + name: ovnkube-master + type: infra + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: In + values: + - "" + - key: kubernetes.io/os + operator: In + values: + - linux + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - ovnkube-master + topologyKey: kubernetes.io/hostname + containers: + - command: + - /root/ovnkube.sh + - run-ovn-northd + env: + - name: OVN_DAEMONSET_VERSION + value: 1.0.0 + - name: OVN_LOGLEVEL_NORTHD + value: -vconsole:info -vfile:info + - name: K8S_APISERVER + valueFrom: + configMapKeyRef: + key: k8s_apiserver + name: ovn-config + - name: OVN_KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: OVN_SSL_ENABLE + value: "no" + image: registry.lab.syscallx86.com/ovn-daemonset-fedora:latest + imagePullPolicy: IfNotPresent + name: ovn-northd + readinessProbe: + exec: + command: + - /usr/bin/ovn-kube-util + - readiness-probe + - -t + - ovn-northd + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 30 + resources: + requests: + cpu: 100m + memory: 300Mi + securityContext: + capabilities: + add: + - SYS_NICE + runAsUser: 0 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/dbus/ + name: host-var-run-dbus + readOnly: true + - mountPath: /var/log/openvswitch/ + name: host-var-log-ovs + - mountPath: /var/log/ovn/ + name: host-var-log-ovs + - mountPath: /var/run/openvswitch/ + name: host-var-run-ovs + - mountPath: /var/run/ovn/ + name: host-var-run-ovs + - mountPath: /ovn-cert + name: host-ovn-cert + readOnly: true + - command: + - /root/ovnkube.sh + - ovn-master + env: + - name: OVN_DAEMONSET_VERSION + value: 1.0.0 + - name: OVNKUBE_LOGLEVEL + value: "5" + - name: OVNKUBE_LOGFILE_MAXSIZE + value: "100" + - name: OVNKUBE_LOGFILE_MAXBACKUPS + value: "5" + - name: OVNKUBE_LOGFILE_MAXAGE + value: "5" + - name: OVNKUBE_LIBOVSDB_CLIENT_LOGFILE + - name: OVNKUBE_CONFIG_DURATION_ENABLE + - name: OVNKUBE_METRICS_SCALE_ENABLE + - name: OVNKUBE_COMPACT_MODE_ENABLE + value: "false" + - name: OVN_NET_CIDR + valueFrom: + configMapKeyRef: + key: net_cidr + name: ovn-config + - name: OVN_SVC_CIDR + valueFrom: + configMapKeyRef: + key: svc_cidr + name: ovn-config + - name: K8S_APISERVER + valueFrom: + configMapKeyRef: + key: k8s_apiserver + name: ovn-config + - name: K8S_NODE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: K8S_NODE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: OVN_KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: OVN_HYBRID_OVERLAY_ENABLE + - name: OVN_ADMIN_NETWORK_POLICY_ENABLE + - name: OVN_EGRESSIP_ENABLE + value: "true" + - name: OVN_EGRESSIP_HEALTHCHECK_PORT + - name: OVN_EGRESSFIREWALL_ENABLE + - name: OVN_EGRESSQOS_ENABLE + - name: OVN_MULTI_NETWORK_ENABLE + - name: OVN_NETWORK_SEGMENTATION_ENABLE + - name: OVN_EGRESSSERVICE_ENABLE + - name: OVN_HYBRID_OVERLAY_NET_CIDR + - name: OVN_DISABLE_SNAT_MULTIPLE_GWS + - name: OVN_DISABLE_FORWARDING + - name: OVN_ENCAP_PORT + - name: OVN_EMPTY_LB_EVENTS + - name: OVN_V4_JOIN_SUBNET + - name: OVN_V6_JOIN_SUBNET + - name: OVN_V4_MASQUERADE_SUBNET + - name: OVN_V6_MASQUERADE_SUBNET + - name: OVN_SSL_ENABLE + value: "no" + - name: OVN_GATEWAY_MODE + value: local + - name: OVN_GATEWAY_OPTS + - name: OVN_MULTICAST_ENABLE + - name: OVN_ACL_LOGGING_RATE_LIMIT + value: "20" + - name: OVN_STATELESS_NETPOL_ENABLE + - name: OVN_ENABLE_MULTI_EXTERNAL_GATEWAY + - name: OVN_ENABLE_SVC_TEMPLATE_SUPPORT + value: "true" + - name: OVN_HOST_NETWORK_NAMESPACE + valueFrom: + configMapKeyRef: + key: host_network_namespace + name: ovn-config + - name: OVN_ENABLE_PERSISTENT_IPS + - name: OVN_ENABLE_DNSNAMERESOLVER + value: "false" + image: