This manual is a guide for configuring and upgrading the REM nodes as virtual machines on OpenStack, VMware vSphere, or VMware vCloud.
- Notices
- Changelogs
- Introduction
- Setting up CDS
- VM types
- Installation and upgrades
- Verify the state of the nodes and processes
- VM configuration
- Declarative configuration
- rvtconfig
- Scheduled tasks
- Writing an SDF
- Bootstrap parameters
- Bootstrap and configuration
- Login and authentication configuration
- REM certificates
- Users overview
- Cassandra security configuration
- Services and components
- Configuration YANG schema
- Example configuration YAML files
- Connecting to MetaView Server
- VM recovery
- Troubleshooting node installation
- Glossary
Notices
Copyright © 2014-2022 Metaswitch Networks. All rights reserved
This manual is issued on a controlled basis to a specific person on the understanding that no part of the Metaswitch Networks product code or documentation (including this manual) will be copied or distributed without prior agreement in writing from Metaswitch Networks.
Metaswitch Networks reserves the right to, without notice, modify or revise all or part of this document and/or change product features or specifications and shall not be responsible for any loss, cost, or damage, including consequential damage, caused by reliance on these materials.
Metaswitch and the Metaswitch logo are trademarks of Metaswitch Networks. Other brands and products referenced herein are the trademarks or registered trademarks of their respective holders.
Changelogs
4.1-7-1.0.0
Fixes
-
Update Cassandra 4.1 gc.log configuration options to reduce logging printed information and to allow analysis by censum tool. (#1161334)
-
Updated rvconfig set-desired-running-state command so it lowercases instance names for MDM instance IDs (as SIMPL/MDM do) (#994044)
-
Initconf sets directory and file permissions to the primary user (instead of root) when extracting custom data from yaml configuration files. (#510353)
4.1-5-1.0.0
New functionality
-
Add new charging option 'cap-ro' to support mixed CAMEL and Diameter Ro deployment. (#701809)
-
Add support for configuring multiple destination realms for Diameter Ro. (#701814)
Fixes
-
Updated example configuration for conference-mrf-uri to force TCP (#737570)
-
Corrected the SNMP alarm that was previously monitoring totalFree memory, it now checks for availReal memory instead. (#853447)
-
Modified the validation scripts to avoid checking rhino liveness & alerts when IPSMGW is disabled. (#737963)
-
Allow upload config if there is no live node for a given VM type (#511300)
-
Cassandra 4 container upgraded to 4.1.3 (#987347)
-
Updated system package versions of
libwebp
,bind
,bpftool
,kernel
,open-vm-tools
,perf
, andpython
to address security vulnerabilities. (#1023775)
4.1-3-1.0.0
New functionality
-
The minimum supported version of SIMPL is now 6.13.3. (#290889)
-
TSN upgrades are supported when all other non-TSN nodes are already upgraded to 4.1.3-1.0.0 or higher.
-
TSN VM supports 2 Cassandra releases - 3.11.13 and 4.1.1; the default is 4.1.1 for new deployments, 3.11.13 can be selected by setting the
custom-options
parameter tocassandra_version_3_11
during a VM deployment. Newrvtconfig cassandra-upgrade
allows one-way switch from 3.11.13 to 4.1.1 without outage. -
New
rvtconfig backup-cds
andrvtconfig restore-cds
commands allow backup and restore of CDS data. -
New
rvtconfig set-desired-running-state
command to set the desired state of non-TSN initconf processes.
Fixes
-
Fixed a race condition during quiesce that could result in a VM being turned off before it had completed writing data to CDS. (#733646)
-
Improved the output when rvtconfig gather-diags is given hostname or site ID parameters that do not exist in the SDF, or when the SDF does not specify any VNFCs. (#515668)
-
Fixed an issue where rvtconfig would display an exception stack trace if given an invalid secrets ID. (#515672)
-
rvtconfig gather-diags now reports the correct location of the downloaded diagnostics. (#515671)
-
The version arguments to rvtconfig are now optional, defaulting to the version from the SDF if it matches that of rvtconfig. (#380063)
-
There is now reduced verbosity in the output of the
upload-config
command and logs are now written to a log file. (#334928) -
Fixed service alarms so they will correctly clear after a reboot. (#672674)
-
Fixed rvtconfig gather-diags to be able to take ssh-keys that are outside the rvtcofig container. (#734624)
-
Fixed the
rvtconfig validate
command to only try to validate the optional files if they are all present. (#735591) -
The CDS event check now compares the target versions of the most recent and new events before the new event is deemed to be already in the CDS. (#724431)
-
Extend OutputTreeDiagNode data that the non-TSN initconf reports to MDM based on the DesiredRunningState set from
rvtconfig
. (#290889) -
Updated system package versions of
nss
,openssl
,sudo
,krb5
,zlib
,kpartx
,bind
,bpftool
,kernel
andperf
to address security vulnerabilities. (#748702)
4.1-1-1.0.0
-
The minimum supported version of SIMPL is now 6.11.2. (#443131)
-
Added a
csar validate
test that runs the same liveness checks asrvtconfig report-group-status
. (#397932) -
Added MDM status to
csar validate
tests andreport-group-status
. (#397933) -
Added the same healthchecks done in
csar validate
as part of the healthchecks forcsar update
. (#406261) -
Added a healthcheck script that runs before upgrade to ensure config has been uploaded for the uplevel version. (#399673)
-
Added a healthcheck script that runs before upgrade and enforces the use of
rvtconfig enter-maintenance-window
. (#399670) -
rvtconfig upload-config
and related commands now ignore specific files that may be in the input directory unnecessarily. (#386665) -
An error message is now output when incorrectly formatted override yaml files are inputted rather than a lengthy stack trace. (#381281)
-
Added a service to the VMs to allow SIMPL VM to query their version information. (#230585)
-
CSARs are now named with a
-v6
suffix for compatibility with version 6.11 of SIMPL VM. (#396587) -
Fixed an issue where the new
rvtconfig calculate-maintenance-window
command raised aKeyError
. (#364387) -
Fixed an issue where
rvtconfig
could not delete a node type if no config had been uploaded. (#379137) -
Improved logging when calls to MDM fail. (#397974)
-
Update initconf zip hashes to hash file contents and names. (#399675)
-
Fixed an issue where
rvtconfig maintenance-window-status
would report that a maintenance window is active when the end time had already passed. (#399670) -
Config check is now done once per node rather than unnecessarily repeated when multiple nodes are updated. (#334928)
-
Fixed an issue where
csar validate
,update
orheal
could fail if the target VM’s disk was full. (#468274) -
The
--vm-version-source
argument now takes the optionsdf-version
that uses the version in the SDF for a given node. There is now a check that the inputted version matches the SDF version and an optional argument--skip-version-check
that skips this check. (#380063) -
rvtconfig
now checks for, and reports, unsupported configuration changes. (#404791) -
Fixed Rhino not restarting automatically if it exited unexpectedly. (#397976)
-
Updated system package versions of
bind
,bpftool
,device-mapper-multipath
,expat
,krb5-devel
,libkadm5
andpython-ply
to address security vulnerabilities. (#406275, #441719)
4.1-0-1.0.0
First release in the 4.1 series.
Major new functionality
-
Added support for VM Recovery. Depending on different situations, this allows you to recover from malfunctioning VM nodes without affecting other nodes in the same VM group.
-
Added a low-privilege user, named
viewer
. This user has read-only access to diagnostics on the VMs and no superuser capabilities. (OPT-4831)
Backwards-incompatible changes
-
Access to VMs is now restricted to SSH keys only (no password authentication permitted). (OPT-4341)
-
The minimum supported version of SIMPL is now 6.10.1. (OPT-4677, OPT-4740, OPT-4722, OPT-4726, #207131) This includes different handling of secrets, see Secrets in the SDF for more details.
-
Made the
system-notification-enabled
,rhino-notification-enabled
, andsgc-notification-enabled
configuration options mandatory. Ensure these are specified insnmp-config.yaml
. (#270272)
Other new functionality
-
Added a list of expected open ports to the documentation. (OPT-3724)
-
Added
enter-maintenance-window
andleave-maintenance-window
commands torvtconfig
to control scheduled tasks. (OPT-4805) -
Added a command
liveness-check
to all VMs for a quick health overview. (OPT-4785) -
Added a command
rvtconfig report-group-status
for a quick health overview of an entire group. (OPT-4790) -
Split
rvtconfig delete-node-type
intorvtconfig delete-node-type-version
andrvtconfig delete-node-type-all-versions
commands to support different use cases. (OPT-4685) -
Added
rvtconfig delete-node-type-retain-version
command to search for and delete configuration and state related to versions other than a specified VM version. (OPT-4685) -
Added
rvtconfig calculate-maintenance-window
to calculate the suggested duration for an upgrade maintenance window. (#240973) -
Added
rvtconfig gather-diags
to retrieve all diags from a deployment. This has been optimised to gather diags in parallel safely based on the node types alongside disk usage safety checks. (#399682, #454095, #454094) -
Added support for Cassandra username/password authentication. (OPT-4846)
-
system-config.yaml
androuting-config.yaml
are now fully optional, rather than requiring the user to provide an empty file if they didn’t want to provide any configuration. (OPT-3614) -
Added tool
mdm_certificate_updater.py
to allow the update of MDM certificates on a VM. (OPT-4599) -
The VMs' infrastructure software now runs on Python 3.9. (OPT-4013, OPT-4210)
-
All RPMs and Python dependencies updated to the newest available versions.
-
Updated the linkerd version to 1.7.5. (#360288)
Fixes
-
Fixed issue with default gateway configuration.
-
initconf
is now significantly faster. (OPT-3144, OPT-3969) -
Added some additional clarifying text to the disk usage alarms. (OPT-4046)
-
Ensured tasks which only perform configuration actions on the leader do not complete too early. (OPT-3657)
-
Tightened the set of open ports used for SNMP, linkerd and the Prometheus stats reporter. (OPT-4061, OPT-4058)
-
Disabled NTP server function on the VMs (i.e. other devices cannot use the VM as a time source). (OPT-4061)
-
The
report-initconf
command now returns a meaningful exit code. (DEV-474) -
Alarms sent from initconf will have the source value of
RVT monitor
. (OPT-4521) -
Removed unnecessary logging about not needing to clear an alarm that hadn’t been previously raised. (OPT-4752)
-
Authorized site-wide SSH authorized public keys specified in the SDF on all VMs within the site. (OPT-4729)
-
Reduced coupling to specific SIMPL VM version, to improve forwards compatibility with SIMPL. (OPT-4699)
-
Moved
initconf.log
,mdm-quiesce-notifier.log
andbootstrap.log
to/var/log/tas
, with symlinks from old file paths to new file paths for backwards compatibility. (OPT-4904) -
Added the
rvt-gather_diags
script to all node types. -
Increased bootstrap timeout from 5 to 15 minutes to allow time (10 minutes) to establish connectivity to NTP servers. (OPT-4917)
-
Increase logging from tasks which run continuously, such as Postgres and SSH key management. (OPT-2773)
-
Avoid a tight loop when the CDS server is unavailable, which caused a high volume of logging. (OPT-4925)
-
SNMPv3 authentication key and privacy key are now stored encrypted in CDS. (OPT-3822)
-
Added a 3-minute timeout to the quiesce task runner to prevent quiescing from hanging indefinitely if one of the tasks hangs (OPT-5053)
-
The
report-initconf
command now reports quiesce failure separately to quiesce timeout. (#235188) -
Added a list of SSH authorized keys for the low-privilege user to the
product options
section of the SDF. (#259004) -
Store the public SSH host keys for VMs in a group in CDS instead of using
ssh-keyscan
to discover them. (#262397) -
Add mechanism to CDS state to support forward-compatible extensions. (#230677)
-
Logs stored in CDS during quiesce will be removed after 28 days. (#314937)
-
The VMs are now named "Metaswitch Virtual Appliance". (OPT-3686)
-
Updated system package versions of
bpftool
,kernel
,perf
,python
andxz
to address security vulnerabilities. -
Fixed an issue where VMs would send DNS queries for the
localhost
hostname. (#206220) -
Fixed issue that meant
rvtconfig upload-config
would fail when running in an environment where the input device is not a TTY. When this case is detectedupload-config
will default to non-interactive confirmation-y
. This preserves 4.0.0-26-1.0.0 (and earlier versions) in environments where an appropriate input device is not available. (#258542) -
Fixed an issue where scheduled tasks could incorrectly trigger on a reconfiguration of their schedules. (#167317)
-
Added
rvtconfig compare-config
command and madervtconfig upload-config
check config differences and request confirmation before upload. There is a new-f
flag that can be used withupload-config
to bypass the configuration comparison.-y
flag can now be used withupload-config
to provide non-interactive confirmation in the case that the comparison shows differences. (OPT-4517)
-
Added the rvt-gather_diags script to all node types. (#94043)
-
Increased bootstrap timeout from 5 to 15 minutes to allow time (10 minutes) to establish connectivity to NTP servers. (OPT-4917)
-
Make
rvtconfig validate
not fail if fields are present in the SDF it does not recognize. (OPT-4699) -
Added 3 new traffic schemes: "all signaling together except SIP", "all signaling together except HTTP", and "all traffic types separated". (#60997)
-
Fixed an issue where updated routing rules with the same target were not correctly applied. (#169195)
-
Scheduled tasks can now be configured to run more than once per day, week or month; and at different frequencies on different nodes. (OPT-4373)
-
Updated subnet validation to be done per-site rather than across the entire SDF deployment. (OPT-4412)
-
Fixed an issue where unwanted notification categories can be sent to SNMP targets. (OPT-4543)
-
Hardened linkerd by closing the prometheus stats port and changing the proxy port to listen on localhost only. (OPT-4840)
-
Added an optional node types field in the routing rules YAML configuration. This ensures the routing rule is only attempted to apply to VMs that are of the specified node types. (OPT-4079)
-
initconf
will not exit on invalid configuration. VM will be allowed to quiesce or upload new configuration. (OPT-4389) -
rvtconfig
now only uploads a single group’s configuration to that group’s entry in CDS. This means that initconf no longer fails if some other node type has invalid configuration. (OPT-4392) -
Fixed a race condition that could result in the quiescence tasks failing to run. (OPT-4468)
-
The
rvtconfig upload-config
command now displays leader seed information as part of the printed config version summary. (OPT-3962) -
Added
rvtconfig print-leader-seed
command to display the current leader seed for a deployment and group. (OPT-3962) -
Enum types stored in CDS cross-level refactored to string types to enable backwards compatibility. (OPT-4072)
-
Updated system package versions of
bind
,dhclient
,dhcp
,bpftool
,libX11
,linux-firmware
,kernel
,nspr
,nss
,openjdk
andperf
to address security vulnerabilities. (OPT-4332) -
Made
ip-address.ip
field optional during validation for non-RVT VNFCs. RVT and Custom VNFCs will still require the field. (OPT-4532) -
Fix SSH daemon configuration to reduce system log sizes due to error messages. (OPT-4538)
-
Allowed the primary user’s password to be configured in the product options in the SDF. (OPT-4448)
-
Updated system package version of
glib2
to address security vulnerabilities. (OPT-4198) -
Updated NTP services to ensure the system time is set correctly on system boot. (OPT-4204)
-
Include deletion of leader-node state in rvtconfig delete-node-type, resolving an issue where the first node deployed after running that command wouldn’t deploy until the leader was re-deployed. (OPT-4213)
-
Rolled back SIMPL support to 6.6.3. (OPT-43176)
-
Disk and service monitor notification targets that use SNMPv3 are now configured correctly if both SNMPv2c and SNMPv3 are enabled. (OPT-4054)
-
Fixed issue where initconf would exit (and restart 15 minutes later) if it received a 400 response from the MDM. (OPT-4106)
-
The Sentinel GAA Cassandra keyspace is now created with a replication factor of 3. (OPT-4080)
-
snmptrapd
is now enabled even if no targets are configured for system monitor notifications, in order to log any notifications that would have been sent. (OPT-4102) -
Fixed bug where the SNMPv3 user’s authentication and/or privacy keys could not be changed. (OPT-4102)
-
Making SNMPv3 queries to the VMs now requires encryption. (OPT-4102)
-
Fixed bug where system monitor notification traps would not be sent if SNMPv3 is enabled but v2c is not. Note that these traps are still sent as v2c only, even when v2c is not otherwise in use. (OPT-4102)
-
Removed support for the
signaling
andsignaling2
traffic type names. All traffic types should now be specified using the more granular names, such asss7
. Refer to the pageTraffic types and traffic schemes
in the Install Guide for a list of available traffic types. (OPT-3820) -
Ensured
ntpd
is in slew mode, but always step the time on boot before Cassandra, Rhino and OCSS7 start. (OPT-4131, OPT-4143)
4.0.0-14-1.0.0
-
Changed the
rvtconfig delete-node-type
command to also delete OID mappings as well as all virtual machine events for the specified version from cross-level group state. (OPT-3745) -
Fixed systemd units so that
systemd
does not restart Java applications after asystemctl kill
. (OPT-3938) -
Added additional validation rules for traffic types in the SDF. (OPT-3834)
-
Increased the severity of SNMP alarms raised by the disk monitor. (OPT-3987)
-
Added
--cds-address
and--cds-addresses
aliases for the-c
parameter inrvtconfig
. (OPT-3785)
4.0.0-13-1.0.0
-
Added support for separation of traffic types onto different network interfaces. (OPT-3818)
-
Improved the validation of SDF and YAML configuration files, and the errors reported when validation fails. (OPT-3656)
-
Added logging of the instance ID of the leader while waiting during initconf. (OPT-3558)
-
Do not use YAML anchors/aliases in the example SDFs. (OPT-3606)
-
Fixed a race condition that could cause initconf to hang indefinitely. (OPT-3742)
-
Improved error reporting in
rvtconfig
. -
Updated SIMPL VM dependency to 6.6.1. (OPT-3857)
-
Adjusted linkerd OOM score so it will no longer be terminated by the OOM killer (OPT-3780)
-
Disabled all yum repositories. (OPT-3781)
-
Disabled the TLSv1 and TLSv1.1 algorithms for Java. (OPT-3781)
-
Changed initconf to treat the reload-resource-adaptors flag passed to rvtconfig as an intrinsic part of the configuration, when determining if the configuration has been updated. (OPT-3766)
-
Updated system package versions of
bind
,bpftool
,kernel
,nettle
,perf
andscreen
to address security vulnerabilities. (OPT-3874) -
Added an option to
rvtconfig dump-config
to dump the config to a specified directory. (OPT-3876) -
Fixed the confirmation prompt for
rvtconfig delete-node-type
andrvtconfig delete-deployment
commands when run on the SIMPL VM. (OPT-3707) -
Corrected a regression and a race condition that prevented configuration being reapplied after a leader seed change. (OPT-3862)
4.0.0-9-1.0.0
-
All SDFs are now combined into a single SDF named
sdf-rvt.yaml
. (OPT-2286) -
Added the ability to set certain OS-level (kernel) parameters via YAML configuration. (OPT-3403)
-
Updated to SIMPL 6.5.0. (OPT-3358, OPT-3545)
-
Make the default gateway optional for the clustering interface. (OPT-3417)
-
initconf
will no longer block startup of a configured VM if MDM is unavailable. (OPT-3206) -
Enforce a single secrets-private-key in the SDF. (OPT-3441)
-
Made the message logged when waiting for config be more detailed about which parameters are being used to determine which config to retrieve. (OPT-3418)
-
Removed image name from example SDFs, as this is derived automatically by SIMPL. (OPT-3485)
-
Make
systemctl status
output for containerised services not print benign errors. (OPT-3407) -
Added a command
delete-node-type
to facilitate re-deploying a node type after a failed deployment. (OPT-3406) -
Updated system package versions of
glibc
,iwl1000-firmware
,net-snmp
andperl
to address security vulnerabilities. (OPT-3620)
4.0.0-8-1.0.0
-
Fix bug (affecting 4.0.0-7-1.0.0 only) where rvtconfig was not reporting the public version string, but rather the internal build version (OPT-3268).
-
Update sudo package for CVE-2021-3156 vulnerability (OPT-3497)
-
Validate the product-options for each node type in the SDF. (OPT-3321)
-
Clustered MDM installations are now supported. Initconf will failover across multiple configured MDMs. (OPT-3181)
4.0.0-7-1.0.0
-
If YAML validation fails, print the filename where an error was found alongside the error. (OPT-3108)
-
Improved support for backwards compatibility with future CDS changes. (OPT-3274)
-
Change the
report-initconf
script to check for convergence since the last time config was received. (OPT-3341) -
Improved exception handling when CDS is not available. (OPT-3288)
-
Change rvtconfig upload-config and rvtconfig initial-configure to read the deployment ID from the SDFs and not a command line argument. (OPT-3111)
-
Publish imageless CSARs for all node types. (OPT-3410)
-
Added message to initconf.log explaining some Cassandra errors are expected. (OPT-3081)
-
Updated system package versions of
bpftool
,dbus
,kernel
,nss
,openssl
andperf
to address security vulnerabilities.
4.0.0-6-1.0.0
-
Updated to SIMPL 6.4.3. (OPT-3254)
-
When using a release version of
rvtconfig
, the correctthis-rvtconfig
version is now used. (OPT-3268) -
All REM setup is now completed before restarting REM, to avoid unnecessary restarts. (OPT-3189)
-
Updated system package versions of
bind-*
,curl
,kernel
,perf
andpython-*
to address security vulnerabilities. (OPT-3208) -
Added support for routing rules on the Signaling2 interface. (OPT-3191)
-
Configured routing rules are now ignored if a VM does not have that interface. (OPT-3191)
-
Added support for absolute paths in
rvtconfig
CSAR container. (OPT-3077) -
The existing Rhino OIDs are now always imported for the current version. (OPT-3158)
-
Changed behaviour of
initconf
to not restart resource adaptors by default, to avoid an unexpected outage. A restart can be requested using the--reload-resource-adaptors
parameter torvtconfig upload-config
. (OPT-2906) -
Changed the SAS resource identifier to match the provided SAS resource bundles. (OPT-3322)
-
Added information about MDM and SIMPL to the documentation. (OPT-3074)
4.0.0-4-1.0.0
-
Added
list-config
anddescribe-config
operations torvtconfig
to list configurations already in CDS and describe the meaning of the specialthis-vm
andthis-rvtconfig
values. (OPT-3064) -
Renamed
rvtconfig initial-configure
torvtconfig upload-config
, with the old command remaining as a synonym. (OPT-3064) -
Fixed
rvtconfig pre-upgrade-init-cds
to create a necessary table for upgrades from 3.1.0. (OPT-3048) -
Fixed crash due to missing Cassandra tables when using
rvtconfig pre-upgrade-init-cds
. (OPT-3094) -
rvtconfig pre-upgrade-init-cds
andrvtconfig push-pre-upgrade-state
now supports absolute paths in arguments. (OPT-3094) -
Reduced timeout for DNS server failover. (OPT-2934)
-
Updated
rhino-node-id
max to 32767. (OPT-3153) -
Diagnostics at the top of
initconf.log
now include system version and CDS group ID. (OPT-3056) -
Random passwords for the Rhino client and server keystores are now generated and stored in CDS. (OPT-2636)
-
Updated to SIMPL 6.4.0. (OPT-3179)
-
Increased the healthcheck and decommision timeouts to 20 minutes and 15 minutes respectively. (OPT-3143)
-
Updated example SDFs to work with MDM 2.28.0, which is now the supported MDM version. (OPT-3028)
-
Added support to
report-initconf
for handling rolled overinitconf-json.log
files. The script can now read historic log files when building a report if necessary. (OPT-1440) -
Fixed potential data loss in Cassandra when doing an upgrade or rollback. (OPT-3004)
Introduction
This manual describes the configuration, recovery and upgrade of Rhino VM Automation VMs.
Introduction to the Rhino VM Automation product
Refer to Rhino VM Automation Overview for more details about the Rhino VM Automation solution.
Installation
Installation is the process of deploying VMs onto your host. The Rhino VM Automation VMs must be installed using the SIMPL VM, which you will need to deploy manually first, using instructions for your platform in the SIMPL VM Documentation.
The SIMPL VM allows you to deploy VMs in an automated way. By writing a Solution Definition File (SDF), you describe to the SIMPL VM the number of VMs in your deployment and their properties such as hostnames and IP addresses. Software on the SIMPL VM then communicates with your VM host to create and power on the VMs.
The SIMPL VM deploys images from packages known as CSARs (Cloud Service Archives), which contain a VM image in the format the host would recognize, such as .ova
for VMware vSphere, as well as ancillary tools and data files.
The VMBC tool creates CSARs suitable for the platform(s) you specify when invoking it.
See the Installation and upgrades page for detailed installation instructions.
Note that all nodes in a deployment must be configured before any of them will start to serve live traffic.
Upgrades
Terminology
The current version of the VMs being upgraded is known as the downlevel version, and the version that the VMs are being upgraded to is known as the uplevel version.
A rolling upgrade is a procedure where each VM is replaced, one at a time, with a new VM running the uplevel version of software. The Rhino VM Automation nodes are designed to allow rolling upgrades with little or no service outage time.
Method
As with installation, upgrades and rollbacks use the SIMPL VM. The user starts the upgrade process by running csar update
on the SIMPL VM. SIMPL VM destroys, in turn, each downlevel node and replaces it with an uplevel node. This is repeated until all nodes have been upgraded.
Configuration for the uplevel nodes is uploaded in advance. As nodes are recreated, they immediately pick up the uplevel configuration and resume service.
If an upgrade goes wrong, rollback to the previous version is also supported.
See the Rolling upgrades and patches page for detailed instructions on how to perform an upgrade.
