diff --git a/_topic_maps/_topic_map_ms.yml b/_topic_maps/_topic_map_ms.yml index cc085bbf26b1..74c3bd80e908 100644 --- a/_topic_maps/_topic_map_ms.yml +++ b/_topic_maps/_topic_map_ms.yml @@ -104,8 +104,10 @@ Name: Networking Dir: microshift_networking Distros: microshift Topics: -- Name: Understanding networking +- Name: Applying networking settings File: microshift-networking +- Name: Using a firewall + File: microshift-firewall --- Name: Storage Dir: microshift_storage diff --git a/microshift_install/microshift-embed-in-rpm-ostree.adoc b/microshift_install/microshift-embed-in-rpm-ostree.adoc index 425adfe23229..14f102692098 100644 --- a/microshift_install/microshift-embed-in-rpm-ostree.adoc +++ b/microshift_install/microshift-embed-in-rpm-ostree.adoc 
@@ -50,12 +50,12 @@ include::modules/microshift-provisioning-ostree.adoc[leveloffset=+1] [role="_additional-resources_microshift-embed-in-rpm-ostree"] .Additional resources -. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/composing_installing_and_managing_rhel_for_edge_images/index[{op-system-ostree} documentation]. -. xref:../microshift_install/microshift-install-rpm.adoc#system-requirements-installing-microshift[System requirements for installing {product-title}]. -. Red Hat Hybrid Cloud Console link:https://console.redhat.com/openshift/install/pull-secret[pull secret]. -. xref:../microshift_networking/microshift-networking.adoc#microshift-firewall-req-settings_microshift-networking[Required firewall settings]. -. link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/creating-kickstart-files_installing-rhel-as-an-experienced-user[Creating a Kickstart file]. -. link:https://access.redhat.com/solutions/60959[How to embed a Kickstart file into an ISO image]. +* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/composing_installing_and_managing_rhel_for_edge_images/index[{op-system-ostree} documentation]. +* xref:../microshift_install/microshift-install-rpm.adoc#system-requirements-installing-microshift[System requirements for installing {product-title}]. +* Red Hat Hybrid Cloud Console link:https://console.redhat.com/openshift/install/pull-secret[pull secret]. +* xref:../microshift_networking/microshift-firewall.adoc#microshift-firewall-req-settings_microshift-networking[Required firewall settings]. +* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/performing_an_advanced_rhel_8_installation/creating-kickstart-files_installing-rhel-as-an-experienced-user[Creating a Kickstart file]. +* link:https://access.redhat.com/solutions/60959[How to embed a Kickstart file into an ISO image]. 
include::modules/microshift-accessing.adoc[leveloffset=+1] include::modules/microshift-accessing-cluster-locally.adoc[leveloffset=+2] diff --git a/microshift_networking/ingress-operator-microshift.adoc b/microshift_networking/ingress-operator-microshift.adoc deleted file mode 100644 index 0108033866de..000000000000 --- a/microshift_networking/ingress-operator-microshift.adoc +++ /dev/null 
@@ -1,87 +0,0 @@
-:_content-type: ASSEMBLY
-[id="configuring-ingress-microshift"]
-= Ingress Operator in {product-title}
-include::_attributes/attributes-microshift.adoc[]
-:context: configuring-ingress
-
-toc::[]
-include::modules/nw-ne-openshift-ingress.adoc[leveloffset=+1]
-include::modules/nw-installation-ingress-config-asset.adoc[leveloffset=+1]
-include::modules/nw-ingress-controller-configuration-parameters.adoc[leveloffset=+1]
-
-[id="configuring-ingress-controller-tls"]
-=== Ingress Controller TLS security profiles
-
-TLS security profiles provide a way for servers to regulate which ciphers a connecting client can use when connecting to the server.