registry.lab.syscallx86.com/ovn-daemonset-fedora:latest + imagePullPolicy: IfNotPresent + name: ovnkube-master + resources: + requests: + cpu: 100m + memory: 300Mi + securityContext: + runAsUser: 0 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/dbus/ + name: host-var-run-dbus + readOnly: true + - mountPath: /var/log/ovn-kubernetes/ + name: host-var-log-ovnkube + - mountPath: /var/run/openvswitch/ + name: host-var-run-ovs + - mountPath: /var/run/ovn/ + name: host-var-run-ovs + - mountPath: /ovn-cert + name: host-ovn-cert + readOnly: true + dnsPolicy: Default + hostNetwork: true + priorityClassName: system-cluster-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: ovnkube-master + serviceAccountName: ovnkube-master + terminationGracePeriodSeconds: 30 + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /var/run/dbus + type: "" + name: host-var-run-dbus + - hostPath: + path: /var/log/openvswitch + type: "" + name: host-var-log-ovs + - hostPath: + path: /var/log/ovn-kubernetes + type: "" + name: host-var-log-ovnkube + - hostPath: + path: /var/run/openvswitch + type: "" + name: host-var-run-ovs + - hostPath: + path: /etc/ovn + type: DirectoryOrCreate + name: host-ovn-cert +status: + availableReplicas: 1 + conditions: + - lastTransitionTime: "2024-08-27T11:57:30Z" + lastUpdateTime: "2024-08-27T11:57:30Z" + message: Deployment has minimum availability. + reason: MinimumReplicasAvailable + status: "True" + type: Available + - lastTransitionTime: "2024-08-27T11:57:30Z" + lastUpdateTime: "2024-08-28T10:26:11Z" + message: ReplicaSet "ovnkube-master-f9c59bd6c" has successfully progressed. + reason: NewReplicaSetAvailable + status: "True" + type: Progressing + observedGeneration: 2 + readyReplicas: 1 + replicas: 1 + updatedReplicas: 1 diff --git a/21_ovn/k8s/ovnkube-node-ds.yaml b/21_ovn/k8s/ovnkube-node-ds.yaml new file mode 100644 index 0000000..03ec284 --- /dev/null +++ b/21_ovn/k8s/ovnkube-node-ds.yaml @@ -0,0 +1,386 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: + deprecated.daemonset.template.generation: "2" + kubernetes.io/description: | + This DaemonSet launches the ovn-kubernetes networking components for worker nodes. + creationTimestamp: "2024-08-27T12:08:51Z" + generation: 2 + name: ovnkube-node + namespace: ovn-kubernetes + resourceVersion: "601975" + uid: 8304a683-e79a-4f17-84d5-425551fdbe57 +spec: + revisionHistoryLimit: 10 + selector: + matchLabels: + app: ovnkube-node + template: + metadata: + creationTimestamp: null + labels: + app: ovnkube-node + component: network + kubernetes.io/os: linux + name: ovnkube-node + type: infra + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: k8s.ovn.org/dpu-host + operator: DoesNotExist + - key: k8s.ovn.org/dpu + operator: DoesNotExist + containers: + - command: + - /root/ovnkube.sh + - ovn-node + env: + - name: OVN_DAEMONSET_VERSION + value: 1.0.0 + - name: OVNKUBE_LOGLEVEL + value: "5" + - name: OVNKUBE_LOGFILE_MAXSIZE + value: "100" + - name: OVNKUBE_LOGFILE_MAXBACKUPS + value: "5" + - name: OVNKUBE_LOGFILE_MAXAGE + value: "5" + - name: OVN_NET_CIDR + valueFrom: + configMapKeyRef: + key: net_cidr + name: ovn-config + - name: OVN_SVC_CIDR + valueFrom: + configMapKeyRef: + key: svc_cidr + name: ovn-config + - name: K8S_APISERVER + valueFrom: + configMapKeyRef: + key: k8s_apiserver + name: ovn-config + - name: OVN_MTU + valueFrom: + configMapKeyRef: + key: mtu + name: ovn-config + - name: OVN_ROUTABLE_MTU + valueFrom: + configMapKeyRef: + key: routable_mtu + name: ovn-config + optional: true + - name: K8S_NODE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: