Deploying the MetalSoft agent

Pre-requisites

Usualy the agent is deployed on am VM with the following configuration:

  1. Hardware configuration: 100GB Disk, 8 vCPU, 16GB RAM
  2. OS: Ubuntu 20.04 or higher
  3. An already configured Datacenter record
  4. (Optional) A working CLI deployment on another machine
  5. Network access to MetalSoft Registry, MetalSoft Repo, MetalSoft controller. More details [here](#Agent firewall configuration).
  6. Environemt cert and key to be saved in a file locally on the agents VM
  7. Credentials for accessing Metalsoft docker registry

Install the Datacenter Agents on the DC agents machine

Option #1

On the deployed Controller in the manifests folder (usually found at: /opt/metalsoft/manifests/) you will find a helper script, which you can use to generate a one-liner:

./scripts/gen-agents-deploy-oneliner.sh -h
Usage: ./scripts/gen-agents-deploy-oneliner.sh -n namespace -d dc-name [ -t v6.0.0 ] [ -k alternative_kubectl ]
Example: ./scripts/gen-agents-deploy-oneliner.sh -n demo-metalsoft -d dc-demo -t v6.0.0

This will produce a one-line output, which can be pasted on a newly provisioned clean Agents VM (Ubuntu LTS 20+), and will install all needed packages and configure the agents

Option #2

Retrieve the configuration URL using the CLI:

$ metalcloud-cli datacenter get --id uk-london --return-config-url
https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjMUd....

Alternatively click on the “Retrieve agent configuration URL” button in the UI on the Datacenter’s page.

$ export DCCONF=`https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjM...`

Save the provided certificates in a file named ca-cert.pem

Download and run the deploy-agents.sh script

$ wget https://raw.githubusercontent.com/metalsoft-io/scripts/main/deploy-agents.sh
$ DCCONF="https://api.poc.metalsoft.io/api/url?rqi=br.ROc8B7Ogy12VrSbVI7koZ9vfpsWs9l3_tjM..." SSL_HOSTNAME=yourhost.metalsoft.io GUACAMOLE_KEY=your_guacamole_key_provided_by_metalsoft bash ./deploy-agents.sh

And respond to all questions asked (Certificate file path, Metalsoft registry credentials)

Check if the containers are up:

$ docker ps
   CONTAINER ID        IMAGE                                                                      COMMAND                  CREATED             STATUS              PORTS               NAMES
2b3951a31c4db        registry.metalsoft.dev/datacenter-agents/datacenter-agents-compiled-v2:latest   "docker-entrypoint.s…"   5 hours ago         Up 5 hours                              dc-agents
356ba275db5ea        registry.metalsoft.dev/datacenter-agents/dc-haproxy:latest

Agent firewall configuration

Metalsoft Agents require the following ports open, depending on the deployment type:

Ports open to inbound connections for virtual-media-based deployments

The following ports need to be accessible from the servers’ management IPs to allow the servers to boot ISOs during deployment in virtual-media based deployments (also called OOB-only operation mode):

  • TCP 111, 2049, 32765, 32767 (NFS)
  • TCP 139, 445 (Samba)

Ports open to inbound connections for zero-touch

If “zero touch” (automatic) registration of servers is required, the servers need to be able to reach the agent with their DHCP requests, either via L2 or an DHCP relay configuration on the management network:

  • UDP port 67 (DHCP)
  • TCP port 80 (HTTP)

Ports open for inbound for legacy deployments (PXE-based)

The following ports need to be accessible to inbound from both the OOB network and the transient provisioning network (”Quarantine network”):

  • TCP ports 80/443 (HTTP/s)
  • TCP Port 53 (DNS)
  • UDP port 53 (DNS)
  • UDP port 67 (DHCP)
  • UDP port 69 (TFTP)

Outbound traffic

  • Metalsoft Controller → TCP ports 80/443
  • Metalsoft Controller → TCP ports 9003,9009,9090,9091,9011,9010
  • Metalsoft image registry → TCP port 443 registry.metalsoft.dev
  • Metalsoft assets repo → TCP ports 80,443 repo.metalsoft.io
  • Server’s out-of-band network - TCP ports 22,80,443, 5901 and UDP Port 623 (IPMI)
  • Switches management interface - TCP ports 22(SSH),80(HTTP),443(HTTPS),830(NETCONF/SSH)

In-Band Access - Outbound from the agents perspective

In some cases where Metalsoft Apps are deployed, or workflows are used, in-band access to certain ports are required to be open:

  • TCP Port 22 → Used for deploying VMware vSphere, Kubernetes
  • TCP Port 443 → Common port used to communicate with various applications, for management and configuration.

`