Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Bug 1848945: OpenStack - Documentation for adding worker nodes using …
…ansible
- Loading branch information
Adolfo Duarte
committed
Nov 17, 2020
1 parent
cc15bc7
commit e894d59
Showing
1 changed file
with
68 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
# Adding Compute Nodes By Hand | ||
The preferred method of adding compute nodes to an OpenShift cluster is | ||
to use the worker MachineSet with [Machine API Operator](https://github.com/openshift/machine-api-operator). | ||
|
||
It is also possible to add a compute node through other tools like ansible. For example, | ||
the compute nodes may be added as described in [Installing OpenShift on OpenStack User-Provisioned Infrastructure][1]; | ||
or when scaling up the compute nodes using [Openshift-ansible][2]. | ||
|
||
When doing so, there are a few important points that should be taken into account. | ||
|
||
## Apply Necessary Security Groups To Ports | ||
When adding a new compute, the necessary security groups need to be applied to | ||
allow the node access the cluster API endpoints and services. | ||
|
||
If the node is directly attached to the machineNetwork, the pre-existing worker security groups maybe | ||
applied to the port attaching the node. The existing security rules should not require modifications. | ||
|
||
If the nodes is attached to a different network than the machineNetwork, | ||
then new security group rules will have to be configured because the security group rules deployed by default on a cluster | ||
match on both destination and source networks. | ||
|
||
|
||
## Configure Allowed Address Pairs On Node Port | ||
The port used by the new compute node needs to be configured to accept traffic for the ingress VIP. | ||
|
||
The value for the ingress VIP can be found by running the command: | ||
|
||
``` | ||
$ openstack port show <cluster-id>-ingress-port -f value -c fixed_ips | ||
10.0.128.7 | ||
``` | ||
|
||
Configure the compute node's port to accept traffic for the ingress VIP by | ||
setting the allowed address pairs. | ||
|
||
``` | ||
$ openstack port set 97f73ba7-e104-49e2-ad7a-d4b440acc57e --allowed-address ip-address='10.0.128.7' | ||
$ openstack port show 97f73ba7-e104-49e2-ad7a-d4b440acc57e -c allowed_address_pairs | ||
+-----------------------+----------------------------------------------------------+ | ||
| Field | Value | | ||
+-----------------------+----------------------------------------------------------+ | ||
| allowed_address_pairs | ip_address='10.0.128.7', mac_address='fa:16:3e:0d:35:f8' | | ||
+-----------------------+----------------------------------------------------------+ | ||
``` | ||
|
||
|
||
|
||
[1]: https://github.com/openshift/installer/blob/master/docs/user/openstack/install_upi.md#installing-openshift-on-openstack-user-provisioned-infrastructure | ||
[2]: https://github.com/openshift/openshift-ansible | ||
|
||
## Access To API Endpoints Using FQD Hostnames. | ||
The node needs to have access to the cluster API endpoints using | ||
Fully Qualified Domain hostnames. The node's DNS configuration should resolve the hostname to an IP address which is accessible | ||
to the node. Network security should be configured to allow access. | ||
|
||
DNS resolution is a system administration task and deploying a compute node | ||
by hand does not require a particular DNS configuration. For example, adding the necessary entries to /etc/hosts | ||
file is one possible way. For other possible ways to configure DNS resolution | ||
consult your operating system's documentation. | ||
|
||
Before starting the deployment process | ||
correct DNS configuration and access should be verified by using the appropriate tools. For example, if the cluster is named | ||
my.cluster.com, then the following _curl_ command maybe used to check the necessary access: | ||
|
||
```curl --insecure https://api.url.text:6443``` | ||
where ```api.url.text``` is a hostname that resolves to an IP address the node can use to reach the API endpoints. | ||
```curl``` is an example and not the only tool that maybe used to verify access. |