K8S_NODE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: OVN_GATEWAY_MODE + value: local + - name: OVN_GATEWAY_OPTS + - name: OVN_HYBRID_OVERLAY_ENABLE + - name: OVN_ADMIN_NETWORK_POLICY_ENABLE + - name: OVN_EGRESSIP_ENABLE + value: "true" + - name: OVN_EGRESSIP_HEALTHCHECK_PORT + - name: OVN_EGRESSSERVICE_ENABLE + - name: OVN_HYBRID_OVERLAY_NET_CIDR + - name: OVN_DISABLE_SNAT_MULTIPLE_GWS + - name: OVN_DISABLE_FORWARDING + - name: OVN_ENCAP_PORT + - name: OVN_DISABLE_PKT_MTU_CHECK + - name: OVN_NETFLOW_TARGETS + - name: OVN_SFLOW_TARGETS + - name: OVN_IPFIX_TARGETS + - name: OVN_IPFIX_SAMPLING + - name: OVN_IPFIX_CACHE_MAX_FLOWS + - name: OVN_IPFIX_CACHE_ACTIVE_TIMEOUT + - name: OVN_V4_JOIN_SUBNET + - name: OVN_V6_JOIN_SUBNET + - name: OVN_V4_MASQUERADE_SUBNET + - name: OVN_V6_MASQUERADE_SUBNET + - name: OVN_MULTICAST_ENABLE + - name: OVN_UNPRIVILEGED_MODE + value: "no" + - name: OVN_EX_GW_NETWORK_INTERFACE + - name: OVN_ENABLE_OVNKUBE_IDENTITY + value: "false" + - name: OVN_SSL_ENABLE + value: "no" + - name: OVN_DISABLE_OVN_IFACE_ID_VER + value: "false" + - name: OVN_REMOTE_PROBE_INTERVAL + value: "100000" + - name: OVN_MONITOR_ALL + - name: OVN_OFCTRL_WAIT_BEFORE_CLEAR + - name: OVN_ENABLE_LFLOW_CACHE + - name: OVN_LFLOW_CACHE_LIMIT + - name: OVN_LFLOW_CACHE_LIMIT_KB + - name: OVN_MULTI_NETWORK_ENABLE + - name: OVN_NETWORK_SEGMENTATION_ENABLE + - name: OVN_ENABLE_INTERCONNECT + - name: OVN_ENABLE_MULTI_EXTERNAL_GATEWAY + - name: OVNKUBE_NODE_MGMT_PORT_NETDEV + - name: OVN_HOST_NETWORK_NAMESPACE + valueFrom: + configMapKeyRef: + key: host_network_namespace + name: ovn-config + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + image: registry.lab.syscallx86.com/ovn-daemonset-fedora:latest + imagePullPolicy: IfNotPresent + name: ovnkube-node + readinessProbe: + exec: + command: + - /usr/bin/ovn-kube-util + - readiness-probe + - -t + - ovnkube-node + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 30 + resources: + requests: + cpu: 100m + memory: 300Mi + securityContext: + privileged: true + runAsUser: 0 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /host + name: host-slash + readOnly: true + - mountPath: /var/run/dbus/ + name: host-var-run-dbus + readOnly: true + - mountPath: /var/lib/kubelet + name: host-kubelet + readOnly: true + - mountPath: /var/log/ovn-kubernetes/ + name: host-var-log-ovnkube + - mountPath: /var/run/ovn-kubernetes + name: host-var-run-ovn-kubernetes + - mountPath: /opt/cni/bin + name: host-opt-cni-bin + - mountPath: /etc/cni/net.d + name: host-etc-cni-netd + - mountPath: /var/run/netns + mountPropagation: Bidirectional + name: host-netns + - mountPath: /var/run/openvswitch/ + name: host-var-run-ovs + - mountPath: /var/run/ovn/ + name: host-var-run-ovs + - mountPath: /ovn-cert + name: host-ovn-cert + readOnly: true + - mountPath: /etc/openvswitch/ + name: host-etc-ovs + readOnly: true + - mountPath: /etc/ovn/ + name: host-var-lib-ovs + readOnly: true + - command: + - /root/ovnkube.sh + - ovn-controller + env: + - name: OVN_DAEMONSET_VERSION + value: 1.0.0 + - name: OVN_LOGLEVEL_CONTROLLER + value: -vconsole:dbg + - name: K8S_APISERVER + valueFrom: + configMapKeyRef: + key: k8s_apiserver + name: ovn-config + - name: K8S_NODE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: OVN_KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: OVN_SSL_ENABLE + value: "no" + image: registry.lab.syscallx86.com/ovn-daemonset-fedora:latest + imagePullPolicy: IfNotPresent + name: ovn-controller + readinessProbe: + exec: + command: + - /usr/bin/ovn-kube-util + - readiness-probe + - -t + - ovn-controller + failureThreshold: 