docs/doc/source/dist_cloud/kubernetes/migrate-an-aiosx-subcloud-to-an-aiodx-subcloud.rst
Suzana Fernandes b029465b58 Protecting against L2 Network Attackers
Story: 2010940
Task: 50151

Change-Id: If7ffcf0ffb81d0f7952cd92167b992550e7e191e
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
2024-09-05 17:58:02 +00:00

9.3 KiB

Migrate an AIO-SX to an AIO-DX Subcloud

You can migrate an subcloud to an subcloud without reinstallation. This operation involves updating the system mode, adding the unit IP addresses of each controller, and installing the second controller.

A distributed cloud system is setup with at least a system controller and an subcloud. The subcloud must be online and managed by dcmanager. Both the management network and cluster-host network need to be configured and cannot be on the loopback interface.

Reconfigure the Cluster-Host Interface

If the cluster-host interface is on the loopback interface, use the following procedure to reconfigure the cluster-host interface on to a physical interface.

  1. Lock the active controller.

    ~(keystone_admin)$ system host-lock controller-0
  2. Change the class attribute to 'none' for the loopback interface.

    ~(keystone_admin)$ system host-if-modify controller-0 lo -c none
  3. Delete the current cluster-host interface-network configuration

    ~(keystone_admin)$ IFNET_UUID=$(system interface-network-list controller-0 | awk '{if ($8 =="cluster-host") print $4;}')
    ~(keystone_admin)$ system interface-network-remove $IFNET_UUID
  4. Assign the cluster-host network to the new interface. This example assumes the interface name is mgmt0.

    ~(keystone_admin)$ system interface-network-assign controller-0 mgmt0 cluster-host

Continue with the to subcloud migration, using one of the following procedures:

Use Ansible Playbook to Migrate a Subcloud from AIO-SX to AIO-DX, or Manually Migrate a Subcloud from AIO-SX to AIO-DX.

Use Ansible Playbook to Migrate a Subcloud from AIO-SX to AIO-DX

Use the following procedure to migrate a subcloud from to using the ansible playbook.

  • the subcloud must be online and managed from the System Controller
  • the subcloud's controller-0 may be locked or unlocked; the ansible playbook will lock the subcloud controller-0 as part of migrating the subcloud

  1. Use the ansible-vault create migrate-subcloud1-overrides-EXAMPLE.yml command to securely specify the unit IP addresses and the ansible ssh password. The existing IP address of the system will be used as the floating IP address of the new system.

    In the following example, 10.10.10.13 and 10.10.10.14 are the new unit IP addresses for controller-0 and controller-1 respectively.

    {
     "ansible_ssh_pass": "St8rlingXCloud*",
     "external_oam_node_0_address": "10.10.10.13",
     "external_oam_node_1_address": "10.10.10.14",
     }

    Use the ansible-vault edit migrate-subcloud1-overrides-EXAMPLE.yml command if the file needs to be edited after it is created.

  2. On the system controller, run the ansible playbook to migrate the subcloud to an .

    Note

    Run the following command on an system before changing to , as this does not apply to systems.

    ~(keystone_admin)$ system storage-backend-modify ceph-store replication=2

    For example, if the subcloud name is 'subcloud1', enter:

    ~(keystone_admin)$ ansible-playbook --ask-vault-pass /usr/share/ansible/stx-ansible/playbooks/migrate_sx_to_dx.yml -e @migrate-subcloud1-overrides-EXAMPLE.yml -i subcloud1, -v

    The ansible playbook will lock the subcloud's controller-0, if it not already locked, apply the configuration changes to convert the subcloud to an system with a single controller, and unlock controller-0. Wait for the controller to reset and come back up to an operational state.

  3. Software install and configure the second controller for the subcloud.

    From the System Controller, reconfigure the subcloud, using dcmanager. Specify the sysadmin password and the deployment configuration file, using the dcmanager subcloud deploy config command.