CSAR EFIX patches
CSAR EFIX patches, also known as VM patches, are based on the SIMPL VM’s csar efix command. The command is used to combine a CSAR EFIX file (a tar file containing some metadata and files to update), and an existing unpacked CSAR on the SIMPL. This creates a new, patched CSAR on the SIMPL VM. It does not patch any VMs in-place, but instead patches the CSAR itself offline on the SIMPL VM. A normal rolling upgrade is then used to migrate to the patched version.
Once a CSAR has been patched, the newly created CSAR is entirely separate, with no linkage between them. Applying patch EFIX_1 to the original CSAR creates a new CSAR with the changes from patch EFIX_1.
In general:
-
Applying patch EFIX_2 to the original CSAR will yield a new CSAR without the changes from EFIX_1.
-
Applying EFIX_2 to the already patched CSAR will yield a new CSAR with the changes from both EFIX_1 and EFIX_2.
VM patches which target SLEE components (e.g. a service or feature change) contain the full deployment state of Rhino, including all SLEE components. As such, if applying multiple patches of this type, only the last such patch will take effect, because the last patch contains all the SLEE components. In other words, a patch to SLEE components should contain all the desired SLEE component changes, relative to the original release of the VM. For example, patch EFIX_1 contains a fix for the HTTP RA SLEE component X and patch EFIX_2 contains an fix for a SLEE Service component Y. When EFIX_2 is generated it will contain the component X and Y fixes for the VM.
However, it is possible to apply a specific patch with a generic CSAR EFIX patch that only contains files to update. For example, patch EFIX_1 contains a specific patch that contains a fix for the HTTP RA SLEE component, and patch EFIX_2 contains an update to the linkerd config file. We can apply patch EFIX_1 to the original CSAR, then patch EFIX_2 to the patched CSAR.
We can also apply EFIX_2 first then EFIX_1.
When a CSAR EFIX patch is applied, a new CSAR is created with the versions of the target CSAR and the CSAR EFIX version. |
Configuration
The configuration model is "declarative". To change the configuration, you upload a complete set of files containing the entire configuration for all nodes, and the VMs will attempt to alter their configuration ("converge") to match. This allows for integration with GitOps (keeping configuration in a source control system), as well as ease of generating configuration via scripts.
Configuration is stored in a database called CDS, which is a set of tables in a Cassandra database. These tables contain version information, so that you can upload configuration in preparation for an upgrade without affecting the live system.
For the Rhino VM Automation, the CDS database must be provided by the customer. See Setting up CDS for a guide on how to create the required tables.
Configuration files are written in YAML format. Using the rvtconfig tool, their contents can be syntax-checked and verified for validity and self-consistency before uploading them to CDS.
See VM configuration for detailed information about writing configuration files and the (re)configuration process.
Recovery
When a VM malfunctions, recover it using commands run from the SIMPL VM.
Two approaches are available:
-
heal, for cases where the failing VM(s) are sufficiently responsive
-
redeploy, for cases where you cannot heal the failing VM(s)
In both cases, the failing VM(s) are destroyed, and then replaced with an equivalent VM.
See VM recovery for detailed information about which procedure to use, and the steps involved.
Setting up CDS
What is CDS?
CDS, or Configuration Data Store, is a Cassandra server that the custom VMs use to distribute configuration, and to coordinate their actions. Before deploying any custom VMs, the operator needs to set up a Cassandra server with the right keyspaces and tables, as described on this page.
Planning for the procedure
Background knowledge
This procedure assumes that:
-
you already have a Cassandra server running. Metaswitch does not provide Cassandra support.
-
you know how to use the
cqlsh
tool.
Reserve maintenance period
This procedure does not require a maintenance period. However, if you are integrating into a live network, we recommend that you implement measures to mitigate any unforeseen events.
Tools and access
You must have:
-
access to a local computer with
cqlsh
installed and access to the Cassandra server -
access to a Cassandra role with permissions to create keyspaces and tables.
Security configuration
If you have configured your custom VMs to use authentication or SSL encryption when connecting to Cassandra via CQL as per Cassandra security configuration, you must also configure your Cassandra servers to support your security configuration.
Authentication
To support custom VMs connecting to CDS using authentication, you must configure your Cassandra servers to use the PasswordAuthenticator
, and must configure a role with your chosen username and password. Refer to the security page of the Cassandra documentation for instructions on how to do this.
SSL
To support custom VMs connecting to CDS using SSL, you must configure your Cassandra servers to support incoming SSL connections and must load a certificate signed by the SSL signing certificate, and a corresponding private key, into the keystore. Refer to the security page of the Cassandra documentation for instructions on how to do this.
Method of procedure
Create keyspace and tables
Use the cqlsh
tool to create the CDS keyspace and tables as follows.
First create the keyspace. If your Cassandra cluster has 1 or 2 nodes, use the following statement.
CREATE KEYSPACE IF NOT EXISTS metaswitch_tas_deployment_info
WITH REPLICATION={'class' : 'SimpleStrategy', 'replication_factor' :
1};
If your Cassandra cluster has 3 or 4 nodes, use the following statement instead.
CREATE KEYSPACE IF NOT EXISTS metaswitch_tas_deployment_info
WITH REPLICATION={'class' : 'SimpleStrategy', 'replication_factor' :
3};
Finally, if your Cassandra cluster has 5 or more nodes, use the following statement instead.
CREATE KEYSPACE IF NOT EXISTS metaswitch_tas_deployment_info
WITH REPLICATION={'class' : 'SimpleStrategy', 'replication_factor' :
5};
Regardless of the number of nodes, create five tables as follows.
CREATE TABLE IF NOT EXISTS
metaswitch_tas_deployment_info.initial_config_namespaced (
deployment_id text, group_id text, namespace text, config blob, config_metadata blob,
PRIMARY KEY (deployment_id, group_id, namespace)
);
CREATE TABLE IF NOT EXISTS
metaswitch_tas_deployment_info.cas_group_state (
deployment_id text, group_id text, namespace text, state blob, seq int,
PRIMARY KEY (deployment_id, group_id, namespace)
);
CREATE TABLE IF NOT EXISTS
metaswitch_tas_deployment_info.cas_instance_state (
deployment_id text, group_id text, namespace text, instance_id text, state blob, seq int,
PRIMARY KEY (deployment_id, group_id, namespace, instance_id)
);
CREATE TABLE IF NOT EXISTS
metaswitch_tas_deployment_info.audit_history (
deployment_id text, group_id text, namespace text, instance_id text, history blob,
PRIMARY KEY (deployment_id, group_id, namespace, instance_id)
);
CREATE TABLE IF NOT EXISTS
metaswitch_tas_deployment_info.log_history (
deployment_id text, group_id text, namespace text, instance_id text, history blob, key_id text,
PRIMARY KEY (deployment_id, group_id, namespace, instance_id)
);
CREATE TABLE IF NOT EXISTS
metaswitch_tas_deployment_info.maintenance_window (
deployment_id text, site_id text, end_timestamp int,
PRIMARY KEY (deployment_id, site_id)
);
Your CDS is now ready for use.
VM types
This page describes the different Rhino VM Automation VM type(s) documented in this manual.
It also describes the ancillary nodes used to deploy and manage those VMs.
A REM node is a VM that runs the Rhino Element Manager (REM) application. REM is a web-based console for monitoring, configuring, and managing a Rhino SLEE. The REM node comes pre-installed with the Sentinel Express and SIS plugins, to simplify management of Sentinel Express and SIS-based applications.
Refer to the Flavors section for information on the REM VM’s sizing: number of vCPUs, RAM, and virtual disk.
Ancillary node types
The SIMPL VM
The SIMPL Virtual Appliance provides orchestration software to create, verify, configure, destroy and upgrade instances of your custom VM and the optional supporting REM and SGC VMs. Following the initial deployment, you will only need the SIMPL VM to perform configuration changes, patching or upgrades - it is not required for normal operation of the deployment.
Metaswitch Deployment Manager (MDM)
The custom application solution uses Metaswitch Deployment Manager (MDM) to co-ordinate installation, upgrades, scale and healing (replacement of failed instances). MDM is a virtual appliance that provides state monitoring, DNS and NTP services to the deployment. It is deployed as a pool of at least three virtual machines.
Upgrade
If you are upgrading from a deployment which already has MDM, ensure all MDM instances are upgraded before starting the upgrade of your custom application solution nodes. Your Customer Care Representative can provide guidance on upgrading MDM.
If you are upgrading from a deployment which does not have MDM, you must deploy MDM before upgrading any of your custom application nodes.
As REM nodes are non-clustered and not part of the call path, it is possible to deploy only one REM node. However, if redundant monitoring is desired, more nodes should be deployed.
Flavors
The REM nodes can be installed using the following flavors. This option has to be selected in the SDF. The selected option determines the values for RAM, hard disk space and virtual CPU count.
New deployments must not use flavors marked as Deploying VMs with sizings outside of the defined flavors is not supported. |
The term The sizes given in this section are the same for all host platforms. |
Spec | Use case | Resources |
---|---|---|
|
Lab and small-size production environments |
|
|
Mid- and large-size production environments |
|
Open Listening Ports
The REM node opens the following listening ports. Please refer to the tables below to configure your firewall rules appropriately.
Static ports
This table describes listening ports that will normally always be open at the specified port number.
Purpose | Port Number | Transport Layer Protocol | Interface | Notes |
---|---|---|---|---|
Local TCP port for receiving audit syslogs from Rhino and logging to dedicated audit files |
514 |
TCP |
global |
rsyslogd listens on both the IPv4 and IPv6 global addresses |
NTP - local administration |
123 |
UDP |
localhost |
ntpd listens on both the IPv4 and IPv6 localhost addresses |
Receive and forward SNMP trap messages |
162 |
UDP |
localhost |
|
SNMP Multiplexing protocol |
199 |
TCP |
localhost |
|
Server port for Tomcat |
8005 |
TCP |
localhost |
|
Allow querying of system-level statistics using SNMP |
161 |
UDP |
management |
|
NTP - time synchronisation with external server(s) |
123 |
UDP |
management |
This port is only open to this node’s registered NTP server(s) |
Port for serving version information to SIMPL VM over HTTP |
3000 |
TCP |
management |
|
Rhino Element Manager (REM) |
8443 |
TCP |
management |
|
SSH connections |
22 |
TCP |
management |
Port ranges
This table describes listening ports which may be open at any port number within a range. Unless otherwise specified, a single port in a range will be open.
These port numbers are often in the ephemeral port range of 32768 to 60999.
Purpose | Minimum Port Number | Maximum Port Number | Transport Layer Protocol | Interface | Notes |
---|---|---|---|---|---|
Outbound SNMP traps |
32768 |
60999 |
udp |
global |
Installation and upgrades
The steps below describe how to upgrade the nodes that make up your deployment. Select the steps that are appropriate for your VM host: OpenStack, VMware vSphere, or VMware vCloud.
The supported versions for the platforms are listed below:
Platform | Supported versions |
---|---|
OpenStack |
Newton to Wallaby |
VMware vSphere |
6.7 and 7.0 |
Live migration of a node to a new VMware vSphere host or a new OpenStack compute node is not supported. To move such a node to a new host, remove it from the old host and add it again to the new host.
Notes on parallel vs sequential upgrade
Some node types support parallel upgrade
, that is, SIMPL upgrades multiple VMs simultaneously. This can save a lot of time when you upgrade large deployments.
SIMPL VM upgrades one quarter of the nodes (rounding down any remaining fraction) simultaneously, up to a maximum of ten nodes. Once all those nodes have been upgraded, SIMPL VM upgrades the next set of nodes. For example, in a deployment of 26 nodes, SIMPL VM upgrades the first six nodes simultaneously, then six more, then six more, then six more and finally the last two.
The following node types support parallel upgrade: REM. All other node types are upgraded one VM at a time.
Preparing for an upgrade
Task | More information |
---|---|
Set up and/or verify your OpenStack, VMware vSphere, or VMware vCloud deployment |
The installation procedures assume that you are upgrading VMs on an existing OpenStack, VMware vSphere, or VMware vCloud host(s). Ensure the host(s) have sufficient vCPU, RAM and disk space capacity for the VMs. Note that for upgrades, you will temporarily need approximately one more VM’s worth of vCPU and RAM, and potentially more than double the disk space, than your existing deployment currently uses. You can later clean up older images to save disk space once you are happy that the upgrade was successful. Perform health checks on your host(s), such as checking for active alarms, to ensure they are in a suitable state to perform VM lifecycle operations. Ensure the VM host credentials that you will use in your SDF are valid and have sufficient permission to create/destroy VMs, power them on and off, change their properties, and access a VM’s terminal via the console. |
Set up your CDS deployment |
The installation procedures assume that CDS has been set up, as instructed in the Setting up CDS section. |
Prepare service configuration |
VM configuration information can be found at VM Configuration. |
Installation
The following table sets out the steps you need to take to install and commission your VM deployment.
Be sure you know the number of VMs you need in your deployment. At present it is not possible to change the size of your deployment after it has been created.
Step | Task | Link |
---|---|---|
Installation (on VMware vSphere) |
Prepare the SDF for the deployment |
|
Deploy SIMPL VM into VMware vSphere |
||
Prepare configuration files for the deployment |
||
Install MDM |
||
Prepare SIMPL VM for deployment |
||
Deploy REM nodes on VMware vSphere |
||
Installation (on OpenStack) |
Prepare the SDF for the deployment |
|
Deploy SIMPL VM into OpenStack |
||
Prepare configuration files for the deployment |
||
Create the OpenStack flavors |
||
Install MDM |
||
Prepare SIMPL VM for deployment |
||
Deploy REM nodes on OpenStack |
||
Installation (on VMware vCloud) |
Prepare the SDF for the deployment |
|
Deploy SIMPL VM into VMware vCloud |
||
Prepare configuration files for the deployment |
||
Install MDM |
||
Prepare SIMPL VM for deployment |
||
Deploy REM nodes on VMware vCloud |
||
Verification |
Run some simple tests to verify that your VMs are working as expected |
Prepare the SDF for the deployment
Planning for the procedure
Background knowledge
This procedure assumes that:
-
you are installing into an existing VMware vSphere deployment which has pre-configured networks and VLANs; this procedure does not cover setting up a VMware vSphere deployment from scratch
-
you know the IP networking information (IP address, subnet mask in CIDR notation, and default gateway) for the nodes.
-
you have read the installation guidelines at Installation and upgrades and have everything you need to carry out the installation.
Reserve maintenance period
This procedure does not require a maintenance period. However, if you are integrating into a live network, we recommend that you implement measures to mitigate any unforeseen events.
Tools and access
This page references an external document: the SIMPL VM Documentation. Ensure you have a copy available before proceeding.
Installation Questions
Question | More information |
---|---|
Do you have the correct CSARs? |
All virtual appliances use the naming convention - |
Do you have a list of the IP addresses that you intend to give to each node of each node type? |
Each node requires an IP address for each interface. You can find a list of the VM’s interfaces on the Traffic types and traffic schemes page. |
Do you have DNS and NTP Server information? |
It is expected that the deployed nodes will integrate with the IMS Core NTP and DNS servers. |
Method of procedure
Step 1 - Extract the CSAR
This can either be done on your local Linux machine or on a SIMPL VM.
Option A - Running on a local machine
If you plan to do all operations from your local Linux machine instead of SIMPL, Docker must be installed to run the rvtconfig tool in a later step. |
To extract the CSAR, run the command: unzip <path to CSAR> -d <new directory to extract CSAR to>
Option B - Running on an existing SIMPL VM
For this step, the SIMPL VM does not need to be running on the VMware vSphere where the deployment takes place. It is sufficient to use a SIMPL VM on a lab system to prepare for a production deployment.
Transfer the CSAR onto the SIMPL VM and run csar unpack <path to CSAR>
, where <path to CSAR>
is the full path to the transferred CSAR.
This will unpack the CSAR to ~/.local/share/csar/
.
Step 2 - Write the SDF
The Solution Definition File (SDF) contains all the information required to set up your cluster. It is therefore crucial to ensure all information in the SDF is correct before beginning the deployment. One SDF should be written per deployment.
It is recommended that the SDF is written before starting the deployment. The SDF must be named sdf-rvt.yaml
.
In addition, you will need to write a secrets file and upload its contents to QSG. For security, the SDF no longer contains plaintext values of secrets (such as the password to access the VM host). Instead, the SDF contains secret IDs
which refer to secrets stored in QSG.
See the various pages in the Writing an SDF section for more detailed information.
Each deployment needs a unique |
Example SDFs are included in every CSAR and can also be found at Example SDFs. We recommend that you start from a template SDF and edit it as desired instead of writing an SDF from scratch.
Deploy SIMPL VM into VMware vSphere
Note that one SIMPL VM can be used to deploy multiple node types. Thus, this step only needs to be performed once for all node types. |
The supported version of the SIMPL VM is |
Planning for the procedure
Background knowledge
This procedure assumes that:
-
you are using a supported VMware vSphere version, as described in the 'VMware requirements' section of the SIMPL VM Documentation
-
you are installing into an existing VMware vSphere deployment which has pre-configured networks and VLANs; this procedure does not cover setting up a VMware vSphere deployment from scratch
-
you know the IP networking information (IP address, subnet mask in CIDR notation, and default gateway) for the SIMPL VM.
Reserve maintenance period
This procedure does not require a maintenance period. However, if you are integrating into a live network, we recommend that you implement measures to mitigate any unforeseen events.
Tools and access
You must have access to a local computer (referred to in this procedure as the local computer) with a network connection and access to the vSphere client.
This page references an external document: the SIMPL VM Documentation. Ensure you have a copy available before proceeding.
Installation Questions
Question | More information |
---|---|
Do you have the correct SIMPL VM OVA? |
All SIMPL VM virtual appliances use the naming convention - |
Do you know the IP address that you intend to give to the SIMPL VM? |
The SIMPL VM requires one IP address, for management traffic. |
Method of procedure
Deploy and configure the SIMPL VM
Follow the SIMPL VM Documentation on how to deploy the SIMPL VM and set up the configuration.
Prepare configuration files for the deployment
To deploy nodes, you need to prepare configuration files that would be uploaded to the VMs.
Method of procedure
Step 1 - Create configuration YAML files
Create configuration YAML files relevant for your node type on the SIMPL VM. Store these files in the same directory as your prepared SDF.
See Example configuration YAML files for example configuration files.
Step 2 - Create secrets file
Generate a template secrets.yaml
file by running csar secrets create-input-file --sdf <path to SDF>
.
Replace the value of any secrets in your SDF with a secret ID. The secret ID and corresponding secret value should be written in secrets.yaml
.
Run the command csar secrets add <path to secrets.yaml template>
to add the secrets to the secret store.
Refer to the Refer to the SIMPL VM documentation for more information.
Install MDM
Before deploying any nodes, you will need to first install Metaswitch Deployment Manager (MDM).
Prerequisites
-
The MDM CSAR
-
A deployed and powered-on SIMPL virtual machine
-
The MDM deployment parameters (hostnames; management and signaling IP addresses)
-
Addresses for NTP, DNS and SNMP servers that the MDM instances will use
The minimum supported version of MDM is |
Method of procedure
Your Customer Care Representative can provide guidance on using the SIMPL VM to deploy MDM. Follow the instructions in the SIMPL VM Documentation.
As part of the installation, you will add MDM to the Solution Definition File (SDF) with the following data:
-
certificates and keys
-
custom topology
Generation of certificates and keys
MDM requires the following certificates and keys. Refer to the MDM documentation for more details.
-
An SSH key pair (for logging into all instances in the deployment, including MDM, which does not allow SSH access using passwords)
-
A CA (certificate authority) certificate (used for the server authentication side of mutual TLS)
-
A "static", also called "client", certificate and private key (used for the client authentication side of mutual TLS)
If the CA used is an in-house CA, keep the CA private key safe so that you can generate a new static certificate and private key from the same CA in the future. Add the other credentials to QSG as described in MDM service group.
Prepare SIMPL VM for deployment
Before deploying the VMs, the following files must be uploaded onto the SIMPL VM.
Upload the CSARs to the SIMPL VM
If not already done, transfer the CSARs onto the SIMPL VM. For each CSAR, run csar unpack <path to CSAR>
, where <path to CSAR>
is the full path to the transferred CSAR.
This will unpack the CSARs to ~/.local/share/csar/
.
Upload the SDF to SIMPL VM
If the CSAR SDF was not created on the SIMPL VM, transfer the previously written CSAR SDF onto the SIMPL VM.
Ensure that each version in the vnfcs section of the SDF matches each node type’s CSAR version. |
Deploy REM nodes on VMware vSphere
Planning for the procedure
Background knowledge
This procedure assumes that:
-
you are installing into an existing VMware vSphere deployment which has pre-configured networks and VLANs; this procedure does not cover setting up a VMware vSphere deployment from scratch
-
you have deployed a SIMPL VM, unpacked the CSAR, and prepared an SDF.
Reserve maintenance period
This procedure does not require a maintenance period. However, if you are integrating into a live network, we recommend that you implement measures to mitigate any unforeseen events.
Tools and access
You must have access to the SIMPL VM, and the SIMPL VM must have the right permissions on the VMware vSphere deployment.
Determine Parameter Values
In the below steps, replace parameters marked with angle brackets (such as <deployment ID>
) with values as follows. (Replace the angle brackets as well, so that they are not included in the final command to be run.)
-
<path to SDF>
: The path to the SDF file on SIMPL VM. For example,/home/admin/current-config/sdf-rvt.yaml
. -
<yaml-config-file-directory>
: The path to the directory file where config is located on SIMPL VM. For example,/home/admin/current-config/
-
<vm version>
: The version of the VM that is deployed. For example,3.2-3-1.0.0
. -
<CDS address>
: The management IP address of the first CDS node. -
<CDS auth args>
(authentication arguments): If your CDS has Cassandra authentication enabled, replace this with the parameters-u <username> -k <secret ID>
to specify the configured Cassandra username and the secret ID of a secret containing the password for that Cassandra user. For example,./rvtconfig -c 1.2.3.4 -u cassandra-user -k cassandra-password-secret-id …
.If your CDS is not using Cassandra authentication, omit these arguments.
-
<deployment ID>
: The deployment ID. You can find this at the top of the SDF. -
<site ID>
: A number for the site in the formDC1
throughDC32
. You can find this at the top of the SDF. -
<any CDS IP>
: The management IP address of any TSN node.
Method of procedure
Refer to the SIMPL VM Documentation for details on the commands mentioned in the procedure. |
Step 1 - Validate REM RVT configuration
Validate the configuration for the REM nodes to ensure that each REM node can properly self-configure.
To validate the configuration after creating the YAML files, run
rvtconfig validate -t rem -i <yaml-config-file-directory>
on the SIMPL VM from the resources
subdirectory of the REM CSAR.
Step 2 - Upload REM RVT configuration
Upload the configuration for the REM nodes to the CDS. This will enable each REM node to self-configure when they are deployed in the next step.
To upload configuration after creating the YAML files and validating them as described above, run
rvtconfig upload-config -c <CDS address> <CDS auth args> -t rem -i <yaml-config-file-directory> (--vm-version-source this-rvtconfig | --vm-version <vm version>)
on the SIMPL VM from the resources
subdirectory of the REM CSAR.
See Example configuration YAML files for example configuration files.
Step 3 - Deploy the OVA
Run csar deploy --vnf rem --sdf <path to SDF>
.
This will validate the SDF, and generate the terraform template. After successful validation, this will upload the image, and deploy the number of REM nodes specified in the SDF.
Only one node type should be deployed at the same time. I.e. when deploying these REM nodes, don’t deploy other node types at the same time in parallel. |
Backout procedure
To delete the deployed VMs, run csar delete --vnf rem --sdf <path to SDF>
.
You must also delete the MDM state for each VM. To do this, you must first SSH into one of the MDM VMs. Get the instance IDs by running: mdmhelper --deployment-id <deployment ID> instance list
. Then for each REM VM, run the following command:
curl -X DELETE -k \
--cert /etc/certs-agent/upload/mdm-cert.crt \
--cacert /etc/certs-agent/upload/mdm-cas.crt \
--key /etc/certs-agent/upload/mdm-key.key \
https://127.0.0.1:4000/api/v1/deployments/<deployment ID>/instances/<instance ID>
Verify that the deletion worked by running mdmhelper --deployment-id <deployment ID> instance list
again. You may now log out of the MDM VM.
You must also delete state for this node type and version from the CDS prior to deploying the VMs again. To delete the state, run rvtconfig delete-node-type-version --cassandra-contact-point <any CDS IP> --deployment-id <deployment ID>
.
--site-id <site ID> --t rem (--ssh-key SSH_KEY | --ssh-key-secret-id SSH_KEY_SECRET_ID)
(--vm-version-source [this-vm | this-rvtconfig] | --vm-version <vm version>)
Prepare the SDF for the deployment
Planning for the procedure
Background knowledge
This procedure assumes that:
-
you are installing into an existing OpenStack deployment
-
you are using an OpenStack version from Newton through to Wallaby inclusive
-
you are thoroughly familiar with working with OpenStack machines and know how to set up tenants, users, roles, client environment scripts, and so on
(For more information, refer to the appropriate OpenStack installation guide for the version that you are using here.)
-
you have read the installation guidelines at Installation and upgrades and have everything you need to carry out the installation.
Reserve maintenance period
This procedure does not require a maintenance period. However, if you are integrating into a live network, we recommend that you implement measures to mitigate any unforeseen events.
Tools and access
This page references an external document: the SIMPL VM Documentation. Ensure you have a copy available before proceeding.
