- Clean VM with Centos7
- Installed k8s + contrail with contrail-ansible-deployer
- Sample instances.yaml file presented below. Tokens @localip and @routerip must be changed before running contrail-ansible-deployer, passwords should be adjusted.
provider_config:
bms:
ssh_user: centos
ssh_private_key: /home/centos/id_rsa
domainsuffix: novalocal
instances:
kolla-aio:
provider: bms
ip: @localip
roles:
config_database:
config:
control:
webui:
vrouter:
k8s_master:
kubemanager:
k8s_node:
global_configuration:
CONTAINER_REGISTRY: opencontrailnightly
K8S_VERSION: 1.9.2
contrail_configuration:
CONTRAIL_VERSION: master-latest
CLOUD_ORCHESTRATOR: kubernetes
VROUTER_GATEWAY: @routerip
PHYSICAL_INTERFACE: eth0
JVM_EXTRA_OPTS: "-Xms1g -Xmx2g"
CONFIG_NODEMGR__DEFAULTS__minimum_diskGB: 2
DATABASE_NODEMGR__DEFAULTS__minimum_diskGB: 2
KUBERNETES_PUBLIC_FIP_POOL:
domain: default-domain
name: __fip_pool_public__
network: __public__
project: k8s-default
deployment:
orchestrator: kubernetes-
On remote (target) machine clone Contrail repository into $HOME/go/src/github.com/Juniper
mkdir -p $HOME/go/src/github.com/Juniper cd !$ git clone https://github.com/Juniper/contrail
-
Run a deployment script
cd contrail ./tools/deploy-for_k8s.sh
Run two pods in different terminals (default namespace can be used):
kubectl run -i --tty busybox-one --image=busybox -- shkubectl run -i --tty busybox-two --image=busybox -- shYou can check their IP addresses by typing
ip aAnd then you can try to make them ping each other.
Run the script located in ./tools/demo/intra-vn-ping/run.sh on target machine. Last command located in script launches new pod in that terminal.
Next run second pod in another terminal
kubectl run -i --tty busybox-one --image=busybox --namespace blue -- shNow you can check their IP addresses by typing
ip aAnd then you can try to make them ping each other.
Run the script located in ./tools/demo/logical-router-ping/run.sh on target machine. Last command located in script launches new pod in that terminal.
Next run second pod in another terminal
sudo kubectl run -i --tty busybox-one --image=busybox --namespace blue -- shNow you can check their IP addresses and then ping the same way as described in "Intra VN ping"
-
Prepare 3 terminals on a machine with Contrail deployed: one for running the scenario script, and two for running Kubernetes pods.
-
Go to the
tools/demo/security-groupssubdirectory of the Contrail repository and runsetup.shas root. It will create a Kubernetes namespace and a virtual network. For example:# In the Contrail repository cd ./tools/demo/security-groups/ sudo ./setup.sh
-
Go to the same directory in the other two terminals and create two pods using
pod.shas root. Use different names for the pods. For example:cd ./tools/demo/security-groups/ sudo ./pod.sh pod1 # Do the same in the other terminal, using e.g. ./pod.sh pod2
The script will print the full name of the pods, such as "pod1-75f684d9f9-mndt4". You will need one of them in the next step.
-
Run the scenario script
run.sh. It requires the name of the pod. For example:# In the security groups demo directory ./run.sh pod1-75f684d9f9-mndt4 -
The script will allow/disallow traffic from/to the chosen pod. Attach the pods in the other two terminals. Use
ip ato obtain their IP addresses. You can use ping andecho.shwith netcat to check if ICMP/TCP is blocked. For example, in one of the pods:./echo.sh
and in the other:
# Assuming the IP of the first pod is 10.32.0.1. # Should reply if and only if ICMP traffic is allowed: ping 10.32.0.1 # Should print "echo" if and only if TCP traffic is allowed: nc 10.32.0.1 8080
Follow steps described in ./tools/demo/floating-ip-ping/scenario.md