    ~(keystone_admin)$ dcmanager subcloud deploy config --sysadmin-password <sysadmin_password> --deploy-config deployment-config-subcloud1-duplex.yaml <subcloud1>

    where <sysadmin_password> is assumed to be the login password and <subcloud1> is the name of the subcloud

    Note

    --deploy-config must reference a deployment configuration file for a subcloud.

    For example, deployment-config-subcloud1-duplex.yaml should only include changes for controller-1 as changing fields for other nodes/ resources may cause them to go out of sync.

partner

Manually Migrate a Subcloud from AIO-SX to AIO-DX

As an alternative to using the Ansible playbook, use the following procedure to manually migrate a subcloud from to . Perform the following commands on the subcloud.

  1. If not already locked, lock the active controller.

    ~(keystone_admin)$ system host-lock controller-0

    Note

    Run the following command on an system before changing to , as this does not apply to systems.

    ~(keystone_admin)$ system storage-backend-modify ceph-store replication=2
  2. Change the system mode to 'duplex'.

    ~(keystone_admin)$ system modify --system_mode=duplex
  3. Add the unit IP addresses of controller-0 and controller-1.

    For example, the subnet is 10.10.10.0/24 and uses 10.10.10.13 and 10.10.10.14 for the unit IP addresses of controller-0 and controller-1 respectively. The existing IP address of the system will be used as the OAM floating IP address of the new system.

    Note

    Only specifying oam_c0_ip and oam_c1_ip is necessary to configure the OAM unit IPs to transition to Duplex. However, oam_c0_ip and oam_c1_ip cannot equal the current or specified value for oam_floating_ip.

    ~(keystone_admin)$ system oam-modify oam_subnet=10.10.10.0/24 oam_gateway_ip=10.10.10.1 oam_floating_ip=10.10.10.12 oam_c0_ip=10.10.10.13 oam_c1_ip=10.10.10.14
  4. Unlock the controller.

    ~(keystone_admin)$ system host-unlock controller-0

    Wait for the controller to reset and come back up to an operational state.

  5. Config and enable IPsec on the controller.

    ~(keystone_admin)$ sudo ipsec-client pxecontroller

    This is only needed on controller-0. The command should complete successfully as following:

    ~(keystone_admin)$ sudo ipsec-client pxecontroller
    
    2024-08-07 20:43:28.622 182204 INFO sysinv.ipsec_auth.client.client [-] Connecting to pxecontroller port 64764
    2024-08-07 20:43:28.630 182204 INFO sysinv.ipsec_auth.client.client [-] Sending IPSec Auth request
    2024-08-07 20:43:36.521 182204 INFO sysinv.ipsec_auth.client.client [-] Received IPSec Auth response
    2024-08-07 20:43:36.765 182204 INFO sysinv.ipsec_auth.client.client [-] Generate RSA Private Key (PRK2).
    2024-08-07 20:43:37.029 182204 INFO sysinv.ipsec_auth.client.client [-] Generate AES Key (AK1).
    2024-08-07 20:43:37.029 182204 INFO sysinv.ipsec_auth.client.client [-] Generate Certificate Signing Request (CSR).
    2024-08-07 20:43:37.033 182204 INFO sysinv.ipsec_auth.client.client [-] Encrypt CSR w/ AK1.
    2024-08-07 20:43:37.035 182204 INFO sysinv.ipsec_auth.client.client [-] Encrypt AK1 and IV w/ PUK1
    2024-08-07 20:43:37.038 182204 INFO sysinv.ipsec_auth.client.client [-] Hash OTS Token, eAK1 and eCSR.
    2024-08-07 20:43:37.041 182204 INFO sysinv.ipsec_auth.client.client [-] Sending IPSec Auth CSR request
    2024-08-07 20:43:38.541 182204 INFO sysinv.ipsec_auth.client.client [-] Received IPSec Auth CSR response
    2024-08-07 20:43:38.544 182204 INFO sysinv.ipsec_auth.client.client [-] Generating config files and restart ipsec
    2024-08-07 20:43:53.141 182204 INFO sysinv.ipsec_auth.client.client [-] Shutting down
  6. Software install and configure the second controller for the subcloud.

    For instructions on installing and configuring controller-1 in an setup to continue with the migration, see .