Installation Questions
Question | More information |
---|---|
Do you have the correct CSARs? |
All virtual appliances use the naming convention - |
Do you have a list of the IP addresses that you intend to give to each node of each node type? |
Each node requires an IP address for each interface. You can find a list of the VM’s interfaces on the Traffic types and traffic schemes page. |
Do you have DNS and NTP Server information? |
It is expected that the deployed nodes will integrate with the IMS Core NTP and DNS servers. |
Method of procedure
Step 1 - Extract the CSAR
This can either be done on your local Linux machine or on a SIMPL VM.
Option A - Running on a local machine
If you plan to do all operations from your local Linux machine instead of SIMPL, Docker must be installed to run the rvtconfig tool in a later step. |
To extract the CSAR, run the command: unzip <path to CSAR> -d <new directory to extract CSAR to>
.
Option B - Running on an existing SIMPL VM
For this step, the SIMPL VM does not need to be running on the Openstack deployment where the deployment takes place. It is sufficient to use a SIMPL VM on a lab system to prepare for a production deployment.
Transfer the CSAR onto the SIMPL VM and run csar unpack <path to CSAR>
, where <path to CSAR>
is the full path to the transferred CSAR.
This will unpack the CSAR to ~/.local/share/csar/
.
Step 2 - Write the SDF
The Solution Definition File (SDF) contains all the information required to set up your cluster. It is therefore crucial to ensure all information in the SDF is correct before beginning the deployment. One SDF should be written per deployment.
It is recommended that the SDF is written before starting the deployment. The SDF must be named sdf-rvt.yaml
.
In addition, you will need to write a secrets file and upload its contents to QSG. For security, the SDF no longer contains plaintext values of secrets (such as the password to access the VM host). Instead, the SDF contains secret IDs
which refer to secrets stored in QSG.
See the various pages in the Writing an SDF section for more detailed information.
Each deployment needs a unique |
Example SDFs are included in every CSAR and can also be found at Example SDFs. We recommend that you start from a template SDF and edit it as desired instead of writing an SDF from scratch.
Deploy SIMPL VM into OpenStack
Note that one SIMPL VM can be used to deploy multiple node types. Thus, this step only needs to be performed once for all node types. |
The minimum supported version of the SIMPL VM is |
Planning for the procedure
Background knowledge
This procedure assumes that:
-
you are installing into an existing OpenStack deployment
-
you are using a supported OpenStack version, as described in the 'OpenStack requirements' section of the SIMPL VM Documentation
-
you are thoroughly familiar with working with OpenStack machines and know how to set up tenants, users, roles, client environment scripts, and so on
(For more information, refer to the appropriate OpenStack installation guide for the version that you are using here.)
-
you know the IP networking information (IP address, subnet mask in CIDR notation, and default gateway) for the SIMPL VM.
Reserve maintenance period
This procedure does not require a maintenance period. However, if you are integrating into a live network, we recommend that you implement measures to mitigate any unforeseen events.
Tools and access
You must have:
-
access to a local computer with a network connection and browser access to the OpenStack Dashboard
-
administrative access to the OpenStack host machine
-
the OpenStack privileges required to deploy VMs from an image (see OpenStack documentation for specific details).
This page references an external document: the SIMPL VM Documentation. Ensure you have a copy available before proceeding.
Installation Questions
Question | More information |
---|---|
Do you have the correct SIMPL VM QCOW2? |
All SIMPL VM virtual appliances use the naming convention - |
Do you know the IP address that you intend to give to the SIMPL VM? |
The SIMPL VM requires one IP address, for management traffic. |
Have you created and do you know the names of the networks and security group for the nodes? |
The SIMPL VM requires a management network with an unrestricted security group. |
Method of procedure
Deploy and configure the SIMPL VM
Follow the SIMPL VM Documentation on how to deploy the SIMPL VM and set up the configuration.
Prepare configuration files for the deployment
To deploy nodes, you need to prepare configuration files that would be uploaded to the VMs.
Method of procedure
Step 1 - Create configuration YAML files
Create configuration YAML files relevant for your node type on the SIMPL VM. Store these files in the same directory as your prepared SDF.
See Example configuration YAML files for example configuration files.
Step 2 - Create secrets file
Generate a template secrets.yaml
file by running csar secrets create-input-file --sdf <path to SDF>
.
Replace the value of any secrets in your SDF with a secret ID. The secret ID and corresponding secret value should be written in secrets.yaml
.
Run the command csar secrets add <path to secrets.yaml template>
to add the secrets to the secret store.
Refer to the Refer to the SIMPL VM documentation for more information.
Create the OpenStack flavors
About this task
This task creates the node flavor(s) that you will need when installing your deployment on OpenStack virtual machines.
You must complete this procedure before you begin the installation of the first node on OpenStack, but will not need to carry it out again for subsequent node installations. |
Create your node flavor(s)
Detailed procedure
-
Run the following command to create the OpenStack flavor, replacing
<flavor name>
with a name that will help you identify the flavor in future.nova flavor-create <flavor name> auto <ram_mb> <disk_gb> <vcpu_count>
where:
-
<ram_mb>
is the amount of RAM, in megabytes -
<disk_gb>
is the amount of hard disk space, in gigabytes -
<vpu_count>
is the number of virtual CPUs.Specify the parameters as pure numbers without units.
-
You can find the possible flavors in the Flavors section, and it is recommended to use the same flavor name as described there.
Some node types share flavors. If the same flavor is to be used for multiple node types, only create it once.
-
Make note of the flavor ID value provided in the command output because you will need it when installing your OpenStack deployment.
-
To check that the flavor you have just created has the correct values, run the command:
nova flavor-list
-
If you need to remove an incorrectly-configured flavor (replacing <flavor name> with the name of the flavor), run the command:
nova flavor-delete <flavor name>
Install MDM
Before deploying any nodes, you will need to first install Metaswitch Deployment Manager (MDM).
Prerequisites
-
The MDM CSAR
-
A deployed and powered-on SIMPL virtual machine
-
The MDM deployment parameters (hostnames; management and signaling IP addresses)
-
Addresses for NTP, DNS and SNMP servers that the MDM instances will use
The minimum supported version of MDM is |
Method of procedure
Your Customer Care Representative can provide guidance on using the SIMPL VM to deploy MDM. Follow the instructions in the SIMPL VM Documentation.
As part of the installation, you will add MDM to the Solution Definition File (SDF) with the following data:
-
certificates and keys
-
custom topology
Generation of certificates and keys
MDM requires the following certificates and keys. Refer to the MDM documentation for more details.
-
An SSH key pair (for logging into all instances in the deployment, including MDM, which does not allow SSH access using passwords)
-
A CA (certificate authority) certificate (used for the server authentication side of mutual TLS)
-
A "static", also called "client", certificate and private key (used for the client authentication side of mutual TLS)
If the CA used is an in-house CA, keep the CA private key safe so that you can generate a new static certificate and private key from the same CA in the future. Add the other credentials to QSG as described in MDM service group.
Prepare SIMPL VM for deployment
Before deploying the VMs, the following files must be uploaded onto the SIMPL VM.
Upload the CSARs to the SIMPL VM
If not already done, transfer the CSARs onto the SIMPL VM. For each CSAR, run csar unpack <path to CSAR>
, where <path to CSAR>
is the full path to the transferred CSAR.
This will unpack the CSARs to ~/.local/share/csar/
.
Upload the SDF to SIMPL VM
If the CSAR SDF was not created on the SIMPL VM, transfer the previously written CSAR SDF onto the SIMPL VM.
Ensure that each version in the vnfcs section of the SDF matches each node type’s CSAR version. |
Deploy REM nodes on OpenStack
Planning for the procedure
Background knowledge
This procedure assumes that:
-
you are installing into an existing OpenStack deployment
-
The OpenStack deployment must be set up with support for Heat templates.
-
-
you are using an OpenStack version from Newton through to Wallaby inclusive
-
you are thoroughly familiar with working with OpenStack machines and know how to set up tenants, users, roles, client environment scripts, and so on.
(For more information, refer to the appropriate OpenStack installation guide for the version that you are using here.)
-
you have deployed a SIMPL VM, unpacked the CSAR, and prepared an SDF.
Reserve maintenance period
This procedure does not require a maintenance period. However, if you are integrating into a live network, we recommend that you implement measures to mitigate any unforeseen events.
Tools and access
You must have access to the SIMPL VM, and the SIMPL VM must have the right permissions on the OpenStack deployment.
Determine Parameter Values
In the below steps, replace parameters marked with angle brackets (such as <deployment ID>
) with values as follows. (Replace the angle brackets as well, so that they are not included in the final command to be run.)
-
<path to SDF>
: The path to the SDF file on SIMPL VM. For example,/home/admin/current-config/sdf-rvt.yaml
. -
<yaml-config-file-directory>
: The path to the directory file where config is located on SIMPL VM. For example,/home/admin/current-config/
-
<vm version>
: The version of the VM that is deployed. For example,3.2-3-1.0.0
. -
<CDS address>
: The management IP address of the first CDS node. -
<CDS auth args>
(authentication arguments): If your CDS has Cassandra authentication enabled, replace this with the parameters-u <username> -k <secret ID>
to specify the configured Cassandra username and the secret ID of a secret containing the password for that Cassandra user. For example,./rvtconfig -c 1.2.3.4 -u cassandra-user -k cassandra-password-secret-id …
.If your CDS is not using Cassandra authentication, omit these arguments.
-
<deployment ID>
: The deployment ID. You can find this at the top of the SDF. -
<site ID>
: A number for the site in the formDC1
throughDC32
. You can find this at the top of the SDF. -
<any CDS IP>
: The management IP address of any TSN node.
Method of procedure
Refer to the SIMPL VM Documentation for details on the commands mentioned in the procedure. |
Step 1 - Check OpenStack quotas
The SIMPL VM creates one server group per VM, and one security group per interface on each VM. OpenStack sets limits on the number of server groups and security groups through quotas.
View the quota by running openstack quota show <project id>
on OpenStack Controller node. This shows the maximum number of various resources.
You can view the existing server groups by running openstack server group list
. Similarly, you can find the security groups by running openstack security group list
If the quota is too small to accommodate the new VMs that will be deployed, increase it by running
openstack quota set --<quota field to increase> <new quota value> <project ID>
. For example:
openstack quota set --server-groups 100 125610b8bf424e61ad2aa5be27ad73bb
Step 2 - Validate REM RVT configuration
Validate the configuration for the REM nodes to ensure that each REM node can properly self-configure.
To validate the configuration after creating the YAML files, run
rvtconfig validate -t rem -i <yaml-config-file-directory>
on the SIMPL VM from the resources
subdirectory of the REM CSAR.
Step 3 - Upload REM RVT configuration
Upload the configuration for the REM nodes to the CDS. This will enable each REM node to self-configure when they are deployed in the next step.
To upload configuration after creating the YAML files and validating them as described above, run
rvtconfig upload-config -c <CDS address> <CDS auth args> -t rem -i <yaml-config-file-directory> (--vm-version-source this-rvtconfig | --vm-version <vm version>)
on the SIMPL VM from the resources
subdirectory of the REM CSAR.
See Example configuration YAML files for example configuration files.
Step 4 - Deploy the OVA
Run csar deploy --vnf rem --sdf <path to SDF>
.
This will validate the SDF, and generate the heat template. After successful validation, this will upload the image, and deploy the number of REM nodes specified in the SDF.
Only one node type should be deployed at the same time. I.e. when deploying these REM nodes, don’t deploy other node types at the same time in parallel. |
Backout procedure
To delete the deployed VMs, run csar delete --vnf rem --sdf <path to SDF>
.
You must also delete the MDM state for each VM. To do this, you must first SSH into one of the MDM VMs. Get the instance IDs by running: mdmhelper --deployment-id <deployment ID> instance list
. Then for each REM VM, run the following command:
curl -X DELETE -k \
--cert /etc/certs-agent/upload/mdm-cert.crt \
--cacert /etc/certs-agent/upload/mdm-cas.crt \
--key /etc/certs-agent/upload/mdm-key.key \
https://127.0.0.1:4000/api/v1/deployments/<deployment ID>/instances/<instance ID>
Verify that the deletion worked by running mdmhelper --deployment-id <deployment ID> instance list
again. You may now log out of the MDM VM.
You must also delete state for this node type and version from the CDS prior to deploying the VMs again. To delete the state, run rvtconfig delete-node-type-version --cassandra-contact-point <any CDS IP> --deployment-id <deployment ID>
.
--site-id <site ID> --t rem (--ssh-key SSH_KEY | --ssh-key-secret-id SSH_KEY_SECRET_ID)
(--vm-version-source [this-vm | this-rvtconfig] | --vm-version <vm version>)
Prepare the SDF for the deployment
Planning for the procedure
Background knowledge
This procedure assumes that:
-
you are installing into an existing VMware vCloud deployment which has pre-configured networks and VLANs; this procedure does not cover setting up a VMware vCloud deployment from scratch
-
you know the IP networking information (IP address, subnet mask in CIDR notation, and default gateway) for the nodes.
-
you have read the installation guidelines at Installation and upgrades and have everything you need to carry out the installation.
Reserve maintenance period
This procedure does not require a maintenance period. However, if you are integrating into a live network, we recommend that you implement measures to mitigate any unforeseen events.
Tools and access
This page references an external document: the SIMPL VM Documentation. Ensure you have a copy available before proceeding.
Installation Questions
Question | More information |
---|---|
Do you have the correct CSARs? |
All virtual appliances use the naming convention - |
Do you have a list of the IP addresses that you intend to give to each node of each node type? |
Each node requires an IP address for each interface. You can find a list of the VM’s interfaces on the Traffic types and traffic schemes page. |
Do you have DNS and NTP Server information? |
It is expected that the deployed nodes will integrate with the IMS Core NTP and DNS servers. |
Method of procedure
Step 1 - Extract the CSAR
This can either be done on your local Linux machine or on a SIMPL VM.
Option A - Running on a local machine
If you plan to do all operations from your local Linux machine instead of SIMPL, Docker must be installed to run the rvtconfig tool in a later step. |
To extract the CSAR, run the command: unzip <path-to-csar> -d <new-directory-to-extract-csar-to>
Option B - Running on an existing SIMPL VM
For this step, the SIMPL VM does not need to be running on the VMware vcloud where the deployment takes place. It is sufficient to use a SIMPL VM on a lab system to prepare for a production deployment.
Transfer the CSAR onto the SIMPL VM and run csar unpack <path to CSAR>
, where <path to CSAR>
is the full path to the transferred CSAR.
This will unpack the CSAR to ~/.local/share/csar/
.
Step 2 - Write the SDF
The Solution Definition File (SDF) contains all the information required to set up your cluster. It is therefore crucial to ensure all information in the SDF is correct before beginning the deployment. One SDF should be written per deployment.
It is recommended that the SDF is written before starting the deployment. The SDF must be named sdf-rvt.yaml
.
In addition, you will need to write a secrets file and upload its contents to QSG. For security, the SDF no longer contains plaintext values of secrets (such as the password to access the VM host). Instead, the SDF contains secret IDs
which refer to secrets stored in QSG.
See the various pages in the Writing an SDF section for more detailed information.
Each deployment needs a unique |
Example SDFs are included in every CSAR and can also be found at Example SDFs. We recommend that you start from a template SDF and edit it as desired instead of writing an SDF from scratch.
Deploy SIMPL VM into VMware vCloud
Note that one SIMPL VM can be used to deploy multiple node types. Thus, this step only needs to be performed once for all node types. |
The supported version of the SIMPL VM is |
Planning for the procedure
Background knowledge
This procedure assumes that:
-
you are using a supported VMware vCloud version, as described in the 'VMware requirements' section of the SIMPL VM Documentation
-
you are installing into an existing VMware vCloud deployment which has pre-configured networks and VLANs; this procedure does not cover setting up a VMware vCloud deployment from scratch
-
you know the IP networking information (IP address, subnet mask in CIDR notation, and default gateway) for the SIMPL VM.
Reserve maintenance period
This procedure does not require a maintenance period. However, if you are integrating into a live network, we recommend that you implement measures to mitigate any unforeseen events.
Tools and access
You must have access to a local computer (referred to in this procedure as the local computer) with a network connection and access to the vCloud client.
This page references an external document: the SIMPL VM Documentation. Ensure you have a copy available before proceeding.
Installation Questions
Question | More information |
---|---|
Do you have the correct SIMPL VM OVA? |
All SIMPL VM virtual appliances use the naming convention - |
Do you know the IP address that you intend to give to the SIMPL VM? |
The SIMPL VM requires one IP address, for management traffic. |
Method of procedure
Deploy and configure the SIMPL VM
Follow the SIMPL VM Documentation on how to deploy the SIMPL VM and set up the configuration.
Prepare configuration files for the deployment
To deploy nodes, you need to prepare configuration files that would be uploaded to the VMs.
Method of procedure
Step 1 - Create configuration YAML files
Create configuration YAML files relevant for your node type on the SIMPL VM. Store these files in the same directory as your prepared SDF.
See Example configuration YAML files for example configuration files.
Step 2 - Create secrets file
Generate a template secrets.yaml
file by running csar secrets create-input-file --sdf <path to SDF>
.
Replace the value of any secrets in your SDF with a secret ID. The secret ID and corresponding secret value should be written in secrets.yaml
.
Run the command csar secrets add <path to secrets.yaml template>
to add the secrets to the secret store.
Refer to the Refer to the SIMPL VM documentation for more information.
Install MDM
Before deploying any nodes, you will need to first install Metaswitch Deployment Manager (MDM).
Prerequisites
-
The MDM CSAR
-
A deployed and powered-on SIMPL virtual machine
-
The MDM deployment parameters (hostnames; management and signaling IP addresses)
-
Addresses for NTP, DNS and SNMP servers that the MDM instances will use
The minimum supported version of MDM is |
Method of procedure
Your Customer Care Representative can provide guidance on using the SIMPL VM to deploy MDM. Follow the instructions in the SIMPL VM Documentation.
As part of the installation, you will add MDM to the Solution Definition File (SDF) with the following data:
-
certificates and keys
-
custom topology
Generation of certificates and keys
MDM requires the following certificates and keys. Refer to the MDM documentation for more details.
-
An SSH key pair (for logging into all instances in the deployment, including MDM, which does not allow SSH access using passwords)
-
A CA (certificate authority) certificate (used for the server authentication side of mutual TLS)
-
A "static", also called "client", certificate and private key (used for the client authentication side of mutual TLS)
If the CA used is an in-house CA, keep the CA private key safe so that you can generate a new static certificate and private key from the same CA in the future. Add the other credentials to QSG as described in MDM service group.
Prepare SIMPL VM for deployment
Before deploying the VMs, the following files must be uploaded onto the SIMPL VM.
Upload the CSARs to the SIMPL VM
If not already done, transfer the CSARs onto the SIMPL VM. For each CSAR, run csar unpack <path to CSAR>
, where <path to CSAR>
is the full path to the transferred CSAR.
This will unpack the CSARs to ~/.local/share/csar/
.
Upload the SDF to SIMPL VM
If the CSAR SDF was not created on the SIMPL VM, transfer the previously written CSAR SDF onto the SIMPL VM.
Ensure that each version in the vnfcs section of the SDF matches each node type’s CSAR version. |
Deploy REM nodes on VMware vCloud
Planning for the procedure
Background knowledge
This procedure assumes that:
-
you are installing into an existing VMware vCloud deployment which has pre-configured networks and VLANs; this procedure does not cover setting up a VMware vCloud deployment from scratch
-
you have deployed a SIMPL VM, unpacked the CSAR, and prepared an SDF.
Reserve maintenance period
This procedure does not require a maintenance period. However, if you are integrating into a live network, we recommend that you implement measures to mitigate any unforeseen events.
Tools and access
You must have access to the SIMPL VM, and the SIMPL VM must have the right permissions on the VMware vCloud deployment.
Determine Parameter Values
In the below steps, replace parameters marked with angle brackets (such as <deployment ID>
) with values as follows. (Replace the angle brackets as well, so that they are not included in the final command to be run.)
-
<path to SDF>
: The path to the SDF file on SIMPL VM. For example,/home/admin/current-config/sdf-rvt.yaml
. -
<yaml-config-file-directory>
: The path to the directory file where config is located on SIMPL VM. For example,/home/admin/current-config/
-
<vm version>
: The version of the VM that is deployed. For example,3.2-3-1.0.0
. -
<CDS address>
: The management IP address of the first CDS node. -
<CDS auth args>
(authentication arguments): If your CDS has Cassandra authentication enabled, replace this with the parameters-u <username> -k <secret ID>
to specify the configured Cassandra username and the secret ID of a secret containing the password for that Cassandra user. For example,./rvtconfig -c 1.2.3.4 -u cassandra-user -k cassandra-password-secret-id …
.If your CDS is not using Cassandra authentication, omit these arguments.
-
<deployment ID>
: The deployment ID. You can find this at the top of the SDF. -
<site ID>
: A number for the site in the formDC1
throughDC32
. You can find this at the top of the SDF. -
<any CDS IP>
: The management IP address of any TSN node.
Method of procedure
Refer to the SIMPL VM Documentation for details on the commands mentioned in the procedure. |
Step 1 - Validate REM RVT configuration
Validate the configuration for the REM nodes to ensure that each REM node can properly self-configure.
To validate the configuration after creating the YAML files, run
rvtconfig validate -t rem -i <yaml-config-file-directory>
on the SIMPL VM from the resources
subdirectory of the REM CSAR.
Step 2 - Upload REM RVT configuration
Upload the configuration for the REM nodes to the CDS. This will enable each REM node to self-configure when they are deployed in the next step.
To upload configuration after creating the YAML files and validating them as described above, run
rvtconfig upload-config -c <CDS address> <CDS auth args> -t rem -i <yaml-config-file-directory> (--vm-version-source this-rvtconfig | --vm-version <vm version>)
on the SIMPL VM from the resources
subdirectory of the REM CSAR.
See Example configuration YAML files for example configuration files.
Step 3 - Deploy the OVA
Run csar deploy --vnf rem --sdf <path to SDF>
.
This will validate the SDF, and generate the terraform template. After successful validation, this will upload the image, and deploy the number of REM nodes specified in the SDF.
Only one node type should be deployed at the same time. I.e. when deploying these REM nodes, don’t deploy other node types at the same time in parallel. |
Backout procedure
To delete the deployed VMs, run csar delete --vnf rem --sdf <path to SDF>
.
You must also delete the MDM state for each VM. To do this, you must first SSH into one of the MDM VMs. Get the instance IDs by running: mdmhelper --deployment-id <deployment ID> instance list
. Then for each REM VM, run the following command:
curl -X DELETE -k \
--cert /etc/certs-agent/upload/mdm-cert.crt \
--cacert /etc/certs-agent/upload/mdm-cas.crt \
--key /etc/certs-agent/upload/mdm-key.key \
https://127.0.0.1:4000/api/v1/deployments/<deployment ID>/instances/<instance ID>
Verify that the deletion worked by running mdmhelper --deployment-id <deployment ID> instance list
again. You may now log out of the MDM VM.
You must also delete state for this node type and version from the CDS prior to deploying the VMs again. To delete the state, run rvtconfig delete-node-type-version --cassandra-contact-point <any CDS IP> --deployment-id <deployment ID>
.
--site-id <site ID> --t rem (--ssh-key SSH_KEY | --ssh-key-secret-id SSH_KEY_SECRET_ID)
(--vm-version-source [this-vm | this-rvtconfig] | --vm-version <vm version>)
Rolling upgrades and patches
This section provides information on performing a rolling upgrade of the VMs.
Each of the links below contains standalone instructions for upgrading a particular node type. The normal procedure is to upgrade only one node type in any given maintenance window, though you can upgrade multiple node types if the maintenance window is long enough.
Most call traffic will function as normal when the nodes are running different versions of the software. However, do not leave a deployment in this state for an extended period of time:
-
Certain call types cannot function when the cluster is running mixed software versions.
-
Part of the upgrade procedure is to disable scheduled tasks for the duration of the upgrade. Without these tasks running, the performance and health of the system will degrade.
Always finish upgrading all nodes of one node type before starting on another node type.
To apply a patch, first use the csar efix
command on the SIMPL VM. This command creates a copy of a specified CSAR but with the patch applied. You then upgrade to the patched CSAR using the procedure for a normal rolling upgrade. Detailed instructions for using csar efix
can be found within the individual upgrade pages below.
Rolling upgrade of REM nodes
The page is self-sufficient, that is, if you save or print this page, you have all the required information and instructions for upgrading REM nodes. However, before starting the procedure, make sure you are familiar with the operation of Rhino VM Automation nodes, this procedure, and the use of the SIMPL VM.
-
There are links in various places below to other parts of this book, which provide more detail about certain aspects of solution setup and configuration.
-
You can find more information about SIMPL VM commands in the SIMPL VM Documentation.
-
You can find more information on
rvtconfig
commands on thervtconfig
page.
Planning for the procedure
This procedure assumes that:
-
You are familiar with UNIX operating system basics, such as the use of
vi
and command-line tools likescp
. -
You have deployed a SIMPL VM, version 6.13.3 or later. Output shown on this page is correct for version 6.13.3 of the SIMPL VM; it may differ slightly on later versions.
Check you are using a supported VNFI version:
Platform | Supported versions |
---|---|
OpenStack |
Newton to Wallaby |
VMware vSphere |
6.7 and 7.0 |
Important notes
Do not use these instructions for target versions whose major version component differs from 3.2. |
Determine parameter values
In the below steps, replace parameters marked with angle brackets (such as <deployment ID>
) with values as follows. (Replace the angle brackets as well, so that they are not included in the final command to be run.)
