Deploying the MetalSoft Site Controller
Each data center or pod is managed via a dedicated MetalSoft Site Controller. When powered on, a Site Controller connects to the configured controller, authenticates using pre-installed keys, and ties itself to the configured Datacenter record.
There are different ways in which the MetalSoft Site Controller can be deployed:
On bare metal
As a VM with L2 connectivity to the management network
As a VM with a firewall providing security and DHCP relay services
Under normal operation the Site Controller only requires access to the out-of-band (management) networks. No in-band access is required.
The only exceptions are when Extensions defined in MetalSoft need to talk to OS in-band networks to deploy or configure software, when the Site Controller is used for older systems that only support PXE (in which case the network setup is different), or when MetalSoft apps are used in conjunction with deploying the operating system.
Resource requirements
The following resources are typically required for a MetalSoft Site Controller installation:
150GB Disk
8 vCPU
16GB RAM
Ubuntu 22.04 or higher or RHEL9
Other requirements
An already configured Datacenter record
Network access to the MetalSoft Registry, the MetalSoft Repo and the MetalSoft controller. More details here.
Credentials for accessing the MetalSoft docker registry
Bare metal Site Controller cabling
The following shows the Site Controller’s cabling if the Site Controller runs directly on a bare metal server. All ports of the OOB switch should be in the same L2 broadcast domain (VLAN).
Virtual Site Controller, L2 connectivity
The Site Controller can also be hosted as a virtual machine if the L2 connectivity can be extended (same VLAN).
Virtual Site Controller, L3 connectivity
The following shows the Site Controller’s connectivity if the Site Controller runs as a VM in some remote virtualization cluster and there is no direct L2 connectivity. In this case, the Site Controller is connected via a firewall, a router, or some other form of intermediary.
This setup is often used to enforce firewall rules on the Site Controller, for example to separate the switch management network from the server management network.
To enable ZTP, a DHCP relay configuration is required on the firewall or router appliance to forward the DHCP traffic from the server or switch management interfaces to the Site Controller’s embedded DHCP server.
Install the Datacenter Site Controllers on the DC Site Controllers machine
Automated Install
This is the preferred method.
Connect to the Global Controller via SSH. Navigate to the manifests directory, typically located at /opt/metalsoft/manifests/. Inside, you’ll find a helper script that can generate a one-liner command for you.
./scripts/gen-agents-deploy-oneliner.sh -h
Usage:
./scripts/gen-agents-deploy-oneliner.sh -f -n namespace -d dc-name -t v6.2.3 -e
Example:
./scripts/gen-agents-deploy-oneliner.sh -f -n demo-metalsoft -d dc-demo -t v6.2.3 -e
If the -t option is not specified, the version will be automatically determined.
Namespace is the namespace of the Global Controller pods.
This will produce a one-line command, which can be pasted on a newly provisioned, clean Site Controller VM (Ubuntu LTS 22.04+ or RHEL 9.X). It will install all needed packages and configure the agents.
Site Controller firewall configuration
MetalSoft Site Controllers require the following ports open, depending on the deployment type:
Ports open to inbound connections for virtual-media-based deployments
The following ports need to be accessible from the servers’ management IPs to allow the servers to boot ISOs during deployment in virtual-media-based deployments (also called OOB-only operation mode):
TCP 111, 2049, 32765, 32767 (NFS)
TCP 139, 445 (Samba)
Ports open to inbound connections for zero-touch
If “zero touch” (automatic) registration of servers is required, the servers need to be able to reach the Site Controller with their DHCP requests, either via L2 or a DHCP relay configuration on the management network:
UDP port 67 (DHCP)
TCP port 80 (HTTP)
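One way to check an inbound firewall policy against the two port lists above (an added example, not MetalSoft code): it flags listed ports opened to sources wider than the management network, listed ports that are missing, and open ports that are not on these lists. The mode names, the `(source_cidr, proto, port)` rule format, the `10.20.0.0/24` management subnet and the sample rules are assumptions made for the example.

```python
import ipaddress

# Inbound ports listed on this page. The two mode names are labels chosen
# for this example, not MetalSoft configuration keys.
REQUIRED = {
    "virtual-media": {("tcp", p) for p in (111, 2049, 32765, 32767, 139, 445)},
    "zero-touch": {("udp", 67), ("tcp", 80)},
}
DHCP = ("udp", 67)

def audit(rules, modes, mgmt_cidr):
    """Compare inbound accept rules (source_cidr, proto, port) with the lists.

    Returns sorted findings as (kind, proto, port, source). IPv4 only.
    """
    mgmt = ipaddress.ip_network(mgmt_cidr)
    needed = set().union(*(REQUIRED[m] for m in modes))
    covered, findings = set(), []
    for src, proto, port in rules:
        key, net = (proto, port), ipaddress.ip_network(src)
        if key not in needed:
            findings.append(("unlisted", proto, port, src))
        elif key == DHCP:
            # A DHCPDISCOVER arrives from 0.0.0.0 (or from the relay's address),
            # so a source-subnet check does not apply; scope it by interface.
            covered.add(key)
        elif mgmt.subnet_of(net):
            covered.add(key)
            if net != mgmt:
                findings.append(("source-too-broad", proto, port, src))
        elif not net.subnet_of(mgmt):
            findings.append(("source-outside-mgmt", proto, port, src))
    findings += [("missing", pr, po, mgmt_cidr) for pr, po in needed - covered]
    return sorted(findings)

# Constructed sample policy for an assumed management subnet of 10.20.0.0/24.
SAMPLE_RULES = [
    ("10.20.0.0/24", "tcp", 111), ("10.20.0.0/24", "tcp", 2049),
    ("10.20.0.0/24", "tcp", 32765), ("10.20.0.0/24", "tcp", 32767),
    ("10.20.0.0/24", "tcp", 139),
    ("0.0.0.0/0", "tcp", 445),   # Samba reachable from any source
    ("0.0.0.0/0", "udp", 67),    # DHCP: source is not evaluated
    ("0.0.0.0/0", "tcp", 3306),  # not on this page's inbound lists
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, ["virtual-media", "zero-touch"], "10.20.0.0/24"):
        print(*finding)
```

An `unlisted` finding is a prompt for review rather than an error: administrative access such as SSH to the Site Controller itself is not part of the lists above.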
Outbound traffic
MetalSoft Controller → TCP/HTTP ports 80/443
MetalSoft Controller → TCP port 9091
MetalSoft image registry → TCP port 443 registry.metalsoft.dev
MetalSoft assets repo → TCP ports 80, 443 repo.metalsoft.io
Server’s out-of-band network → TCP ports 22, 80, 443, 5901 and UDP port 623 (IPMI)
Switches management interface → TCP ports 22 (SSH), 80 (HTTP), 443 (HTTPS), 830 (NETCONF/SSH)
In-Band Access - Outbound from the Site Controller’s perspective
In some cases, where MetalSoft Apps are deployed or workflows are used, in-band access to certain ports is required:
TCP Port 22 → Used for deploying VMware vSphere, Kubernetes
TCP Port 443 → Common port used to communicate with various applications, for management and configuration.