From 720c2fbe08ccd09b7cea1b04f7c7ef977a95691a Mon Sep 17 00:00:00 2001 From: Shauna Diaz Date: Thu, 9 Feb 2023 12:02:22 -0500 Subject: [PATCH] OSDOCS-5274: Restart node when changing mtu value --- _topic_maps/_topic_map_ms.yml | 4 +- .../microshift-embed-in-rpm-ostree.adoc | 12 +-- .../ingress-operator-microshift.adoc | 87 ------------------- .../microshift-firewall.adoc | 23 +++++ .../microshift-networking.adoc | 20 ++--- modules/microshift-configuring-ovn.adoc | 18 ++-- .../microshift-cri-o-container-runtime.adoc | 3 +- .../microshift-firewall-allow-traffic.adoc | 3 +- .../microshift-firewall-apply-settings.adoc | 2 +- modules/microshift-firewall-config.adoc | 6 +- modules/microshift-firewall-opt-settings.adoc | 7 +- modules/microshift-firewall-req-settings.adoc | 2 +- .../microshift-firewall-verify-settings.adoc | 2 +- modules/microshift-firewalld-install.adoc | 2 +- modules/microshift-install-rpm-preparing.adoc | 1 + ...icroshift-install-system-requirements.adoc | 1 + .../microshift-ki-cni-iptables-deleted.adoc | 3 +- modules/microshift-ovs-snapshot.adoc | 5 +- .../microshift-restart-ovnkube-master.adoc | 51 +++++++++++ 19 files changed, 125 insertions(+), 127 deletions(-) delete mode 100644 microshift_networking/ingress-operator-microshift.adoc create mode 100644 microshift_networking/microshift-firewall.adoc create mode 100644 modules/microshift-restart-ovnkube-master.adoc diff --git a/_topic_maps/_topic_map_ms.yml b/_topic_maps/_topic_map_ms.yml index cc085bbf26..74c3bd80e9 100644 --- a/_topic_maps/_topic_map_ms.yml +++ b/_topic_maps/_topic_map_ms.yml @@ -104,8 +104,10 @@ Name: Networking Dir: microshift_networking Distros: microshift Topics: -- Name: Understanding networking +- Name: Applying networking settings File: microshift-networking +- Name: Using a firewall + File: microshift-firewall --- Name: Storage Dir: microshift_storage 
diff --git a/microshift_install/microshift-embed-in-rpm-ostree.adoc b/microshift_install/microshift-embed-in-rpm-ostree.adoc index 425adfe232..14f1026920 100644 --- a/microshift_install/microshift-embed-in-rpm-ostree.adoc +++ b/microshift_install/microshift-embed-in-rpm-ostree.adoc 
@@ -50,12 +50,12 @@ include::modules/microshift-provisioning-ostree.adoc[leveloffset=+1] [role="_additional-resources_microshift-embed-in-rpm-ostree"] .Additional resources -. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/composing_installing_and_managing_rhel_for_edge_images/index[{op-system-ostree} documentation]. -. xref:../microshift_install/microshift-install-rpm.adoc#system-requirements-installing-microshift[System requirements for installing {product-title}]. -. Red Hat Hybrid Cloud Console link:https://console.redhat.com/openshift/install/pull-secret[pull secret]. -. xref:../microshift_networking/microshift-networking.adoc#microshift-firewall-req-settings_microshift-networking[Required firewall settings]. -. link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/creating-kickstart-files_installing-rhel-as-an-experienced-user[Creating a Kickstart file]. -. link:https://access.redhat.com/solutions/60959[How to embed a Kickstart file into an ISO image]. +* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/composing_installing_and_managing_rhel_for_edge_images/index[{op-system-ostree} documentation]. +* xref:../microshift_install/microshift-install-rpm.adoc#system-requirements-installing-microshift[System requirements for installing {product-title}]. +* Red Hat Hybrid Cloud Console link:https://console.redhat.com/openshift/install/pull-secret[pull secret]. +* xref:../microshift_networking/microshift-firewall.adoc#microshift-firewall-req-settings_microshift-networking[Required firewall settings]. +* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/creating-kickstart-files_installing-rhel-as-an-experienced-user[Creating a Kickstart file]. +* link:https://access.redhat.com/solutions/60959[How to embed a Kickstart file into an ISO image]. 
include::modules/microshift-accessing.adoc[leveloffset=+1] include::modules/microshift-accessing-cluster-locally.adoc[leveloffset=+2] diff --git a/microshift_networking/ingress-operator-microshift.adoc b/microshift_networking/ingress-operator-microshift.adoc deleted file mode 100644 index 0108033866..0000000000 --- a/microshift_networking/ingress-operator-microshift.adoc +++ /dev/null 
@@ -1,87 +0,0 @@ -:_content-type: ASSEMBLY -[id="configuring-ingress-microshift"] -= Ingress Operator in {product-title} -include::_attributes/attributes-microshift.adoc[] -:context: configuring-ingress - -toc::[] -include::modules/nw-ne-openshift-ingress.adoc[leveloffset=+1] -include::modules/nw-installation-ingress-config-asset.adoc[leveloffset=+1] -include::modules/nw-ingress-controller-configuration-parameters.adoc[leveloffset=+1] - -[id="configuring-ingress-controller-tls"] -=== Ingress Controller TLS security profiles - -TLS security profiles provide a way for servers to regulate which ciphers a connecting client can use when connecting to the server. - -// Understanding TLS security profiles -include::modules/tls-profiles-understanding.adoc[leveloffset=+3] - -// Configuring the TLS profile for the Ingress Controller -include::modules/tls-profiles-ingress-configuring.adoc[leveloffset=+3] - -include::modules/nw-mutual-tls-auth.adoc[leveloffset=+3] - -include::modules/nw-ingress-view.adoc[leveloffset=+1] - -include::modules/nw-ingress-operator-status.adoc[leveloffset=+1] - -include::modules/nw-ingress-operator-logs.adoc[leveloffset=+1] - -include::modules/nw-ingress-controller-status.adoc[leveloffset=+1] - -[id="configuring-ingress-controller"] -== Configuring the Ingress Controller - -include::modules/nw-ingress-setting-a-custom-default-certificate.adoc[leveloffset=+2] - -include::modules/nw-ingress-custom-default-certificate-remove.adoc[leveloffset=+2] - -include::modules/nw-autoscaling-ingress-controller.adoc[leveloffset=+2] - -include::modules/nw-scaling-ingress-controller.adoc[leveloffset=+2] - -include::modules/nw-configure-ingress-access-logging.adoc[leveloffset=+2] - -include::modules/nw-ingress-setting-thread-count.adoc[leveloffset=+2] - -include::modules/nw-ingress-sharding.adoc[leveloffset=+2] - -include::modules/nw-ingress-sharding-route-labels.adoc[leveloffset=+3] - -include::modules/nw-ingress-sharding-namespace-labels.adoc[leveloffset=+3] - 
-include::modules/nw-ingress-setting-internal-lb.adoc[leveloffset=+2] - -include::modules/nw-ingress-controller-configuration-gcp-global-access.adoc[leveloffset=+2] - -include::modules/nw-ingress-controller-config-tuningoptions-healthcheckinterval.adoc[leveloffset=+2] - -include::modules/nw-ingress-default-internal.adoc[leveloffset=+2] - -include::modules/nw-route-admission-policy.adoc[leveloffset=+2] - -include::modules/using-wildcard-routes.adoc[leveloffset=+2] - -include::modules/nw-using-ingress-forwarded.adoc[leveloffset=+2] - -include::modules/nw-http2-haproxy.adoc[leveloffset=+2] - -include::modules/nw-ingress-controller-configuration-proxy-protocol.adoc[leveloffset=+2] - -include::modules/nw-ingress-configuring-application-domain.adoc[leveloffset=+2] - -include::modules/nw-ingress-converting-http-header-case.adoc[leveloffset=+2] - -include::modules/nw-configuring-router-compression.adoc[leveloffset=+2] - -include::modules/nw-customize-ingress-error-pages.adoc[leveloffset=+2] -//include::modules/nw-ingress-select-route.adoc[leveloffset=+2] - -include::modules/nw-ingress-setting-max-connections.adoc[leveloffset=+2] - -//[role="_additional-resources"] -//== Additional resources - -//* xref:../networking/configuring-a-custom-pki.adoc#configuring-a-custom-pki[Configuring a custom PKI] - diff --git a/microshift_networking/microshift-firewall.adoc b/microshift_networking/microshift-firewall.adoc new file mode 100644 index 0000000000..85565eb79d --- /dev/null +++ b/microshift_networking/microshift-firewall.adoc 
@@ -0,0 +1,23 @@ +:_content-type: ASSEMBLY +[id="microshift-using-a-firewall"] += Using a firewall +include::_attributes/attributes-microshift.adoc[] +:context: microshift-firewall + +toc::[] + +Firewalls are not required in {product-title}, but using a firewall can prevent undesired access to the {product-title} API. + +include::modules/microshift-firewall-config.adoc[leveloffset=+1] +include::modules/microshift-firewalld-install.adoc[leveloffset=+1] +include::modules/microshift-firewall-req-settings.adoc[leveloffset=+1] +include::modules/microshift-firewall-opt-settings.adoc[leveloffset=+1] +include::modules/microshift-firewall-allow-traffic.adoc[leveloffset=+1] +include::modules/microshift-firewall-apply-settings.adoc[leveloffset=+1] +include::modules/microshift-firewall-verify-settings.adoc[leveloffset=+1] +include::modules/microshift-firewall-known-issue.adoc[leveloffset=+1] + +[role="_additional-resources"] +[id="additional-resources_microshift-using-a-firewall"] +.Additional resources +* xref:../microshift_troubleshooting/microshift-troubleshooting.adoc#microshift-ki-cni-iptables-deleted[Troubleshooting iptables deleted]. diff --git a/microshift_networking/microshift-networking.adoc b/microshift_networking/microshift-networking.adoc index 67bdc3afc7..b472022c26 100644 --- a/microshift_networking/microshift-networking.adoc +++ b/microshift_networking/microshift-networking.adoc @@ -1,6 +1,6 @@ :_content-type: ASSEMBLY -[id="microshift-understanding-networking"] -= Understanding networking +[id="microshift-applying-networking-settings"] += Understanding networking settings include::_attributes/attributes-microshift.adoc[] :context: microshift-networking 
@@ -18,21 +18,17 @@ By default, Kubernetes allocates each pod an internal IP address for application include::modules/microshift-cni.adoc[leveloffset=+1] include::modules/microshift-configuring-ovn.adoc[leveloffset=+1] +include::modules/microshift-restart-ovnkube-master.adoc[leveloffset=+1] //include::modules/microshift-man-config-ovs-bridge.adoc[leveloffset=+1] include::modules/microshift-http-proxy.adoc[leveloffset=+1] include::modules/microshift-cri-o-container-runtime.adoc[leveloffset=+1] include::modules/microshift-ovs-snapshot.adoc[leveloffset=+1] include::modules/microshift-mDNS.adoc[leveloffset=+1] -include::modules/microshift-firewall-config.adoc[leveloffset=+1] -include::modules/microshift-firewalld-install.adoc[leveloffset=+1] -include::modules/microshift-firewall-req-settings.adoc[leveloffset=+1] -include::modules/microshift-firewall-opt-settings.adoc[leveloffset=+1] -include::modules/microshift-firewall-allow-traffic.adoc[leveloffset=+1] -include::modules/microshift-firewall-apply-settings.adoc[leveloffset=+1] -include::modules/microshift-firewall-verify-settings.adoc[leveloffset=+1] -include::modules/microshift-firewall-known-issue.adoc[leveloffset=+1] - [role="_additional-resources"] +[id="additional-resources_microshift-applying-networking-settings"] .Additional resources -* xref:../microshift_troubleshooting/microshift-troubleshooting.adoc#microshift-version[Troubleshooting]. + +. xref:../microshift_troubleshooting/microshift-troubleshooting.adoc#microshift-version[Troubleshooting] +. xref:../microshift_troubleshooting/microshift-troubleshooting.adoc#microshift-troubleshooting-nodeport[Troubleshooting the NodePort service]. +. xref:../microshift_troubleshooting/microshift-troubleshooting.adoc#microshift-nodeport-unreachable-workaround[NodePort unreachable workround]. diff --git a/modules/microshift-configuring-ovn.adoc b/modules/microshift-configuring-ovn.adoc index d57a6ec724..8d0f901712 100644 --- a/modules/microshift-configuring-ovn.adoc 
+++ b/modules/microshift-configuring-ovn.adoc @@ -2,9 +2,9 @@ // // * microshift_networking/microshift-networking.adoc -:_content-type: PROCEDURE +:_content-type: CONCEPT [id="microshift-config-OVN-K_{context}"] -= Configuring OVN-Kubernetes += OVN-Kubernetes configuration options An OVN-Kubernetes config file can be written to `/etc/microshift/ovn.yaml`. {product-title} will use default OVN-Kubernetes configuration values if an OVN-Kubernetes config file is not customized. @@ -20,7 +20,7 @@ mtu: 1400 <1> Default value is an empty string, which means "not-specified." The CNI network plugin auto-detects to interface with the default route. <2> Default value is an empty string, which means disabled. -To customize your configuration, use the following table to find valid values that you can use in your `ovn.yaml` config file. +To customize your configuration, use the following table to find valid values that you can use in your `ovn.yaml` config file: .Supported optional OVN-Kubernetes configurations for {product-title}. @@ -36,7 +36,7 @@ To customize your configuration, use the following table to find valid values th |bool |false |Skip configuring OVS bridge `br-ex` in `microshift-ovs-init.service` -|true <1> +|true ^1^ |`ovsInit.gatewayInterface` |Alpha @@ -56,8 +56,7 @@ To customize your configuration, use the following table to find valid values th |MTU value used for the pods |1300 |=== - -<1> The OVS bridge is required. When `disableOVSInit` is true, OVS bridge `br-ex` must be configured manually. +^1^ The OVS bridge is required. When `disableOVSInit` is true, OVS bridge `br-ex` must be configured manually. .Example `ovn.yaml` config file: 
@@ -71,4 +70,11 @@ mtu: 1300 ---- [IMPORTANT] +==== When `disableOVSInit` is set to true in the `ovn.yaml` config file, the OVS bridge br-ex must be manually configured. +==== + +[IMPORTANT] +==== +If you change the `mtu` configuration value in the `ovn.yaml` file, you must restart the host that {product-title} is running on for the updated setting to apply. +==== diff --git a/modules/microshift-cri-o-container-runtime.adoc b/modules/microshift-cri-o-container-runtime.adoc index c81ef5fcf0..257b17ea98 100644 --- a/modules/microshift-cri-o-container-runtime.adoc +++ b/modules/microshift-cri-o-container-runtime.adoc @@ -4,11 +4,12 @@ :_content-type: PROCEDURE [id="microshift-CRI-O-container-engine_{context}"] -= CRI-O container runtime += Using a proxy in the CRI-O container runtime To use an HTTP(S) proxy in `CRI-O`, you need to set the `HTTP_PROXY` and `HTTPS_PROXY` environment variables. You can also set the `NO_PROXY` variable to exclude a list of hosts from being proxied. .Procedure + . Add the following settings to the `/etc/systemd/system/crio.service.d/00-proxy.conf` file: + [source, config] diff --git a/modules/microshift-firewall-allow-traffic.adoc b/modules/microshift-firewall-allow-traffic.adoc index b1a2a4f8c5..f1e6c2f956 100644 --- a/modules/microshift-firewall-allow-traffic.adoc +++ b/modules/microshift-firewall-allow-traffic.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * microshift_networking/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: PROCEDURE [id="microshift-firewall-network-traffic_{context}"] 
@@ -9,6 +9,7 @@ You can allow network traffic through the firewall by first configuring the IP address range with either default or custom values, and then allow internal traffic from pods through the network gateway by inserting the DNS server. .Procedure + Set the default values or a custom IP address range. After setting the IP address range, allow internal traffic from the pods through the network gateway. . To set the IP address range: diff --git a/modules/microshift-firewall-apply-settings.adoc b/modules/microshift-firewall-apply-settings.adoc index 1e361371dc..627d34f3ad 100644 --- a/modules/microshift-firewall-apply-settings.adoc +++ b/modules/microshift-firewall-apply-settings.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * microshift_networking/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: PROCEDURE [id="microshift-firewall-applying-settings_{context}"] diff --git a/modules/microshift-firewall-config.adoc b/modules/microshift-firewall-config.adoc index e8c64aacfc..e994144f43 100644 --- a/modules/microshift-firewall-config.adoc +++ b/modules/microshift-firewall-config.adoc @@ -1,12 +1,12 @@ // Module included in the following assemblies: // -// * microshift_networking/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: CONCEPT [id="microshift-firewall-config_{context}"] -= Using a firewall += About network traffic through the firewall -Firewalls are not required in {product-title}, but using a firewall can prevent undesired access to the {product-title} API. When using a firewall, you must explicitly allow the following OVN-Kubernetes traffic when the `firewalld` service is running: +When using a firewall, you must explicitly allow the following OVN-Kubernetes traffic when the `firewalld` service is running: CNI pod to CNI pod:: CNI pod to Host-Network pod 
diff --git a/modules/microshift-firewall-opt-settings.adoc b/modules/microshift-firewall-opt-settings.adoc index 61da90a5a7..cbb6dee775 100644 --- a/modules/microshift-firewall-opt-settings.adoc +++ b/modules/microshift-firewall-opt-settings.adoc @@ -1,17 +1,16 @@ // Module included in the following assemblies: // -// * microshift_networking/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: PROCEDURE - [id="microshift-firewall-optional-settings_{context}"] -= Optional port settings += Using optional port settings The {product-title} firewall service allows optional port settings. .Procedure -. To add customized ports to your firewall configuration, use the following command syntax: +* To add customized ports to your firewall configuration, use the following command syntax: + [source,terminal] ---- diff --git a/modules/microshift-firewall-req-settings.adoc b/modules/microshift-firewall-req-settings.adoc index 04b3c33f77..37418ac362 100644 --- a/modules/microshift-firewall-req-settings.adoc +++ b/modules/microshift-firewall-req-settings.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * microshift_networking/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: CONCEPT [id="microshift-firewall-req-settings_{context}"] diff --git a/modules/microshift-firewall-verify-settings.adoc b/modules/microshift-firewall-verify-settings.adoc index 815358d3b3..4bda23d144 100644 --- a/modules/microshift-firewall-verify-settings.adoc +++ b/modules/microshift-firewall-verify-settings.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * microshift_networking/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: PROCEDURE [id="microshift-firewall-verifying-settings_{context}"] 
diff --git a/modules/microshift-firewalld-install.adoc b/modules/microshift-firewalld-install.adoc index 843bcc270f..0e0d89c3a1 100644 --- a/modules/microshift-firewalld-install.adoc +++ b/modules/microshift-firewalld-install.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * microshift_configuring/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: PROCEDURE [id="microshift-firewall-install_{context}"] diff --git a/modules/microshift-install-rpm-preparing.adoc b/modules/microshift-install-rpm-preparing.adoc index 5646dad250..40bf482011 100644 --- a/modules/microshift-install-rpm-preparing.adoc +++ b/modules/microshift-install-rpm-preparing.adoc @@ -2,6 +2,7 @@ // // microshift/microshift-install-rpm.adoc +:_content-type: PROCEDURE [id="preparing-install-microshift-from-rpm-package_{context}"] = Preparing to install {product-title} from an RPM package diff --git a/modules/microshift-install-system-requirements.adoc b/modules/microshift-install-system-requirements.adoc index 96765e7567..b26b4c3633 100644 --- a/modules/microshift-install-system-requirements.adoc +++ b/modules/microshift-install-system-requirements.adoc @@ -2,6 +2,7 @@ // // microshift/microshift-install-rpm.adoc +:_content-type: REFERENCE [id="system-requirements-installing-microshift"] = System requirements for installing {product-title} diff --git a/modules/microshift-ki-cni-iptables-deleted.adoc b/modules/microshift-ki-cni-iptables-deleted.adoc index 282846bb28..ecfc36f7c0 100644 --- a/modules/microshift-ki-cni-iptables-deleted.adoc +++ b/modules/microshift-ki-cni-iptables-deleted.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * microshift_troubleshooting/microshift-known-issues.adoc + :_content-type: PROCEDURE [id="microshift-ki-cni-iptables-deleted_{context}"] = Reloading the firewall deletes iptable rules 
@@ -22,7 +23,7 @@ To troubleshoot this issue, delete the ovnkube-master pod to restart the ovnkube Run the commands listed in each step that follows to restore the iptable rules. -. Stop the ovn-master application: +. Find the name of the ovnkube-master pod that you want to restart by running the following command: + [source, terminal] ---- diff --git a/modules/microshift-ovs-snapshot.adoc b/modules/microshift-ovs-snapshot.adoc index 03f3dff50c..e89775f080 100644 --- a/modules/microshift-ovs-snapshot.adoc +++ b/modules/microshift-ovs-snapshot.adoc @@ -6,8 +6,11 @@ [id="microshift-OVS-snapshot_{context}"] = Getting a snapshot of OVS interfaces from a running cluster +A snapshot represents the state and data of OVS interfaces at a specific point in time. + .Procedure -To see a snapshot of OVS interfaces from a running {product-title} cluster, use the following command: + +* To see a snapshot of OVS interfaces from a running {product-title} cluster, use the following command: [source, terminal] ---- diff --git a/modules/microshift-restart-ovnkube-master.adoc b/modules/microshift-restart-ovnkube-master.adoc new file mode 100644 index 0000000000..63c3b05de1 --- /dev/null +++ b/modules/microshift-restart-ovnkube-master.adoc 
@@ -0,0 +1,51 @@ +// Module included in the following assemblies: +// +// * microshift_networking/microshift-networking.adoc + +:_content-type: PROCEDURE +[id="microshift-restart-ovnkube-master_{context}"] += Restarting the ovnkube-master pod + +The following procedure restarts the `ovnkube-master` pod. + +.Prerequisites + +* The OpenShift CLI (`oc`) is installed. +* Access to the cluster as a user with the `cluster-admin` role. +* A cluster installed on infrastructure configured with the OVN-Kubernetes network plugin. +* The KUBECONFIG environment variable is set. + +.Procedure + +Use the following steps to restart the `ovnkube-master` pod. + +. Access the remote cluster by running the following command: ++ +[source, terminal] +---- +$ export KUBECONFIG=$PWD/kubeconfig +---- + +. Find the name of the `ovnkube-master` pod that you want to restart by running the following command: ++ +[source, terminal] +---- +$ pod=$(oc get pods -n openshift-ovn-kubernetes | awk -F " " '/ovnkube-master/{print $1}') +---- + +. Delete the `ovnkube-master` pod by running the following command: ++ +[source, terminal] +---- +$ oc -n openshift-ovn-kubernetes delete pod $pod +---- + +. Confirm that a new `ovnkube-master` pod is running by using the following command: ++ +[source, terminal] +---- +$ oc get pods -n openshift-ovn-kubernetes +---- +The listing of the running pods shows a new `ovnkube-master` pod name and age. + +//.Example output needs to be added here \ No newline at end of file
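Review bot: In microshift_install/microshift-embed-in-rpm-ostree.adoc, the retargeted "Required firewall settings" xref still carries the old context suffix: `microshift-firewall.adoc#microshift-firewall-req-settings_microshift-networking`. The module ID is `microshift-firewall-req-settings_{context}` and the new assembly sets `:context: microshift-firewall`, so the anchor that will exist is `microshift-firewall-req-settings_microshift-firewall`. Please update the fragment so the link lands on the section rather than an anchor that no longer exists.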
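Review bot: In the new microshift_networking/microshift-firewall.adoc, the Additional resources xref `microshift-troubleshooting.adoc#microshift-ki-cni-iptables-deleted` does not match the module as shown in this patch: its ID is `microshift-ki-cni-iptables-deleted_{context}`, and its header comment lists `microshift_troubleshooting/microshift-known-issues.adoc` as the including assembly. Please confirm the target file and add the context suffix to the anchor. Since this page is where readers learn how to keep undesired access away from the API, a working link to the "reloading the firewall deletes iptables rules" issue matters here.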
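Review bot: In the first hunk of microshift_networking/microshift-networking.adoc, the new title `= Understanding networking settings` disagrees with both the new ID `microshift-applying-networking-settings` and the topic map entry `Name: Applying networking settings`. Pick one wording and use it in all three places so the navigation label and the page heading match.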
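Review bot: In the Additional resources block at the end of microshift_networking/microshift-networking.adoc, the list markers change from `*` to `.`, which is the opposite of the fix made in microshift-embed-in-rpm-ostree.adoc in this same patch, where `.` is replaced with `*`. Use `*` here as well. While there, fix the typo in "NodePort unreachable workround" and restore the trailing period on the first "Troubleshooting" entry so the three items are punctuated consistently.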
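Review bot: In the last hunk of modules/microshift-configuring-ovn.adoc, the new IMPORTANT block says to restart the host after changing `mtu`, but the assembly now includes microshift-restart-ovnkube-master.adoc directly after this module, and neither place says whether the pod restart is sufficient for any `ovn.yaml` change or only the host restart applies. State explicitly which settings need which restart, and link to the procedure if it is relevant. Also, the first IMPORTANT block about `disableOVSInit` now repeats the `^1^` table note word for word; consider keeping only one of them.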
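Review bot: In modules/microshift-ovs-snapshot.adoc, the procedure text becomes a list item (`* To see a snapshot ...`), but the `[source, terminal]` block that follows has no `+` list continuation, unlike the equivalent change in microshift-firewall-opt-settings.adoc. Without the `+` the command block is not attached to the bullet. Add a `+` line between the item and `[source, terminal]`.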
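Review bot: In the new modules/microshift-restart-ovnkube-master.adoc, step 2 fills `pod` from an awk name match and step 3 uses it unquoted in `oc -n openshift-ovn-kubernetes delete pod $pod`. If the match returns nothing, the delete runs without a pod name; if it returns more than one line, every match is deleted by a user holding `cluster-admin`. Suggest quoting the variable and having the reader display its value before the delete step. Smaller points in the same file: the prerequisite "The KUBECONFIG environment variable is set" duplicates step 1, which sets it; the sentence after the last code block ("The listing of the running pods shows ...") needs a `+` continuation to stay inside step 4; the example output is still a commented TODO; the introduction does not say when this restart is needed; and the file has no newline at end of file.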