-
<deployment ID>
: The deployment ID. You can find this at the top of the SDF. On this page, the example deployment IDmydeployment
is used. -
<site ID>
: A number for the site in the formDC1
throughDC32
. You can find this at the top of the SDF. -
<site name>
: The name of the site. You can find this at the top of the SDF. -
<MW duration in hours>
: The duration of the reserved maintenance period in hours. -
<CDS address>
: The management IP address of the first CDS node. -
<SIMPL VM IP address>
: The management IP address of the SIMPL VM. -
<CDS auth args>
(authentication arguments): If your CDS has Cassandra authentication enabled, replace this with the parameters-u <username> -k <secret ID>
to specify the configured Cassandra username and the secret ID of a secret containing the password for that Cassandra user. For example,./rvtconfig -c 1.2.3.4 -u cassandra-user -k cassandra-password-secret-id …
.If your CDS is not using Cassandra authentication, omit these arguments.
-
<service group name>
: The name of the service group (also known as a VNFC - a collection of VMs of the same type), which for Rhino VM Automation nodes will consist of all REM VMs in the site. This can be found in the SDF by identifying the REM VNFC and looking for itsname
field. -
<uplevel version>
: The version of the VMs you are upgrading to. On this page, the example version3.2-3-1.0.0
is used.
Tools and access
You must have the SSH keys required to access the SIMPL VM and the REM VMs that are to be upgraded.
The SIMPL VM must have the right permissions on the VNFI. Refer to the SIMPL VM documentation for more information:
When starting an SSH session to the SIMPL VM, use a keepalive of 30 seconds. This prevents the session from timing out - SIMPL VM automatically closes idle connections after a few minutes. When using OpenSSH (the SSH client on most Linux distributions), this can be controlled with the option |
rvtconfig
is a command-line tool for configuring and managing Rhino VM Automation VMs. All REM CSARs include this tool; once the CSAR is unpacked, you can find rvtconfig
in the resources
directory, for example:
$ cdcsars
$ cd rem/<uplevel version>
$ cd resources
$ ls rvtconfig
rvtconfig
The rest of this page assumes that you are running rvtconfig
from the directory in which it resides, so that it can be invoked as ./rvtconfig
. It assumes you use the uplevel version of rvtconfig
, unless instructed otherwise. If it is explicitly specified you must use the downlevel version, you can find it here:
$ cdcsars
$ cd rem/<downlevel version>
$ cd resources
$ ls rvtconfig
rvtconfig
1. Preparation for upgrade procedure
These steps can be carried out in advance of the upgrade maintenance window. They should take less than 30 minutes to complete.
1.1 Ensure the SIMPL version is at least 6.13.3
Log into the SIMPL VM and run the command simpl-version
. The SIMPL VM version is displayed at the top of the output:
SIMPL VM, version 6.13.3
Ensure this is at least 6.13.3. If not, contact your Customer Care Representative to organise upgrading the SIMPL VM before proceeding with the upgrade of the REM VMs.
Output shown on this page is correct for version 6.13.3 of the SIMPL VM; it may differ slightly on later versions.
1.2 Upload and unpack uplevel CSAR
Your Customer Care Representative will have provided you with the uplevel REM CSAR. Use scp
to copy this to /csar-volume/csar/
on the SIMPL VM.
Once the copy is complete, run csar unpack /csar-volume/csar/<filename>
on the SIMPL VM (replacing <filename>
with the filename of the CSAR, which will end with .zip
).
The csar unpack
command may fail if there is insufficient disk space available. If this occurs, SIMPL VM will report this with instructions to remove some CSARs to free up disk space. You can list all unpacked CSARs with csar list
and remove a CSAR with csar remove <node type>/<version>
.
1.3 Verify the downlevel CSAR is present
On the SIMPL VM, run csar list
.
Ensure that there is a REM CSAR listed there with the current downlevel version.
1.4 Apply patches (if appropriate)
If you are upgrading to an image that doesn’t require patching, or have already applied the patch, skip this step.
To patch a set of VMs, rather than modify the code directly on the VMs, the procedure is instead to patch the CSAR on SIMPL VM and then upgrade to the patched CSAR.
If you have a patch to apply, it will be provided to you in the form of a .tar.gz
file. Use scp
to transfer this file to /csar-volume/csar/
on the SIMPL VM. Apply it to the uplevel CSAR by running csar efix rem/<uplevel version> <patch file>
, for example, csar efix rem/3.2-3-1.0.0/csar-volume/csar/mypatch.tar.gz
. This takes about five minutes to complete.
Check the output of the patching process states that SIMPL VM successfully created a patch. Example output for a patch named mypatch
on version 3.2-3-1.0.0
and a vSphere deployment is:
Applying efix to rem/3.2-3-1.0.0
Patching rem-3.2-3-1.0.0-vsphere-mypatch.ova, this may take several minutes
Updating manifest
Successfully created rem/3.2-3-1.0.0-mypatch
You can verify that a patched CSAR now exists by running csar list
again - you should see a CSAR named rem/<uplevel version>-<patch name>
(for the above example that would be rem/3.2-3-1.0.0-mypatch
).
For all future steps on this page, wherever you type the <uplevel version>
, be sure to include the suffix with the patch name, for example 3.2-3-1.0.0-mypatch
.
If the csar efix
command fails, be sure to delete any partially-created patched CSAR before retrying the patch process. Run csar list
as above, and if you see the patched CSAR, delete it with csar remove <CSAR>
.
1.5 Prepare downlevel config directory
If you keep the configuration hosted on the SIMPL VM, find it and rename it to /home/admin/current-config
. Verify the contents by running ls /home/admin/current-config
and checking that at least the SDF (sdf-rvt.yaml
) is present there. If it isn’t, or you prefer to keep your configuration outside of the SIMPL VM, then create this directory on the SIMPL VM:
mkdir /home/admin/current-config
Use scp
to upload the SDF (sdf-rvt.yaml
) to this directory.
1.6 Prepare uplevel config directory including an SDF
On the SIMPL VM, run mkdir /home/admin/uplevel-config
. This directory is for holding the uplevel configuration files.
Use scp
(or cp
if the files are already on the SIMPL VM, for example in /home/admin/current-config
as detailed in the previous section) to copy the following files to this directory. Include configuration for the entire deployment, not just the REM nodes.
-
The uplevel configuration files.
-
The current SDF for the deployment.
1.7 Update SDF
Open the /home/admin/uplevel-config/sdf-rvt.yaml
file using vi
. Find the vnfcs
section, and within that the REM VNFC. Within the VNFC, locate the version
field and change its value to the uplevel version, for example 3.2-3-1.0.0
. Save and close the file.
You can verify the change you made by using diff -u2 /home/admin/current-config/sdf-rvt.yaml /home/admin/uplevel-config/sdf-rvt.yaml
. The diff should look like this (context lines and line numbers may vary), with only a change to the version for the relevant node type:
--- sdf-rvt.yaml 2022-10-31 14:14:49.282166672 +1300
+++ sdf-rvt.yaml 2022-11-04 13:58:42.054003577 +1300
@@ -211,5 +211,5 @@
shcm-vnf: shcm
type: rem
- version: {example-downlevel-version}
+ version: 3.2-3-1.0.0
vim-configuration:
vsphere:
1.8 Reserve maintenance period
The upgrade procedure requires a maintenance period. For upgrading nodes in a live network, implement measures to mitigate any unforeseen events.
Ensure you reserve enough time for the maintenance period, which must include the time for a potential rollback.
To calculate the time required for the actual upgrade or roll back of the VMs, The output will be similar to the following, stating how long it will take to do an upgrade or rollback of the REM VMs.
Nodes will be upgraded sequentially
-----
Estimated time for a full upgrade of 3 VMs: 24 minutes
Estimated time for a full rollback of 3 VMs: 24 minutes
-----
These numbers are a conservative best-effort estimate. Various factors, including IMS load levels, VNFI hardware configuration, VNFI load levels, and network congestion can all contribute to longer upgrade times. These numbers only cover the time spent actually running the upgrade on SIMPL VM. You must add sufficient overhead for setting up the maintenance window, checking alarms, running validation tests, and so on. |
The time required for an upgrade or rollback can also be manually calculated. For node types that are upgraded sequentially, like this node type, calculate the upgrade time by using the number of nodes. The first node takes 6 minutes, while later nodes take 6 minutes each. |
You must also reserve time for:
-
The SIMPL VM to upload the image to the VNFI. Allow 2 minutes, unless the connectivity between SIMPL and the VNFI is particularly slow.
-
Any validation testing needed to determine whether the upgrade succeeded.
1.9 Carry out dry run
The csar update dry run command carries out more extensive validation of the SDF and VM states than rvtconfig validate does.
Carrying out this step now, before the upgrade is due to take place, ensures problems with the SDF files are identified early and can be rectified beforehand.
The --dry-run operation will not make any changes to your VMs, it is safe to run at any time, although we always recommend running it during a maintenance window if possible. |
Please run the following command to execute the dry run.
csar update --sdf /home/admin/uplevel-config/sdf-rvt.yaml --vnf rem --sites <site> --service-group <service_group> --skip force-in-series-update-with-l3-permission --dry-run
Confirm the output does not flag any problems or errors. The end of the command output should look similar to this.
You are about to update VMs as follows:
- VNF rem:
- For site <site>:
- update all VMs in VNFC service group <service_group>/4.1-5-1.0.0:
- rem-1 (index 0)
- rem-2 (index 1)
- rem-3 (index 2)
Please confirm the set of nodes you are upgrading looks correct, and that the software version against the service group correctly indicates the software version you are planning to upgrade to.
If you see any errors, please address them, then re-run the dry run command until it indicates success.
2. Upgrade procedure
2.1 Disable scheduled tasks
Only perform this step if this is the first, or only, node type being upgraded.
Run ./rvtconfig enter-maintenance-window -c <CDS address> <CDS auth args> -d <deployment ID> --site-id <site ID> --hours <MW duration in hours>
. The output will look similar to:
Maintenance window is now active until 04 Nov 2022 21:38:06 NZDT.
Use the leave-maintenance-window command once maintenance is complete.
This will prevent scheduled tasks running on the VMs until the time given in the output.
If at any point in the upgrade process you wish to confirm the end time of the maintenance window, you can run ./rvtconfig maintenance-window-status -c <CDS address> <CDS auth args> -d <deployment ID> --site-id <site ID>
.
2.2 Verify config has no unexpected or prohibited changes
Run rm -rf /home/admin/config-output
on the SIMPL VM to remove that directory if it already exists. Then use the command ./rvtconfig compare-config -c <CDS address> <CDS auth args> -d <deployment ID> --input /home/admin/uplevel-config
to compare the live configuration to the configuration in the
--vm-version <downlevel version> --output-dir /home/admin/config-output -t rem/home/admin/uplevel-config
directory.
Example output is listed below:
Validating node type against the schema: rem
Redacting secrets…
Comparing live config for (version=3.2-1-1.0.0, deployment=mydeployment, group=RVT-rem.DC1) with local directory (version=3.2-3-1.0.0, deployment=mydeployment, group=RVT-rem.DC1)
Getting per-level configuration for version '3.2-1-1.0.0', deployment 'mydeployment', and group 'RVT-rem.DC1'
- Found config with hash 7f6cc1f3df35b43d6286f19c252311e09216e6115f314d0cb9cc3f3a24814395
Wrote currently uploaded configuration to /tmp/tmprh2uavbh
Redacting secrets…
Found
- 1 difference in file sdf-rvt.yaml
Differences have been written to /home/admin/config-output
Error: Line 110 exited with status 3
You can then view the differences using commands such as cat /home/admin/config-output/sdf-rvt.yaml.diff
(there will be one .diff
file for every file that has differences). Aside from the version
parameter in the SDF, there should normally be no other changes. If there are other unexpected changes, pause the procedure here and correct the configuration by editing the files in /home/admin/uplevel-config
.
When performing a rolling upgrade, some elements of the uplevel configuration must remain identical to those in the downlevel configuration. The affected elements of the REM configuration are described in the following list:
-
The
secrets-private-key-id
in the SDF must not be altered. -
The ordering of the VM instances in the SDF must not be altered.
-
The IP addresses and other networking information in the SDF must not be altered.
The rvtconfig compare-config
command reports any unsupported changes as errors, and may also emit warnings about other changes. For example:
Found
- 1 difference in file sdf-rvt.yaml
The configuration changes have the following ERRORS.
File sdf-rvt.yaml:
- Changing the IP addresses, subnets or traffic type assignments of live VMs is not supported. Restore the networks section of the rem VNFC in the SDF to its original value before uploading configuration.
Ensure you address the reported errors, if any, before proceeding. rvtconfig
will not upload a set of configuration files that contains unsupported changes.
2.3 Validate configuration
Run the command ./rvtconfig validate -t rem -i /home/admin/uplevel-config
to check that the configuration files are correctly formatted, contain valid values, and are self-consistent. A successful validation with no errors or warnings produces the following output.
Validating node type against the schema: rem
YAML for node type(s) ['rem'] validates against the schema
If the output contains validation errors, fix the configuration in the /home/admin/uplevel-config
directory
If the output contains validation warnings, consider whether you wish to address them before performing the upgrade. The VMs will accept configuration that has validation warnings, but certain functions may not work.
2.4 Upload configuration
Upload the configuration to CDS:
./rvtconfig upload-config -c <CDS address> <CDS auth args> -t rem -i /home/admin/uplevel-config --vm-version <uplevel version>
Check that the output confirms that configuration exists in CDS for both the current (downlevel) version and the uplevel version:
Validating node type against the schema: rem
Preparing configuration for node type rem…
Checking differences between uploaded configuration and provided files
Getting per-level configuration for version '3.2-3-1.0.0', deployment 'mydeployment-rem', and group 'RVT-rem.DC1'
- No configuration found
No uploaded configuration was found: this appears to be a new install or upgrade
Encrypting secrets…
Wrote config for version '3.2-3-1.0.0', deployment ID 'mydeployment', and group ID 'RVT-rem.DC1'
Versions in group RVT-rem.DC1
=============================
- Version: {example-downlevel-version}
Config hash: 7f6cc1f3df35b43d6286f19c252311e09216e6115f314d0cb9cc3f3a24814395
Active: mydeployment-rem-1, mydeployment-rem-2, mydeployment-rem-3
Leader seed: {downlevel-leader-seed}
- Version: 3.2-3-1.0.0
Config hash: f790cc96688452fdf871d4f743b927ce8c30a70e3ccb9e63773fc05c97c1d6ea
Active: None
Leader seed:
2.5 Collect diagnostics
We recommend gathering diagnostic archives for all REM VMs in the deployment.
On the SIMPL VM, run the command
If <diags-bundle>
does not exist, the command will create the directory for you.
Each diagnostic archive can be up to 200 MB per VM. Ensure you have enough disk space on the SIMPL VM to collect all diagnostics. The command will be aborted if the SIMPL VM does not have enough disk space to collect all diagnostic archives from all the VMs in your deployment specified in the provided SDF.
2.6 Begin the upgrade
Carry out a csar import of the rem VMs
Prepare for the upgrade by running the following command on the SIMPL VM csar import --vnf rem --sdf /home/admin/uplevel-config/sdf-rvt.yaml
to import terraform templates.
First, SIMPL VM connects to your VNFI to check the credentials specified in the SDF and QSG are correct. If this is successful, it displays the message All validation checks passed.
.
-
Type
no
. The csar import will be aborted. -
Investigate why there are unexpected changes in the SDF.
-
Correct the SDF as necessary.
-
Retry this step.
Otherwise, accept the prompt by typing yes
.
After you do this, SIMPL VM will import the terraform state. If successful, it outputs this message:
Done. Imported all VNFs.
If the output does not look like this, investigate and resolve the underlying cause, then re-run the import command again until it shows the expected output.
Begin the upgrade of the rem VMs
First, SIMPL VM connects to your VNFI to check the credentials specified in the SDF and QSG are correct. If this is successful, it displays the message All validation checks passed.
.
Next, SIMPL VM compares the specified SDF with the SDF used for the csar import command above. Since the contents have not changed since you ran the csar import, the output should indicate that the SDF has not changed.
If there are differences in the SDF, a message similar to this will be output:
Comparing current SDF with previously used SDF.
site site1:
rem:
rem-1:
networks:
- ip-addresses:
ip:
- - 10.244.21.106
+ - 10.244.21.196
- 10.244.21.107
name: Management
subnet: mgmt-subnet
Do you want to continue? [yes/no]: yes
If you see this, you must:
-
Type
no
. The upgrade will be aborted. -
Go back to the start of the upgrade section and run through the csar import section again, until the SDF differences are resolved.
-
Retry this step.
Afterwards, the SIMPL VM displays the VMs that will be upgraded:
You are about to update VMs as follows:
- VNF rem:
- For site site1:
- update all VMs in VNFC service group mydeployment-rem/3.2-3-1.0.0:
- mydeployment-rem-1 (index 0)
- mydeployment-rem-2 (index 1)
- mydeployment-rem-3 (index 2)
Type 'yes' to continue, or run 'csar update --help' for more information.
Continue? [yes/no]:
Check this output displays the version you expect (the uplevel version) and exactly the set of VMs that you expect to be upgraded. If anything looks incorrect, type no
to abort the upgrade process, and recheck the VMs listed and the version field in /home/admin/uplevel-config/sdf-rvt.yaml
. Also check you are passing the correct SDF path and --vnf
argument to the csar update
command.
Otherwise, accept the prompt by typing yes
.
Next, each VM in your cluster will perform health checks. If successful, the output will look similar to this.
Running ansible scripts in '/home/admin/.local/share/csar/rem/4.1-1-1.0.0/update_healthcheck_scripts' for node 'mydeployment-rem-1'
Running script: check_config_uploaded…
Running script: check_ping_management_ip…
Running script: check_maintenance_window…
Running script: check_can_sudo…
Running script: check_converged…
Running script: check_liveness…
Running script: check_rhino_alarms…
Detailed output can be found in /var/log/csar/ansible_output-2023-01-05-02-05-51.log
All ansible update healthchecks have passed successfully
If a script fails, you can find details in the log file. The log file can be found in /var/log/csar/ansible_output-<timestamp>.log
.
Running ansible scripts in '/home/admin/.local/share/csar/rem/4.1-1-1.0.0/update_healthcheck_scripts' for node 'mydeployment-rem-1'
Running script: check_config_uploaded...
Running script: check_ping_management_ip...
Running script: check_maintenance_window...
Running script: check_can_sudo...
Running script: check_converged...
Running script: check_liveness...
ERROR: Script failed. Specific error lines from the ansible output will be logged to screen. For more details see the ansible_output file (/var/log/csar/ansible_output-2023-01-05-21-02-17.log). This file has only ansible output, unlike the main command log file.
fatal: [mydeployment-rem-1]: FAILED! => {"ansible_facts": {"liveness_report": {"cassandra": true, "cassandra_ramdisk": true, "cassandra_repair_timer": true, "cdsreport": true, "cleanup_sbbs_activities": false, "config_hash_report": true, "docker": true, "initconf": true, "linkerd": true, "mdm_state_and_status_ok": true, "mdmreport": true, "nginx": true, "no_ocss7_alarms": true, "ocss7": true, "postgres": true, "rem": true, "restart_rhino": true, "rhino": true}}, "attempts": 1, "changed": false, "msg": "The following liveness checks failed: ['cleanup_sbbs_activities']", "supports_liveness_checks": true}
Running script: check_rhino_alarms...
Detailed output can be found in /var/log/csar/ansible_output-2023-01-05-21-02-17.log
***Some tests failed for CSAR 'rem/4.1-1-1.0.0' - see output above***
The msg
field under each ansible task explains why the script failed.
If there are failures, investigate them with the help of your Customer Care Representative and the Troubleshooting pages.
Once the pre-upgrade health checks have been verified, SIMPL VM now proceeds to upgrade each of the VMs. Monitor the further output of csar update
as the upgrade progresses, as described in the next step.
2.7 Monitor csar update
output
For each VM:
-
The VM will be quiesced and destroyed.
-
SIMPL VM will create a replacement VM using the uplevel version.
-
The VM will automatically start applying configuration from the files you uploaded to CDS in the above steps.
-
Once configuration is complete, the VM will be ready for service. At this point, the
csar update
command will move on to the next REM VM.
The output of the csar update
command will look something like the following, repeated for each VM.
Decommissioning 'dc1-mydeployment-rem-1' in MDM, passing desired version 'vm.version=3.2-3-1.0.0', with a 900 second timeout
dc1-mydeployment-rem-1: Current status 'complete', current state 'commissioned' - desired status 'complete', desired state 'decommissioned'
dc1-mydeployment-rem-1: Current status 'in_progress'- desired status 'complete'
…
dc1-mydeployment-rem-1: Current status 'complete', current state 'decommissioned' - desired status 'complete', desired state 'decommissioned'
Running update for VM group [0]
Performing health checks for service group mydeployment-rem with a 1200 second timeout
Running MDM status health-check for dc1-mydeployment-rem-1
dc1-mydeployment-rem-1: Current status 'in_progress'- desired status 'complete'
…
dc1-mydeployment-rem-1: Current status 'complete', current state 'commissioned' - desired status 'complete', desired state 'commissioned'
If you see this error:
it can be safely ignored, provided that you do eventually see a |
Once all VMs have been upgraded, you should see this success message, detailing all the VMs that were upgraded and the version they are now running, which should be the uplevel version.
Successful VNF with full per-VNFC upgrade state:
VNF: rem
VNFC: mydeployment-rem
- Node name: mydeployment-rem-1
- Version: 3.2-3-1.0.0
- Build Date: 2022-11-21T22:58:24+00:00
- Node name: mydeployment-rem-2
- Version: 3.2-3-1.0.0
- Build Date: 2022-11-21T22:58:24+00:00
- Node name: mydeployment-rem-3
- Version: 3.2-3-1.0.0
- Build Date: 2022-11-21T22:58:24+00:00
If the upgrade fails, you will see Failed VNF
instead of Successful VNF
in the above output. There will also be more details of what went wrong printed before that. Refer to the Backout procedure below.
2.8 Run basic validation tests
Run csar validate --vnf rem --sdf /home/admin/uplevel-config/sdf-rvt.yaml
to perform some basic validation tests against the uplevel nodes.
This command first performs a check that the nodes are connected to MDM and reporting that they have successfully applied the uplevel configuration:
========================
Performing healthchecks
========================
Commencing healthcheck of VNF 'rem'
Performing health checks for service group mydeployment-rem with a 0 second timeout
Running MDM status health-check for dc1-mydeployment-rem-1
dc1-mydeployment-rem-1: Current status 'complete', current state 'commissioned' - desired status 'complete', desired state 'commissioned'
Running MDM status health-check for dc1-mydeployment-rem-2
dc1-mydeployment-rem-2: Current status 'complete', current state 'commissioned' - desired status 'complete', desired state 'commissioned'
Running MDM status health-check for dc1-mydeployment-rem-3
dc1-mydeployment-rem-3: Current status 'complete', current state 'commissioned' - desired status 'complete', desired state 'commissioned'
After that, it performs various checks on the health of the VMs' networking and services:
================================
Running validation test scripts
================================
Running validation tests in CSAR 'rem/3.2-3-1.0.0'
Test running for: mydeployment-rem-1
Running script: check_ping_management_ip…
Running script: check_can_sudo…
Running script: check_converged…
Running script: check_liveness…
Detailed output can be found in /var/log/csar/ansible_output-2023-01-06-03-21-51.log
If all is well, then you should see the message All tests passed for CSAR 'rem/<uplevel version>'!
.
If the VM validation fails, you can find details in the log file. The log file can be found in /var/log/csar/ansible_output-<timestamp>.log
.
Running validation test scripts
================================
Running validation tests in CSAR 'rem/3.2-3-1.0.0'
Test running for: mydeployment-rem-1
Running script: check_ping_management_ip...
Running script: check_can_sudo...
Running script: check_converged...
Running script: check_liveness...
ERROR: Script failed. Specific error lines from the ansible output will be logged to screen. For more details see the ansible_output file (/var/log/csar/ansible_output-2023-01-06-03-40-37.log). This file has only ansible output, unlike the main command log file.
fatal: [mydeployment-rem-1]: FAILED! => {"ansible_facts": {"liveness_report": {"cassandra": true, "cassandra_ramdisk": true, "cassandra_repair_timer": true, "cdsreport": true, "cleanup_sbbs_activities": false, "config_hash_report": true, "docker": true, "initconf": true, "linkerd": true, "mdm_state_and_status_ok": true, "mdmreport": true, "nginx": true, "no_ocss7_alarms": true, "ocss7": true, "postgres": true, "rem": true, "restart_rhino": true, "rhino": true}}, "attempts": 1, "changed": false, "msg": "The following liveness checks failed: ['cleanup_sbbs_activities']", "supports_liveness_checks": true}
Running script: check_rhino_alarms...
Detailed output can be found in /var/log/csar/ansible_output-2023-01-06-03-40-37.log
***Some tests failed for CSAR 'rem/3.2-3-1.0.0' - see output above***
----------------------------------------------------------
WARNING: Validation script tests failed for the following CSARs:
- 'rem/3.2-3-1.0.0'
See output above for full details
The msg
field under each ansible task explains why the script failed.
If there are failures, investigate them with the help of your Customer Care Representative and the Troubleshooting pages.
3. Post-upgrade procedure
3.1 Enable scheduled tasks
Run ./rvtconfig leave-maintenance-window -c <CDS address> <CDS auth args> -d <deployment ID> --site-id <site ID>
. This will allow scheduled tasks to run on the VMs again. The output should look like this:
Maintenance window has been terminated.
The VMs will resume running scheduled tasks as per their configured schedules.
5. Backout Method of Procedure
First, gather the log history of the downlevel VMs. Run mkdir -p /home/admin/rvt-log-history
and ./rvtconfig export-log-history -c <CDS address> <CDS auth args> -d <deployment ID> --zip-destination-dir /home/admin/rvt-log-history --secrets-private-key-id <secret ID>
. The secret ID you specify for --secrets-private-key-id
should be the secret ID for the secrets private key (the one used to encrypt sensitive fields in CDS). You can find this in the product-options
section of each VNFC in the SDF.
