openstack/kuryr-kubernetes
Code Issues Proposed changes
4465c2062a
kuryr-kubernetes/doc/source/installation/manual.rst

230 lines
8.2 KiB
ReStructuredText
Raw Normal View History

Update installation documentation This commit moves installation/configuration documentation from README file to installation section of the actual docs (which has been rather short thus far). This commit splits a single README into multiple installation sub-docs. It also expands the manual on installation and configuration of kuryr-k8s-controller and kuryr-cni. Change-Id: I88862f28d0bbbd8bf5259209c4fa3c41130479d1
2017-06-09 14:57:17 +03:00
Installing kuryr-kubernetes manually
====================================
Configure kuryr-k8s-controller
------------------------------
Install ``kuryr-k8s-controller`` in a virtualenv::
$ mkdir kuryr-k8s-controller
$ cd kuryr-k8s-controller
$ virtualenv env
$ git clone http://git.openstack.org/openstack/kuryr-kubernetes
$ . env/bin/activate
$ pip install -e kuryr-kubernetes
In neutron or in horizon create subnet for pods, subnet for services and a
doc: Fix manual installation neutron resource With the addition of the services documentation, the creation of the pod and services resources is much better explained there and the part in manual only adds confusion. This patch refers users to the new documentation Change-Id: I1bd83011742d77b026c746253c543839eb05a4f0 Closes-Bug: #1711074 Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
2017-08-22 14:47:57 +02:00
security-group for pods. You may use existing if you like. In case that you
decide to create new networks and subnets with the cli, you can follow the
services guide, specifically its :ref:`k8s_default_configuration` section.
Update installation documentation This commit moves installation/configuration documentation from README file to installation section of the actual docs (which has been rather short thus far). This commit splits a single README into multiple installation sub-docs. It also expands the manual on installation and configuration of kuryr-k8s-controller and kuryr-cni. Change-Id: I88862f28d0bbbd8bf5259209c4fa3c41130479d1
2017-06-09 14:57:17 +03:00
Create ``/etc/kuryr/kuryr.conf``::
$ cd kuryr-kubernetes
$ ./tools/generate_config_file_samples.sh
$ cp etc/kuryr.conf.sample /etc/kuryr/kuryr.conf
Edit ``kuryr.conf``::
[DEFAULT]
use_stderr = true
bindir = {path_to_env}/libexec/kuryr
[kubernetes]
api_root = http://{ip_of_kubernetes_apiserver}:8080
[neutron]
auth_url = http://127.0.0.1:35357/v3/
username = admin
user_domain_name = Default
password = ADMIN_PASSWORD
project_name = service
project_domain_name = Default
auth_type = password
[neutron_defaults]
ovs_bridge = br-int
pod_security_groups = {id_of_secuirity_group_for_pods}
pod_subnet = {id_of_subnet_for_pods}
project = {id_of_project}
service_subnet = {id_of_subnet_for_k8s_services}
octavia: Make Octavia ready devstack This patch changes the main sample devstack local.conf to use Octavia. In order for that to work, it does some security group changes to ensure that the communication from the LB to the members will work in L3 modes. In L2 mode, which will be added at some point after this patch Octavia creates a pod_subnet port per each Load Balancer with the 'default' security group of the 'admin' project. This means that it would not be allowed by the members since they use the 'default' security group from the 'k8s' project. In L3 mode, Octavia does not create a port in the members subnet and relies on the service and the pod subnet to be connected to the same router. Some changes were necessary on the lbaas handler for that. Specifically, changing the member subnet to be the service subnet so that Octavia does not go into L2 mode. Implements: blueprint octavia-support Change-Id: I993ebb0d7b82ad1140d752982013bbadf35dfef7 Closes-Bug: #1707180 Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
2017-07-31 11:48:21 +02:00
Note that the service_subnet and the pod_subnet *should be routable* and that
the pods should allow service subnet access.
