Prior to updating SLS, at a minimum, answers to the following questions must be known:
Will user traffic (non-administrative) come in via the CAN or CHN, or is the site air-gapped?
By default when upgrading to CSM 1.2, non-administrative user traffic is migrated from the CAN to the CHN while minimizing changes. If instead it is desired that the non-administrative user traffic continue to come in via the CAN, or if the site is air-gapped, then this must be explicitly specified during the SLS update.
What is the internal VLAN and the site-routable IP subnet for the new CAN or CHN?
Is there a need to preserve any existing IP addresses during the CAN-to-CMN migration?
One example is the external-dns
IP address used for DNS lookups of system resources from site DNS servers. Changes to
external-dns
often require changes to site resources with requisite process and timeframes from other groups. For
preserving external-dns
IP addresses, the flag is --preserve-existing-subnet-for-cmn external-dns
.
WARNING: It is up to the administrator to compare pre-upgraded and post-upgraded SLS files for sanity. Specifically, in the
case of preserving external-dns
values, the administrator must ensure there are no site-networking changes that might result in NCN IP addresses
overlapping during the upgrade process. This requires network subnetting expertise and “expert mode” (described below).
If the external-dns
IP address is changed, then the customizations.yaml
site_to_system_lookups
value must be updated to the new IP address. For instructions on how to do this, see
Update customizations.yaml
.
A mutually exclusive example is the need to preserve all NCN IP addresses related to the old CAN while migrating
the new CMN. This preservation is not often needed as the transition of NCN IP addresses for the CAN-to-CMN is automatically
handled during the upgrade. The flag to preserve CAN-to-CMN NCN IP addresses is mutually exclusive with other preservations
and the flag is --preserve-existing-subnet-for-cmn ncns
.
If no preservation flag is set, then the default behavior is to recalculate every IP address on the existing CAN while migrating to the CMN. The behavior in this case is to calculate the subnet sizes based on number of devices (with a bit of spare room), while maximizing IP address pool sizes for dynamic services.
Get a token.
ncn# export TOKEN=$(curl -s -k -S -d grant_type=client_credentials -d client_id=admin-client \
-d client_secret=`kubectl get secrets admin-client-auth -o jsonpath='{.data.client-secret}' | base64 -d` \
https://api-gw-service-nmn.local/keycloak/realms/shasta/protocol/openid-connect/token | jq -r '.access_token')
Extract SLS data to a file.
ncn# curl -k -H "Authorization: Bearer ${TOKEN}" https://api-gw-service-nmn.local/apis/sls/v1/dumpstate | jq -S . > sls_input_file.json
Upgrade SLS data.
Example 1: Upgrade, using the CHN as the system default route (will by default output to migrated_sls_file.json
).
ncn# /usr/share/doc/csm/upgrade/1.2/scripts/sls/sls_updater_csm_1.2.py --sls-input-file sls_input_file.json \
--bican-user-network-name CHN \
--customer-highspeed-network 5 10.103.11.192/26
Example 2: Upgrade, using the CAN as the system default route, keep the generated CHN (for testing), and preserve the existing external-dns entry.
ncn# /usr/share/doc/csm/upgrade/1.2/scripts/sls/sls_updater_csm_1.2.py --sls-input-file sls_input_file.json \
--bican-user-network-name CAN \
--customer-highspeed-network 5 10.103.11.192/26 \
--preserve-existing-subnet-for-cmn external-dns \
--retain-unused-user-network
NOTE: A detailed review of the migrated/upgraded data is strongly recommended. Particularly, ensure that subnet reservations are correct to prevent any data loss.
Upload migrated SLS file to SLS service.
ncn# curl -H "Authorization: Bearer ${TOKEN}" -k -L -X POST 'https://api-gw-service-nmn.local/apis/sls/v1/loadstate' -F 'sls_dump=@migrated_sls_file.json'
For help and all options, run the following:
ncn# /usr/share/doc/csm/upgrade/1.2/scripts/sls/sls_updater_csm_1.2.py --help
This migration is performed offline for data security. The running SLS file is first dumped, then the migration script is run and a new, migrated output file is created.
leaf
to leaf-bmc
, and agg
to leaf
.api-gateway
entries from HMLB subnets for CSM 1.2 security.kubeapi-vip
reservations for all networks except NMN.uai_macvlan
in NMN DHCP ranges and uai_macvlan
VLAN.--retain-unused-user-network
to keep).Switch names change in CSM 1.2 and must be applied in the following order:
leaf
switches become leaf-bmc
switches.agg
switches become leaf
switches.This needs to be done in the order listed above.
api-gateway
/ istio-ingress-gateway
reservations from HMNLB subnetsFor CSM 1.2, the API gateway will no longer listen on the HMNLB MetalLB address pool. These aliases provided DNS records and are being removed.
Some systems installed Shasta 1.4 and prior contained a bug in CSI which created reservations with incorrect IP addresses.
New for CSM 1.2, the BICAN network ExtraProperties
value of SystemDefaultRoute
is used
to point to the CAN, CHN, or CMN, and is used by utilities to systematically toggle routes.
Using the existing CAN as a template, create the CMN. The same IP addresses will be preserved for
NCNs (bootstrap_dhcp
). A new network_hardware
subnet will be created where the end of the previous
bootstrap_dhcp
subnet existed to contain switching hardware. MetalLB pools in the bootstrap_dhcp
subnet will be shifted around to remain at the end of the new bootstrap subnet.
With the original CAN as a template, the new CHN network will be created. IP addresses will come from the
--customer-highspeed-network <vlan> <ipaddress>
(or its defaults). This is be created by default, but
can be removed (if not needed or desired) by using the --retain-unused-user-network
flag.
Since the original/existing CAN has been converted to the new CMN, the CAN must have new IP addresses.
These are provided using the --customer-access-network <vlan> <ipaddress>
(or its defaults). This CAN
conversion will happen by default, but the new CAN may be removed (if not needed or desired) by using the
--retain-unused-user-network
flag.
MetalLB and switches now obtain BGP peers using SLS data.
--bgp-asn INTEGER RANGE The autonomous system number for BGP router
[default: 65533;64512<=x<=65534]
--bgp-cmn-asn INTEGER RANGE The autonomous system number for CMN BGP
clients [default: 65534;64512<=x<=65534]
--bgp-nmn-asn INTEGER RANGE The autonomous system number for NMN BGP
clients [default: 65533;64512<=x<=65534]
In CMN and NMN:
"Type": "ethernet",
"ExtraProperties": {
"CIDR": "10.102.3.0/25",
"MTU": 9000,
"MyASN": 65536,
"PeerASN": 65533,
"Subnets":
kubeapi-vip
reservations for all networks except NMNSelf explanatory. This endpoint now exists only on the NMN.
uai_macvlan
in NMN ranges and uai_macvlan
VLANSelf explanatory. Ranges are used for the addresses of UAIs.
By default the CAN will be removed if --bican-user-network-name CHN
is specified, or the CHN will be removed if
--bican-user-network-name CAN
is specified. In order to prevent this, use the --retain-unused-user-network
flag.
Retention of the unused network is not normal behavior.
For technical details on the SLS update automation, see SLS Updater Technical Details.
Go back to Stage 0.2 - Update SLS.