Deploying the MetalSoft Site Controller

Each data center or pod is managed by a dedicated MetalSoft Site Controller. When powered on, a Site Controller connects to the configured MetalSoft controller, authenticates with its pre-installed keys and binds itself to the configured Datacenter record.

The MetalSoft Site Controller can be deployed in one of three ways:

  1. On bare metal

  2. As a VM with L2 connectivity to the management network

  3. As a VM with a firewall providing security and DHCP relay services

Under normal operation the Site Controller only requires access to the out-of-band (management) networks; no in-band access is required.

The only exceptions are legacy systems that support PXE only, which need a different network setup (see the PXE cabling section below), and deployments in which MetalSoft apps are used alongside operating-system deployment, which need in-band access to a small set of ports (see "In-Band Access" at the end of this page).

Resource requirements

The following resources are typically required for a MetalSoft Site Controller installation:

  • 150GB Disk

  • 8 vCPU

  • 16GB RAM

  • Ubuntu 22.04 or higher

Other requirements

  1. An already configured Datacenter record

  2. Network access to the MetalSoft Registry, MetalSoft Repo and MetalSoft controller. More details [here](#Site Controller firewall configuration).

  3. The environment certificate and key, saved in a file locally on the Site Controller VM

  4. Credentials for accessing MetalSoft docker registry

Bare metal Site Controller cabling

The following shows the Site Controller’s cabling if the Site Controller runs directly on a bare metal server. All ports of the OOB switch should be in the same L2 broadcast domain (VLAN).

Virtual Site Controller, L2 connectivity

The Site Controller can also be hosted as a virtual machine if the L2 connectivity can be extended (same VLAN).

Virtual Site Controller, L3 connectivity

The following shows the Site Controller’s connectivity when the Site Controller runs as a VM in a remote virtualization cluster with no direct L2 connectivity to the management networks. In this case the Site Controller is reached through a firewall, a router or a similar L3 device.

This setup is often used to enforce firewall rules on the Site Controller in order for example to separate the switch management network from the server management network.

To enable ZTP, a DHCP relay must be configured on the firewall or router appliance so that the DHCP requests broadcast by the server or switch management interfaces are forwarded to the Site Controller’s embedded DHCP server.
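The following is an added example of how the router/firewall VM in the L3 layout above can be configured; it is not MetalSoft’s own tooling. It assumes a Linux router VM with nftables and the Ubuntu isc-dhcp-relay package, and the interface names (eth0/eth1/eth2) and the Site Controller address 10.0.0.10 are placeholders. The forward chain has a drop policy, so the server management VLAN and the switch management VLAN can each reach the Site Controller only on the ports listed under "Site Controller firewall configuration", the Site Controller can reach BMCs and switch management interfaces, and the two management VLANs can never reach each other. The relay turns the broadcast DHCP requests into unicast to the Site Controller’s DHCP server.

```shell
#!/usr/bin/env bash
# Added example (not MetalSoft's own tooling): firewall and DHCP-relay settings for the
# router VM between the management VLANs and a Site Controller without L2 adjacency.
# Interface names and the Site Controller address below are assumed placeholders.
set -eu

SC_IP="${SC_IP:-10.0.0.10}"           # assumed Site Controller address behind the router VM
UPSTREAM_IF="${UPSTREAM_IF:-eth0}"    # assumed interface towards the Site Controller
SRV_MGMT_IF="${SRV_MGMT_IF:-eth1}"    # assumed interface on the server OOB/BMC VLAN
SW_MGMT_IF="${SW_MGMT_IF:-eth2}"      # assumed interface on the switch management VLAN

# Emit an nftables ruleset for the forward path. Policy is drop, so anything not
# listed (in particular switch mgmt <-> server mgmt) is never forwarded.
gen_forward_ruleset() {
  cat <<EOF
table inet sc_router {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # server BMCs -> Site Controller: virtual media (NFS/SMB) and zero-touch HTTP
    iifname "$SRV_MGMT_IF" oifname "$UPSTREAM_IF" ip daddr $SC_IP tcp dport { 80, 111, 139, 445, 2049, 32765, 32767 } accept
    # switches -> Site Controller: ZTP fetches its configuration over HTTP
    iifname "$SW_MGMT_IF" oifname "$UPSTREAM_IF" ip daddr $SC_IP tcp dport 80 accept
    # Site Controller -> server BMCs (SSH, HTTP/S, virtual console, IPMI)
    iifname "$UPSTREAM_IF" oifname "$SRV_MGMT_IF" ip saddr $SC_IP tcp dport { 22, 80, 443, 5901 } accept
    iifname "$UPSTREAM_IF" oifname "$SRV_MGMT_IF" ip saddr $SC_IP udp dport 623 accept
    # Site Controller -> switch management (SSH, HTTP/S, NETCONF over SSH)
    iifname "$UPSTREAM_IF" oifname "$SW_MGMT_IF" ip saddr $SC_IP tcp dport { 22, 80, 443, 830 } accept
  }
}
EOF
}

# DHCP discover/request packets are broadcast and do not cross the router by
# themselves; dhcrelay (isc-dhcp-relay) listens on the downstream (-id) management
# interfaces and relays them as unicast to the Site Controller via the upstream (-iu) one.
gen_dhcrelay_cmd() {
  printf 'dhcrelay -iu %s -id %s -id %s %s\n' "$UPSTREAM_IF" "$SRV_MGMT_IF" "$SW_MGMT_IF" "$SC_IP"
}

# Apply on the router VM: enable routing, load the ruleset, start the relay.
apply() {
  sysctl -w net.ipv4.ip_forward=1
  gen_forward_ruleset | nft -f -
  eval "$(gen_dhcrelay_cmd)"
}

# Run with APPLY=1 to configure the host; otherwise only print what would be applied.
if [ "${APPLY:-0}" = "1" ]; then apply; else gen_forward_ruleset; gen_dhcrelay_cmd; fi
```

Run it once without APPLY to review the generated ruleset, then with APPLY=1 on the router VM. Because the policy is drop, adding a port the page does not list (for example a new agent port) requires an explicit rule, which is the point of placing the Site Controller behind this VM.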

Site Controller cabling - PXE (legacy, deprecated)

Some older equipment does not support virtual-media-only setups. MetalSoft can use PXE to deploy the operating system and coordinate SAN booting. For this to work an extra link is required between the Site Controller server and the data and storage fabrics.

This link can be made to the spine layer or to a leaf switch, in which case the Site Controller server must be located inside one of the compute racks.

To improve security and separate the control plane from the data plane, a router VM that also acts as a firewall is introduced. To save resources the router and the Site Controller are virtualized and deployed onto the same physical server.

Install the Site Controller agents on the Site Controller machine

Option #1

On the deployed Controller, in the manifests folder (usually /opt/metalsoft/manifests/), you will find a helper script that generates a one-liner:

./scripts/gen-agents-deploy-oneliner.sh -h
Usage: ./scripts/gen-agents-deploy-oneliner.sh -n namespace -d dc-name [ -t v6.0.0 ] [ -k alternative_kubectl ]
Example: ./scripts/gen-agents-deploy-oneliner.sh -n demo-metalsoft -d dc-demo -t v6.0.0

This produces a one-line command which can be pasted on a newly provisioned, clean Site Controller VM (Ubuntu LTS 20+); it installs all needed packages and configures the agents.

Option #2

Retrieve the configuration URL using the CLI:

$ metalcloud-cli datacenter get --id uk-london --return-config-url
https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjMUd....

Alternatively click on the “Retrieve agent configuration URL” button in the UI on the Datacenter’s page.

$ export DCCONF="https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjM..."

Quote the URL with double quotes. If it is wrapped in backticks, the shell treats it as a command substitution and tries to execute the URL instead of storing it.

Save the provided certificates in a file named ca-cert.pem

Download and run the deploy-agents.sh script

$ wget https://raw.githubusercontent.com/metalsoft-io/scripts/main/deploy-agents.sh
$ DCCONF="https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjM..." SSL_HOSTNAME=yourhost.metalsoft.io GUACAMOLE_KEY=your_guacamole_key_provided_by_metalsoft bash ./deploy-agents.sh

and answer the prompts (certificate file path, MetalSoft registry credentials).

Check if the containers are up:

$ docker ps
CONTAINER ID        IMAGE                                                                           COMMAND                  CREATED             STATUS              PORTS               NAMES
2b3951a31c4db       registry.metalsoft.dev/datacenter-agents/datacenter-agents-compiled-v2:latest   "docker-entrypoint.s…"   5 hours ago         Up 5 hours                              dc-agents
356ba275db5ea       registry.metalsoft.dev/datacenter-agents/dc-haproxy:latest

Site Controller firewall configuration

MetalSoft Site Controllers require the following ports to be open, depending on the deployment type:

Ports open to inbound connections for virtual-media-based deployments

The following ports need to be accessible from the servers’ management IPs to allow the servers to boot ISOs during deployment in virtual-media based deployments (also called OOB-only operation mode):

  • TCP 111, 2049, 32765, 32767 (NFS)

  • TCP 139, 445 (Samba)

Ports open to inbound connections for zero-touch

If “zero touch” (automatic) registration of servers is required, the servers need to be able to reach the Site Controller with their DHCP requests, either via L2 or via a DHCP relay configuration on the management network:

  • UDP port 67 (DHCP)

  • TCP port 80 (HTTP)

Ports open for inbound for legacy deployments (PXE-based)

The following ports need to be accessible for inbound connections from both the OOB network and the transient provisioning network (“Quarantine network”):

  • TCP ports 80/443 (HTTP/s)

  • TCP Port 53 (DNS)

  • UDP port 53 (DNS)

  • UDP port 67 (DHCP)

  • UDP port 69 (TFTP)

Outbound traffic

  • Metalsoft Controller → TCP ports 80/443

  • Metalsoft Controller → TCP ports 9003,9009,9090,9091,9011,9010

  • Metalsoft image registry → TCP port 443 registry.metalsoft.dev

  • Metalsoft assets repo → TCP ports 80,443 repo.metalsoft.io

  • Server’s out-of-band network → TCP ports 22, 80, 443, 5901 and UDP port 623 (IPMI)

  • Switches management interface - TCP ports 22(SSH),80(HTTP),443(HTTPS),830(NETCONF/SSH)

In-Band Access - Outbound from the Site Controllers perspective

In some cases, where MetalSoft Apps are deployed or workflows are used, in-band access to certain ports is required:

  • TCP Port 22 → Used for deploying VMware vSphere, Kubernetes

  • TCP Port 443 → Common port used to communicate with various applications, for management and configuration.
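The following is an added preflight script, not part of MetalSoft’s deploy-agents.sh, that a practitioner can run on a freshly provisioned Site Controller VM before deploying the agents. It checks the sizing from "Resource requirements" (8 vCPU, 16 GB RAM, 150 GB disk) and probes the outbound TCP destinations from "Outbound traffic" above. The controller hostname yourhost.metalsoft.io is a placeholder taken from the deploy-agents.sh example and must be replaced; the registry and repo hostnames are the ones the page lists. UDP destinations (DHCP, IPMI) cannot be verified with a plain connect and are left out.

```shell
#!/usr/bin/env bash
# Added example, not MetalSoft's own tooling: preflight check for a Site Controller VM.
# CONTROLLER_HOST is an assumed placeholder; replace it with your controller's hostname.
set -eu

CONTROLLER_HOST="${CONTROLLER_HOST:-yourhost.metalsoft.io}"

# TCP destinations the Site Controller must reach, one "host:port" per line.
outbound_targets() {
  cat <<EOF
$CONTROLLER_HOST:80
$CONTROLLER_HOST:443
$CONTROLLER_HOST:9003
$CONTROLLER_HOST:9009
$CONTROLLER_HOST:9090
$CONTROLLER_HOST:9091
$CONTROLLER_HOST:9011
$CONTROLLER_HOST:9010
registry.metalsoft.dev:443
repo.metalsoft.io:80
repo.metalsoft.io:443
EOF
}

# Sizing check against the documented minimum. Takes the measured values as
# arguments (vcpu ram_gb disk_gb) so it can be exercised without a real host.
check_resources() {
  [ "$1" -ge 8 ] && [ "$2" -ge 16 ] && [ "$3" -ge 150 ]
}

# Measure the local host: vCPU count, RAM in GB, free space on / in GB.
measured_resources() {
  printf '%s %s %s\n' "$(nproc)" \
    "$(awk '/MemTotal/ {printf "%d", $2/1024/1024}' /proc/meminfo)" \
    "$(df -BG --output=avail / | tail -1 | tr -dc '0-9')"
}

# TCP connect probe with a 3 s timeout; bash's /dev/tcp avoids depending on nc/nmap.
# Returns 0 when the port accepts a connection, non-zero otherwise.
tcp_reachable() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Probe every target, print one line per result and return the number of failures.
check_outbound() {
  failures=0
  while IFS=: read -r host port; do
    [ -n "$host" ] || continue
    if tcp_reachable "$host" "$port"; then
      printf 'OK   %s:%s\n' "$host" "$port"
    else
      printf 'FAIL %s:%s\n' "$host" "$port"
      failures=$((failures + 1))
    fi
  done <<EOF
$(outbound_targets)
EOF
  return "$failures"
}

# Run with PREFLIGHT=1 on the Site Controller VM; sourcing the file only defines functions.
if [ "${PREFLIGHT:-0}" = "1" ]; then
  set -- $(measured_resources)
  if check_resources "$1" "$2" "$3"; then
    echo "sizing OK ($1 vCPU, $2 GB RAM, $3 GB free on /)"
  else
    echo "sizing BELOW MINIMUM ($1 vCPU, $2 GB RAM, $3 GB free on /)"
  fi
  check_outbound || echo "some destinations are unreachable; fix the firewall before running deploy-agents.sh"
fi
```

A FAIL line for the registry or repo usually means an egress rule is missing on the firewall in front of the Site Controller; a FAIL on one of the 90xx controller ports while 443 works is the typical symptom of a firewall that was opened for HTTPS only.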