Octavia supports two ways of performing the load balancing between the
Kubernetes load balancers and their members:
* Layer2: Octavia, apart from the VIP port in the services subnet, creates a
Add Octavia L2 member mode support This patch introduces the modifications needed to support L2 member mode communication between the loadbalancer and the pool members (i.e., the pods belonging to the service). It also includes the needed changes to set up the environment with devstack. Implements: blueprint octavia-layer2-member-connectivity Change-Id: I345a71fbdf6f30f314b12aed1fc6f59177c03d00
2017-08-30 10:07:11 +00:00
Neutron port to the subnet of each of the members. This way the traffic from
octavia: Make Octavia ready devstack This patch changes the main sample devstack local.conf to use Octavia. In order for that to work, it does some security group changes to ensure that the communication from the LB to the members will work in L3 modes. In L2 mode, which will be added at some point after this patch Octavia creates a pod_subnet port per each Load Balancer with the 'default' security group of the 'admin' project. This means that it would not be allowed by the members since they use the 'default' security group from the 'k8s' project. In L3 mode, Octavia does not create a port in the members subnet and relies on the service and the pod subnet to be connected to the same router. Some changes were necessary on the lbaas handler for that. Specifically, changing the member subnet to be the service subnet so that Octavia does not go into L2 mode. Implements: blueprint octavia-support Change-Id: I993ebb0d7b82ad1140d752982013bbadf35dfef7 Closes-Bug: #1707180 Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
2017-07-31 11:48:21 +02:00
the Service Haproxy to the members will not go through the router again, only
will have gone through the router to reach the service.
* Layer3: Octavia only creates the VIP port. The traffic from the service VIP to
the members will go back to the router to reach the pod subnet. It is
modify some misspellings in doc Change-Id: Ib03dac2b098180dc01910a7039eccaaeeea7060d
2017-08-23 16:43:28 +08:00
important to note that it will have some performance impact depending on the SDN.
octavia: Make Octavia ready devstack This patch changes the main sample devstack local.conf to use Octavia. In order for that to work, it does some security group changes to ensure that the communication from the LB to the members will work in L3 modes. In L2 mode, which will be added at some point after this patch Octavia creates a pod_subnet port per each Load Balancer with the 'default' security group of the 'admin' project. This means that it would not be allowed by the members since they use the 'default' security group from the 'k8s' project. In L3 mode, Octavia does not create a port in the members subnet and relies on the service and the pod subnet to be connected to the same router. Some changes were necessary on the lbaas handler for that. Specifically, changing the member subnet to be the service subnet so that Octavia does not go into L2 mode. Implements: blueprint octavia-support Change-Id: I993ebb0d7b82ad1140d752982013bbadf35dfef7 Closes-Bug: #1707180 Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
2017-07-31 11:48:21 +02:00
Add Octavia L2 member mode support This patch introduces the modifications needed to support L2 member mode communication between the loadbalancer and the pool members (i.e., the pods belonging to the service). It also includes the needed changes to set up the environment with devstack. Implements: blueprint octavia-layer2-member-connectivity Change-Id: I345a71fbdf6f30f314b12aed1fc6f59177c03d00
2017-08-30 10:07:11 +00:00
To support the L3 mode (both for Octavia and for the deprecated
Neutron-LBaaSv2):
octavia: Make Octavia ready devstack This patch changes the main sample devstack local.conf to use Octavia. In order for that to work, it does some security group changes to ensure that the communication from the LB to the members will work in L3 modes. In L2 mode, which will be added at some point after this patch Octavia creates a pod_subnet port per each Load Balancer with the 'default' security group of the 'admin' project. This means that it would not be allowed by the members since they use the 'default' security group from the 'k8s' project. In L3 mode, Octavia does not create a port in the members subnet and relies on the service and the pod subnet to be connected to the same router. Some changes were necessary on the lbaas handler for that. Specifically, changing the member subnet to be the service subnet so that Octavia does not go into L2 mode. Implements: blueprint octavia-support Change-Id: I993ebb0d7b82ad1140d752982013bbadf35dfef7 Closes-Bug: #1707180 Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
2017-07-31 11:48:21 +02:00
* There should be a router between the two subnets.