Make sure the <CDS address> used is one of the remaining available TSN nodes. |
Next, how much of the backout procedure to run depends on how much progress was made with the upgrade. If you did not get to the point of running csar update
, start from the Cleanup after backout section below.
If you encounter further failures during recovery or rollback, contact your Customer Care Representative to investigate and recover the deployment.
5.1 Collect diagnostics
We recommend gathering diagnostic archives for all REM VMs in the deployment.
On the SIMPL VM, run the command
If <diags-bundle>
does not exist, the command will create the directory for you.
Each diagnostic archive can be up to 200 MB per VM. Ensure you have enough disk space on the SIMPL VM to collect all diagnostics. The command will be aborted if the SIMPL VM does not have enough disk space to collect all diagnostic archives from all the VMs in your deployment specified in the provided SDF.
5.2 Disable scheduled tasks
Only perform this step if this is the first, or only, node type being rolled back. You can also skip this step if the rollback is occurring immediately after a failed upgrade, such that the existing maintenance window is sufficient. You can check the remaining maintenance window time with ./rvtconfig maintenance-window-status -c <CDS address> <CDS auth args> -d <deployment ID> --site-id <site ID>
.
To start a new maintenance window (or extend an existing one), run ./rvtconfig enter-maintenance-window -c <CDS address> <CDS auth args> -d <deployment ID> --site-id <site ID> --hours <MW duration in hours>
. The output will look similar to:
Maintenance window is now active until 04 Nov 2022 21:38:06 NZDT.
Use the leave-maintenance-window command once maintenance is complete.
This will prevent scheduled tasks running on the VMs until the time given in the output.
If at any point in the rollback process you wish to confirm the end time of the maintenance window, you can run the above rvtconfig maintenance-window-status
command.
5.3 Roll back VMs
To roll back the VMs, the procedure is essentially to perform an "upgrade" back to the downlevel version, that is, with <downlevel version>
and <uplevel version>
swapped. You can refer to the Begin the upgrade section above for details on the prompts and output of csar update
.
Once the csar update
command completes successfully, proceed with the next steps below.
The Contiguous ranges can be expressed with a hyphen ( If you want to roll back just one node, use If you want to roll back all nodes, omit the The |
If csar update
fails, check the output for which VMs failed. For each VM that failed, run csar redeploy --vm <failed VM name> --sdf /home/admin/current-config/sdf-rvt.yaml
.
If csar redeploy
fails, contact your Customer Care Representative to start the recovery procedures.
If all the csar redeploy
commands were successful, then run the previously used csar update
command on the VMs that were neither rolled back nor redeployed yet.
To help you determine which VMs were neither rolled back nor redeployed yet, |
5.4 Delete uplevel CDS data
Run ./rvtconfig delete-node-type-version -c <CDS address> <CDS auth args> -t rem --vm-version <uplevel version>
to remove data for the uplevel version from CDS.
-d <deployment ID> --site-id <site ID> --ssh-key-secret-id <SSH key secret ID>
Example output from the command:
The following versions will be deleted: 3.2-3-1.0.0
The following versions will be retained: {example-downlevel-version}
Do you wish to continue? Y/[N] Y
Check the versions are the correct way around, and then confirm this prompt to delete the uplevel data from CDS.
Backout procedure
-
If desired, remove the uplevel CSAR. On the SIMPL VM, run
csar remove rem/<uplevel version>
. -
If desired, remove the uplevel config directories on the SIMPL VM with
rm -rf /home/admin/uplevel-config
. We recommend these files are kept in case the upgrade is attempted again at a later time.
5.6 Enable scheduled tasks
Run ./rvtconfig leave-maintenance-window -c <CDS address> <CDS auth args> -d <deployment ID> --site-id <site ID>
. This will allow scheduled tasks to run on the VMs again. The output should look like this:
Maintenance window has been terminated.
The VMs will resume running scheduled tasks as per their configured schedules.
5.7 Verify service is restored
Perform verification tests to ensure the deployment is functioning as expected.
If applicable, contact your Customer Care Representative to investigate the cause of the upgrade failure.
Before re-attempting the upgrade, ensure you have run the You will also need to re-upload the uplevel configuration. |
Post-acceptance tasks
Following an upgrade, we recommend leaving all images and CDS data for the downlevel version in place for a period of time, in case you find a problem with the uplevel version and you wish to roll the VMs back to the downlevel version. This is referred to as an acceptance period.
After the acceptance period is over and no problems have been found, you can optionally clean up the data relating to the downlevel version to free up disk space on the VNFI, the SIMPL VM, and the CDS nodes. Follow the steps below for each group (node type) you want to clean up.
Only perform these steps if all VMs are running at the uplevel version. You can query the versions in use with the After performing the following steps, rollback to the previous version will no longer be possible. Be very careful that you specify the correct commands and versions. There are similarly-named commands that do different things and could lead to a service outage if used by accident. |
Move the configuration folder
During the upgrade, you stored the downlevel configuration in /home/admin/current-config
, and the uplevel configuration in /home/admin/uplevel-config
.
Once the upgrade has been accepted, update /home/admin/current-config
to point at the now current config:
rm -rf /home/admin/current-config
mv /home/admin/uplevel-config /home/admin/current-config
Remove unused (downlevel) images from the SIMPL VM and the VNFI
Use the csar delete-images --sdf <path to downlevel SDF>
command to remove images from the VNFI.
Use the csar remove <CSAR version>
to remove CSARs from the SIMPL VM. Refer to the SIMPL VM documentation for more information.
Do not remove the CSAR for the version of software that the VMs are currently using - it is required for future upgrades. Be sure to use the |
Delete CDS data
Use the rvtconfig delete-node-type-retain-version
command to remove CDS data relating to a particular node type for all versions except the current version.
Be sure to use the |
Use the rvtconfig list-config
command to verify that the downlevel version data has been removed. It should show that configuration for only the current (uplevel) version is present.
Verify the state of the nodes and processes
VNF validation tests
What are VNF validation tests?
The VNF validation tests can be used to run some basic checks on deployed VMs to ensure they have been deployed correctly. Tests include:
-
checking that the management IP can be reached
-
checking that the management gateway can be reached
-
checking that
sudo
works on the VM -
checking that the VM has converged to its configuration.
Running the VNF validation tests
After deploying the VMs for a given VM type, and performing the configuration for those VMs, you can run the VNF validation tests for those VMs from the SIMPL VM.
Run the validation tests: csar validate --vnf <node-type> --sdf <path to SDF>
Here, <node-type>
is one of rem
.
If any of the tests fail, refer to the troubleshooting section.
An MDM CSAR must be unpacked on the SIMPL VM before running the csar validate command. Run csar list on the SIMPL VM to verify whether an MDM CSAR is already installed. |
REM checks
Verify REM is running
Log in to the VM with the default credentials.
Run systemctl status rhino-element-manager
to view the status of the REM service. It should be listed as active (running)
.
You can also check the jps
command to ensure that the Tomcat process has started. It is listed in the output as Bootstrap
.
Verify you can connect to REM
From a PC which is on or can reach the same subnet as the REM node’s management interface, connect to https://<management IP address>:8443/rem/
with a web browser. You should be presented with a login page. From here you can use the credentials set up in the rem-vmpool-config.yaml file to log in.
VM configuration
This section describes details of the VM configuration of the nodes.
-
An overview of the configuration process is described in declarative configuration.
-
The bootstrap parameters are derived from the SDF and supplied as either vApp parameters or as OpenStack userdata automatically.
-
After the VMs boot up, they will automatically perform bootstrap. You then need to upload configuration to the CDS for the configuration step.
-
The rvtconfig tool is used to upload configuration to the CDS.
-
You may wish to refer to the Services and Components page for information about each node’s components, directory structure, and the like.
Declarative configuration
Overview
This section describes how to configure the Rhino VM Automation VMs - that is, the processes of making and applying configuration changes.
It is not intended as a full checklist of the steps to take during an upgrade or full installation - for example, business level change-control processes are not discussed.
The configuration process is based on modifying configuration files, which are validated and sent to a central configuration data store (CDS) using the rvtconfig
tool. The Rhino VM Automation VMs will poll the CDS, and will pull down and apply any changes.
Initial setup
The initial configuration process starts with the example YAML files distributed alongside the Rhino VM Automation VMs, as described in Example configuration YAML files.
Metaswitch strongly recommends that the configuration files are stored in a version control system (VCS). A VCS allows version control, rollback, traceability, and reliable storage of the system’s configuration. |
If a VCS is not a viable option for you, you must take backups of the configuration before making any changes. The configuration backups are your responsibility and must be made every time a change is required. In this case, we recommend that you store the full set of configuration files in a reliable cloud storage system (for example, OneDrive) and keep the backups in different folders named with a progressive number and a timestamp of the backup date (for example, v1-20210310T1301).
The rest of the guide is written assuming the use of a VCS to manage the configuration files.
Initially, add the full set of example YAMLs into your VCS as a baseline, alongside the solution definition files (SDFs) described in the Rhino VM Automation VM install guides. You should store all files (including the SDFs for all nodes) in a single directory yamls
with no subdirectories.
Making changes
To change the system configuration, the first step is to edit the configuration files, making the desired changes (as described in this guide). You can do this on any machine using a text editor (one with YAML support is recommended). After you have made the changes, record them in the VCS.
Validating the changes
On the SIMPL VM, as the admin user, change to the directory /home/admin/
. Check out (or copy) your yamls
directory to this location, as /home/admin/yamls/
.
If network access allows, we recommend that you retrieve the files directly from the VCS into this directory, rather than copying them. Having a direct VCS connection means that changes made at this point in the process are more likely to be committed back into the VCS, a critical part of maintaining the match between live and stored configuration. |
At this point, use the rvtconfig
tool to validate the configuration used for all relevant nodes.
For more information on the rvtconfig tool, see rvtconfig. |
The relevant nodes depend on which configuration files have been changed. To determine the mapping between configuration files and nodes, consult Example configuration YAML files.
The rvtconfig
tool is delivered as part of the VM image CSAR file, and unpacked into /home/admin/.local/share/csar/<csar name>/<version>/resources/rvtconfig
.
It is important that the rvtconfig binary used to validate a node’s configuration is from a matching release. That is, if the change is being made to a node that is at version x.y.z-p1 , the rvtconfig binary must be from a version x.y.z CSAR. |
For example, assume a change has been made to the rem-vmpool-config.yaml
file in the Rhino VM Automation network. This would require reconfiguration of the rem
node at version 4.0.0
. To validate this change, use the following command from the /home/admin/
directory.
./.local/share/csar/rem/4.0.0/resources/rvtconfig validate -t rem -i ./yamls
If the node fails validation, update the files to fix the errors as reported, and record the changes in your VCS.
Uploading the changes
Once the file is validated, record the local changes in your VCS.
Next, use the rvtconfig upload-config
command to upload the changes to the CDS. As described in Uploading configuration to CDS with upload-config, the upload-config
command requires a number of command line arguments.
The full syntax to use for this use case is:
rvtconfig upload-config -c <cds-ip-addresses> -t <node type> -i <config-path> --vm-version <vm_version>
where:
-
<cds-ip-addresses>
is the signaling IP address of a CDS node. -
<deployment-id>
can be found in the relevant SDF. -
<node type>
is the node being configured, as described above. -
<config-path>
is the path of the directory containing the YAML and SDFs. -
<vm_version>
is the version string of the node being configured.
As with validation, the rvtconfig
executable must match the version of software being configured. Take the example of a change to the rem-vmpool-config.yaml
as above, on a Rhino VM Automation network with nodes at version 4.0.0
, a deployment ID of prod
, and a CDS at IP 192.0.0.1
. In this environment the configuration could be uploaded with the following commands (from /home/admin/
):
./.local/share/csar/rem/4.0.0/resources/rvtconfig upload-config -c 192.0.0.1 -t rem -i ./yamls --vm-version 4.0.0
rvtconfig
rvtconfig
tool
Configuration YAML files can be validated and uploaded to the CDS using the rvtconfig
tool. The rvtconfig
tool can be run either on the SIMPL VM or any Rhino VM Automation VM.
On the SIMPL VM, you can find the command in the resources
subdirectory of any Rhino VM Automation (rem
) CSAR, after it has been extracted using csar unpack
.
/home/admin/.local/share/csar/<csar name>/<version>/resources/rvtconfig
On any Rhino VM Automation VM, the rvtconfig
tool is in the PATH
for the sentinel
user and can be run directly by running:
rvtconfig <command>
The available rvtconfig
commands are:
-
rvtconfig validate
validates the configuration, even before booting any VMs by using the SIMPL VM. -
rvtconfig upload-config
validates, encrypts, and uploads the configuration to the CDS. -
rvtconfig delete-deployment
deletes a deployment from the CDS.Only use this when advised to do so by a Customer Care Representative. -
rvtconfig delete-node-type-version
deletes state and configuration for a specified version of a given node type from the CDS.This should only be used when there are no VMs of that version deployed. -
rvtconfig delete-node-type-all-versions
deletes state and configuration for all versions of a given node type from the CDS.Only use this after deleting all VMs for a given node type. -
rvtconfig delete-node-type-retain-version
deletes state and configuration for a given node type from the CDS, except for the specified version. -
rvtconfig list-config
displays a summary of the configurations stored in the CDS. -
rvtconfig dump-config
dumps the current configuration from the CDS. -
rvtconfig print-leader-seed
prints the current leader seed as stored in the CDS. -
rvtconfig generate-private-key
generates a new private key for use in the SDF. -
rvtconfig enter-maintenance-window
disables VMs' scheduled tasks for a period of time. -
rvtconfig leave-maintenance-window
re-enables VMs' scheduled tasks. -
rvtconfig calculate-maintenance-window
calculates the required length of a maintenance window for rolling upgrades. -
rvtconfig maintenance-window-status
displays a message indicating whether there is an maintenance window period reserved or not. -
rvtconfig export-log-history
exports the quiesce log history from the CDS. -
rvtconfig initconf-log
retrievesinitconf.log
file from the specified remote RVT node. -
rvtconfig describe-versions
prints the current values of the versions of the VM found in the config and in the SDF. -
rvtconfig compare-config
compares currently uploaded config with a given set of configuration. -
rvtconfig backup-cds
creates a backup of the CDS database intar
format and retrieves it. -
rvtconfig restore-cds
uses CDS database backup taken withbackup-cds
to restore the CDS database to a previous state. -
rvtconfig set-desired-running-state
setsDesiredRunningState
to stopped/started in MDM.-
If
--state Started
or no--state
is specified, all initconf processes of non-TSN VMs will pause their configuration loops. -
If
--state Stopped
is specified, all initconf processes of non-TSN VMs will resume their configuration loops.
-
-
rvtconfig cassandra-upgrade
performs a cassandra upgrade operation from {cassandra-version-three} to {cassandra-version-four}. This command can only be used after a Major TSN upgrade has been successfully executed to TSN 4.1 and the cassandra version running is {cassandra-version-three}. This operation must be done one TSN node at a time and no parallelization is allowed. -
rvtconfig cassandra-status
prints the cassandra database status of all the specified CDS IP addresses. -
rvtconfig cassandra-upgrade-sstables
upgradessstables
status once all TSN 4.1 nodes have been upgraded to Cassandra version {cassandra-version-four} withrvtconfig cassandra-upgrade
Common arguments
Commands that read or modify CDS state take a --cds-address
parameter (which is also aliased as --cds-addresses
, --cassandra-contact-point
, --cassandra-contact-points
, or simply -c
). For this parameter, specify the management address(es) of at least one machine hosting the CDS database. Separate multiple addresses with a space, for example --cds-address 1.2.3.4 1.2.3.5
.
The upload-config
and export-audit-history
commands read secrets from QSG. If you have not yet uploaded secrets to QSG, you can specify a --secrets-file <file>
argument, passing in the path to your secrets file (the YAML file which you pass to csar secrets add
). QSG is only available on the SIMPL VM; if running rvtconfig
on a platform other than the SIMPL VM, for example on the VM itself, then you must pass the --secrets-file
argument.
Commands that read or modify CDS state may also require additional parameters if the CDS endpoints are configured to use authentication and/or SSL encryption as per Cassandra security configuration. If the CDS endpoints are configured to use authentication, you must pass the --cds-username
argument with your configured password and either the --cds-password
or --cds-password-secret-name
argument with the configured password or its ID in the secrets file. If the CDS endpoints are configured to use SSL encryption, you must pass the --ssl
flag and also pass either the --ssl-ca-certificate
or --ssl-ca-certificate-secret-name
argument containing a file with the SSL signing certificate, or its ID in the secrets file.
The various delete-node-type
commands, and the report-group-status
command, require an SSH private key to access the VMs. You can specify this key as either a path to the private key file with the --ssh-key
argument, or as a secret ID with the --ssh-key-secret-id
argument. If you are running rvtconfig
on the SIMPL VM, the recommended approach is to use the secret ID of the SIMPL VM-specific private key that you specified in the SDF (see SIMPL VM SSH private key ). Otherwise, use the SSH private key file itself (copying it to the machine on which you are running rvtconfig
, and deleting it once you have finished, if necessary).
For more information, run rvtconfig --help
. You can also view help about a particular command using, for example, rvtconfig upload-config --help
.
rvtconfig
limitations
The following limitations apply when running rvtconfig
on the SIMPL VM:
-
All files and directories mentioned in parameter values and the secrets file must reside within the root (
/
) filesystem of the SIMPL VM. A good way to ensure this is the case is to store files only in directories under/home/admin
. -
rvtconfig
assumes files specified without paths are located in the current directory. If multiple directories are involved, it is recommended to use absolute paths everywhere. (Relative paths can be used, but may not use..
to navigate out of the current directory.)
Verifying and uploading configuration
-
Create a directory to hold the configuration YAML files.
mkdir yamls
-
Ensure the directory contains the following:
-
configuration YAML files
-
the Solution Definition File (SDF)
-
Rhino license for nodes running Rhino.
-
Do not create any subdirectories. Ensure the file names match the example YAML files. |
Verifying configuration with validate
To validate configuration, run the command:
rvtconfig validate -t <node type> -i ~/yamls
where <node type>
is the node type you want to verify, which can be rem
. If there are any errors, fix them, move the fixed files to the yamls
directory, and then re-run the above rvtconfig validate
command on the yamls
directory.
Once the files pass validation, store the YAML files in the CDS using the rvtconfig upload-config
command.
If using the SIMPL VM, the |
Uploading configuration to the CDS with upload-config
To upload the YAML files to the CDS, run the command:
rvtconfig upload-config [--secrets-file <file>] -c <cds-mgmt-addresses> -t <node type> -i ~/yamls
[(--vm-version-source [this-vm | this-rvtconfig | sdf-version] | --vm-version <vm_version>)] [--reload-resource-adaptors]
The |
If you would like to specify a version, you can use:
-
--vm-version
to specify the exact version of the VM to target (as configuration can differ across a VM upgrade). -
--vm-version-source
to automatically derive the VM version from the given source. Failure to determine the version will result in an error.-
Use
this-rvtconfig
when running thervtconfig
tool included in the CSAR for the target VM, to extract the version information packaged intorvtconfig
. -
Use
this-vm
if running thervtconfig
tool directly on the VM being configured, to extract the version information from the VM. -
Option
sdf-version
extracts the version value written in the SDF for the given node.
-
If the version is not specified, then the version in the SDF will be compared to the this-rvtconfig
or this-vm
version (whichever is appropriate given how the rvtconfig
command is run). If they match, this value will be used. Otherwise, the command will fail.
Whatever way you enter the version, the value obtained must match the version in the SDF. Otherwise, the upload will fail. |
Any YAML configuration values which are specified as secrets are marked as such in the YAML files' comments. These values will be encrypted using the generated private-key created by rvtconfig generate-private-key
and prior to uploading the SDF. In other words, the secrets should be entered in plain text in the SDF, and the upload-config
command takes care of encrypting them. Currently this applies to the following:
-
Rhino users' passwords
-
REM users' passwords
-
SSH keys for accessing the VM
-
the SNMPv3 authentication key and privacy key
Use the |
If the CDS is not yet available, this will retry every 30 seconds for up to 15 minutes. As a large Cassandra cluster can take up to one hour to form, this means the command could time out if run before the cluster is fully formed. If the command still fails after several attempts over an hour, troubleshoot Cassandra on the machines hosting the CDS database.
This command first compares the configuration files currently uploaded for the target version with those in the input directory. It summarizes which files are different, how many lines differ, and if there are any configuration changes that are unsupported (for example, changing the VMs' IP addresses). If there are any unsupported configuration changes, the config will not be uploaded. Follow the instructions in the error message(s) to revert unsupported changes in the configuration, then try again.
If the changes are valid, but any files are different, rvtconfig
will prompt the user to confirm the differences are as expected before continuing with the upload. If the upload is canceled, and --output-dir
is specified, then full details of any files with differences will be put into the given output directory, which rvtconfig
creates if it doesn’t already exist.
Changes to secrets and non-YAML files cannot be detected due to encryption; they will not appear in the summary or detailed output. Any such changes will still be uploaded.
You can disable this pre-upload check on config differences using the --skip-diff
flag (also aliased as -f
).
Restarting resource adaptors
Specify the The If you apply configuration changes that don’t include changes to any fields marked as needing an RA restart, then you do not need to specify the If you apply configuration changes that include changes to such fields, and do not specify the |
Comparing existing configuration in the CDS with compare-config
Compare the configuration in an input directory with the currently uploaded configuration in the CDS using the command:
rvtconfig compare-config -c <cds-mgmt-addresses> -t <node type> -i ~/yamls --output-dir <output-directory>
[--deployment-id <deployment ID>] [--site-id <site ID>] [(--vm-version-source [this-vm | this-rvtconfig | sdf-version] | --vm-version <vm_version>)]
This will compare the currently uploaded configuration in the CDS with the configuration in the local input directory.
The deployment ID, site ID, and version of configuration to look up in CDS will be automatically taken from the SDF. These can be overridden by using the --deployment-id
, --site-id
, and one of the --vm-version-source
or --vm-version
parameters respectively. For example, you can specify --vm-version <downlevel version>
to check what has changed just before running an upgrade, where the version in the input SDF will be the uplevel version.
The files that have differences will be displayed, along with the number of different lines, and any errors or warnings about the changes themselves. Any errors will need to be corrected before you can run rvtconfig upload-config
.
The command puts the full contents of each version of these files into the output directory, along with separate files showing the differences found. The command ignores non-YAML files and any secrets in YAML files. The files in this output directory use the suffix .local
for a redacted version of the input file, .live
for a redacted version of the live file, and .diff
for a file showing the differences between the two.
The contents of the files in the output directory are reordered and no longer have comments; these won’t match the formatting of the original input files, but contain the same information. |
Deleting configuration from the CDS with delete-deployment
Delete all deployment configuration from the CDS by running the command:
rvtconfig delete-deployment -c <cds-mgmt-addresses> -d <deployment-id> [--delete-audit-history]
Only use this when advised to do so by a Customer Care Representative. |
Only use this after deleting all VMs of the deployment within the specified site. Functionality of all nodes of this type and version within the given site will be lost. These nodes will have to be deployed again to restore functionality. |
Deleting state and configuration for a specific node type and version from the CDS with delete-node-type-version
Delete all state and configuration for a given node type and version from the CDS by running the command:
rvtconfig delete-node-type-version -c <cds-mgmt-addresses> -d <deployment-id> --site-id <site-id> --node-type <node type>
(--vm-version-source [this-vm | this-rvtconfig | sdf-version -i ~/yamls] | --vm-version <vm_version>) (--ssh-key SSH_KEY | --ssh-key-secret-id SSH_KEY_SECRET_ID) [-y]
The argument -i ~/yamls is only needed if sdf-version is used. |
Only use this after deleting all VMs of this node type and version within the specified site. Functionality of all nodes of this type and version within the given site will be lost. These nodes will have to be deployed again to restore functionality. |
Deleting all state and configuration for a specific node type from the CDS with delete-node-type-all-versions
Delete all state and configuration for a given node type from the CDS by running the command:
rvtconfig delete-node-type-all-versions -c <cds-mgmt-addresses> -d <deployment-id> --site-id <site-id>
--node-type <node type> (--ssh-key SSH_KEY | --ssh-key-secret-id SSH_KEY_SECRET_ID) [--delete-certificates] [-y]
Only use this after deleting all VMs of this node type within the specified site. Functionality of all nodes of this type within the given site will be lost. These nodes will have to be deployed again to restore functionality. |
The --delete-certificates option should only be used when advised by a Customer Care Representative. |
Deleting historical state and configuration for a given node type from the CDS with delete-node-type-retain-version
Remove all state and configuration relating to a versions of the node type other than the specified version from CDS by running the command:
rvtconfig delete-node-type-retain-version -c <cds-mgmt-addresses> -d <deployment-id> --site-id <site-id> --node-type <node-type>
(--vm-version-source [this-vm | this-rvtconfig | sdf-version -i ~/yamls] | --vm-version <vm_version>) (--ssh-key SSH_KEY | --ssh-key-secret-id SSH_KEY_SECRET_ID) [-y]
The argument -i ~/yamls is only needed if sdf-version is used. |
The version specified in this command must be the only running VM version for this node type. i.e. do not use during an upgrade or rollback when multiple versions of the same node type may be running. All state and configuration relating to other versions will be deleted from CDS. |
Removing unused Rhino-generated keyspaces
Following an upgrade or rollback, you may wish to clean up keyspaces in the Cassandra ramdisk database from version(s) that are no longer in use. This conserves memory and disk space.