-
-// Understanding TLS security profiles
-include::modules/tls-profiles-understanding.adoc[leveloffset=+3]
-
-// Configuring the TLS profile for the Ingress Controller
-include::modules/tls-profiles-ingress-configuring.adoc[leveloffset=+3]
-
-include::modules/nw-mutual-tls-auth.adoc[leveloffset=+3]
-
-include::modules/nw-ingress-view.adoc[leveloffset=+1]
-
-include::modules/nw-ingress-operator-status.adoc[leveloffset=+1]
-
-include::modules/nw-ingress-operator-logs.adoc[leveloffset=+1]
-
-include::modules/nw-ingress-controller-status.adoc[leveloffset=+1]
-
-[id="configuring-ingress-controller"]
-== Configuring the Ingress Controller
-
-include::modules/nw-ingress-setting-a-custom-default-certificate.adoc[leveloffset=+2]
-
-include::modules/nw-ingress-custom-default-certificate-remove.adoc[leveloffset=+2]
-
-include::modules/nw-autoscaling-ingress-controller.adoc[leveloffset=+2]
-
-include::modules/nw-scaling-ingress-controller.adoc[leveloffset=+2]
-
-include::modules/nw-configure-ingress-access-logging.adoc[leveloffset=+2]
-
-include::modules/nw-ingress-setting-thread-count.adoc[leveloffset=+2]
-
-include::modules/nw-ingress-sharding.adoc[leveloffset=+2]
-
-include::modules/nw-ingress-sharding-route-labels.adoc[leveloffset=+3]
-
-include::modules/nw-ingress-sharding-namespace-labels.adoc[leveloffset=+3]
-
-include::modules/nw-ingress-setting-internal-lb.adoc[leveloffset=+2]
-
-include::modules/nw-ingress-controller-configuration-gcp-global-access.adoc[leveloffset=+2]
-
-include::modules/nw-ingress-controller-config-tuningoptions-healthcheckinterval.adoc[leveloffset=+2]
-
-include::modules/nw-ingress-default-internal.adoc[leveloffset=+2]
-
-include::modules/nw-route-admission-policy.adoc[leveloffset=+2]
-
-include::modules/using-wildcard-routes.adoc[leveloffset=+2]
-
-include::modules/nw-using-ingress-forwarded.adoc[leveloffset=+2]
-
-include::modules/nw-http2-haproxy.adoc[leveloffset=+2]
-
-include::modules/nw-ingress-controller-configuration-proxy-protocol.adoc[leveloffset=+2]
-
-include::modules/nw-ingress-configuring-application-domain.adoc[leveloffset=+2]
-
-include::modules/nw-ingress-converting-http-header-case.adoc[leveloffset=+2]
-
-include::modules/nw-configuring-router-compression.adoc[leveloffset=+2]
-
-include::modules/nw-customize-ingress-error-pages.adoc[leveloffset=+2]
-//include::modules/nw-ingress-select-route.adoc[leveloffset=+2]
-
-include::modules/nw-ingress-setting-max-connections.adoc[leveloffset=+2]
-
-//[role="_additional-resources"]
-//== Additional resources
-
-//* xref:../networking/configuring-a-custom-pki.adoc#configuring-a-custom-pki[Configuring a custom PKI]
-
diff --git a/microshift_networking/microshift-firewall.adoc b/microshift_networking/microshift-firewall.adoc
new file mode 100644
index 000000000000..85565eb79dba
--- /dev/null
+++ b/microshift_networking/microshift-firewall.adoc
@@ -0,0 +1,23 @@
+:_content-type: ASSEMBLY
+[id="microshift-using-a-firewall"]
+= Using a firewall
+include::_attributes/attributes-microshift.adoc[]
+:context: microshift-firewall
+
+toc::[]
+
+Firewalls are not required in {product-title}, but using a firewall can prevent undesired access to the {product-title} API.
+
+include::modules/microshift-firewall-config.adoc[leveloffset=+1]
+include::modules/microshift-firewalld-install.adoc[leveloffset=+1]
+include::modules/microshift-firewall-req-settings.adoc[leveloffset=+1]
+include::modules/microshift-firewall-opt-settings.adoc[leveloffset=+1]
+include::modules/microshift-firewall-allow-traffic.adoc[leveloffset=+1]
+include::modules/microshift-firewall-apply-settings.adoc[leveloffset=+1]
+include::modules/microshift-firewall-verify-settings.adoc[leveloffset=+1]
+include::modules/microshift-firewall-known-issue.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_microshift-using-a-firewall"]
+.Additional resources
+* xref:../microshift_troubleshooting/microshift-troubleshooting.adoc#microshift-ki-cni-iptables-deleted[Troubleshooting iptables deleted].