* The pod_security_groups setting should include a security group with a rule
Add Octavia L2 member mode support This patch introduces the modifications needed to support L2 member mode communication between the loadbalancer and the pool members (i.e., the pods belonging to the service). It also includes the needed changes to set up the environment with devstack. Implements: blueprint octavia-layer2-member-connectivity Change-Id: I345a71fbdf6f30f314b12aed1fc6f59177c03d00
2017-08-30 10:07:11 +00:00
granting access to all the CIDR of the service subnet, e.g.::
octavia: Make Octavia ready devstack This patch changes the main sample devstack local.conf to use Octavia. In order for that to work, it does some security group changes to ensure that the communication from the LB to the members will work in L3 modes. In L2 mode, which will be added at some point after this patch Octavia creates a pod_subnet port per each Load Balancer with the 'default' security group of the 'admin' project. This means that it would not be allowed by the members since they use the 'default' security group from the 'k8s' project. In L3 mode, Octavia does not create a port in the members subnet and relies on the service and the pod subnet to be connected to the same router. Some changes were necessary on the lbaas handler for that. Specifically, changing the member subnet to be the service subnet so that Octavia does not go into L2 mode. Implements: blueprint octavia-support Change-Id: I993ebb0d7b82ad1140d752982013bbadf35dfef7 Closes-Bug: #1707180 Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
2017-07-31 11:48:21 +02:00
openstack security group create --project k8s_cluster_project \
service_pod_access_sg
openstack --project k8s_cluster_project security group rule create \
--remote-ip cidr_of_service_subnet --ethertype IPv4 --protocol tcp \
service_pod_access_sg
* The uuid of this security group id should be added to the comma separated
list of pod security groups. *pod_security_groups* in *[neutron_defaults]*.
Add Octavia L2 member mode support This patch introduces the modifications needed to support L2 member mode communication between the loadbalancer and the pool members (i.e., the pods belonging to the service). It also includes the needed changes to set up the environment with devstack. Implements: blueprint octavia-layer2-member-connectivity Change-Id: I345a71fbdf6f30f314b12aed1fc6f59177c03d00
2017-08-30 10:07:11 +00:00
Alternatively, to support Octavia L2 mode:
* The pod security_groups setting should include a security group with a rule
granting access to all the CIDR of the pod subnet, e.g.::
openstack security group create --project k8s_cluster_project \
octavia_pod_access_sg
openstack --project k8s_cluster_project security group rule create \
--remote-ip cidr_of_pod_subnet --ethertype IPv4 --protocol tcp \
octavia_pod_access_sg
* The uuid of this security group id should be added to the comma separated
list of pod security groups. *pod_security_groups* in *[neutron_defaults]*.
Update installation documentation This commit moves installation/configuration documentation from README file to installation section of the actual docs (which has been rather short thus far). This commit splits a single README into multiple installation sub-docs. It also expands the manual on installation and configuration of kuryr-k8s-controller and kuryr-cni. Change-Id: I88862f28d0bbbd8bf5259209c4fa3c41130479d1
2017-06-09 14:57:17 +03:00
Run kuryr-k8s-controller::
$ kuryr-k8s-controller --config-file /etc/kuryr/kuryr.conf -d
Alternatively you may run it in screen::
$ screen -dm kuryr-k8s-controller --config-file /etc/kuryr/kuryr.conf -d
Configure kuryr-cni
-------------------
On every kubernetes minion node (and on master if you intend to run containers
there) you need to configure kuryr-cni.
"Install kuryr-cni a virtualenv"->"Install kuryr-cni in a virtualenv" Change-Id: Id3a7620a968ed564d807352489a4eafbb2887275 Closes-Bug:#1714163
2017-08-31 06:41:57 +00:00
Install ``kuryr-cni`` in a virtualenv::
Update installation documentation This commit moves installation/configuration documentation from README file to installation section of the actual docs (which has been rather short thus far). This commit splits a single README into multiple installation sub-docs. It also expands the manual on installation and configuration of kuryr-k8s-controller and kuryr-cni. Change-Id: I88862f28d0bbbd8bf5259209c4fa3c41130479d1
2017-06-09 14:57:17 +03:00
$ mkdir kuryr-k8s-cni
$ cd kuryr-k8s-cni
$ virtualenv env
$ . env/bin/activate
$ git clone http://git.openstack.org/openstack/kuryr-kubernetes
$ pip install -e kuryr-kubernetes
Create ``/etc/kuryr/kuryr.conf``::
$ cd kuryr-kubernetes
$ ./tools/generate_config_file_samples.sh
$ cp etc/kuryr.conf.sample /etc/kuryr/kuryr.conf
Edit ``kuryr.conf``::
[DEFAULT]
use_stderr = true
[Trivial] Using Similar Format of path like other places in same Doc Change-Id: I3f95d549e476e54584475d8cb47cf8acad022df1
2017-08-08 05:29:18 +00:00
bindir = {path_to_env}/libexec/kuryr
Update installation documentation This commit moves installation/configuration documentation from README file to installation section of the actual docs (which has been rather short thus far). This commit splits a single README into multiple installation sub-docs. It also expands the manual on installation and configuration of kuryr-k8s-controller and kuryr-cni. Change-Id: I88862f28d0bbbd8bf5259209c4fa3c41130479d1
2017-06-09 14:57:17 +03:00
[kubernetes]
api_root = http://{ip_of_kubernetes_apiserver}:8080
Link the CNI binary to CNI directory, where kubelet would find it::
$ mkdir -p /opt/cni/bin
$ ln -s $(which kuryr-cni) /opt/cni/bin/
Create the CNI config file for kuryr-cni: ``/etc/cni/net.d/10-kuryr.conf``.