To clean up unused keyspaces, use the following command:
rvtconfig remove-unused-keyspaces -c <cds-mgmt-addresses> -d <deployment-id> -g <group-id> [-y]
Group ID syntax: RVT-<node type>.<site ID> Example: RVT-tsn.DC1 Here, <node type> can be rem . |
Confirm that the active VM versions that the command identifies are correct. rvtconfig
removes keyspaces relating to all other versions from Cassandra.
Listing configurations available in the CDS with list-config
List all currently available configurations in the CDS by running the command:
rvtconfig list-config -c <cds-mgmt-addresses> -d <deployment-id>
This command will print a short summary of the configurations uploaded, the VM version they are uploaded for, and which VMs are commissioned in that version.
Retrieving configuration from the CDS with dump-config
Retrieve the VM group configuration from the CDS by running the command:
rvtconfig dump-config -c <cds-mgmt-addresses> -d <deployment-id> --group-id <group-id>
(--vm-version-source [this-vm | this-rvtconfig | sdf-version -i ~/yamls -t <node type>] | --vm-version <vm_version>)
[--output-dir <output-dir>]
Group ID syntax: RVT-<node type>.<site ID> Example: RVT-tsn.DC1 Here, <node type> can be rem . |
If the optional --output-dir <directory>
argument is specified, then the configuration will be dumped as individual files in the given directory. The directory can be expressed as either an absolute or relative path. It will be created if it doesn’t exist.
If the --output-dir
argument is omitted, then the configuration is printed to the terminal.
The arguments -i ~/yamls and -t <node type> are only needed if sdf-version is used. |
Displaying the current leader seed with print-leader-seed
Display the current leader seed by running the command:
rvtconfig print-leader-seed -c <cds-mgmt-addresses> -d <deployment-id> --group-id <group-id>
(--vm-version-source [this-vm | this-rvtconfig | sdf-version -i ~/yamls -t <node type>] | --vm-version <vm_version>)
Group ID syntax: RVT-<node type>.<site ID> Example: RVT-tsn.DC1 Here, <node type> can be rem . |
The command will display the current leader seed for the specified deployment, group, and VM version. A leader seed may not always exist, in which case the output will include No leader seed found
. Conditions where a leader seed may not exist include:
-
No deployment exists with the specified deployment, group, and VM version.
-
A deployment exists, but initconf has not yet initialized.
-
A deployment exists, but the previous leader seed has quiesced and a new leader seed has not yet been selected.
The arguments -i ~/yamls and -t <node type> are only needed if sdf-version is used. |
Generating a secrets-private-key
for Encrypting Secrets with generate-private-key
Some configuration, for example Rhino or REM users' passwords, are configured in plaintext, but stored encrypted in CDS for security. rvtconfig
automatically performs this encryption using a secrets private key
which you configure in the SDF. This key must be a Fernet key, in Base64 format. Use the following rvtconfig
command to generate a suitable secrets private key:
rvtconfig generate-private-key
Add the generated secrets private key to your secrets input file when adding secrets to QSG.
Maintenance window support
The rvtconfig enter-maintenance-window
and rvtconfig leave-maintenance-window
commands allow you to pause and resume scheduled tasks (Rhino restarts, SBB/activity cleanup, and Cassandra repair) on the VMs for a period of time. This is useful to avoid the scheduled tasks interfering with maintenance window activities, such as patching a VM or making substantial configuration changes.
To start a maintenance window, use
rvtconfig enter-maintenance-window -c <cds-mgmt-addresses> -d <deployment-id> -S <site-id> [--hours <hours>]
-
The <site-id> is in the form
DC1
toDC32
. It can be found in the SDF. -
The number of hours defaults to 6 if not specified, and must be between 1 and 24 hours.
Once started, the maintenance window can be extended by running the same command again (but not shortened). rvtconfig
will display the end time of the maintenance window in the command output. Until this time, all scheduled tasks on all VMs in the specified site will not be run.
Any scheduled tasks which are in progress at the time the maintenance window is started will continue until they are finished. If the maintenance window is starting around the time of a scheduled task as configured in the YAML files, it is advisable to manually check that the task is complete before starting maintenance (or run the |
When the maintenance window is complete, use the following command:
rvtconfig leave-maintenance-window -c <cds-mgmt-addresses> -d <deployment-id> -S <site-id>
Scheduled tasks will now resume as per their configured schedules.
To check whether or not a maintenance window is currently active, use the following command:
rvtconfig maintenance-window-status -c <cds-mgmt-addresses> -d <deployment-id> -S <site-id>
Calculating the required length of a maintenance window with calculate-maintenance-window
The rvtconfig calculate-maintenance-window
commands allows you to estimate how long an upgrade or rollback is expected to take, so that an adequate maintenance window can be scheduled.
To calculate the recommended maintenance window duration, use
rvtconfig calculate-maintenance-window -i ~/yamls -t <node type> -s <site-id> [--index-range <index range>]
-
The <site-id> is in the form
DC1
toDC32
. It can be found in the SDF. -
If
--index-range
is not specified, a maintenance window for upgrading all VMs will be calculated. If only some VMs are to be upgraded, specify the--index-range
argument exactly as it will be specified for thecsar update
command to be used to upgrade the subset of VMs. For example, if only nodes with indices 0, 3, 4 and 5 are to be upgraded, the argument is--index-range 0,3-5
.
Retrieving VM logs with export-log-history
During upgrade, when a downlevel VM is removed, it uploads Initconf and Rhino logs to the CDS. The log files are stored as encrypted data in the CDS.
Only the portions of the logs written during quiesce are stored. |
Retrieve the VM logs for a deployment from the CDS by running the command:
rvtconfig export-log-history -c <cds-mgmt-addresses> -d <deployment-id> --zip-destination-dir <directory>
--secrets-private-key-id <secrets-private-key-id>
The --secrets-private-key-id must match the ID used in the SDF (secrets-private-key-id ). |
The Initconf and Rhino logs are exported in unencrypted zip files. The zip file names will consist of VM hostname, version, and type of log. |
Viewing the values associated with the special sdf-version
, this-vm
, and this-rvtconfig
versions with describe-versions
Some commands, upload-config
for example, can be used with the special version values sdf-version
, this-vm
, and this-rvtconfig
.
-
Calling
sdf-version
extracts the version from the value given in the SDF for a given node. -
The
this-vm
option takes the version of the VM the command is being run from. This can only be used when the commands are run on a node VM. -
Using
this-rvtconfig
extracts the version from the rvtconfig found in the directory the command is being run from. This can only be used on a SIMPL VM.
To view the real version strings associated with each of these special values:
rvtconfig describe-versions [-i ~/yamls]
Optional argument -i ~/yamls
is required for the sdf-version
value to be given. If it is called, the sdf-version
will be found for each node type in the SDF. If a node type is expected but not printed this may be because the config yaml files for that node are invalid or not present in the ~/yamls
directory.
If a special version value cannot be found, for example if this-vm
is run on a SIMPL VM or the optional argument is not called, the describe-versions
command will print N/A
for that special version.
Reporting group status, to help guide VM recovery
This command reports the status of each node in the given group, providing information to help inform which approach to take when recovering VMs.
It connects to each of the VMs in the group via SSH, as well as querying the CDS service. It then prints a detailed summary of status information for each VM, as well as a high level summary of the status of the group.
It does not log its output to a file. When using this command to aid in recovery operations, it’s good practice to redirect its output to a file locally on disk, which can then be used as part of any root cause analysis efforts afterwards.
On the SIMPL VM, run the command as follows, under the resources dir of the unpacked CSAR:
./rvtconfig report-group-status -c <cds-mgmt-addresses> -d <deployment-id> \
--g <group-id> --ssh-key-secret-id <simpl-private-key-id>
Group ID syntax: RVT-<node type>.<site ID> Example: RVT-tsn.DC1 Here, <node type> can be rem . |
Gathering diagnostics and initconf
log files
It is possible to obtain diagnostic files from RVT nodes with the command rvtconfig gather-diags
. These diagnostic files include system files and solution configuration files, are packaged as a tar.gz
file and deposited in the given output directory. Depending on the node type there will be different kinds of solution configuration files. These files can be crucial to troubleshoot problems on the VMs.
./rvtconfig gather-diags --sdf <SDF File> -t <node type> --ssh-key-secret-id <SSH key secret ID> --ssh-username sentinel --output-dir <output-directory>
If you need to quickly check the initconf.log
file from a certain VM or VMs, it is possible to do it with the command rvtconfig initconf-log
. This command executes a tail on the initconf.log
file of the specified VM or VMs and dumps it to the standard output.
rvtconfig initconf-log --ssh-key-secret-id <SSH key secret ID> --ssh-username sentinel --ip-addresses <Space separated VM IP address list> --tail <num lines>
Operate the TSN Cassandra Database
From RVT 4.1-3-1.0.0, the TSN nodes can be deployed with Cassandra version {cassandra-version-three} or {cassandra-version-four}. Both Cassandra versions are installed in the VM Image, but only one is active. The commands rvtconfig cassandra-upgrade
and rvtconfig cassandra-upgrade-sstables
allow you to perform a Cassandra upgrade from {cassandra-version-three} to {cassandra-version-four} on a running TSN VM 4.1-3-1.0.0 or higher. These two commands must only be run if the target TSNs are running Cassandra {cassandra-version-three}.
To upgrade a single TSN node from {cassandra-version-three} to {cassandra-version-four} you can run ./rvtconfig cassandra-upgrade --ssh-key-secret-id <SSH key secret ID> --ip-addresses <TSN Address>
for every TSN VM, one by one, and not in parallel.
Once all TSN nodes have been upgraded to {cassandra-version-four}, we must perform a sstables
upgrade operation with the following command ./rvtconfig cassandra-upgrade-sstables --ssh-key-secret-id <SSH key secret ID> --ip-addresses <TSN Addresses>
Additionally the command rvtconfig cassandra-status
prints the cassandra database status for the specified CDS IP addresses. Here is a couple of examples:
-
./rvtconfig cassandra-status --ssh-key-secret-id <SSH key secret ID> --ip-addresses <TSN Address 1> <TSN Address 2> …
CDS Backup and Restore operations.
From RVT 4.1-3-1.0.0, the TSNs' CDS database can be backed up and restored. This provides a faster recovery procedure in case TSN upgrades go wrong.
To backup the CDS of a running TSN cluster, run ./rvtconfig backup-cds --sdf /home/admin/uplevel-config/sdf-rvt.yaml --site-id <site ID> --output-dir <backup-cds-bundle-dir> --ssh-key-secret-id <SSH key secret ID> -c <CDS address> <CDS auth args>
To restore the CDS of a running TSN cluster, run ./rvtconfig restore-cds --sdf /home/admin/uplevel-config/sdf-rvt.yaml --site-id <site ID> --snapshot-file <backup-cds-bundle-dir>/tsn_cassandra_backup.tar --ssh-key-secret-id <SSH key secret ID> -c <CDS Address> <CDS auth args>
Only use restore-cds when advised to do so by a Customer Care Representative. |
Control initconf
configuration loop in non-TSN nodes.
During maintenance windows which involve upgrading TSN nodes, the command rvtconfig set-desired-running-state
allows you stop/start the configuration tasks performed by the initconf
that read from the CDS database in all non-TSN VMs. This operation does not stop the non-TSN VMs or the initconf
process within it. But it instructs the initconf
to pause or resume, the configuration tasks, while operating normally under traffic.
To pause initconf
configuration tasks of all non-TSN VMs, run ./rvtconfig set-desired-running-state --sdf /home/admin/uplevel-config/sdf-rvt.yaml --site-id <site ID> --state Stopped
.
To resume initconf
configuration tasks of all non-TSN VMs, run ./rvtconfig set-desired-running-state --sdf /home/admin/uplevel-config/sdf-rvt.yaml --site-id <site ID> --state Started
.
Scheduled tasks
Scheduled tasks on Rhino VM Automation VMs
The Rhino VM Automation VMs run scheduled tasks to perform housekeeping and maintain stability. The following table shows all scheduled tasks present on the Rhino VM Automation VMs:
Scheduled task | Description | Configurable? |
---|---|---|
Restart Rhino |
Runs on all Rhino nodes. Restarts Rhino to avoid issues caused by memory leaks and heap fragmentation in a long-running process. |
Yes (can be disabled), through the |
Configuring scheduled tasks
You can configure the scheduled tasks for any VM by adding appropriate configuration options to the relevant <node type>-vmpool-config.yaml
file. The VM must be of a node type that supports that particular task, and it must be marked as configurable. Refer to the table above for details.
To disable Rhino restarts, omit the scheduled-rhino-restarts
option from the configuration file.
Changes to task schedules take effect immediately. If a task is already in progress at the time of pushing a configuration change, it will complete its current run, and then run according to the new schedule.
For VMs in a group (that is, all VMs of a particular node type), we recommend the following:
-
If a scheduled task is configured on one VM, it is configured on all VMs in the group.
-
The frequency (daily, weekly or monthly) of the schedules is the same for all VMs in the group.
If you upload configuration where the enabled/disabled state and/or frequency varies between VMs in a group, the configuration is still applied, but rvtconfig
will issue warnings and the VMs will raise a corresponding configuration warning alarm.
Restrictions
You cannot schedule two Rhino restarts on any one VM within 30 minutes of each other. (Such configuration would be excessive anyway; outside of exceptional circumstances, you only need to run these tasks at most once per day per VM.)
Additionally, two nodes in a group cannot restart Rhino within 30 minutes of each other. This is to prevent having a period where there are too few Rhino nodes to handle incoming traffic. While Rhino will normally restart in much less than 30 minutes, all traffic does need to drain from the node first, which can take some time.
All the above restrictions are checked by rvtconfig
: configuration that doesn’t satisfy these requirements will not be accepted.
Example schedules for Rhino restarts
Scheduled Rhino restarts are applied per Rhino VM node, so they are defined under each virtual-machine
element. For clarity, the examples below omit various fields that would normally be required.
Daily
For a daily schedule, specify only the time-of-day
field. The format of this field is a 24-hour clock time, which must include any leading zeroes.
virtual-machines:
- vm-id: mag-1
scheduled-rhino-restarts:
time-of-day: 02:00
- vm-id: mag-2
scheduled-rhino-restarts:
time-of-day: 02:30
Weekly
For a weekly schedule, specify a list of pairs of fields, each pair being day-of-week
and time-of-day
. The day-of-week
field takes an English day of the week name with leading capital letter, for example Monday
.
virtual-machines:
- vm-id: shcm-1
scheduled-rhino-restarts:
- day-of-week: Monday
time-of-day: 02:00
- day-of-week: Thursday
time-of-day: 03:00
- vm-id: shcm-2
scheduled-rhino-restarts:
- day-of-week: Tuesday
time-of-day: 02:00
- day-of-week: Friday
time-of-day: 03:00
Monthly
For a monthly schedule, specify a list of pairs of fields, each pair being day-of-month
and time-of-day
. The day-of-month
field takes a number between 1 and 28 (29 to 31 are not included to avoid the task unexpectedly not running in certain months).
virtual-machines:
- vm-id: smo-1
scheduled-rhino-restarts:
- day-of-month: 1
time-of-day: 02:00
- day-of-month: 11
time-of-day: 03:00
- day-of-month: 21
time-of-day: 04:00
- vm-id: smo-2
scheduled-rhino-restarts:
- day-of-month: 6
time-of-day: 02:00
- day-of-month: 16
time-of-day: 03:00
- day-of-month: 26
time-of-day: 04:00
Example schedules for Cassandra repairs
Scheduled Cassandra repairs are executed on the whole TSN cluster, so they are set globally for all the virtual-machines
element. For clarity, the examples below omit various fields that would normally be required.
Daily
For a daily schedule, specify only the time-of-day
field. The format of this field is a 24-hour clock time, which must include any leading zeroes.
virtual-machines:
- vm-id: tsn-1
- vm-id: tsn-2
- vm-id: tsn-3
scheduled-cassandra-repairs:
time-of-day: "16:30"
Weekly
For a weekly schedule, specify a list of pairs of fields, each pair being day-of-week
and time-of-day
. The day-of-week
field takes an English day of the week name with leading capital letter, for example Monday
.
virtual-machines:
- vm-id: tsn-1
- vm-id: tsn-2
- vm-id: tsn-3
scheduled-cassandra-repairs:
- day-of-week: Monday
time-of-day: 02:00
- day-of-week: Thursday
time-of-day: 03:00
Monthly
For a monthly schedule, specify a list of pairs of fields, each pair being day-of-month
and time-of-day
. The day-of-month
field takes a number between 1 and 28 (29 to 31 are not included to avoid the task unexpectedly not running in certain months).
virtual-machines:
- vm-id: tsn-1
- vm-id: tsn-2
- vm-id: tsn-3
scheduled-cassandra-repairs:
- day-of-month: 1
time-of-day: 02:00
- day-of-month: 11
time-of-day: 03:00
- day-of-month: 21
time-of-day: 04:00
Maintenance window support
When performing maintenance activities that involve reconfiguring, restarting or replacing VMs, notably patching or upgrades, use the rvtconfig enter-maintenance-window
command to temporarily disable all scheduled tasks on all VMs in a site. You can disable the scheduled tasks for a given number of hours (1 to 24).
Once the maintenance window is finished, run the rvtconfig leave-maintenance-window
command. Scheduled tasks will then resume running as per the VMs' configuration.
While a maintenance window is active, you can still make configuration changes as normal. Uploading configuration that includes (changes to) schedules won’t reactivate the scheduled tasks. Once the maintenance window ends, the tasks will run according to the most recent configuration. |
Scheduled tasks that are already running at the time you run |
For more details on the enter-maintenance-window
and leave-maintenance-window
commands, see the rvtconfig
page.
Overview and structure of SDF
SDF overview and terminology
A Solution Definition File (SDF) contains information about all Metaswitch products in your deployment. It is a plain-text file in YAML format.
-
The deployment is split into
sites
. Note that multiple sites act as independent deployments, e.g. there is no automatic georedundancy. -
Within each site you define one or more
service groups
of virtual machines. A service group is a collection of virtual machines (nodes) of the same type. -
The collection of all virtual machines of the same type is known as a
VNFC
(Virtual Network Function Component). For example, you may have a SAS VNFC and an MDM VNFC. -
The VMs in a VNFC are also known as
VNFCIs
(Virtual Network Function Component Instances), or justinstances
for short.
Some products may support a VNFC being split into multiple service groups. However, for Rhino VM Automation VMs, all VMs of a particular type must be in a single service group. |
The format of the SDF is common to all Metaswitch products, and in general it is expected that you will have a single SDF containing information about all Metaswitch products in your deployment.
This section describes how to write the parts of the SDF specific to the Rhino VM Automation product. It includes how to configure the MDM and REM VNFCs, how to configure subnets and traffic schemes, and some example SDF files to use as a starting point for writing your SDF.
Further documentation on how to write an SDF is available in the 'Creating an SDF' section of the SIMPL VM Documentation.
For the Rhino VM Automation solution, the SDF must be named sdf-rvt.yaml
when uploading configuration.
Structure of a site
Each site in the SDF has a name
, site-parameters
and vnfcs
.
-
The site
name
can be any unique human-readable name. -
The
site-parameters
has multiple sub-sections and sub-fields. Only some are described here. -
The
vnfcs
is where you list your service groups.
Site parameters
Under site-parameters
, all of the following are required for the Rhino VM Automation product:
-
deployment-id
: The common identifier for a SDF and set of YAML configuration files. It can be any name consisting of up to 20 characters. Valid characters are alphanumeric characters and underscores. -
site-id
: The identifier for this site. Must be in the formDC1
toDC32
. -
fixed-ips
: Must be set totrue
. -
vim-configuration
: VNFI-specific configuration (see below) that describes how to connect to your VNFI and the backing resources for the VMs. -
services:
→ntp-servers
must be a list of NTP servers. At least one NTP server is required; at least two is recommended. These must be specified as IP addresses, not hostnames. -
networking
: Subnet definitions. See Subnets and traffic schemes. -
timezone
: Timezone, in POSIX format such asEurope/London
. -
mdm
: MDM options. See MDM service group.
Structure of a service group
Under the vnfcs
section in each site, you list that site’s service groups. For REM VMs, each service group consists of the following fields:
-
name
: A unique human-readable name for the service group. -
type
: Must be one ofrem
. -
version
: Must be set to the version of the CSAR.The version can be found in the CSAR filename, e.g. if the filename is
rem-4.0.0-12-1.0.0-vsphere-csar.zip
then the version is4.0.0-12-1.0.0
. Alternatively, inside each CSAR is a manifest file with a.mf
extension, whose content lists the version under the keyvnf_package_version
, for examplevnf_package_version: 4.0.0-12-1.0.0
.Specifying the version in the SDF is mandatory for Rhino VM Automation service groups, and strongly recommended for other products in order to disambiguate between CSARs in the case of performing an upgrade.
-
cluster-configuration:
→count
: The number of VMs in this service group. -
cluster-configuration:
→instances
: A list of instances. Each instance has aname
(the VM’s hostname), SSH options, and, on VMware vSphere only, a list ofvnfci-vim-options
(see below). -
networks
: A list of networks used by this service group. See Subnets and traffic schemes. -
vim-configuration
: The VNFI-specific configuration for this service group (see below).
VNFI-specific options
The SDF includes VNFI-specific options at both the site and service group levels. At the site level, you specify how to connect to your VNFI and give the top-level information about the deployment’s backing resources, such as datastore locations on vSphere, or availability zone on OpenStack. At the VNFC level, you can assign the VMs to particular sub-hosts or storage devices (for example vSphere hosts within a vCenter), and specify the flavor of each VM.
For OpenStack, be sure to include the name of the OpenStack release running on the hosts in the the site-level options, like so:
Acceptable values are |
For vSphere, be sure to reserve resources for all VNFCs in production environments to avoid resource overcommitment. You should also set cpu-speed-mhz to the clock speed (in MHz) of your physical CPUs, and enable hyperthreading.
|
Options required for REM VMs
For each service group, include a vim-configuration
section with the flavor information, which varies according to the target VNFI type:
-
VMware vSphere:
vim-configuration:
→vsphere:
→deployment-size: <flavor name>
-
OpenStack:
vim-configuration:
→openstack:
→flavor: <flavor name>
When deploying to VMware vSphere, include a vnfci-vim-options
section for each instance with the following fields set:
-
vnfci-vim-options:
→vsphere:
→folder
May be any valid folder name on the VMware vSphere instance, or""
(i.e. an empty string) if the VMs are not organised into folders. -
vnfci-vim-options:
→vsphere:
→datastore
-
vnfci-vim-options:
→vsphere:
→host
-
vnfci-vim-options:
→vsphere:
→resource-pool-name
For example:
vnfcs:
- name: rem
cluster-configuration:
count: 3
instances:
- name: rem-1
vnfci-vim-options:
folder: production
datastore: datastore1
host: esxi1
resource-pool-name: Resources
- name: rem-2
...
vim-configuration:
vsphere:
deployment-size: medium
For OpenStack, no vnfci-vim-options
section is required.
Secrets in the SDF
Secrets in the SDF
As of SIMPL VM 6.8.0, a major change was made to the way secrets are handled. Secrets are now stored in a secure database on the SIMPL VM known as QSG (Quicksilver Secrets Gateway), to avoid them having to be written in plaintext in the SDF.
Each secret has a secret ID
, which is just a human-readable name. It can be any combination of lowercase letters a-z
, digits 0-9
, and hyphens -
. Each secret must have a unique secret ID. While in earlier SIMPL VM versions the SDF would contain the plaintext value of the secret, the SDF now contains the secret ID in that field (and the field name is slightly modified). See below for a list of secret fields in the SDF.
Secrets come in three types:
-
freeform (a simple string; used for passwords, encryption keys, and the like)
-
key (an SSH private key)
-
certificate (a three-part secret, consisting of a certificate, the key used to sign it, and the issuing CA’s certificate).
To handle secrets, perform the following steps before uploading configuration to CDS and/or deploying the VMs:
-
Create an SDF with secret IDs in the appropriate fields.
-
Upload any keys and certificates to a directory on the SIMPL VM.
-
Use the
csar secrets create-input-file
command to generate an input file for QSG. -
Edit the input file, filling in freeform secret values and specifying the full path to the key and certificate files.
-
Run
csar secrets add
to add the secrets to QSG.
Adding secrets to QSG
To add secrets to QSG, first create a YAML file describing the secrets and their plaintext values. Next, pass the input file to the csar secrets add
command. See the SIMPL VM documentation for instructions on how to create a template file, fill it in, and use csar secrets add
.
When deploying a VM, SIMPL VM reads the values from QSG and passes them as bootstrap parameters. Likewise, when you run rvtconfig upload-config
, rvtconfig
will read secrets from QSG before encrypting them and storing them in CDS.
If you need to update the value of a secret (for example, if the password to the VM host is changed), edit your input file and run csar secrets add
again. Any secrets already existing in QSG will be overwritten with their new values from the file.
Note carefully the following:
|
List of secrets in the SDF
-
In a site’s
vim-options
, any password fields for connecting to the VNFI (VM host) are freeform-type secrets. See the example SDFs. -
The MDM credentials for each site are configured under a certificate-type field named
mdm-certificate-id
. See MDM service group for more information. -
In the
product-options
for each Rhino VM Automation VNFC, the fieldssecrets-private-key-id
,primary-user-password-id
, andcassandra-password-id
are freeform-type secrets. -
For each instance, the SSH key used by SIMPL VM to access the VM for validation tests is a key-type secret. See SSH options for more information.
