Menu Close

8.3.16. Creating network resources

Create the network resources that an OpenShift Container Platform on Red Hat OpenStack Platform (RHOSP) installation on your own infrastructure requires. To save time, run supplied Ansible playbooks that generate security groups, networks, subnets, routers, and ports.

Procedure

  1. Insert the following content into a local file that is called common.yaml:

    例8.1 common.yaml Ansible playbook

    - hosts: localhost
      gather_facts: no
    
      vars_files:
      - metadata.json
    
      tasks:
      - name: 'Compute resource names'
        set_fact:
          cluster_id_tag: "openshiftClusterID={{ infraID }}"
          os_network: "{{ infraID }}-network"
          os_subnet: "{{ infraID }}-nodes"
          os_router: "{{ infraID }}-external-router"
          # Port names
          os_port_api: "{{ infraID }}-api-port"
          os_port_ingress: "{{ infraID }}-ingress-port"
          os_port_bootstrap: "{{ infraID }}-bootstrap-port"
          os_port_master: "{{ infraID }}-master-port"
          os_port_worker: "{{ infraID }}-worker-port"
          # Security groups names
          os_sg_master: "{{ infraID }}-master"
          os_sg_worker: "{{ infraID }}-worker"
          # Server names
          os_bootstrap_server_name: "{{ infraID }}-bootstrap"
          os_cp_server_name: "{{ infraID }}-master"
          os_cp_server_group_name: "{{ infraID }}-master"
          os_compute_server_name: "{{ infraID }}-worker"
          # Trunk names
          os_cp_trunk_name: "{{ infraID }}-master-trunk"
          os_compute_trunk_name: "{{ infraID }}-worker-trunk"
          # Subnet pool name
          subnet_pool: "{{ infraID }}-kuryr-pod-subnetpool"
          # Service network name
          os_svc_network: "{{ infraID }}-kuryr-service-network"
          # Service subnet name
          os_svc_subnet: "{{ infraID }}-kuryr-service-subnet"
          # Ignition files
          os_bootstrap_ignition: "{{ infraID }}-bootstrap-ignition.json"
  2. Insert the following content into a local file that is called inventory.yaml:

    例8.2 inventory.yaml Ansible playbook

    all:
      hosts:
        localhost:
          ansible_connection: local
          ansible_python_interpreter: "{{ansible_playbook_python}}"
    
          # User-provided values
          os_subnet_range: '10.0.0.0/16'
          os_flavor_master: 'm1.xlarge'
          os_flavor_worker: 'm1.large'
          os_image_rhcos: 'rhcos'
          os_external_network: 'external'
          # OpenShift API floating IP address
          os_api_fip: '203.0.113.23'
          # OpenShift Ingress floating IP address
          os_ingress_fip: '203.0.113.19'
          # Service subnet cidr
          svc_subnet_range: '172.30.0.0/16'
          os_svc_network_range: '172.30.0.0/15'
          # Subnet pool prefixes
          cluster_network_cidrs: '10.128.0.0/14'
          # Subnet pool prefix length
          host_prefix: '23'
          # Name of the SDN.
          # Possible values are OpenshiftSDN or Kuryr.
          os_networking_type: 'OpenshiftSDN'
    
          # Number of provisioned Control Plane nodes
          # 3 is the minimum number for a fully-functional cluster.
          os_cp_nodes_number: 3
    
          # Number of provisioned Compute nodes.
          # 3 is the minimum number for a fully-functional cluster.
          os_compute_nodes_number: 3
  3. Insert the following content into a local file that is called security-groups.yaml:

    例8.3 security-groups.yaml

    # Required Python packages:
    #
    # ansible
    # openstackclient
    # openstacksdk
    
    - import_playbook: common.yaml
    
    - hosts: all
      gather_facts: no
    
      tasks:
      - name: 'Create the master security group'
        os_security_group:
          name: "{{ os_sg_master }}"
    