modify some misspellings in doc Change-Id: Ib03dac2b098180dc01910a7039eccaaeeea7060d
2017-08-23 16:43:28 +08:00
Kubelet would only use the lexicographically first file in that directory, so
Update installation documentation This commit moves installation/configuration documentation from README file to installation section of the actual docs (which has been rather short thus far). This commit splits a single README into multiple installation sub-docs. It also expands the manual on installation and configuration of kuryr-k8s-controller and kuryr-cni. Change-Id: I88862f28d0bbbd8bf5259209c4fa3c41130479d1
2017-06-09 14:57:17 +03:00
make sure that it is kuryr's config file::
{
Proceed CNI output in format of version 0.3.1 Kuryr-kubernetes declares, that supported CNI version is 0.3.0, but it prints to output in format of version 0.2.0. Kubernetes can't parse it. This patch modifies CNI output according to 0.3.1, it has a little difference with version 0.3.0, just in naming of ips field. Change-Id: I7b6bb5c178035b7c85fc28973f9a0cf1bc1a139e Closes-Bug: 1779718 Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
2018-07-04 04:27:11 -04:00
"cniVersion": "0.3.1",
Update installation documentation This commit moves installation/configuration documentation from README file to installation section of the actual docs (which has been rather short thus far). This commit splits a single README into multiple installation sub-docs. It also expands the manual on installation and configuration of kuryr-k8s-controller and kuryr-cni. Change-Id: I88862f28d0bbbd8bf5259209c4fa3c41130479d1
2017-06-09 14:57:17 +03:00
"name": "kuryr",
"type": "kuryr-cni",
"kuryr_conf": "/etc/kuryr/kuryr.conf",
"debug": true
}
Install ``os-vif`` and ``oslo.privsep`` libraries globally. These modules
are used to plug interfaces and would be run with raised privileges. ``os-vif``
uses ``sudo`` to raise privileges, and they would need to be installed globally
to work correctly::
deactivate
sudo pip install 'oslo.privsep>=1.20.0' 'os-vif>=1.5.0'
CNI Daemon documentation This commit extends developer docs to add information about CNI Daemon and APIs between CNI Driver and CNI Daemon. Implements: blueprint cni-split-exec-daemon Co-Authored-By: Janonymous <janonymous.codevulture@gmail.com> Change-Id: I0188c133d656e32b75bf7d9b6c012da33ffa2571
2017-10-04 10:54:28 +02:00
Deprecate running kuryr-k8s without kuryr-daemon This commit implements what was discussed on the PTG, i.e. deprecation of running Kuryr-Kubernetes without kuryr-daemon services. This commit includes changes in configuration defaults, sample local.conf files, documentation, gates and a release note explaining the change. Change-Id: I152c81797cb83237af4917a4487cb1f1918270aa
2018-03-06 18:00:54 +01:00
Configure Kuryr CNI Daemon
CNI Daemon documentation This commit extends developer docs to add information about CNI Daemon and APIs between CNI Driver and CNI Daemon. Implements: blueprint cni-split-exec-daemon Co-Authored-By: Janonymous <janonymous.codevulture@gmail.com> Change-Id: I0188c133d656e32b75bf7d9b6c012da33ffa2571
2017-10-04 10:54:28 +02:00
-------------------------------------
Deprecate running kuryr-k8s without kuryr-daemon This commit implements what was discussed on the PTG, i.e. deprecation of running Kuryr-Kubernetes without kuryr-daemon services. This commit includes changes in configuration defaults, sample local.conf files, documentation, gates and a release note explaining the change. Change-Id: I152c81797cb83237af4917a4487cb1f1918270aa
2018-03-06 18:00:54 +01:00
Kuryr CNI Daemon is a service designed to increased scalability of the Kuryr
operations done on Kubernetes nodes. More information can be found on
CNI Daemon documentation This commit extends developer docs to add information about CNI Daemon and APIs between CNI Driver and CNI Daemon. Implements: blueprint cni-split-exec-daemon Co-Authored-By: Janonymous <janonymous.codevulture@gmail.com> Change-Id: I0188c133d656e32b75bf7d9b6c012da33ffa2571
2017-10-04 10:54:28 +02:00
:ref:`cni-daemon` page.