3 + initialDelaySeconds: 30 + periodSeconds: 60 + successThreshold: 1 + timeoutSeconds: 30 + resources: + requests: + cpu: 100m + memory: 300Mi + securityContext: + capabilities: + add: + - SYS_NICE + runAsUser: 0 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/dbus/ + name: host-var-run-dbus + readOnly: true + - mountPath: /var/log/openvswitch/ + name: host-var-log-ovs + - mountPath: /var/log/ovn/ + name: host-var-log-ovs + - mountPath: /var/run/openvswitch/ + name: host-var-run-ovs + - mountPath: /var/run/ovn/ + name: host-var-run-ovs + - mountPath: /ovn-cert + name: host-ovn-cert + readOnly: true + - command: + - /root/ovnkube.sh + - ovs-metrics + env: + - name: OVN_DAEMONSET_VERSION + value: 1.0.0 + - name: K8S_NODE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + image: registry.lab.syscallx86.com/ovn-daemonset-fedora:latest + imagePullPolicy: IfNotPresent + name: ovs-metrics-exporter + resources: + requests: + cpu: 100m + memory: 300Mi + securityContext: + capabilities: + add: + - NET_ADMIN + runAsUser: 0 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/run/dbus/ + name: host-var-run-dbus + readOnly: true + - mountPath: /var/log/openvswitch/ + name: host-var-log-ovs + - mountPath: /var/run/openvswitch/ + name: host-var-run-ovs + readOnly: true + dnsPolicy: Default + hostNetwork: true + hostPID: true + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-cluster-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: ovnkube-node + serviceAccountName: ovnkube-node + terminationGracePeriodSeconds: 30 + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /var/run/dbus + type: "" + name: host-var-run-dbus + - hostPath: + path: /var/lib/kubelet + type: "" + name: host-kubelet + - hostPath: + path: /var/log/ovn-kubernetes + type: "" + name: host-var-log-ovnkube + - hostPath: + path: /var/run/ovn-kubernetes + type: "" + name: host-var-run-ovn-kubernetes + - hostPath: + path: /opt/cni/bin + type: "" + name: host-opt-cni-bin + - hostPath: + path: /etc/cni/net.d + type: "" + name: host-etc-cni-netd + - hostPath: + path: / + type: "" + name: host-slash + - hostPath: + path: /var/run/netns + type: "" + name: host-netns + - hostPath: + path: /var/log/openvswitch + type: "" + name: host-var-log-ovs + - hostPath: + path: /run/openvswitch + type: "" + name: host-run-ovs + - hostPath: + path: /var/run/openvswitch + type: "" + name: host-var-run-ovs + - hostPath: + path: /etc/ovn + type: DirectoryOrCreate + name: host-ovn-cert + - hostPath: + path: /var/lib/openvswitch + type: "" + name: host-var-lib-ovs + - hostPath: + path: /etc/openvswitch + type: "" + name: host-etc-ovs + updateStrategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + type: RollingUpdate +status: + currentNumberScheduled: 7 + desiredNumberScheduled: 7 + numberAvailable: 7 + numberMisscheduled: 0 + numberReady: 7 + observedGeneration: 2 + updatedNumberScheduled: 7 diff --git a/21_ovn/k8s/pods.out b/21_ovn/k8s/pods.out new file mode 100644 index 0000000..0e4956f --- /dev/null +++ b/21_ovn/k8s/pods.out @@ -0,0 +1,10 @@ +NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +ovnkube-db-84468d897f-764mr 2/2 Running 32 20d 10.1.16.11 ovn11.lab.syscallx86.com +ovnkube-master-f9c59bd6c-cdpqg 2/2 Running 28 19d 10.1.16.11 ovn11.lab.syscallx86.com +ovnkube-node-8zbjr 3/3 Running 42 19d 10.1.16.11 ovn11.lab.syscallx86.com +ovnkube-node-9wb5f 3/3 Running 42 19d 10.1.16.15 ovn15.lab.syscallx86.com +ovnkube-node-qfsjr 3/3 Running 45 19d 10.1.16.17 ovn17.lab.syscallx86.com +ovnkube-node-rcfwk 3/3 Running 42 18d 10.1.16.52 ovn52.lab.syscallx86.com +ovnkube-node-rjwwz 3/3 Running 42 19d 10.1.16.16 ovn16.lab.syscallx86.com +ovnkube-node-ss9zx 3/3 Running 40 18d 10.1.16.51 ovn51.lab.syscallx86.com +ovnkube-node-zzccr 3/3 Running 48 19d 10.1.16.18 ovn18.lab.syscallx86.com diff --git a/21_ovn/ovn b/21_ovn/ovn new file mode 120000 index 0000000..8530575 --- /dev/null +++ b/21_ovn/ovn @@ -0,0 +1 @@ +../05_k8s/ovn \ No newline at end of file diff --git a/99_newhost/ansible/01_prepare_nodes.yaml b/99_newhost/ansible/01_prepare_nodes.yaml index 8aa69f4..a55cd1a 100644 --- a/99_newhost/ansible/01_prepare_nodes.yaml +++ b/99_newhost/ansible/01_prepare_nodes.yaml @@ -23,7 +23,7 @@ shell: mkdir /data/vms/{{ hostname }}.{{ domain }} - name: Clone template - shell: virt-clone --original-xml /data/templates/t_centos7/t_centos7.xml --name {{ fqdn }} --file /data/vms/{{ fqdn }}/rootvg.qcow2 + shell: virt-clone --original-xml /data/vms/templates/basevm.xml --name {{ fqdn }} --file /data/vms/{{ fqdn }}/rootvg.qcow2 - name: Change rootvg size shell: qemu-img resize /data/vms/{{ fqdn }}/rootvg.qcow2 +{{ rootvg_size - 20 }}G @@ -41,7 +41,7 @@ -- hosts: centos7 +- hosts: basevm become: true gather_facts: no tasks: @@ -56,7 +56,7 @@ shell: echo "{{ fqdn }}" > /etc/hostname - name: Add hosts to hostname - shell: echo "{{ ip }} {{ hostname }} {{ fqdn }}" >> /etc/hosts + shell: echo "{{ ip }} {{ fqdn }} {{ hostname }}" >> /etc/hosts - name: Resize partition shell: printf 'd\n2\np\nn\np\n2\n\n\nt\n2\n8e\nw' | fdisk /dev/vda @@ -69,13 +69,10 @@ shell: pvresize /dev/vda2 - name: Add an Ethernet connection with static IP configuration - shell: nmcli connection modify eth0 ipv4.addresses {{ ip }}/24 ipv4.method manual ipv4.dns "{{ ipaip }}" + shell: nmcli connection modify enp1s0 ipv4.addresses {{ ip }}/24 ipv4.method manual ipv4.dns "{{ ipaip }}" - name: Install additional packages - shell: yum install -y ipa-client sssd openldap-clients krb5-workstation nfs-client autofs policycoreutils-python - - - name: Enable make dir option for new users - shell: authconfig --enablemkhomedir --update + shell: yum install -y ipa-client sssd openldap-clients krb5-workstation nfs-utils autofs policycoreutils-python-utils python3-policycoreutils.noarch - name: Update sshd config - part 1 shell: echo "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys" >> /etc/ssh/sshd_config @@ -118,10 +115,9 @@ - name: "Destroy domain" shell: "virsh destroy {{ fqdn }}" ignore_errors: yes - - - name: "Change virbr interface" - shell: virt-xml {{ fqdn }} --edit -w vnet0 --network bridge=virbr{{ virbr }} - + + - name: "Change network configuration" + shell: "virt-xml {{ fqdn }} --xml ./devices/interface/vlan/tag/@id={{ virbr }} --edit" - name: "Start domain" shell: "virsh start {{ fqdn }}" diff --git a/99_newhost/repos/crio.repo b/99_newhost/repos/crio.repo new file mode 100644 index 0000000..015a54d --- /dev/null +++ b/99_newhost/repos/crio.repo @@ -0,0 +1,6 @@ +[cri-o] +name=CRI-O +baseurl=https://pkgs.k8s.io/addons:/cri-o:/stable:/v1.30/rpm/ +enabled=1 +gpgcheck=1 +gpgkey=https://pkgs.k8s.io/addons:/cri-o:/stable:/v1.30/rpm/repodata/repomd.xml.key diff --git a/99_newhost/repos/hashicorp.repo b/99_newhost/repos/hashicorp.repo new file mode 100644 index 0000000..e69de29 diff --git a/99_newhost/repos/kubernetes.repo b/99_newhost/repos/kubernetes.repo new file mode 100644 index 0000000..d58d55d --- /dev/null +++ b/99_newhost/repos/kubernetes.repo @@ -0,0 +1,6 @@ +[kubernetes] +name=Kubernetes +baseurl=https://pkgs.k8s.io/core:/stable:/v1.30/rpm/ +enabled=1 +gpgcheck=1 +gpgkey=https://pkgs.k8s.io/core:/stable:/v1.30/rpm/repodata/repomd.xml.key