      - name: 'Set master security group tag'
        command:
          cmd: "openstack security group set --tag {{ cluster_id_tag }} {{ os_sg_master }} "
    
      - name: 'Create the worker security group'
        os_security_group:
          name: "{{ os_sg_worker }}"
    
      - name: 'Set worker security group tag'
        command:
          cmd: "openstack security group set --tag {{ cluster_id_tag }} {{ os_sg_worker }} "
    
      - name: 'Create master-sg rule "ICMP"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: icmp
    
      - name: 'Create master-sg rule "machine config server"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: tcp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 22623
          port_range_max: 22623
    
      - name: 'Create master-sg rule "SSH"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
    
      - name: 'Create master-sg rule "DNS (TCP)"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          remote_ip_prefix: "{{ os_subnet_range }}"
          protocol: tcp
          port_range_min: 53
          port_range_max: 53
    
      - name: 'Create master-sg rule "DNS (UDP)"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          remote_ip_prefix: "{{ os_subnet_range }}"
          protocol: udp
          port_range_min: 53
          port_range_max: 53
    
      - name: 'Create master-sg rule "mDNS"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          remote_ip_prefix: "{{ os_subnet_range }}"
          protocol: udp
          port_range_min: 5353
          port_range_max: 5353
    
      - name: 'Create master-sg rule "OpenShift API"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: tcp
          port_range_min: 6443
          port_range_max: 6443
    
      - name: 'Create master-sg rule "VXLAN"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: udp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 4789
          port_range_max: 4789
    
      - name: 'Create master-sg rule "Geneve"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: udp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 6081
          port_range_max: 6081
    
      - name: 'Create master-sg rule "ovndb"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: tcp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 6641
          port_range_max: 6642
    
      - name: 'Create master-sg rule "master ingress internal (TCP)"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: tcp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 9000
          port_range_max: 9999
    
      - name: 'Create master-sg rule "master ingress internal (UDP)"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: udp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 9000
          port_range_max: 9999
    
      - name: 'Create master-sg rule "kube scheduler"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: tcp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 10259
          port_range_max: 10259
    
      - name: 'Create master-sg rule "kube controller manager"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: tcp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 10257
          port_range_max: 10257
    
      - name: 'Create master-sg rule "master ingress kubelet secure"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: tcp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 10250
          port_range_max: 10250
    
      - name: 'Create master-sg rule "etcd"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: tcp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 2379
          port_range_max: 2380
    
      - name: 'Create master-sg rule "master ingress services (TCP)"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: tcp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 30000
          port_range_max: 32767
    
      - name: 'Create master-sg rule "master ingress services (UDP)"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: udp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 30000
          port_range_max: 32767
    
      - name: 'Create master-sg rule "VRRP"'
        os_security_group_rule:
          security_group: "{{ os_sg_master }}"
          protocol: '112'
          remote_ip_prefix: "{{ os_subnet_range }}"
    
    
      - name: 'Create worker-sg rule "ICMP"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: icmp
    
      - name: 'Create worker-sg rule "SSH"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
    
      - name: 'Create worker-sg rule "mDNS"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: udp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 5353
          port_range_max: 5353
    
      - name: 'Create worker-sg rule "Ingress HTTP"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: tcp
          port_range_min: 80
          port_range_max: 80
    
      - name: 'Create worker-sg rule "Ingress HTTPS"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: tcp
          port_range_min: 443
          port_range_max: 443
    
      - name: 'Create worker-sg rule "router"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: tcp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 1936
          port_range_max: 1936
    
      - name: 'Create worker-sg rule "VXLAN"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: udp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 4789
          port_range_max: 4789
    
      - name: 'Create worker-sg rule "Geneve"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: udp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 6081
          port_range_max: 6081
    
      - name: 'Create worker-sg rule "worker ingress internal (TCP)"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: tcp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 9000
          port_range_max: 9999
    