-
In the
product-options
for each Rhino VM Automation VNFC, the fieldcassandra-encryption-signing-certificate-id
is a certificate-type secret. -
In the
product-options
for the TSN VNFC, the fieldcassandra-encryption-signing-key-password-id
is a freeform-type secret.
MDM service group
MDM site-level configuration
In the site-parameters
, include the MDM credentials that you generated when installing MDM, in the form of a single certificate-type secret. The field name is mdm-certificate-id
.
The secret must have all three parameters included: CA certificate, static certificate, and static private key.
In addition, to access MDM, add one or more public keys from the SSH key pair(s) to the ssh
section of each MDM instance.
MDM service group
Define one service group containing details of all the MDM VMs.
Networks for the MDM service group
MDM requires two traffic types: management
and signaling
, which must be on separate subnets.
MDM v3.0 or later only requires the management traffic type. Refer to the {mdm-v3-page-prefix}/MDMIPND.html[MDM Overview Guide] for further information. |
Each MDM instance needs one IP address on each subnet. The management
subnet does not necessarily have to be the same as the management subnet that the REM VMs are assigned to, but the network firewalling and topology does need to allow for communication between the REM VMs' management addresses and the MDM instances' management addresses, and as such it is simplest to use the same subnet as a matter of practicality.
Product options for the MDM service group
For MDM product options, you must include the consul token and custom topology data.
-
The consul token is an arbitrary, unique string of up to 40 characters (for example, a UUID). Generate it once during MDM installation.
If you are using MDM version 3.0.1 or later, you must specify the consul token as a freeform-type secret. Add it to QSG along with the credentials (certificates and key). In the example snippet of the SDF below, replace the field |
-
The custom topology data is a JSON blob describing which VNFCs in the deployment communicate with which other VNFCs through MDM. See the example below. You need to add an entry for group name
DNS
with no neighbours, and one for each node type in the deployment with the neighbourSAS-DATA
. The VMs will be unable to communicate with MDM if the topology is not configured as described.
The |
Use YAML’s |-
block-scalar style for the JSON blob, which will keep all newlines except the final one. Overall, the product options should look like this:
vnfcs:
...
- name: mdm
product-options:
mdm:
consul-token: 01234567-abcd-efab-cdef-0123456789ab
custom-topology: |-
{
"member_groups": [
{
"group_name": "DNS",
"neighbors": []
},
{
"group_name": "RVT-rem.<site_id>",
"neighbors": ["SAS-DATA"]
}
]
}
REM service groups
REM service groups
Note that whilst SDFs include all VNFCs in the deployment, this section only covers the Rhino VM Automation VMs (REM). |
Define one service group for each REM node type (rem
).
SSH configuration
SIMPL VM SSH private key
For validation tests (csar validate
) to succeed, you must also add a secret ID of an SSH key that SIMPL VM can use to access the VM, under the field private-key-id
within the SSH section. It is not necessary to also add the public half of this key to the authorized-keys
list; rvtconfig
will ensure the VM is configured with the public key.
The SSH key must be in PEM format; it must not be an OpenSSH formatted key (the default format of keys created by ssh-keygen
). You can create a PEM formatted SSH key pair using the command ssh-keygen -b 4096 -m PEM
.
To minimize the risk of this key being compromised, we recommend making the SIMPL VM create this key for you. See Auto-creating SSH keys in the SIMPL VM Documentation for instructions on how to do this. |
Product options for REM service groups
The following is a list of REM-specific product options in the SDF. All listed product options must be included in a product-options:
→ <node type>
section, for example:
product-options:
rem:
cds-addresses:
- 1.2.3.4
etc.
-
cds-addresses
: Required by all node types. This element lists all the CDS addresses. Must be set to all the signaling IPs of the CDS nodes. -
secrets-private-key-id
: Required by all node types. A secret ID referencing an encryption key to encrypt/decrypt passwords generated for configuration. Thervtconfig
tool should be used to generate this key. More details can be found in the rvtconfig page. The same key must be used for all VMs in a deployment.
Subnets and traffic schemes
The SDF defines subnets. Each subnet corresponds to a virtual NIC on the VMs, which in turn maps to a physical NIC on the VNFI. The mapping from subnets to VMs' vNICs is one-to-one, but the mapping from vNICs to physical NICs can be many-to-one.
A traffic scheme is a mapping of traffic types (such as management or SIP traffic) to these subnets. The list of traffic types required by each VM, and the possible traffic schemes, can be found in Traffic types and traffic schemes.
Defining subnets
Networks are defined in the site-parameters:
→ networking:
→ subnets
section. For each subnet, define the following parameters:
-
cidr
: The subnet mask in CIDR notation, for example172.16.0.0/24
. All IP addresses assigned to the VMs must be congruent with the subnet mask. -
default-gateway
: The default gateway IP address. Must be congruent with the subnet mask. -
identifier
: A unique identifier for the subnet, for examplemanagement
. This identifier is used when assigning traffic types to the subnet (see below). -
vim-network
: The name of the corresponding VNFI physical network, as configured on the VNFI.
The subnet that is to carry management traffic must include a dns-servers
option, which specifies a list of DNS server IP addresses. Said DNS server addresses must be reachable from the management subnet.
Physical network requirements
Each physical network attached to the VNFI must be at least 100Mb/s Ethernet (1Gb/s or better is preferred).
As a security measure, we recommend that you set up network firewalls to prevent traffic flowing between subnets. Note however that the VMs' software will send traffic over a particular subnet only when the subnet includes the traffic’s destination IP address; if the destination IP address is not on any of the VM’s subnets, it will use the management subnet as a default route.
If configuring routing rules for every destination is not possible, then an acceptable, but less secure, workaround is to firewall all interfaces except the management interface.
Allocating IP addresses and traffic types
Within each service group, define a networks
section, which is a list of subnets on which the VMs in the service group will be assigned addresses. Define the following fields for each subnet:
-
name
: A human-readable name for the subnet. -
subnet
: The subnetidentifier
of a subnet defined in thesite-parameters
section as described above. -
ip-addresses:
-
ip
: A list of IP addresses, in the same order as theinstances
that will be assigned those IP addresses. Note that while, in general, the SDF supports various formats for specifying IP addresses, for REM VMs theip
list form must be used.
-
-
traffic-types
: A list of traffic types to be carried on this subnet.
Examples
Example 1
The following example shows a partial service group definition, describing three VMs with IPs allocated on two subnets - one for management traffic, and one for SIP and internal signaling traffic.
The order of the IP addresses on each subnet matches the order of the instances, so the first VM (vm01
) will be assigned IP addresses 172.16.0.11
for management
traffic and 172.18.0.11
for sip
and internal
traffic, the next VM (vm02
) is assigned 172.16.0.12
and 172.18.0.12
, and so on.
Ensure that each VM in the service group has an IP address - i.e. each list of IP addresses must have the same number of elements as there are VM instances.
vnfcs:
- name: rem
cluster-configuration:
count: 3
instances:
- name: vm01
- name: vm02
- name: vm03
networks:
- name: Management network
ip-addresses:
ip:
- 172.16.0.11
- 172.16.0.12
- 172.16.0.13
subnet: management-subnet
traffic-types:
- management
- name: Core Signaling network
ip-addresses:
ip:
- 172.18.0.11
- 172.18.0.12
- 172.18.0.13
subnet: core-signaling-subnet
traffic-types:
- sip
- internal
...
Example 2
The order of the IP addresses on each subnet matches the order of the instances, so the first VM (vm01
) will be assigned IP addresses 172.16.0.11
for management
traffic, 172.17.0.11
for cluster
traffic etc.; the next VM (vm02
) will be assigned 172.16.0.12
, 172.17.0.12
etc; and so on. Ensure that each VM in the service group has an IP address - i.e. each list of IP addresses must have the same number of elements as there are VM instances.
vnfcs:
- name: rem
cluster-configuration:
count: 3
instances:
- name: vm01
- name: vm02
- name: vm03
networks:
- name: Management network
ip-addresses:
ip:
- 172.16.0.11
- 172.16.0.12
- 172.16.0.13
subnet: management-subnet
traffic-types:
- management
- name: Cluster
ip-addresses:
ip:
- 172.17.0.11
- 172.17.0.12
- 172.17.0.13
subnet: cluster
traffic-types:
- cluster
- name: Core Signaling network
ip-addresses:
ip:
- 172.18.0.11
- 172.18.0.12
- 172.18.0.13
subnet: core-signaling-subnet
traffic-types:
- diameter
- internal
...
Traffic type assignment restrictions
For all REM service groups in the SDF, where two or more service groups use a particular traffic type, this traffic type must be assigned to the same subnet throughout. For example, it is not permitted to use one subnet for management traffic on the REM VMs and a different subnet for management traffic on another VM type.
traffic types must each be assigned to a different subnet.
Traffic types and traffic schemes
About traffic types, network interfaces and traffic schemes
A traffic type is a particular classification of network traffic. It may include more than one protocol, but generally all traffic of a particular traffic type serves exactly one purpose, such as Diameter signaling or VM management.
A network interface is a virtual NIC (vNIC) on the VM. These are mapped to physical NICs on the host, normally one vNIC to one physical NIC, but sometimes many vNICs to one physical NIC.
A traffic scheme is an assignment of each of the traffic types that a VM uses to one of the VM’s network interfaces. For example:
-
First interface: Management
-
Second interface: Cluster
-
Third interface: Diameter signaling and Internal signaling
-
Fourth interface: SS7 signaling
Applicable traffic types
Traffic type | Name in SDF | Description |
---|---|---|
Management |
management |
Used by Administrators for managing the node. |
Internal signaling |
internal |
Used for signaling traffic between a site’s Rhino VM Automation nodes. |
Defining a traffic scheme
Traffic schemes are defined in the SDF. Specifically, within the vnfcs
section of the SDF there is a VNFC entry for each node type, and each VNFC has a networks
section. Within each network interface defined in the networks
section of the VNFC, there is a list named traffic_types
, where you list the traffic type(s) (use the Name in SDF
from the table above) that are assigned to that network interface.
Traffic type names use lowercase letters and underscores only. Specify traffic types as a YAML list, not a comma-separated list. For example:
|
When defining the traffic scheme in the SDF, for each node type (VNFC), be sure to include only the relevant traffic types for that VNFC. If an interface in your chosen traffic scheme has no traffic types applicable to a particular VNFC, then do not specify the corresponding network in that VNFC.
Currently only one traffic scheme is supported for REM nodes.
Traffic scheme description | First interface | Second interface |
---|---|---|
Standard traffic scheme |
- management |
- internal |
|
Example SDF for VMware vSphere
---
msw-deployment:deployment:
sites:
- name: my-site-1
site-parameters:
deployment-id: example
fixed-ips: true
mdm-certificate-id: my-mdm-certificate
networking:
subnets:
- cidr: 172.16.0.0/24
default-gateway: 172.16.0.1
dns-servers:
- 2.3.4.5
- 3.4.5.6
identifier: management
vim-network: management-network
- cidr: 173.16.0.0/24
default-gateway: 173.16.0.1
identifier: core-signaling
vim-network: core-signaling-network
services:
ntp-servers:
- 1.2.3.4
- 1.2.3.5
site-id: DC1
timezone: Europe/London
vim-configuration:
vsphere:
connection:
allow-insecure: true
password-id: password-secret-id
server: 172.1.1.1
username: VSPHERE.LOCAL\vsphere
cpu-speed-mhz: 2900
datacenter: Automation
folder: ''
hyperthreading: true
reserve-resources: true
resource-pool-name: Resources
vnfcs:
- cluster-configuration:
count: 3
instances:
- name: example-mdm-1
ssh:
authorized-keys:
- ssh-rsa XXXXXXXXXXXXXXXXXXXX
private-key-id: my-private-key
vnfci-vim-options:
datastore: data:storage1
host: esxi.hostname
resource-pool-name: Resources
- name: example-mdm-2
ssh:
authorized-keys:
- ssh-rsa XXXXXXXXXXXXXXXXXXXX
private-key-id: my-private-key
vnfci-vim-options:
datastore: data:storage1
host: esxi.hostname
resource-pool-name: Resources
- name: example-mdm-3
ssh:
authorized-keys:
- ssh-rsa XXXXXXXXXXXXXXXXXXXX
private-key-id: my-private-key
vnfci-vim-options:
datastore: data:storage1
host: esxi.hostname
resource-pool-name: Resources
name: mdm
networks:
- ip-addresses:
ip:
- 172.16.0.135
- 172.16.0.136
- 172.16.0.137
name: Management
subnet: management
traffic-types:
- management
- ip-addresses:
ip:
- 173.16.0.135
- 173.16.0.136
- 173.16.0.137
name: Core Signaling
subnet: core-signaling
traffic-types:
- signaling
product-options:
mdm:
consul-token: ABCdEfgHIJkLmNOp-MS-MDM
custom-topology: |-
{
"member_groups": [
{
"group_name": "DNS",
"neighbors": []
},
{
"group_name": "RVT-rem.DC1",
"neighbors": [
"SAS-DATA"
]
}
]
}
type: mdm
version: 2.31.0
vim-configuration:
vsphere:
deployment-size: medium
- cluster-configuration:
count: 1
instances:
- name: example-rem-1
ssh:
authorized-keys:
- ssh-rsa XXXXXXXXXXXXXXXXXXXX
private-key-id: my-private-key
vnfci-vim-options:
datastore: data:storage1
host: esxi.hostname
resource-pool-name: Resources
name: rem
networks:
- ip-addresses:
ip:
- 172.16.0.10
name: Management
subnet: management
traffic-types:
- management
- ip-addresses:
ip:
- 173.16.0.10
name: Core Signaling
subnet: core-signaling
traffic-types:
- internal
product-options:
rem:
cds-addresses:
- 1.2.3.4
low-privilege-ssh-authorized-keys:
- ssh-rsa YYYYYYYYYYYYYYYYYYYY
primary-user-password-id: my-password-secret-id
secrets-private-key-id: my-secrets-private-key-secret-id
type: rem
version: 4.0.0-99-1.0.0
vim-configuration:
vsphere:
deployment-size: medium
Example SDF for OpenStack
---
msw-deployment:deployment:
sites:
- name: my-site-1
site-parameters:
deployment-id: example
fixed-ips: true
mdm-certificate-id: my-mdm-certificate
networking:
subnets:
- cidr: 172.16.0.0/24
default-gateway: 172.16.0.1
dns-servers:
- 2.3.4.5
- 3.4.5.6
identifier: management
vim-network: management-network
- cidr: 173.16.0.0/24
default-gateway: 173.16.0.1
identifier: core-signaling
vim-network: core-signaling-network
services:
ntp-servers:
- 1.2.3.4
- 1.2.3.5
site-id: DC1
ssh:
keypair-name: key-pair
timezone: Europe/London
vim-configuration:
openstack:
availability-zone: nonperf
connection:
auth-url: http://my-openstack-server:5000/v3
keystone-v3:
project-id: 0102030405060708090a0b0c0d0e0f10
user-domain-name: Default
password-id: openstack-password-secret-id
username: openstack-user
vnfcs:
- cluster-configuration:
count: 3
instances:
- name: example-mdm-1
ssh:
authorized-keys:
- ssh-rsa XXXXXXXXXXXXXXXXXXXX
private-key-id: my-private-key
- name: example-mdm-2
ssh:
authorized-keys:
- ssh-rsa XXXXXXXXXXXXXXXXXXXX
private-key-id: my-private-key
- name: example-mdm-3
ssh:
authorized-keys:
- ssh-rsa XXXXXXXXXXXXXXXXXXXX
private-key-id: my-private-key
name: mdm
networks:
- ip-addresses:
ip:
- 172.16.0.135
- 172.16.0.136
- 172.16.0.137
name: Management
subnet: management
traffic-types:
- management
- ip-addresses:
ip:
- 173.16.0.135
- 173.16.0.136
- 173.16.0.137
name: Core Signaling
subnet: core-signaling
traffic-types:
- signaling
product-options:
mdm:
consul-token: ABCdEfgHIJkLmNOp-MS-MDM
custom-topology: |-
{
"member_groups": [
{
"group_name": "DNS",
"neighbors": []
},
{
"group_name": "RVT-rem.DC1",
"neighbors": [
"SAS-DATA"
]
}
]
}
type: mdm
version: 2.31.0
vim-configuration:
openstack:
flavor: medium
- cluster-configuration:
count: 1
instances:
- name: example-rem-1
ssh:
authorized-keys:
- ssh-rsa XXXXXXXXXXXXXXXXXXXX
private-key-id: my-private-key
name: rem
networks:
- ip-addresses:
ip:
- 172.16.0.10
name: Management
subnet: management
traffic-types:
- management
- ip-addresses:
ip:
- 173.16.0.10
name: Core Signaling
subnet: core-signaling
traffic-types:
- internal
product-options:
rem:
cds-addresses:
- 1.2.3.4
low-privilege-ssh-authorized-keys:
- ssh-rsa YYYYYYYYYYYYYYYYYYYY
primary-user-password-id: my-password-secret-id
secrets-private-key-id: my-secrets-private-key-secret-id
type: rem
version: 4.0.0-99-1.0.0
vim-configuration:
openstack:
flavor: medium
Example SDF for VMware vCloud
---
msw-deployment:deployment:
sites:
- name: my-site-1
site-parameters:
deployment-id: example
fixed-ips: true
mdm-certificate-id: my-mdm-certificate
networking:
subnets:
- cidr: 172.16.0.0/24
default-gateway: 172.16.0.1
dns-servers:
- 2.3.4.5
- 3.4.5.6
identifier: management
vim-network: management-network
- cidr: 173.16.0.0/24
default-gateway: 173.16.0.1
identifier: core-signaling
vim-network: core-signaling-network
services:
ntp-servers:
- 1.2.3.4
- 1.2.3.5
site-id: DC1
timezone: Europe/London
vim-configuration:
vcloud:
catalog: mycatalog
connection:
allow-insecure: true
password-id: password-secret-id
sysadmin-privileges: true
url: https://vcloud-server
username: admin
org: MyOrg
vdc: My VDC
vnfcs:
- cluster-configuration:
count: 3
instances:
- name: example-mdm-1
ssh:
authorized-keys:
- ssh-rsa XXXXXXXXXXXXXXXXXXXX
private-key-id: my-private-key
- name: example-mdm-2
ssh:
authorized-keys:
- ssh-rsa XXXXXXXXXXXXXXXXXXXX
private-key-id: my-private-key
- name: example-mdm-3
ssh:
authorized-keys:
- ssh-rsa XXXXXXXXXXXXXXXXXXXX
private-key-id: my-private-key
name: mdm
networks:
- ip-addresses:
ip:
- 172.16.0.135
- 172.16.0.136
- 172.16.0.137
name: Management
subnet: management
traffic-types:
- management
- ip-addresses:
ip:
- 173.16.0.135
- 173.16.0.136
- 173.16.0.137
name: Core Signaling
subnet: core-signaling
traffic-types:
- signaling
product-options:
mdm:
consul-token: ABCdEfgHIJkLmNOp-MS-MDM
custom-topology: |-
{
"member_groups": [
{
"group_name": "DNS",
"neighbors": []
},
{
"group_name": "RVT-rem.DC1",
"neighbors": [
"SAS-DATA"
]
}
]
}
type: mdm
version: 2.31.0
vim-configuration:
vcloud:
deployment-size: medium
- cluster-configuration:
count: 1
instances:
- name: example-rem-1
ssh:
authorized-keys:
- ssh-rsa XXXXXXXXXXXXXXXXXXXX
private-key-id: my-private-key
name: rem
networks:
- ip-addresses:
ip:
- 172.16.0.10
name: Management
subnet: management
traffic-types:
- management
- ip-addresses:
ip:
- 173.16.0.10
name: Core Signaling
subnet: core-signaling
traffic-types:
- internal
product-options:
rem:
cds-addresses:
- 1.2.3.4
low-privilege-ssh-authorized-keys:
- ssh-rsa YYYYYYYYYYYYYYYYYYYY
primary-user-password-id: my-password-secret-id
secrets-private-key-id: my-secrets-private-key-secret-id
type: rem
version: 4.0.0-99-1.0.0
vim-configuration:
vcloud:
deployment-size: medium
Bootstrap parameters
Bootstrap parameters are provided to the VM when the VM is created. They are used by the bootstrap process to configure various settings in the VM’s operating system.
On VMware vSphere, the bootstrap parameters are provided as vApp parameters. On OpenStack, the bootstrap parameters are provided as userdata in YAML format.
Configuration of bootstrap parameters is handled automatically by the SIMPL VM. This page is only relevant if you are deploying VMs manually or using an orchestrator other than the SIMPL VM, in consultation with your Metaswitch Customer Care Representative.
List of bootstrap parameters
Property | Description | Format and Example |
---|---|---|
|
Required. The hostname of the server. |
A string consisting of letters A-Z, a-z, digits 0-9, and hyphens (-). Maximum length is 27 characters. Example: |
|
Required. List of DNS servers. |
For VMware vSphere, a comma-separated list of IPv4 addresses. For OpenStack, a list of IPv4 addresses. Example: |
|
Required. List of NTP servers. |
For VMware vSphere, a comma-separated list of IPv4 addresses or FQDNs. For OpenStack, a list of IPv4 addresses or FQDNs. Example: |
|
Optional. The system time zone in POSIX format. Defaults to UTC. |
Example: |
|
Required. The list of signaling addresses of Config Data Store (CDS) servers which will provide configuration for the cluster. CDS is provided by the TSN nodes. Refer to the Configuration section of the documentation for more information. |
For VMware vSphere, a comma-separated list of IPv4 addresses. For OpenStack, a list of IPv4 addresses. Example: |
|
Required. This is only for TSN VMs. The IP address of the leader node of the CDS cluster. This should only be set in the "node heal" case, not when doing the initial deployment of a cluster. |
A single IPv4 address. Example: |
|
Required. The username for Cassandra authentication for CDS and the Ramdisk Cassandra on TSN nodes. This should only be set if Cassandra authentication is desired. |
a string. Example: |
|
Required. The password for Cassandra authentication for CDS and the Ramdisk Cassandra on TSN nodes. This should only be set if Cassandra authentication is desired. |
a string that’s at least 8 characters long. Example: |
|
Required. The password for the nodetool CLI, which is used for managing a Cassandra cluster. |
a string that’s at least 8 characters long. Example: |
|
Required. An identifier for this deployment. A deployment consists of one or more sites, each of which consists of several clusters of nodes. |
A string consisting of letters A-Z, a-z, digits 0-9, and hyphens (-). Maximum length is 15 characters. Example: |
|
Required. A unique identifier (within the deployment) for this site. |
A string of the form |
|
Required only when there are multiple clusters of the same type in the same site. A suffix to distinguish between clusters of the same node type within a particular site. For example, when deploying the MaX product, a second TSN cluster may be required. |
A string consisting of letters A-Z, a-z, and digits 0-9. Maximum length is 8 characters. Example: |
|
Optional. A list of SSH public keys. Machines configured with the corresponding private key will be allowed to access the node over SSH as the |
For VMware vSphere, a comma-separated list of SSH public key strings, including the For OpenStack, a list of SSH public key strings. Example: |
|
Optional. A list of SSH public keys. Machines configured with the corresponding private key will be allowed to access the node over SSH as the low-privilege user. Supply only the public keys, never the private keys. |
For VMware vSphere, a comma-separated list of SSH public key strings, including the For OpenStack, a list of SSH public key strings. Example: |
|
Optional. An identifier for the VM to use when communicating with MDM, provided by the orchestrator. Required if this is an MDM-managed deployment. We strongly recommend using the same format as SIMPL VM, namely |
Free form string Example: |
|
Optional. The list of management addresses of Metaswitch Deployment Manager(MDM) servers which will manage this cluster. Supply this only for an MDM-managed deployment. |
For VMware vSphere, a comma-separated list of IPv4 addresses. For OpenStack, a list of IPv4 addresses. Example: |
|
Optional. The static certificate for connecting to MDM. Supply this only for an MDM-managed deployment. |
The static certificate as a string. Newlines should be represented as "\n", i.e. a literal backslash followed by the letter "n". Example: |
|
Optional. The CA certificate for connecting to MDM. Supply this only for an MDM-managed deployment. |
The CA certificate as a string. Newlines should be represented as "\n", i.e. a literal backslash followed by the letter "n". Example: |
|
Optional. The private key for connecting to MDM. Supply this only for an MDM-managed deployment. |
The private key as a string Newlines should be represented as "\n", i.e. a literal backslash followed by the letter "n". Example: |
|
Required. The private Fernet key used to encrypt and decrypt secrets used by this deployment. A Fernet key may be generated for the deployment using the |
The private key as a string Example: |
|
Required. The primary user’s password. The primary user is the |
The password as a string. Minimum length is 8 characters. Be sure to quote it if it contains special characters. Example: |
|
Required. The IP address information for the VM. |
An encoded string. Example: |
The ip_info
parameter
For all network interfaces on a VM, the assigned traffic types, MAC address (OpenStack only), IP address, subnet mask, are encoded in a single parameter called ip_info
. Refer to Traffic types and traffic schemes for a list of traffic types found on each VM and how to assign them to network interfaces.
The names of the traffic types as used in the ip_info
parameter are:
Traffic type | Name used in ip_info |
---|---|
Management |
management |
Internal signaling |
internal |
Constructing the ip_info
parameter
-
Choose a traffic scheme.
-
For each interface in the traffic scheme which has traffic types relevant to your VM, note down the values of the parameters for that interface: traffic types, MAC address, IP address, subnet mask, and default gateway address.
-
Construct a string for each parameter using these prefixes:
Parameter Prefix Format Traffic types
t=
A comma-separated list (without spaces) of the names given above.
Example:t=diameter,sip,internal
MAC address
m=
Six pairs of hexadecimal digits, separated by colons. Case is unimportant.