Deprecate running kuryr-k8s without kuryr-daemon This commit implements what was discussed on the PTG, i.e. deprecation of running Kuryr-Kubernetes without kuryr-daemon services. This commit includes changes in configuration defaults, sample local.conf files, documentation, gates and a release note explaining the change. Change-Id: I152c81797cb83237af4917a4487cb1f1918270aa
2018-03-06 18:00:54 +01:00
Kuryr CNI Daemon, should be installed on every Kubernetes node, so following
steps need to be repeated.
CNI Daemon documentation This commit extends developer docs to add information about CNI Daemon and APIs between CNI Driver and CNI Daemon. Implements: blueprint cni-split-exec-daemon Co-Authored-By: Janonymous <janonymous.codevulture@gmail.com> Change-Id: I0188c133d656e32b75bf7d9b6c012da33ffa2571
2017-10-04 10:54:28 +02:00
.. note::
You can tweak configuration of some timeouts to match your environment. It's
crucial for scalability of the whole deployment. In general the timeout to
serve CNI request from kubelet to Kuryr is 180 seconds. After that time
kubelet will retry the request. Additionally there are two configuration
options::
[cni_daemon]
vif_annotation_timeout=60
pyroute2_timeout=10
``vif_annotation_timeout`` is time the Kuryr CNI Daemon will wait for Kuryr
Controller to create a port in Neutron and add information about it to Pod's
metadata. If either Neutron or Kuryr Controller doesn't keep up with high
number of requests, it's advised to increase this timeout. Please note that
increasing it over 180 seconds will not have any effect as the request will
time out anyway and will be retried (which is safe).
``pyroute2_timeout`` is internal timeout of pyroute2 library, that is
responsible for doing modifications to Linux Kernel networking stack (e.g.
moving interfaces to Pod's namespaces, adding routes and ports or assigning
addresses to interfaces). When serving a lot of ADD/DEL CNI requests on a
regular basis it's advised to increase that timeout. Please note that the
value denotes *maximum* time to wait for kernel to complete the operations.
If operation succeeds earlier, request isn't delayed.
Run kuryr-daemon::
$ kuryr-daemon --config-file /etc/kuryr/kuryr.conf -d
Alternatively you may run it in screen::
Update doc title format Change-Id: Idd06ad6fc05bddc6dc84ee0924645beac66db72e Signed-off-by: Yuanbin.Chen <cybing4@gmail.com>
2018-03-01 14:27:13 +08:00
$ screen -dm kuryr-daemon --config-file /etc/kuryr/kuryr.conf -d
cni health: track all cgroup memory usage The CNI daemon should always be run in its own cgroup. That typically can take two forms: - Running inside a container - Running as a systemd service This patch changes the way the memory usage is tracked so that both of the cgroup memberships listed above are supported. Thanks to using cgroups for tracking the memory usage, we will finally take into account the CNI daemon children memory usage. Change-Id: I0ef48742653d5c17ea0cc787ae3a997d5d315c5a Closes-Bug: 1752939 Signed-off-by: Antoni Segura Puimedon <antonisp@celebdor.com>
2018-03-02 22:53:54 +00:00
Kuryr CNI Daemon health checks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The CNI daemon health checks allow the deployer or the orchestration layer
(like for example Kubernetes or OpenShift) to probe the CNI daemon for liveness
and readiness.
If you want to make use of all of its facilities, you should run the
kuryr-daemon in its own cgroup. It will get its own cgroup if you:
* Run it as a systemd service,
* run it containerized,
* create a memory cgroup for it.
In order to make the daemon run in its own cgroup, you can do the following::
systemd-run --unit=kuryr-daemon --scope --slice=kuryr-cni \
kuryr-daemon --config-file /etc/kuryr/kuryr.conf -d
After this, with the CNI daemon running inside its own cgroup, we can enable
the CNI daemon memory health check. This health check allows us to limit the
memory consumption of the CNI Daemon. The health checks will fail if CNI starts
taking more memory that it is set and the orchestration layer should restart.
The setting is::
[cni_health_server]
max_memory_usage = 4096 # Set the memory limit to 4GiB
Copy Permalink