Before You Install

  1. Set up an account with Red Hat and set up an account with Juniper Networks.
    You'll need the Red Hat account to use the hosted Assisted Installer service, and you'll need the Juniper Networks account to download the CN2 manifests from the Juniper Networks download site (https://support.juniper.net/support/downloads/?p=contrail-networking) and access the container repository at https://enterprise-hub.juniper.net.
  2. Set up the fabric network and connect your nodes to the fabric depending on whether you're installing with user-managed networking (Figure 1) or cluster-managed networking (Figure 1).
  3. Configure the Assisted Installer client machine.
    1. Install a fresh OS on the Assisted Installer client machine, configuring the OS minimally for the following:
      • static IP address and mask (for example, 172.16.0.10/24) and gateway
      • access to one or more DNS servers
      • SSH connectivity including root SSH access
      • NTP
      • curl
      • jq
      The Assisted Installer client machine used in our examples is running a RHEL OS.
    2. Install Helm 3.0 or later (optional). Helm is needed if you want to install Contrail Analytics.
      The following steps are copied from https://helm.sh/docs/intro/install/ for your convenience:
      • Download the get_helm.sh script:

      • Install Helm.

  4. Download the CN2 manifests from Juniper Networks.
    1. Download the CN2 manifests (see Manifests) onto your local computer.
    2. Copy the downloaded manifests and tools package to the Assisted Installer client machine and extract.
    3. Identify the manifests you want to use and copy them to a separate directory. For an explanation of the manifests, see Manifests for your release.
      Make sure you copy over all the manifests that you plan on using, including the manifests from the subdirectories if applicable. In our example, we copy the manifests to a manifests directory. Don't copy the subdirectories themselves. The manifests directory should be a flat directory.
    4. Populate the manifests with your repository login credentials.

      Add your repository login credentials to the contrail-manifests-openshift/auth-registry manifests. See Configure Repository Credentials.

    5. Customize the manifests for your environment as necessary.

      If you're running your cluster nodes on VMs, edit the following files to reference the actual names of your interfaces. These manifests disable checksum offloads on the named interface on the VM. (Checksum offload is usually only supported on real NICs on bare metal servers.)

      • 99-disable-offload-master.yaml - This manifest disables offload on the control plane nodes on the interface used for Kubernetes control plane traffic. This is the interface that attaches to the 172.16.0.0/24 network in our examples.
      • 99-disable-offload-worker.yaml - This manifest disables offload on the worker nodes on the interface used for Kubernetes control plane traffic. This is the interface that attaches to the 172.16.0.0/24 network in our examples.
      • 99-disable-offload-master-vrrp.yaml - This manifest disables offload on the control plane nodes on the interface used for Contrail control plane and user data plane traffic. Include this only when running a separate interface for Contrail control and data traffic (such as when using cluster-managed networking). This is the interface that attaches to the 10.16.0.0/24 network in our cluster-managed networking example.
      • 99-disable-offload-worker-vrrp.yaml - This manifest disables offload on the worker nodes on the interface used for Contrail control plane and user data plane traffic. Include this only when running a separate interface for Contrail control and data traffic (such as when using cluster-managed networking). This is the interface that attaches to the 10.16.0.0/24 network in our cluster-managed networking example.

      Look for the line ExecStart=/sbin/ethtool -K ens3 tx off or ExecStart=/sbin/ethtool -K ens4 tx off in these manifests and change the interface name to match the interface name on your control plane or worker node as appropriate.

    6. Specify the Contrail control and data network if you're using cluster-managed networking.
      Edit the following file to reference the subnet and gateway that you're using for Contrail control plane and user data plane traffic:
      • 99-network-configmap.yaml - This manifest specifies the network for Contrail control plane and user data plane traffic. Uncomment the contrail-network-config ConfigMap specification in the manifest and specify the appropriate subnet and gateway (for example, 10.16.0.0/24 and 10.16.0.254).
    7. If you're integrating CN2 with Juniper Apstra, configure your Juniper Apstra login credentials.

      Configure your Apstra login credentials in the contrail-manifests-openshift/plugins/111-apstra-secret.yaml manifest. Make sure the username and password that you specify are base64-encoded. For more information, see https://www.juniper.net/documentation/us/en/software/cn-cloud-native23.2/cn-cloud-native-feature-guide/index.html.
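
One way to produce and check the base64 values before applying the Apstra secret manifest. This is an added example, not part of the CN2 documentation; the key names in the sample manifest (username, password) and all sample values are constructed, and GNU coreutils is assumed. base64 is an encoding, not encryption, so the finished manifest still holds recoverable credentials.

```shell
#!/bin/sh
# Added example, not from the CN2 documentation. The key names used in the
# sample manifest (username, password) and all sample values are constructed.

# Encode exactly the bytes given. printf '%s' adds no trailing newline
# (echo would), and tr removes the line wraps base64 adds to long input.
b64_encode() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Classify one Secret data value:
#   ok       decodes cleanly
#   newline  decodes, but the plaintext ends in a newline (echo | base64)
#   invalid  not base64 (for example, plaintext left in the manifest)
b64_check() {
    tmp=$(mktemp) || return 2
    if ! printf '%s' "$1" | base64 -d >"$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo invalid; return 0
    fi
    last=$(tail -c 1 "$tmp" | od -An -tx1 | tr -d ' \n')
    rm -f "$tmp"
    if [ "$last" = "0a" ]; then echo newline; else echo ok; fi
}

# Check each "key: value" line under data: in a Secret manifest.
# Prints "key status" per entry; returns 1 if any entry is not ok.
check_secret_file() {
    rc=0 in_data=0
    while IFS= read -r line; do
        case $line in
            data:*) in_data=1; continue ;;
            ""|" "*) ;;          # blank or indented: same block continues
            *) in_data=0 ;;      # another top-level key ends the data block
        esac
        [ "$in_data" -eq 1 ] || continue
        key=$(printf '%s\n' "$line" | sed -n 's/^ *\([A-Za-z0-9_.-]*\): *\(.*\)$/\1/p')
        val=$(printf '%s\n' "$line" | sed -n 's/^ *\([A-Za-z0-9_.-]*\): *\(.*\)$/\2/p')
        [ -n "$key" ] || continue
        status=$(b64_check "$val")
        echo "$key $status"
        [ "$status" = ok ] || rc=1
    done <"$1"
    return "$rc"
}
```

A plaintext value that happens to consist only of base64 characters in a valid length still decodes, so an ok result confirms the encoding is well formed, not that the decoded credential is the intended one.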

  5. Install contrailstatus on the Assisted Installer client machine. Contrailstatus is a kubectl plug-in you can use to query CN2 microservices and CN2-specific resources.
    The contrailstatus executable is packaged within the downloaded tools package. Extract and copy the kubectl-contrailstatus executable to /usr/local/bin.
  6. Install a load balancer (if you're running with user-managed networking). This step is not required when running with cluster-managed networking.
    In this example, we run haproxy on the Assisted Installer client machine. You can choose to run a different load balancer for your installation.
    1. Install the load balancer.
      For example:
    2. Configure the load balancer.
      We use a single IP address (172.16.0.10) that distributes API and ingress traffic to the nodes in the cluster.
      Table 1: Example Load Balancer Entries
      Type of Traffic   Front End           Back End
      api               172.16.0.10:6443    172.16.0.11:6443, 172.16.0.12:6443, 172.16.0.13:6443
      api-int           172.16.0.10:22623   172.16.0.11:22623, 172.16.0.12:22623, 172.16.0.13:22623
      https             172.16.0.10:443     172.16.0.14:443, 172.16.0.15:443
      http              172.16.0.10:80      172.16.0.14:80, 172.16.0.15:80

      Here's an example snippet of haproxy configuration (/etc/haproxy/haproxy.cfg) that performs the above mappings:
    3. Start the load balancer.
      For example:
      Note:

      If you're running with SELinux, you may need to explicitly allow haproxy to listen on ports (setsebool -P haproxy_connect_any 1).
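
The Table 1 mappings from the load balancer step above, rendered as haproxy frontend and backend stanzas by a short script. This is an added example, not the snippet from the original documentation; the stanza and server names and the use of TCP passthrough are assumptions, and the output is meant to be appended to a haproxy.cfg that already has its global and defaults sections.

```shell
#!/bin/sh
# Added example: render haproxy frontend/backend stanzas for the Table 1
# mappings. Stanza and server names are constructed; TCP passthrough
# (mode tcp) is an assumption that leaves TLS termination to the cluster.

VIP=172.16.0.10                                  # front-end address (Table 1)
CONTROL="172.16.0.11 172.16.0.12 172.16.0.13"    # api, api-int back ends
WORKERS="172.16.0.14 172.16.0.15"                # https, http back ends

# emit_service NAME PORT "BACKEND_IP ..."
# Each frontend binds to the single front-end address rather than to every
# address on the host, so only that IP accepts cluster traffic.
emit_service() {
    name=$1 port=$2 backends=$3
    printf 'frontend %s\n    bind %s:%s\n    mode tcp\n    default_backend %s-be\n\n' \
        "$name" "$VIP" "$port" "$name"
    printf 'backend %s-be\n    mode tcp\n    balance roundrobin\n' "$name"
    n=0
    for ip in $backends; do
        n=$((n + 1))
        # "check" enables health checks so a down node is taken out of rotation
        printf '    server %s%s %s:%s check\n' "$name" "$n" "$ip" "$port"
    done
    printf '\n'
}

# Emit one frontend/backend pair per row of Table 1.
render_haproxy_services() {
    emit_service api 6443 "$CONTROL"
    emit_service api-int 22623 "$CONTROL"
    emit_service https 443 "$WORKERS"
    emit_service http 80 "$WORKERS"
}
```

After appending the output of render_haproxy_services to /etc/haproxy/haproxy.cfg, haproxy -c -f /etc/haproxy/haproxy.cfg validates the file before the service is started.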

  7. Install a DNS/DHCP server in your network to serve the Kubernetes nodes.
    In this example, we run dnsmasq on the Assisted Installer client machine. You can choose to run a different DNS/DHCP server for your installation.
    1. Install the DNS/DHCP server.
      Dnsmasq is preinstalled on some RHEL OS packages. If it's not preinstalled, you can install it as follows:
    2. Configure the domain name and DHCP entries.
      Table 2: Example DHCP Assignments
      Fully-Qualified Domain Name IP Address
      ocp1.mycluster.contrail.lan 172.16.0.11
      ocp2.mycluster.contrail.lan 172.16.0.12
      ocp3.mycluster.contrail.lan 172.16.0.13
      ocp4.mycluster.contrail.lan 172.16.0.14
      ocp5.mycluster.contrail.lan 172.16.0.15
      Note:

      When using the Assisted Installer service, the fully-qualified domain name is constructed as follows: <hostname>.<cluster name>.<domain name>

      In this example, we use ocpn as the hostname, mycluster as the cluster name, and contrail.lan as the domain name.

    3. Configure your DNS entries.
      Table 3: Example DNS Entries
      Hostname IP Address Note
      ocp1.mycluster.contrail.lan 172.16.0.11 Same as DHCP assignment
      ocp2.mycluster.contrail.lan 172.16.0.12 Same as DHCP assignment
      ocp3.mycluster.contrail.lan 172.16.0.13 Same as DHCP assignment
      ocp4.mycluster.contrail.lan 172.16.0.14 Same as DHCP assignment
      ocp5.mycluster.contrail.lan 172.16.0.15 Same as DHCP assignment
      api.mycluster.contrail.lan 172.16.0.10 Load balancer for external API traffic. Required for user-managed networking only.
      api-int.mycluster.contrail.lan 172.16.0.10 Load balancer for internal API traffic. Required for user-managed networking only.
      apps.mycluster.contrail.lan 172.16.0.10 Load balancer for ingress traffic. Required for user-managed networking only.
      *.apps.mycluster.contrail.lan 172.16.0.10 Load balancer for ingress traffic. Required for user-managed networking only.
      Here's an example snippet of dnsmasq configuration (/etc/dnsmasq.conf) that performs the above assignments:
    4. Start the DNS/DHCP server.
      For example:
  8. Download the OpenShift command line interface tool (oc) from Red Hat. This package includes kubectl.
    1. In a browser on your local computer, go to https://console.redhat.com/openshift/downloads#tool-oc and download the OpenShift command line interface tool (oc).
    2. Copy the downloaded package to the Assisted Installer client machine and untar.
    3. Copy the oc and kubectl executables into a directory in your path (for example, /usr/local/bin).