diff --git a/microshift_networking/microshift-networking.adoc b/microshift_networking/microshift-networking.adoc
index 67bdc3afc7a2..b472022c26fc 100644
--- a/microshift_networking/microshift-networking.adoc
+++ b/microshift_networking/microshift-networking.adoc
@@ -1,6 +1,6 @@
 :_content-type: ASSEMBLY
-[id="microshift-understanding-networking"]
-= Understanding networking
+[id="microshift-applying-networking-settings"]
+= Understanding networking settings
 include::_attributes/attributes-microshift.adoc[]
 :context: microshift-networking
@@ -18,21 +18,17 @@ By default, Kubernetes allocates each pod an internal IP address for application include::modules/microshift-cni.adoc[leveloffset=+1] include::modules/microshift-configuring-ovn.adoc[leveloffset=+1] +include::modules/microshift-restart-ovnkube-master.adoc[leveloffset=+1] //include::modules/microshift-man-config-ovs-bridge.adoc[leveloffset=+1] include::modules/microshift-http-proxy.adoc[leveloffset=+1] include::modules/microshift-cri-o-container-runtime.adoc[leveloffset=+1] include::modules/microshift-ovs-snapshot.adoc[leveloffset=+1] include::modules/microshift-mDNS.adoc[leveloffset=+1] -include::modules/microshift-firewall-config.adoc[leveloffset=+1] -include::modules/microshift-firewalld-install.adoc[leveloffset=+1] -include::modules/microshift-firewall-req-settings.adoc[leveloffset=+1] -include::modules/microshift-firewall-opt-settings.adoc[leveloffset=+1] -include::modules/microshift-firewall-allow-traffic.adoc[leveloffset=+1] -include::modules/microshift-firewall-apply-settings.adoc[leveloffset=+1] -include::modules/microshift-firewall-verify-settings.adoc[leveloffset=+1] -include::modules/microshift-firewall-known-issue.adoc[leveloffset=+1] - [role="_additional-resources"] +[id="additional-resources_microshift-applying-networking-settings"] .Additional resources -* xref:../microshift_troubleshooting/microshift-troubleshooting.adoc#microshift-version[Troubleshooting]. + +. xref:../microshift_troubleshooting/microshift-troubleshooting.adoc#microshift-version[Troubleshooting] +. xref:../microshift_troubleshooting/microshift-troubleshooting.adoc#microshift-troubleshooting-nodeport[Troubleshooting the NodePort service]. +. xref:../microshift_troubleshooting/microshift-troubleshooting.adoc#microshift-nodeport-unreachable-workaround[NodePort unreachable workround]. diff --git a/modules/microshift-configuring-ovn.adoc b/modules/microshift-configuring-ovn.adoc index d57a6ec72488..8d0f901712fc 100644 --- a/modules/microshift-configuring-ovn.adoc 
+++ b/modules/microshift-configuring-ovn.adoc @@ -2,9 +2,9 @@ // // * microshift_networking/microshift-networking.adoc -:_content-type: PROCEDURE +:_content-type: CONCEPT [id="microshift-config-OVN-K_{context}"] -= Configuring OVN-Kubernetes += OVN-Kubernetes configuration options An OVN-Kubernetes config file can be written to `/etc/microshift/ovn.yaml`. {product-title} will use default OVN-Kubernetes configuration values if an OVN-Kubernetes config file is not customized. @@ -20,7 +20,7 @@ mtu: 1400 <1> Default value is an empty string, which means "not-specified." The CNI network plugin auto-detects to interface with the default route. <2> Default value is an empty string, which means disabled. -To customize your configuration, use the following table to find valid values that you can use in your `ovn.yaml` config file. +To customize your configuration, use the following table to find valid values that you can use in your `ovn.yaml` config file: .Supported optional OVN-Kubernetes configurations for {product-title}. @@ -36,7 +36,7 @@ To customize your configuration, use the following table to find valid values th |bool |false |Skip configuring OVS bridge `br-ex` in `microshift-ovs-init.service` -|true <1> +|true ^1^ |`ovsInit.gatewayInterface` |Alpha @@ -56,8 +56,7 @@ To customize your configuration, use the following table to find valid values th |MTU value used for the pods |1300 |=== - -<1> The OVS bridge is required. When `disableOVSInit` is true, OVS bridge `br-ex` must be configured manually. +^1^ The OVS bridge is required. When `disableOVSInit` is true, OVS bridge `br-ex` must be configured manually. .Example `ovn.yaml` config file: 
