Deploying the MetalSoft Site Controller¶
Each data center or pod is managed by a dedicated MetalSoft Site Controller. When powered on, a Site Controller connects to the configured controller, authenticates with its pre-installed keys and attaches itself to the configured Datacenter record.
There are different ways in which the MetalSoft Site Controller can be deployed:
On bare metal
As a VM with L2 connectivity to the management network
As a VM with a firewall providing security and DHCP relay services
Under normal operation the Site Controller only requires access to the out-of-band (management) networks; no in-band access is required.
The only exceptions are older systems that only support PXE, for which the network setup is different (see the legacy PXE cabling section below), and deployments in which MetalSoft apps are used in conjunction with deploying the operating system, which need the in-band outbound ports listed at the end of this page.
Resource requirements¶
The following resources are typically required for a MetalSoft Site Controller installation:
150GB Disk
8 vCPU
16GB RAM
Ubuntu 22.04 or higher or RHEL9
Other requirements¶
An already configured Datacenter record
Network access to the MetalSoft Registry, MetalSoft Repo and MetalSoft controller (hosts and ports are listed in the Site Controller firewall configuration section below)
Credentials for accessing the MetalSoft docker registry
Bare metal Site Controller cabling¶
The following shows the Site Controller’s cabling if the Site Controller runs directly on a bare metal server. All ports of the OOB switch should be in the same L2 broadcast domain (VLAN).
Virtual Site Controller, L2 connectivity¶
The Site Controller can also be hosted as a virtual machine if the L2 connectivity can be extended (same VLAN).
Virtual Site Controller, L3 connectivity¶
The following shows the Site Controller’s connectivity if the Site Controller runs as a VM in a remote virtualization cluster and there is no direct L2 connectivity. In this case the Site Controller is reached through a firewall, a router or a similar L3 device.
This setup is often used to enforce firewall rules in front of the Site Controller, for example to separate the switch management network from the server management network.
To enable ZTP, a DHCP relay must be configured on the firewall or router appliance so that DHCP requests from the server or switch management interfaces are forwarded to the Site Controller’s embedded DHCP server.
Site Controller cabling - PXE (legacy, deprecated)¶
Some older equipment does not support virtual-media-only setups. MetalSoft can use PXE to deploy the operating system and coordinate SAN booting. For that to work, an extra link is required between the Site Controller server and the data and storage fabrics.
This link can terminate on the spine layer or on a leaf switch; in the latter case the Site Controller server must be located inside one of the compute racks.
To improve security and separate the control plane from the data plane, a router VM that also acts as a firewall is introduced. To save resources, the router and the Site Controller are virtualized and deployed on the same physical server.
Install the Datacenter Site Controllers on the DC Site Controllers machine¶
Option #1 (automated)¶
This is the preferred method.
Connect to the Global Controller via SSH. Navigate to the manifests directory, typically located at /opt/metalsoft/manifests/. Inside, you’ll find a helper script that can generate a one-liner command for you.
./scripts/gen-agents-deploy-oneliner.sh -h
Usage:
./scripts/gen-agents-deploy-oneliner.sh -f -n namespace -d dc-name -t v6.2.3 -e
Example:
./scripts/gen-agents-deploy-oneliner.sh -f -n demo-metalsoft -d dc-demo -t v6.2.3 -e
If the -t option is not specified, the version will be automatically determined.
Namespace is the namespace of the Global Controller pods.
The script prints a single command line. Paste it on a newly provisioned, clean Site Controller VM (Ubuntu LTS 20+); it installs all needed packages and configures the agents.
Option #2 (manual)¶
Retrieve the configuration URL using the CLI:
$ metalcloud-cli datacenter get --id uk-london --return-config-url
https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjMUd....
Alternatively, click on the “Retrieve agent configuration URL” button in the UI on the Datacenter’s page.
$ export DCCONF="https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjM..."
Save the provided certificates in a file named ca-cert.pem
Download the deploy-agents.sh script, review it before executing it, then run it with the configuration URL and the Site Controller’s hostname:
$ wget https://raw.githubusercontent.com/metalsoft-io/scripts/main/deploy-agents.sh
$ DCCONF="https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjM..." SSL_HOSTNAME=yourhost.metalsoft.io bash ./deploy-agents.sh
Answer the prompts (certificate file path, MetalSoft registry credentials).
Check if the containers are up:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2b3951a31c4db registry.metalsoft.dev/datacenter-agents/datacenter-agents-compiled-v2:latest "docker-entrypoint.s…" 5 hours ago Up 5 hours dc-agents
3774dcd94570 registry.metalsoft.dev/datacenter-agents-compiled/dc-haproxy:latest "haproxy -W -db -f /…" 5 hours ago Up 5 hours dc-haproxy
e8a128621297 registry.metalsoft.dev/datacenter-agents-compiled/ms-agent:v6.2.3 "/usr/bin/ms-agent" 5 hours ago Up 5 hours ms-agent
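The listing above is what a healthy Site Controller looks like, but a human eyeballing docker ps is not a check you can put in a runbook or a monitoring job. The script below is an added example, not part of the MetalSoft documentation or the deploy-agents.sh script: it reads lines in the form produced by docker ps --format '{{.Names}} {{.Status}}' and fails unless every expected container (dc-agents, dc-haproxy and ms-agent, taken from the listing on this page) is present with status Up. The sample input is constructed to mirror that listing; set SC_LIVE=1 to run it against the local Docker daemon instead.

```shell
#!/bin/sh
# Added example (not MetalSoft's own code): verify that the Site Controller's
# containers are running. Container names are taken from the docker ps listing
# on this page.

EXPECTED_CONTAINERS="dc-agents dc-haproxy ms-agent"

# check_containers reads "<name> <status...>" lines on stdin, i.e. the output of
#   docker ps --format '{{.Names}} {{.Status}}'
# and returns 0 only if every expected container is listed with status "Up".
# Docker status strings start with "Up", "Exited", "Restarting" or "Created",
# so the second field is enough to decide.
check_containers() {
  input=$(cat)
  failed=0
  for name in $EXPECTED_CONTAINERS; do
    status=$(printf '%s\n' "$input" | awk -v n="$name" '$1 == n { print $2 }')
    if [ "$status" != "Up" ]; then
      echo "FAIL: container $name is not up (status: ${status:-absent})" >&2
      failed=1
    else
      echo "ok: $name is up"
    fi
  done
  return $failed
}

# Constructed sample, mirroring the healthy listing above.
SAMPLE_OK='dc-agents Up 5 hours
dc-haproxy Up 5 hours
ms-agent Up 5 hours'

# Constructed sample of a failure: ms-agent has crashed.
SAMPLE_BROKEN='dc-agents Up 5 hours
dc-haproxy Up 5 hours
ms-agent Exited (1) 2 minutes ago'

if [ -n "${SC_LIVE:-}" ]; then
  # Real check on a Site Controller host.
  docker ps --format '{{.Names}} {{.Status}}' | check_containers
else
  printf '%s\n' "$SAMPLE_OK" | check_containers
fi
```

Exit status is non-zero when any container is missing or not Up, so the function can be wired straight into a cron job or a monitoring agent.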
Site Controller firewall configuration¶
Metalsoft Site Controllers require the following ports open, depending on the deployment type:
Ports open to inbound connections for virtual-media-based deployments¶
The following ports need to be accessible from the servers’ management IPs to allow the servers to boot ISOs during deployment in virtual-media based deployments (also called OOB-only operation mode):
TCP 111, 2049, 32765, 32767 (NFS)
TCP 139, 445 (Samba)
Ports open to inbound connections for zero-touch¶
If “zero touch” (automatic) registration of servers is required, the servers need to be able to reach the Site Controller with their DHCP requests, either via L2 or via a DHCP relay configuration on the management network:
UDP port 67 (DHCP)
TCP port 80 (HTTP)
Ports open for inbound for legacy deployments (PXE-based)¶
The following ports need to accept inbound connections from both the OOB network and the transient provisioning network (“Quarantine network”):
TCP ports 80/443 (HTTP/s)
TCP Port 53 (DNS)
UDP port 53 (DNS)
UDP port 67 (DHCP)
UDP port 69 (TFTP)
Outbound traffic¶
MetalSoft Controller → TCP ports 80, 443 (HTTP/HTTPS)
MetalSoft Controller → TCP port 9091
MetalSoft image registry → TCP port 443 (registry.metalsoft.dev)
MetalSoft assets repo → TCP ports 80, 443 (repo.metalsoft.io)
Servers’ out-of-band network → TCP ports 22, 80, 443, 5901 and UDP port 623 (IPMI)
Switches’ management interfaces → TCP ports 22 (SSH), 80 (HTTP), 443 (HTTPS), 830 (NETCONF over SSH)
In-Band Access - Outbound from the Site Controllers perspective¶
In some cases where MetalSoft Apps are deployed, or workflows are used, in-band access to certain ports is required:
TCP Port 22 → Used for deploying VMware vSphere, Kubernetes
TCP Port 443 → Common port used to communicate with various applications, for management and configuration.
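The port lists above are a specification, not a firewall. The script below turns them into a host-level nftables ruleset for the Site Controller itself, with a default-drop policy in both directions, so that an operator can see exactly what each deployment type exposes and what the host may reach. It is an added example, not MetalSoft's own configuration or part of the deploy-agents.sh script; nftables is this editor's choice of host firewall. The management prefixes (OOB_NET, QUARANTINE_NET), the Global Controller, registry and repo addresses, and the admin SSH rule are assumptions, not values from the page, and must be replaced with the site's real ones (the page gives the registry and repo as hostnames; resolve and pin them rather than opening 443 to the world). IPv6 is not covered.

```shell
#!/bin/sh
# Added example (not MetalSoft's own code): generate an nftables ruleset for a
# Site Controller host from the port tables on this page.
# Usage: gen-sc-nft.sh [virtual-media|ztp|pxe] > /etc/nftables.conf
# All addresses below are hypothetical placeholders.
MODE="${1:-virtual-media}"
OOB_NET="${OOB_NET:-10.10.0.0/16}"               # server BMCs and switch mgmt (assumed)
QUARANTINE_NET="${QUARANTINE_NET:-10.20.0.0/16}" # transient provisioning net, PXE only (assumed)
CONTROLLER="${CONTROLLER:-203.0.113.10}"         # Global Controller (assumed)
REGISTRY_IP="${REGISTRY_IP:-203.0.113.20}"       # registry.metalsoft.dev, pinned (assumed)
REPO_IP="${REPO_IP:-203.0.113.21}"               # repo.metalsoft.io, pinned (assumed)

gen_ruleset() {
  mode="$1"
  case "$mode" in
    virtual-media|ztp|pxe) ;;
    *) echo "unknown mode: $mode (expected virtual-media, ztp or pxe)" >&2; return 1 ;;
  esac
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet sitecontroller {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    tcp dport 22 accept comment "admin SSH (assumption, restrict to a jump host)"
    # virtual-media (OOB-only) deployments: servers mount ISOs from the Site Controller
    ip saddr $OOB_NET tcp dport { 111, 2049, 32765, 32767 } accept comment "NFS"
    ip saddr $OOB_NET tcp dport { 139, 445 } accept comment "Samba"
EOF
  if [ "$mode" = "ztp" ]; then
    cat <<EOF
    # zero-touch registration: DHCP (direct or relayed) and HTTP from management IPs
    ip saddr $OOB_NET udp dport 67 accept comment "DHCP"
    ip saddr $OOB_NET tcp dport 80 accept comment "HTTP"
EOF
  fi
  if [ "$mode" = "pxe" ]; then
    cat <<EOF
    # legacy PXE: reachable from both the OOB and the quarantine network
    ip saddr { $OOB_NET, $QUARANTINE_NET } tcp dport { 80, 443 } accept comment "HTTP/s"
    ip saddr { $OOB_NET, $QUARANTINE_NET } tcp dport 53 accept comment "DNS"
    ip saddr { $OOB_NET, $QUARANTINE_NET } udp dport { 53, 67, 69 } accept comment "DNS/DHCP/TFTP"
EOF
  fi
  cat <<EOF
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    ip daddr $CONTROLLER tcp dport { 80, 443, 9091 } accept comment "MetalSoft Controller"
    ip daddr $REGISTRY_IP tcp dport 443 accept comment "registry.metalsoft.dev"
    ip daddr $REPO_IP tcp dport { 80, 443 } accept comment "repo.metalsoft.io"
    ip daddr $OOB_NET tcp dport { 22, 80, 443, 830, 5901 } accept comment "server BMC / switch mgmt"
    ip daddr $OOB_NET udp dport 623 accept comment "IPMI"
    udp dport 53 accept comment "name resolution for the hosts above"
EOF
  if [ "$mode" != "virtual-media" ]; then
    # DHCP replies to broadcast requests are not matched by conntrack as established
    echo '    udp sport 67 accept comment "DHCP server replies"'
  fi
  cat <<EOF
  }
}
EOF
}

gen_ruleset "$MODE"
```

Validate the result with nft -c -f /etc/nftables.conf before loading it with nft -f, and add the in-band ports 22 and 443 from the section above to the output chain only on Site Controllers that actually deploy MetalSoft Apps; everything else stays closed.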