      - name: 'Create worker-sg rule "worker ingress internal (UDP)"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: udp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 9000
          port_range_max: 9999
    
      - name: 'Create worker-sg rule "worker ingress kubelet insecure"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: tcp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 10250
          port_range_max: 10250
    
      - name: 'Create worker-sg rule "worker ingress services (TCP)"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: tcp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 30000
          port_range_max: 32767
    
      - name: 'Create worker-sg rule "worker ingress services (UDP)"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: udp
          remote_ip_prefix: "{{ os_subnet_range }}"
          port_range_min: 30000
          port_range_max: 32767
    
      - name: 'Create worker-sg rule "VRRP"'
        os_security_group_rule:
          security_group: "{{ os_sg_worker }}"
          protocol: '112'
          remote_ip_prefix: "{{ os_subnet_range }}"
  4. Insert the following content into a local file that is called network.yaml:

    例8.4 network.yaml

    # Required Python packages:
    #
    # ansible
    # openstackclient
    # openstacksdk
    # netaddr
    
    - import_playbook: common.yaml
    
    - hosts: all
      gather_facts: no
    
      tasks:
      - name: 'Create the cluster network'
        os_network:
          name: "{{ os_network }}"
    
      - name: 'Set the cluster network tag'
        command:
          cmd: "openstack network set --tag {{ cluster_id_tag }} {{ os_network }}"
    
      - name: 'Create a subnet'
        os_subnet:
          name: "{{ os_subnet }}"
          network_name: "{{ os_network }}"
          cidr: "{{ os_subnet_range }}"
          allocation_pool_start: "{{ os_subnet_range | next_nth_usable(10) }}"
          allocation_pool_end: "{{ os_subnet_range | ipaddr('last_usable') }}"
    
      - name: 'Set the cluster subnet tag'
        command:
          cmd: "openstack subnet set --tag {{ cluster_id_tag }} {{ os_subnet }}"
    
      - name: 'Create the service network'
        os_network:
          name: "{{ os_svc_network }}"
        when: os_networking_type == "Kuryr"
    
      - name: 'Set the service network tag'
        command:
          cmd: "openstack network set --tag {{ cluster_id_tag }} {{ os_svc_network }}"
        when: os_networking_type == "Kuryr"
    
      - name: 'Computing facts for service subnet'
        set_fact:
          first_ip_svc_subnet_range: "{{ svc_subnet_range | ipv4('network') }}"
          last_ip_svc_subnet_range: "{{ svc_subnet_range | ipaddr('last_usable') |ipmath(1) }}"
          first_ip_os_svc_network_range: "{{ os_svc_network_range | ipv4('network') }}"
          last_ip_os_svc_network_range: "{{ os_svc_network_range | ipaddr('last_usable') |ipmath(1) }}"
          allocation_pool: ""
        when: os_networking_type == "Kuryr"
    
      - name: 'Get first part of OpenStack network'
        set_fact:
          allocation_pool: "{{ allocation_pool + '--allocation-pool start={{ first_ip_os_svc_network_range | ipmath(1) }},end={{ first_ip_svc_subnet_range |ipmath(-1) }}' }}"
        when:
        - os_networking_type == "Kuryr"
        - first_ip_svc_subnet_range != first_ip_os_svc_network_range
    
      - name: 'Get last part of OpenStack network'
        set_fact:
          allocation_pool: "{{ allocation_pool + ' --allocation-pool start={{ last_ip_svc_subnet_range | ipmath(1) }},end={{ last_ip_os_svc_network_range |ipmath(-1) }}' }}"
        when:
        - os_networking_type == "Kuryr"
        - last_ip_svc_subnet_range != last_ip_os_svc_network_range
    
      - name: 'Get end of allocation'
        set_fact:
          gateway_ip: "{{ allocation_pool.split('=')[-1] }}"
        when: os_networking_type == "Kuryr"
    