@@ -71,4 +70,11 @@ mtu: 1300 ---- [IMPORTANT] +==== When `disableOVSInit` is set to true in the `ovn.yaml` config file, the OVS bridge br-ex must be manually configured. +==== + +[IMPORTANT] +==== +If you change the `mtu` configuration value in the `ovn.yaml` file, you must restart the host that {product-title} is running on for the updated setting to apply. +==== diff --git a/modules/microshift-cri-o-container-runtime.adoc b/modules/microshift-cri-o-container-runtime.adoc index c81ef5fcf05b..257b17ea98f1 100644 --- a/modules/microshift-cri-o-container-runtime.adoc +++ b/modules/microshift-cri-o-container-runtime.adoc @@ -4,11 +4,12 @@ :_content-type: PROCEDURE [id="microshift-CRI-O-container-engine_{context}"] -= CRI-O container runtime += Using a proxy in the CRI-O container runtime To use an HTTP(S) proxy in `CRI-O`, you need to set the `HTTP_PROXY` and `HTTPS_PROXY` environment variables. You can also set the `NO_PROXY` variable to exclude a list of hosts from being proxied. .Procedure + . Add the following settings to the `/etc/systemd/system/crio.service.d/00-proxy.conf` file: + [source, config] diff --git a/modules/microshift-firewall-allow-traffic.adoc b/modules/microshift-firewall-allow-traffic.adoc index b1a2a4f8c54e..f1e6c2f95607 100644 --- a/modules/microshift-firewall-allow-traffic.adoc +++ b/modules/microshift-firewall-allow-traffic.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * microshift_networking/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: PROCEDURE [id="microshift-firewall-network-traffic_{context}"] 
@@ -9,6 +9,7 @@ You can allow network traffic through the firewall by first configuring the IP address range with either default or custom values, and then allow internal traffic from pods through the network gateway by inserting the DNS server. .Procedure + Set the default values or a custom IP address range. After setting the IP address range, allow internal traffic from the pods through the network gateway. . To set the IP address range: diff --git a/modules/microshift-firewall-apply-settings.adoc b/modules/microshift-firewall-apply-settings.adoc index 1e361371dc0d..627d34f3ad53 100644 --- a/modules/microshift-firewall-apply-settings.adoc +++ b/modules/microshift-firewall-apply-settings.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * microshift_networking/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: PROCEDURE [id="microshift-firewall-applying-settings_{context}"] diff --git a/modules/microshift-firewall-config.adoc b/modules/microshift-firewall-config.adoc index e8c64aacfcaf..e994144f4360 100644 --- a/modules/microshift-firewall-config.adoc +++ b/modules/microshift-firewall-config.adoc @@ -1,12 +1,12 @@ // Module included in the following assemblies: // -// * microshift_networking/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: CONCEPT [id="microshift-firewall-config_{context}"] -= Using a firewall += About network traffic through the firewall -Firewalls are not required in {product-title}, but using a firewall can prevent undesired access to the {product-title} API. When using a firewall, you must explicitly allow the following OVN-Kubernetes traffic when the `firewalld` service is running: +When using a firewall, you must explicitly allow the following OVN-Kubernetes traffic when the `firewalld` service is running: CNI pod to CNI pod:: CNI pod to Host-Network pod 
diff --git a/modules/microshift-firewall-opt-settings.adoc b/modules/microshift-firewall-opt-settings.adoc index 61da90a5a7aa..cbb6dee775b0 100644 --- a/modules/microshift-firewall-opt-settings.adoc +++ b/modules/microshift-firewall-opt-settings.adoc @@ -1,17 +1,16 @@ // Module included in the following assemblies: // -// * microshift_networking/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: PROCEDURE - [id="microshift-firewall-optional-settings_{context}"] -= Optional port settings += Using optional port settings The {product-title} firewall service allows optional port settings. .Procedure -. To add customized ports to your firewall configuration, use the following command syntax: +* To add customized ports to your firewall configuration, use the following command syntax: + [source,terminal] ---- diff --git a/modules/microshift-firewall-req-settings.adoc b/modules/microshift-firewall-req-settings.adoc index 04b3c33f77b3..37418ac36275 100644 --- a/modules/microshift-firewall-req-settings.adoc +++ b/modules/microshift-firewall-req-settings.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * microshift_networking/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: CONCEPT [id="microshift-firewall-req-settings_{context}"] diff --git a/modules/microshift-firewall-verify-settings.adoc b/modules/microshift-firewall-verify-settings.adoc index 815358d3b368..4bda23d144d0 100644 --- a/modules/microshift-firewall-verify-settings.adoc +++ b/modules/microshift-firewall-verify-settings.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * microshift_networking/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: PROCEDURE [id="microshift-firewall-verifying-settings_{context}"] 
