Deploying the MetalSoft agent#
Each data center or pod is managed by a dedicated MetalSoft Agent. When powered on, the agent connects to the configured controller, authenticates using its pre-installed keys and attaches itself to the configured Datacenter record.
There are different ways in which the MetalSoft Agent can be deployed:
On bare metal
As a VM with L2 connectivity to the management network
As a VM with a firewall providing security and DHCP relay services
Under normal operation the agent only requires access to the out-of-band (management) networks; no in-band access is required.
There are two exceptions: legacy systems that only support PXE, for which the network setup is different (see the PXE cabling section below), and deployments where MetalSoft apps are used together with operating system deployment, which need the in-band access listed at the end of this page.
Resource requirements#
The following resources are typically required for a MetalSoft agent installation:
100GB Disk
8 vCPU
16GB RAM
Ubuntu 22.04 or higher
Other requirements#
An already configured Datacenter record
Network access to MetalSoft Registry, MetalSoft Repo, MetalSoft controller. More details [here](#Agent firewall configuration).
Environment certificate and key, saved in a file locally on the agent's VM
Credentials for accessing MetalSoft docker registry
Bare metal Agent cabling#
The following shows the agent’s cabling if the agent runs directly on a bare metal server. All ports of the OOB switch should be in the same L2 broadcast domain (VLAN).
Virtual Agent, L2 connectivity#
The agent can also be hosted as a virtual machine if the L2 connectivity can be extended (same VLAN).
Virtual Agent, L3 connectivity#
The following shows the agent’s connectivity if the agent runs as a VM in a remote virtualization cluster with no direct L2 connectivity. In this case the agent is reached through a firewall, router or similar L3 device.
This setup is often used to enforce firewall rules around the agent, for example to separate the switch management network from the server management network.
To enable ZTP, a DHCP relay must be configured on the firewall or router so that DHCP requests from the server or switch management interfaces are forwarded to the agent’s embedded DHCP server.
Agent cabling - PXE (legacy, deprecated)#
Some older equipment does not support virtual-media-only setups. MetalSoft can use PXE to deploy the operating system and coordinate SAN booting. For that to work an extra link is required between the agent server and the data and storage fabrics.
This link can be made at the spine layer or at the leaf switches, in which case the agent server should be located inside one of the compute racks.
To improve security and separate the control plane from the data plane, a router VM that also acts as a firewall is introduced. To save resources, the router and the agent are virtualized and deployed on the same physical server.
Install the Datacenter Agents on the DC agents machine#
Option #1#
On the deployed Controller, in the manifests folder (usually found at /opt/metalsoft/manifests/) you will find a helper script which generates a one-liner:
./scripts/gen-agents-deploy-oneliner.sh -h
Usage: ./scripts/gen-agents-deploy-oneliner.sh -n namespace -d dc-name [ -t v6.0.0 ] [ -k alternative_kubectl ]
Example: ./scripts/gen-agents-deploy-oneliner.sh -n demo-metalsoft -d dc-demo -t v6.0.0
This produces a one-line command which can be pasted on a newly provisioned, clean agents VM (Ubuntu LTS 20+); it installs all needed packages and configures the agents.
Option #2#
Retrieve the configuration URL using the CLI:
$ metalcloud-cli datacenter get --id uk-london --return-config-url
https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjMUd....
Alternatively click on the “Retrieve agent configuration URL” button in the UI on the Datacenter’s page.
$ export DCCONF="https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjM..."
Quote the URL with double quotes; in backticks the shell would try to execute it as a command.
Save the provided certificates in a file named ca-cert.pem
Download and run the deploy-agents.sh script
$ wget https://raw.githubusercontent.com/metalsoft-io/scripts/main/deploy-agents.sh
$ DCCONF="https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjM..." SSL_HOSTNAME=yourhost.metalsoft.io GUACAMOLE_KEY=your_guacamole_key_provided_by_metalsoft bash ./deploy-agents.sh
Answer the prompts (certificate file path, MetalSoft registry credentials). Note that the configuration URL (it embeds a token) and GUACAMOLE_KEY are secrets: passed on the command line as above they are recorded in the shell history and visible in the process list while the script runs, so clear the history afterwards or export them from a file readable only by root.
Check if the containers are up:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2b3951a31c4db registry.metalsoft.dev/datacenter-agents/datacenter-agents-compiled-v2:latest "docker-entrypoint.s…" 5 hours ago Up 5 hours dc-agents
356ba275db5ea registry.metalsoft.dev/datacenter-agents/dc-haproxy:latest
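As an added example (not part of MetalSoft's deploy-agents.sh or the one-liner), the following POSIX shell script extends the docker ps check above: it verifies that both agent containers are Up, that the inbound TCP ports listed in the firewall section are actually bound on the VM and, when run with --live, that the outbound endpoints are reachable. The controller hostname api.poc.metalsoft.io is reused from the CLI output above as a placeholder, and the ss output used for the offline run is constructed.

```shell
#!/bin/sh
# Added example, not part of MetalSoft's deploy-agents.sh: post-install checks
# for an agent VM.  Container images and port numbers come from this page; the
# controller hostname and the sample outputs used offline are assumptions.
set -eu

CONTROLLER="${CONTROLLER:-api.poc.metalsoft.io}"   # assumed; set to your controller

# Inbound TCP listeners the agent must expose: NFS + Samba (virtual media), HTTP (ZTP)
EXPECTED_TCP="111 2049 32765 32767 139 445 80"

# Outbound endpoints from the firewall section of this page
OUTBOUND="registry.metalsoft.dev:443 repo.metalsoft.io:80 repo.metalsoft.io:443 ${CONTROLLER}:80 ${CONTROLLER}:443 ${CONTROLLER}:9003 ${CONTROLLER}:9009 ${CONTROLLER}:9090 ${CONTROLLER}:9091 ${CONTROLLER}:9011 ${CONTROLLER}:9010"

# $1: text in the format of `ss -H -lnt` (local address:port is field 4).
# Prints the bound TCP ports, one per line, numerically sorted and de-duplicated.
listening_ports() {
  printf '%s\n' "$1" | awk '{ n = split($4, a, ":"); print a[n] }' | sort -n -u
}

# $1: expected ports (space separated); $2: `ss -H -lnt` output.
# Prints every expected port that is not bound; prints nothing when all are.
missing_ports() {
  bound=$(listening_ports "$2")
  for p in $1; do
    printf '%s\n' "$bound" | grep -qx "$p" || printf '%s\n' "$p"
  done
}

# $1: output of `docker ps --format '{{.Image}} {{.Status}}'`.
# Returns 0 only if both agent containers (by image name) are reported as Up.
containers_up() {
  for image in datacenter-agents-compiled-v2 dc-haproxy; do
    printf '%s\n' "$1" | grep -q "${image}:[^ ]* Up" || return 1
  done
}

# Live outbound test (needs nc): prints each endpoint that cannot be reached.
check_outbound() {
  rc=0
  for ep in $OUTBOUND; do
    host=${ep%:*}; port=${ep##*:}
    nc -z -w 5 "$host" "$port" 2>/dev/null || { printf 'unreachable: %s\n' "$ep"; rc=1; }
  done
  return $rc
}

# Constructed sample of `ss -H -lnt` output: the two high NFS ports (32765/32767)
# are not bound, which is the kind of gap this check is meant to catch.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*
LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*
LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 4096 *:80 *:*
LISTEN 0 4096 [::]:22 [::]:*'

if [ "${1:-}" = "--live" ]; then
  # Run this branch on the agent VM itself, after deploy-agents.sh has finished.
  containers_up "$(docker ps --format '{{.Image}} {{.Status}}')" || echo "agent containers are not both Up"
  missing_ports "$EXPECTED_TCP" "$(ss -H -lnt)" | sed 's/^/not listening: tcp\//'
  check_outbound || true
else
  echo "offline demo, ports missing from the sample listener list:"
  missing_ports "$EXPECTED_TCP" "$SAMPLE_SS"
fi
```

Run it with --live on the agent VM; without arguments it only runs the listener check against the constructed sample. A port bound on the VM is necessary but not sufficient in the L3 topology: the firewall in front of the agent must also forward it, which the firewall section below covers.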
Agent firewall configuration#
Metalsoft Agents require the following ports open, depending on the deployment type:
Ports open to inbound connections for virtual-media-based deployments#
The following ports need to be accessible from the servers’ management IPs to allow the servers to boot ISOs during deployment in virtual-media based deployments (also called OOB-only operation mode):
TCP 111, 2049, 32765, 32767 (NFS)
TCP 139, 445 (Samba)
Ports open to inbound connections for zero-touch#
If “zero touch” (automatic) registration of servers is required, the servers need to be able to reach the agent with their DHCP requests, either via L2 or a DHCP relay configuration on the management network:
UDP port 67 (DHCP)
TCP port 80 (HTTP)
Ports open for inbound for legacy deployments (PXE-based)#
The following ports need to be accessible inbound from both the OOB network and the transient provisioning network (“Quarantine network”):
TCP ports 80/443 (HTTP/S)
TCP port 53 (DNS)
UDP port 53 (DNS)
UDP port 67 (DHCP)
UDP port 69 (TFTP)
Outbound traffic#
Metalsoft Controller → TCP ports 80/443
Metalsoft Controller → TCP ports 9003,9009,9090,9091,9011,9010
Metalsoft image registry → TCP port 443 registry.metalsoft.dev
Metalsoft assets repo → TCP ports 80,443 repo.metalsoft.io
Server’s out-of-band network → TCP ports 22, 80, 443, 5901 and UDP port 623 (IPMI)
Switches management interface → TCP ports 22 (SSH), 80 (HTTP), 443 (HTTPS), 830 (NETCONF/SSH)
In-Band Access - Outbound from the agents perspective#
In some cases, where MetalSoft Apps are deployed or workflows are used, in-band access to certain ports is required:
TCP Port 22 → Used for deploying VMware vSphere, Kubernetes
TCP Port 443 → Common port used to communicate with various applications, for management and configuration.
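As an added example (not MetalSoft's own configuration), here is a POSIX shell script that turns the port list above into an nftables ruleset for the firewall or router that fronts an L3-connected agent VM. The agent address and the two management subnets are assumptions; the port sets are the ones listed on this page. The in-band ports (22 and 443 towards the servers' in-band addresses) are left out because they are only needed in the app and workflow cases.

```shell
#!/bin/sh
# Added example, not MetalSoft's own tooling: emit an nftables ruleset for the
# firewall/router that fronts an L3-connected agent VM ("Virtual Agent, L3
# connectivity").  Only what the "Agent firewall configuration" section lists
# is allowed between the agent and the two management networks; everything
# else crossing the firewall is logged and dropped.  Note the forward policy is
# drop, so any other traffic routed through this box needs its own rules.
# The addresses below are assumptions; override them from the environment.
set -eu

AGENT_IP="${AGENT_IP:-10.255.0.10}"                 # assumed agent VM address
SERVER_OOB_NET="${SERVER_OOB_NET:-10.10.0.0/24}"    # assumed server BMC/OOB subnet
SWITCH_MGMT_NET="${SWITCH_MGMT_NET:-10.20.0.0/24}"  # assumed switch management subnet

# Port sets copied from the firewall section of this page
AGENT_IN_TCP="111, 2049, 32765, 32767, 139, 445, 80"  # NFS + Samba (virtual media), HTTP (ZTP)
AGENT_IN_UDP="67"                                      # DHCP (ZTP)
SERVER_OUT_TCP="22, 80, 443, 5901"                     # SSH, HTTP/S, VNC console
SERVER_OUT_UDP="623"                                   # IPMI
SWITCH_OUT_TCP="22, 80, 443, 830"                      # SSH, HTTP/S, NETCONF

# Print the ruleset to stdout; feed it to `nft -f -`.
gen_agent_nft_ruleset() {
  cat <<EOF
table inet metalsoft_agent {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop

    # Server BMCs -> agent: ISO boot over NFS/SMB, and ZTP (DHCP, HTTP)
    ip saddr ${SERVER_OOB_NET} ip daddr ${AGENT_IP} tcp dport { ${AGENT_IN_TCP} } accept
    ip saddr ${SERVER_OOB_NET} ip daddr ${AGENT_IP} udp dport { ${AGENT_IN_UDP} } accept

    # Agent -> server OOB interfaces
    ip saddr ${AGENT_IP} ip daddr ${SERVER_OOB_NET} tcp dport { ${SERVER_OUT_TCP} } accept
    ip saddr ${AGENT_IP} ip daddr ${SERVER_OOB_NET} udp dport { ${SERVER_OUT_UDP} } accept

    # Agent -> switch management interfaces
    ip saddr ${AGENT_IP} ip daddr ${SWITCH_MGMT_NET} tcp dport { ${SWITCH_OUT_TCP} } accept

    # No rule lets the server OOB network talk to the switch management network
    # (or the reverse): that is the separation the L3 topology exists to enforce.
    log prefix "metalsoft-agent-fw drop: " drop
  }
}
EOF
}

# Cheap self-check that a given rule text is present in the generated ruleset.
# `nft -c -f -` is the real syntax check and needs root.
ruleset_has() {
  gen_agent_nft_ruleset | grep -qF -- "$1"
}

gen_agent_nft_ruleset
```

Syntax-check and load it on the firewall box with gen_agent_nft_ruleset | nft -c -f - and then nft -f -. nftables does not relay DHCP: the relay described in the L3 connectivity section is a separate daemon on the same box, and because it generates the relayed packets locally they pass through the output chain, which this table does not restrict; the udp 67 forward rule only matters when the relay sits elsewhere on the server OOB network.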