      - name: 'replace last IP'
        set_fact:
          allocation_pool: "{{ allocation_pool | replace(gateway_ip, gateway_ip | ipmath(-1))}}"
        when: os_networking_type == "Kuryr"
    
      - name: 'list service subnet'
        command:
          cmd: "openstack subnet list --name {{ os_svc_subnet }} --tag {{ cluster_id_tag }}"
        when: os_networking_type == "Kuryr"
        register: svc_subnet
    
      - name: 'Create the service subnet'
        command:
          cmd: "openstack subnet create --ip-version 4 --gateway {{ gateway_ip }} --subnet-range {{ os_svc_network_range }} {{ allocation_pool }} --no-dhcp --network {{ os_svc_network }} --tag {{ cluster_id_tag }} {{ os_svc_subnet }}"
        when:
        - os_networking_type == "Kuryr"
        - svc_subnet.stdout == ""
    
      - name: 'list subnet pool'
        command:
          cmd: "openstack subnet pool list --name {{ subnet_pool }} --tags {{ cluster_id_tag }}"
        when: os_networking_type == "Kuryr"
        register: pods_subnet_pool
    
      - name: 'Create pods subnet pool'
        command:
          cmd: "openstack subnet pool create --default-prefix-length {{ host_prefix }} --pool-prefix {{ cluster_network_cidrs }} --tag {{ cluster_id_tag }} {{ subnet_pool }}"
        when:
        - os_networking_type == "Kuryr"
        - pods_subnet_pool.stdout == ""
    
      - name: 'Create external router'
        os_router:
          name: "{{ os_router }}"
          network: "{{ os_external_network }}"
          interfaces:
          - "{{ os_subnet }}"
    
      - name: 'Set external router tag'
        command:
          cmd: "openstack router set --tag {{ cluster_id_tag }} {{ os_router }}"
        when: os_networking_type == "Kuryr"
    
      - name: 'Create the API port'
        os_port:
          name: "{{ os_port_api }}"
          network: "{{ os_network }}"
          security_groups:
          - "{{ os_sg_master }}"
          fixed_ips:
          - subnet: "{{ os_subnet }}"
            ip_address: "{{ os_subnet_range | next_nth_usable(5) }}"
    
      - name: 'Set API port tag'
        command:
          cmd: "openstack port set --tag {{ cluster_id_tag }} {{ os_port_api }}"
    
      - name: 'Create the Ingress port'
        os_port:
          name: "{{ os_port_ingress }}"
          network: "{{ os_network }}"
          security_groups:
          - "{{ os_sg_worker }}"
          fixed_ips:
          - subnet: "{{ os_subnet }}"
            ip_address: "{{ os_subnet_range | next_nth_usable(7) }}"
    
      - name: 'Set the Ingress port tag'
        command:
          cmd: "openstack port set --tag {{ cluster_id_tag }} {{ os_port_ingress }}"
    
      # NOTE: openstack ansible module doesn't allow attaching Floating IPs to
      # ports, let's use the CLI instead
      - name: 'Attach the API floating IP to API port'
        command:
          cmd: "openstack floating ip set --port {{ os_port_api }} {{ os_api_fip }}"
    
      # NOTE: openstack ansible module doesn't allow attaching Floating IPs to
      # ports, let's use the CLI instead
      - name: 'Attach the Ingress floating IP to Ingress port'
        command:
          cmd: "openstack floating ip set --port {{ os_port_ingress }} {{ os_ingress_fip }}"
  5. On a command line, create security groups by running the security-groups.yaml playbook:

    $ ansible-playbook -i inventory.yaml security-groups.yaml
  6. On a command line, create a network, subnet, and router by running the network.yaml playbook:

    $ ansible-playbook -i inventory.yaml network.yaml
  7. Optional: If you want to control the default resolvers that Nova servers use, run the RHOSP CLI command:

    $ openstack subnet set --dns-nameserver <server_1> --dns-nameserver <server_2> "$INFRA_ID-nodes"