diff --git a/modules/microshift-firewalld-install.adoc b/modules/microshift-firewalld-install.adoc index 843bcc270f8e..0e0d89c3a18d 100644 --- a/modules/microshift-firewalld-install.adoc +++ b/modules/microshift-firewalld-install.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * microshift_configuring/microshift-networking.adoc +// * microshift_networking/microshift-firewall.adoc :_content-type: PROCEDURE [id="microshift-firewall-install_{context}"] diff --git a/modules/microshift-install-rpm-preparing.adoc b/modules/microshift-install-rpm-preparing.adoc index 5646dad250f4..40bf4820118b 100644 --- a/modules/microshift-install-rpm-preparing.adoc +++ b/modules/microshift-install-rpm-preparing.adoc @@ -2,6 +2,7 @@ // // microshift/microshift-install-rpm.adoc +:_content-type: PROCEDURE [id="preparing-install-microshift-from-rpm-package_{context}"] = Preparing to install {product-title} from an RPM package diff --git a/modules/microshift-install-system-requirements.adoc b/modules/microshift-install-system-requirements.adoc index 96765e7567af..b26b4c3633f6 100644 --- a/modules/microshift-install-system-requirements.adoc +++ b/modules/microshift-install-system-requirements.adoc @@ -2,6 +2,7 @@ // // microshift/microshift-install-rpm.adoc +:_content-type: REFERENCE [id="system-requirements-installing-microshift"] = System requirements for installing {product-title} diff --git a/modules/microshift-ki-cni-iptables-deleted.adoc b/modules/microshift-ki-cni-iptables-deleted.adoc index 282846bb28ca..ecfc36f7c0c9 100644 --- a/modules/microshift-ki-cni-iptables-deleted.adoc +++ b/modules/microshift-ki-cni-iptables-deleted.adoc @@ -1,6 +1,7 @@ // Module included in the following assemblies: // // * microshift_troubleshooting/microshift-known-issues.adoc + :_content-type: PROCEDURE [id="microshift-ki-cni-iptables-deleted_{context}"] = Reloading the firewall deletes iptable rules 
@@ -22,7 +23,7 @@ To troubleshoot this issue, delete the ovnkube-master pod to restart the ovnkube Run the commands listed in each step that follows to restore the iptable rules. -. Stop the ovn-master application: +. Find the name of the ovnkube-master pod that you want to restart by running the following command: + [source, terminal] ---- diff --git a/modules/microshift-ovs-snapshot.adoc b/modules/microshift-ovs-snapshot.adoc index 03f3dff50c99..e89775f08094 100644 --- a/modules/microshift-ovs-snapshot.adoc +++ b/modules/microshift-ovs-snapshot.adoc @@ -6,8 +6,11 @@ [id="microshift-OVS-snapshot_{context}"] = Getting a snapshot of OVS interfaces from a running cluster +A snapshot represents the state and data of OVS interfaces at a specific point in time. + .Procedure -To see a snapshot of OVS interfaces from a running {product-title} cluster, use the following command: + +* To see a snapshot of OVS interfaces from a running {product-title} cluster, use the following command: [source, terminal] ---- diff --git a/modules/microshift-restart-ovnkube-master.adoc b/modules/microshift-restart-ovnkube-master.adoc new file mode 100644 index 000000000000..63c3b05de1a1 --- /dev/null +++ b/modules/microshift-restart-ovnkube-master.adoc 
@@ -0,0 +1,51 @@
+// Module included in the following assemblies:
+//
+// * microshift_networking/microshift-networking.adoc
+
+:_content-type: PROCEDURE
+[id="microshift-restart-ovnkube-master_{context}"]
+= Restarting the ovnkube-master pod
+
+The following procedure restarts the `ovnkube-master` pod.
+
+.Prerequisites
+
+* The OpenShift CLI (`oc`) is installed.
+* Access to the cluster as a user with the `cluster-admin` role.
+* A cluster installed on infrastructure configured with the OVN-Kubernetes network plugin.
+* The KUBECONFIG environment variable is set.
+
+.Procedure
+
+Use the following steps to restart the `ovnkube-master` pod.
+
+. Access the remote cluster by running the following command:
++
+[source, terminal]
+----
+$ export KUBECONFIG=$PWD/kubeconfig
+----
+
+. Find the name of the `ovnkube-master` pod that you want to restart by running the following command:
++
+[source, terminal]
+----
+$ pod=$(oc get pods -n openshift-ovn-kubernetes | awk -F " " '/ovnkube-master/{print $1}')
+----
+
+. Delete the `ovnkube-master` pod by running the following command:
++
+[source, terminal]
+----
+$ oc -n openshift-ovn-kubernetes delete pod $pod
+----
+
+. Confirm that a new `ovnkube-master` pod is running by using the following command:
++
+[source, terminal]
+----
+$ oc get pods -n openshift-ovn-kubernetes
+----
+The listing of the running pods shows a new `ovnkube-master` pod name and age.
+
+//.Example output needs to be added here
\ No newline at end of file