Example:m=01:23:45:67:89:AB
IP address
i=
IPv4 address in dotted-decimal notation.
Example:i=172.16.0.11
Subnet mask
s=
CIDR notation.
Example:s=172.16.0.0/24
Default gateway address
g=
IPv4 address in dotted-decimal notation.
Example:g=172.16.0.1
-
Join all the parameter strings together with an ampersand (
&
) between each.
Example:t=diameter,sip,internal&m=01:23:45:67:89:AB&i=172.16.0.11&s=172.16.0.0/24&g=172.16.0.1
-
Repeat for every other network interface.
-
Finally, join the resulting strings for each interface together with a semicolon (
;
) between each.
The individual strings for each network interface must not contain a trailing When including the string in a YAML userdata document, be sure to quote the string, e.g. Do not include details of any interfaces which haven’t been assigned any traffic types. |
Bootstrap and configuration
Bootstrap
Bootstrap is the process whereby, after a VM is started for the first time, it is configured with key system-level configuration such as IP addresses, DNS and NTP server addresses, a hostname, and so on. This process runs automatically on the first boot of the VM. For bootstrap to succeed it is crucial that all entries in the SDF (or in the case of a manual deployment, all the bootstrap parameters) are correct.
Successful bootstrap
Once the VM has booted into multi-user mode, bootstrap normally takes about one minute.
SSH access to the VM is not possible until bootstrap has completed. If you want to monitor bootstrap from the console, log in as the sentinel
user with the password you set in the SDF and examine the log file bootstrap/bootstrap.log
. Successful completion is indicated by the line Bootstrap complete
.
Troubleshooting bootstrap
If bootstrap fails, an exception will be written to the log file. If the network-related portion of bootstrap succeeded but a failure occurred afterwards, the VM will be accessible over SSH and logging in will display a warning Automatic bootstrap failed
.
Examine the log file bootstrap/bootstrap.log
to see why bootstrap failed. In the majority of cases it will be down to an incorrect SDF or a missing or invalid bootstrap parameter. Destroy the VM and recreate it with the correct SDF or bootstrap parameters (it is not possible to run bootstrap more than once).
If you are sure you have the SDF or bootstrap parameters correct, or it is not obvious what is wrong, contact your Customer Care Representative.
Configuration
Configuration occurs after bootstrap. It sets up product-level configuration such as:
-
configuring Rhino and the relevant products (on systems that run Rhino)
-
SNMP-based monitoring
-
SSH key exchange to allow access from other VMs in the cluster to this VM
-
authentication and encryption settings for the Cassandra clusters on the TSN VNFCs
To perform this configuration, the process retrieves its configuration in the form of YAML files from the CDS. The CDS to contact is determined using the cds-addresses
parameter from the SDF or bootstrap parameters.
The configuration process constantly looks for new configuration, and reconfigures the system if new configuration has been uploaded to the CDS.
The YAML files describing the configuration should be prepared in advance.
rvtconfig
After spinning up the VMs, configuration YAML files can be validated and uploaded to CDS using the rvtconfig
tool. The rvtconfig
tool can be run either on the SIMPL VM or any Rhino VM Automation VM.
CDS should be running before any other nodes are booted. See Setting up CDS for instructions on how to set up a Cassandra service to provide CDS. |
Configuration files
The configuration process reads settings from YAML files. Each YAML file refers to a particular set of configuration options, for example, SNMP settings. The YAML files are validated against a YANG schema. The YANG schema is human-readable and lists all the possible options, together with a description. It is therefore recommended to reference the Configuration YANG schema while preparing the YAML files.
Some YAML files are shared between different node types. If a file with the same file name is required for two different node types, the same file must be used in both cases.
When uploading configuration files, you must also include a Solution Definition File containing all nodes in the deployment (see below). Furthermore, for any VM which runs Rhino, you must also include a valid Rhino license. |
Solution Definition File
You will already have written a Solution Definition File (SDF) as part of the creation of the VMs. As the configuration process discovers other RVT nodes using the SDF, this SDF needs to be uploaded as part of the configuration.
The SDF must be named |
Successful configuration
The configuration process on the VMs starts after bootstrap completes. It is constantly listening for configuration to be written to CDS (via rvtconfig upload-config
). Once it detects configuration has been uploaded, it will automatically download and validate it. Assuming everything passes validation, the configuration will then be applied automatically. This can take up to 20 minutes depending on node type.
The configuration process can be monitored using the report-initconf status
tool. The tool can be run via an VM SSH session. Success is indicated by status=vm_converged
.
Troubleshooting configuration
Like bootstrap, errors are reported to the log file, located at initconf/initconf.log
in the default user’s home directory.
initconf initialization failed due to an error
: This indicates that initconf initialization has irrecoverably failed. Contact a Customer Care Representative for next steps.
Task <name> marked as permanently failed
: This indicates that configuration has irrecoverably failed. Contact a Customer Care Representative for next steps.
<file> failed to validate against YANG schemas
: This indicates something in one of the YAML files was invalid. Refer to the output to check which field was invalid, and fix the problem. For configuration validation issues, the VM doesn’t need to be destroyed and recreated. The fixed configuration can be uploaded using rvtconfig upload-config
. The configuration process will automatically try again once it detects the uploaded configuration has been updated.
If there is a configuration validation error on the VM, initconf will NOT run tasks until new configuration has been validated and uploaded to the CDS. |
Other errors: If these relate to invalid field values or a missing license, it is normally safe to fix the configuration and try again. Otherwise, contact a Customer Care Representative.
Configuration alarms
The configuration process can raise the following SNMP alarms, which are sent to the configured notification targets (all with OID prefix 1.3.6.1.4.1.19808.2
):
OID | Description | Details |
---|---|---|
12355 |
Initconf warning |
This alarm is raised if a task has failed to converge after 5 minutes. Refer to Troubleshooting configuration to troubleshoot the issue. |
12356 |
Initconf failed |
This alarm is raised if the configuration process irrecoverably failed, or if the VM failed to quiesce (shut down prior to an upgrade) cleanly. Refer to Troubleshooting configuration to troubleshoot the issue. |
12361 |
Initconf unexpected exception |
This alarm is raised if the configuration process encountered an unexpected exception, or if initconf received invalid configuration. Examine the initconf logs to determine the cause of the exception. If it is due to a validation error, correct any errors in the configuration and try again. (This won’t normally be the case, as If initconf hit an unexpected error when applying the configuration, initconf attempts to retry the failed task up to five times. Even if it eventually succeeds on a subsequent attempt, the eventual configuration of the node might not match the desired configuration exactly, or a component may be left in a partly-failed state. We therefore recommend that you investigate further. This alarm must be administratively cleared as it indicates an issue that requires manual intervention. |
12363 |
Configuration validation warning |
This alarm is raised if the VM’s configuration contains items that require attention, such as expired or expiring REM certificates. The configuration will be applied, but some services may not be fully operational. Further information regarding the configuration warning may be found in the initconf log. |
12364 |
OCSS7 reconfiguration attempt blocked |
This alarm is raised if the VM configuration has changed, and the change would result in the OCSS7 SGC being reconfigured. It is not currently possible to reconfigure OCSS7 through changing the YAML configuration alone. Components other than the OCSS7 SGC will be updated to the new configuration, but the OCSS7 SGC component will retain its existing configuration. Review the configuration changes and revert the SS7-related changes if they are not required. To apply the changes to the OCSS7 SGC, follow the procedure documented in Reconfiguring the SGC. |
Login and authentication configuration
You can log in to the Rhino VM Automation VMs either through the primary-user’s username and password using the virtual-console of your VNFI, or through an SSH connection from a remote machine using key-based authentication.
Logging in through a virtual console
You can log in to the Rhino VM Automation VMs through a virtual-console on your VNFI, using the primary user’s username and password for authentication.
You should only log in to Rhino VM Automation VMs through a virtual console when SSH access is unavailable. We recommend that you log in to Rhino VM Automation VMs using SSH. |
You can configure the primary user’s password by creating a freeform-type secret with the desired value and setting the value of the primary-user-password-secret-id
field in the product-options
section for a VNFC in the SDF to the ID of that secret. See Secrets in the SDF for more information.
The primary user’s password is initially configured during the VM’s bootstrap process. You can reconfigure the primary user’s password by changing the value of the secret in the secrets-file, re-running csar-secrets add
as per Adding secrets to QSG, and re-uploading your configuration using rvtconfig upload-config
. If the bootstrap process fails and you cannot log in with your desired password, your Customer Care Representative can provide you with a password to use here.
Logging in through SSH
You can log in to the Rhino VM Automation VMs using SSH from a remote machine.
SSH access to REM VMs uses key-based authentication only. Username/password authentication is disabled. To authorize one or more SSH keys so that users can log in to VMs within a VNFC as both the primary and low-privilege users, add the SSH public keys to the ssh/authorized-keys
list within every instance
section of a VNFC within the SDF, and then run rvtconfig upload-config
. You can also authorize SSH keys for the low-privilege viewer
user only by adding them to the low-privilege-ssh-authorized-keys
list within the product-options
section for a VNFC in the SDF. The set of authorized SSH keys can be different for each VNFC/service group, but must be identical for all VMs within a service group.
To revoke authorization for an SSH key, remove the public key from the authorized-keys
list for all VMs within a VNFC or from the low-privilege-ssh-authorized-keys
list in the product-options
section of a VNFC, and run rvtconfig upload-config
again.
All public keys within the authorized-keys
list for a VM instance will be copied to the .ssh/authorized-keys
file on the VM for both the primary user and the low-privilege viewer
user. All public keys within the low-privilege-ssh-authorized-keys
list for a VNFC will be copied to the .ssh/authorized-keys
file for the low-privilege user for all VMs within the VNFC. A user can then use a corresponding private key to SSH into a VM by using the command ssh -i <path-to-ssh-private-key> <username>@<vm-management-ip-address>
.
You can generate a public/private SSH key pair using the command ssh-keygen
. This command will prompt you for a passphrase with which to protect the private key, and a path to the location the private key should be created in. The public key will be created in the same location with a .pub
suffix.
You can set the bit length of the private key using the -b flag of ssh-keygen . The minimum length you can use for an SSH key is 2048 bits. We recommend using SSH keys with a length of at least 4096 bits. |
It is important to keep the SSH private key secret. Ideally an SSH private key should never leave the machine it was created on. |
REM certificates
About HTTPS certificates for REM
On the REM VMs, REM runs on Apache Tomcat, where the Tomcat webserver is configured to only accept traffic over HTTPS. As such, Tomcat requires a server-side certificate, which is presented to the user’s browser to prove the server’s identity when a user accesses REM.
Certificates are generated and signed by a known and trusted Certificate Authority (CA). This is done by having a chain of certificates, starting from the CA’s root certificate, where each certificate signs the next in the chain - creating a chain of trust from the CA to the end user’s webserver.
Each certificate is associated with a private key. The certificate itself contains a public key which matches the private key, and these keys are used to encrypt and decrypt the traffic flowing over the HTTPS connection. While the certificate can be safely shared publicly, the private key must be kept safe and not revealed to anyone.
Using rvtconfig
, you can upload certificates and private keys to the REM nodes, and initconf
will automatically set up Tomcat to use them.
To avoid any browser warnings for users accessing REM, you may need to add the CA’s root certificate to the browser’s in-built list of trusted root certificates, for example, by using group policy settings. |
HTTPS certificate specification
A Certificate Authority can issue you with a signed certificate for your REM domain(s) and/or IP address(es). To ensure your certificate is compatible with initconf
, it should conform to RFC 2818, that is to say that each domain name and/or IP address through which users will log in to REM must be specified in the certificate as a Subject Alternative Name (SAN), and not solely specified in the Common Name (CN). SANs must be of DNS
(also known as IA5 dNSName
) type for hostnames and IP
(IA5 iPAddress
) type for IP addresses.
Hostnames must be used for REM certificates as these direct IP addresses are private and should not be exposed to the public Internet. The DNS entry for each of these REM hostnames must resolve to only one node. This ensures that all REM requests made in a single session are directed to a single node. |
To obtain a certificate, you will need to generate a certificate signing request using openssl and send it to the CA.
When making this request, you will need to use an input file in the openssl command to specify the SAN. In this input file, specify at least the Country (C), Organisation (O), Organisational Unit (OU) and Common Name (CN) fields to match the details of your deployment. The CN must be equal to one of the SAN FQDNs.
Here is an example input file
rem_csr.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = NZ
O = SomeTelco
OU = SomeCity Network Operations Center
CN = mag01.telco.ims.network.net
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = mag01.telco.ims.network.net
DNS.2 = mag02.telco.ims.network.net
DNS.3 = mag03.telco.ims.network.net
DNS.4 = mag01-cs.telco.ims.network.net
DNS.5 = mag02-cs.telco.ims.network.net
DNS.6 = mag03-cs.telco.ims.network.net
There are also limits on key size of the certificate signing request. The min key size is 2048-bit and the max is 8192-bit. The desired key size can be specified in the openssl command using the -newkey rsa:<keysize>
option.
To generate the certificate signing request, run the following command, please change the keysize as desired:
openssl req -newkey rsa:2048 -keyout rem.key -out rem.csr -nodes -config rem_csr.cnf
The output files are the certificate signing request (rem.csr) and your private key (rem.key). The certificate signing request should be sent to the CA, who will then issue a certificate bundle for you. DO NOT DIRECTLY UPLOAD ANY OF THE CERTIFICATES GIVEN TO YOU BY THE CA. THEY MUST BE FORMATTED USING THE STEPS OUTLINED BELOW
Ensure that the CA issues your certificates in PEM (Privacy-Enhanced Mail) format. In addition, the private key must not have a passphrase (even an empty one).
Formatting the certificate bundle
A certificate bundle issued by a CA generally contains your certificate, their root certificate, and possibly one or more intermediate certificates. All certificates in the chain need to be merged into a single file in order to be uploaded for use with Tomcat. To format this correctly, follow these steps:
-
Ensure the files are in PEM format. You can do this by first checking that the contents of each file begins with this line
----- BEGIN CERTIFICATE -----
and ends with this line
----- END CERTIFICATE -----
(the exact number of hyphens in the line can vary). Then check the certificates are valid and not expired by using
openssl
:openssl x509 -in <filename> -inform pem -text -noout
If the certificate is indeed in PEM format, this command will display the certificate details. You can check that for your certificate, the subject details (the C, OU and so on) match those you specified on the certificate request. Look at the
Validity
fields to ensure all certificates in the bundle are valid. Forinitconf
to accept them, they must all be valid for at least 30 days from the day you upload them. -
Work out the order of the certificates. The certificates should be ordered so that each certificate is signed by the next. You can work out which certificate is signed by which by looking at the Issuer and Subject of the certificates. The Issuer of the first certificate in the chain should match the Subject of the second certificate in the chain. This indicates that the first certificate is signed by the second certificate. All subsequent certificates in the chain will follow this pattern. To take an example of a bundle containing your certificate, the root certificate and one intermediate certificate: your certificate is signed by the intermediate, and the intermediate certificate is signed by the root. So these should be ordered leaf, intermediate, root. If in doubt, contact your CA who can tell you which certificate is signed by which.
-
Construct the chain by concatenating the files together in the order decided in the step above. For example, this can be done using the Linux
cat
utility as follows:cat my_certificate.crt intermediate_certificate.crt root_certificate.crt >chain.crt
this will create a file
chain.crt
containing the entire certificate chain which is suitable for uploading to the REM nodes. -
Keep the private key safe - you should not reveal the contents of the file to anyone outside of your organisation, not even Metaswitch. You will however need to upload it to the REM nodes alongside the certificate chain. If you have multiple HTTPS certificates and private keys, ensure you can associate each private key with the certificate it refers to.
Uploading a certificate chain and private key for REM during configuration
To upload the certificate chain and private key to the nodes, you will need to put the certificate chain and private key in the directory containing the RVT YAML configuration files and upload these files using rvtconfig upload-config
.
To do this, follow the following steps:
Copy the certificate chain and private key files to the SIMPL VM and rename them
On the SIMPL VM place the certificate chain and private key files in the directory containing the YAML files, ensuring the files follow this naming scheme:
-
For REM, the certificate chain file must have the filename
rem-cert.crt
, and the private key file must have the filenamerem-cert.key
.
Validate the REM certificate chain
Validate the REM certificate chain has been formatted correctly by running this command from the directory containing the RVT YAML configuration files:
openssl crl2pkcs7 -nocrl -certfile rem-cert.crt | openssl pkcs7 -print_certs -noout
This command will output the subject and the issuer of each certificate in the chain in order.
There must be at least two certificates in the chain (the leaf and the root). If only one subject and one issuer is shown in the output, this means the certificate file is not valid. Run through the steps in section "Formatting the certificate bundle" again, then re-run the command above to validate the certificate file is in the correct format.
If this command outputs an error, then the chain has not been formatted correctly. Ensure each certificate in the chain is in PEM format and starts on a new line.
Check that each issuer matches the subject directly below it. This indicates they are chained in the correct order. If this is not the case then follow the steps in section "Formatting the certificate bundle" to put them in the right order, then retry the command above.
An example of a successful output with three certificates (one intermediate cert) looks like this:
subject=CN = Mutual Identification Certificate, O = Metaswitch, L = Edinburgh, C = UK
issuer=CN = Intermediate Signing Certificate, O = Metaswitch, L = Edinburgh, C = UK
subject=CN = Intermediate Signing Certificate, O = Metaswitch, L = Edinburgh, C = UK
issuer=CN = Root Signing Certificate, O = Metaswitch, L = Edinburgh, C = UK
subject=CN = Root Signing Certificate, O = Metaswitch, L = Edinburgh, C = UK
issuer=CN = Root Signing Certificate, O = Metaswitch, L = Edinburgh, C = UK
The following example shows a failed output, where the issuer does not match the subject directly below it. In this case the root cert has been put before the leaf cert:
subject=CN = Root Signing Certificate, O = Metaswitch, L = Edinburgh, C = UK
issuer=CN = Root Signing Certificate, O = Metaswitch, L = Edinburgh, C = UK
subject=CN = Mutual Identification Certificate, O = Metaswitch, L = Edinburgh, C = UK
issuer=CN = Intermediate Signing Certificate, O = Metaswitch, L = Edinburgh, C = UK
subject=CN = Intermediate Signing Certificate, O = Metaswitch, L = Edinburgh, C = UK
issuer=CN = Root Signing Certificate, O = Metaswitch, L = Edinburgh, C = UK
Upload the configuration
The config can then be uploaded, as it would be done for any change to the YAML configuration, using rvtconfig upload-config
to the REM nodes. An example command is shown below:
./rvtconfig upload-config -c <cds-address> -t mag -i <config-dir> --vm-version-source this-rvtconfig
where <cds-address>
is the IP address of the CDS, <config-dir>
is the path to the directory containing the YAML files.
This command will locate the files through the known filenames given above. It will then run a few basic checks on the files, such as checking whether the private key matches the certificate, and that the certificate is not due to expire in less than 30 days. If all checks pass, then the certificates will be uploaded to the CDS and installed by initconf
. Otherwise, rvtconfig upload-config
will inform you of any errors. Correct these and try again.
Note that you must provide both the certificate chain and private key. If you provide only one, rvtconfig upload-config
will fail.
Changing the certificate
Once a certificate and key have been successfully uploaded to the nodes, there is no need to upload them again on subsequent reconfigurations. The node will continue to use the same certificate.
You can replace a CA-issued certificate at any time by following the same steps above with a new certificate chain file and private key file.
Users overview
All VMs can be accessed by either a low-privilege user or a primary user.
Low-privilege user
All VMs include a low-privilege user with the username viewer
. This user has read-only access to almost all diagnostics and can run most read-only diagnostic commands. However, it has no access to read-write diagnostic commands, insufficient privileges for some logs and file paths, and no superuser capabilities on the VMs.
Use the low-privilege user as opposed to the primary user when possible.
The low-privilege user is only accessible over SSH. You can log in as the low-privilege user using any key provisioned in the ssh/authorized-keys
list for a VM in the SDF or using any key in the low-privilege-ssh-authorized-keys
list within the product-options
section of a VNFC in the SDF. See Logging in through SSH for more information on how to authorize SSH keys.
Follow the example below to SSH into a deployed VM as the low-privilege user.
ssh -i <path-to-ssh-private-key> viewer@<VM-management-IP-address>
The low-privilege user cannot login until initconf has configured the system. |
Primary user
The primary user has root access and thus, should only be used when you need to perform write and update operations.
Follow the example below to SSH into a deployed VM as the primary user.
Once logged into a VM, you can run sudo su - viewer
to run subsequent commands as the low-privilege user.
Permissions of commonly used commands
Below is a table indicating which user has permission to run commonly used commands.
This is not an exhaustive list. |
Command | Low-privilege user allowed | Primary user allowed |
---|---|---|
Run cqlsh commands |
No |
Yes |
Read Tomcat logs |
No |
Yes |
Read REM logs |
No |
Yes |
Read Rhino logs |
Yes |
Yes |
Read Cassandra logs |
Yes |
Yes |
Read bootstrap logs |
Yes |
Yes |
Read initconf logs |
Yes |
Yes |
Gather diags |
Yes |
Yes |
Use nodetool commands |
Yes, but only with sudo |
Yes |
Run Rhino console commands |
Yes, but only read-only commands |
Yes |
Run Docker commands |
No |
Yes |
Run report-initconf |
Yes |
Yes |
Cassandra security configuration
The Cassandra endpoints may be configured to require authentication and SSL encryption of incoming CQL connections.
The Cassandra security settings are not reconfigurable, even on upgrade. Reconfiguring any of the below settings will require you to recreate the Rhino VM Automation deployment. |
Authentication
You can configure Cassandra endpoints to require username and password authentication for incoming CQL connections.
To enable authentication, configure the username and password in the product-options
section for each Rhino VM Automation VNFC in the SDF, as follows.
-
Set the username in the
cassandra-username
field. -
Set the password by specifying a secret ID referring to the password in the
cassandra-password-id
field. See Secrets in the SDF for more information on configuring secrets in the SDF.
All VNFCs within a site must be configured with the same Cassandra username and password. |
Your Cassandra endpoints must be configured to support authentication, and have a role provisioned with your chosen username and password. See Authentication for more information.
SSL
You can configure the Cassandra endpoints to require incoming CQL sessions to connect over encrypted SSL connections.
VNFs can be configured to connect to the Cassandra endpoints over SSL connections by setting the boolean field use-client-to-node-cassandra-encryption
in the product-options
section for each VNFC in the SDF.
Your Cassandra endpoints must be configured to support incoming SSL connections. See SSL for more information.
SSL signing certificate configuration
Clients will authenticate the Cassandra endpoints by checking the endpoint’s SSL certificate against a signing certificate. The signing certificate is provisioned through the certificate secret cassandra-encryption-signing-certificate-id
in the SDF. VNFs will use the certificate-chain
part of this secret to authenticate the Cassandra endpoints when they instantiate CQL connections over SSL.
You can create a configuration file for your self-signed signing certificate by copying the example gen_rootCa_cert.conf
configuration file and respectively replacing <country-code>, <organization>, <organizational-unit>, and <common-name> with your 2-letter country-code (e.g. NZ), the name of your organization, the name of your organizational unit, and a name for your signing certificate. You can optionally protect your signing certificate with a password by adding an output_password
parameter to the [ req ]
section of the configuration file with the value of your password.
[ req ] distinguished_name = req_distinguished_name prompt = no default_bits = 4096 [ req_distinguished_name ] C = <country-code> O = <organization> OU = <organizational-unit> CN = <common-name>
Once you have created the configuration file, run the following command to create your signing certificate. Provide the desired filename for your signing certificate and its corresponding private key.
openssl req
-config gen_rootCa_cert.conf
-new -x509 -nodes
-out <signing-certificate-filename>
-keyout <signing-certificate-private-key-filename>
-days 365
You can optionally have your signing certificate signed by a Certificate Authority (CA).
Services and components
This section describes details of components and services running on the REM nodes.
systemd services
Rhino Element Manager
REM runs as a 'webapp' inside Apache Tomcat. This runs as a systemd service called rhino-element-manager
. REM comes equipped with the SIS EM and Sentinel Express plugins, to simplify management of SIS and Sentinel based services.
You can examine the state of the REM service by running sudo systemctl status rhino-element-manager.service
. This is an example of a healthy status:
[sentinel@mag-1 ~]$ sudo systemctl status rhino-element-manager.service
● rhino-element-manager.service - Rhino Element Manager (REM)
Loaded: loaded (/etc/systemd/system/rhino-element-manager.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2021-01-11 05:43:10 NZDT; 3s ago
Docs: https://docs.opencloud.com/ocdoc/books/devportal-documentation/1.0/documentation-index/platforms/rhino-element-manager-rem.html
Process: 4659 ExecStop=/home/sentinel/apache-tomcat/bin/systemd_relay.sh stop (code=exited, status=0/SUCCESS)
Process: 4705 ExecStart=/home/sentinel/apache-tomcat/bin/systemd_relay.sh start (code=exited, status=0/SUCCESS)
Main PID: 4713 (catalina.sh)
Tasks: 89
Memory: 962.1M
CGroup: /system.slice/rhino-element-manager.service
├─4713 /bin/sh bin/catalina.sh start
└─4715 /home/sentinel/java/current/bin/java -Djava.util.logging.config.file=/home/sentinel/apache-tomcat-8.5.38/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms2048m -Xmx2048m -...
Jan 11 05:43:00 mag-1 systemd[1]: Starting Rhino Element Manager (REM)...
Jan 11 05:43:00 mag-1 systemd_relay.sh[4705]: Tomcat started.
Jan 11 05:43:10 mag-1 systemd[1]: Started Rhino Element Manager (REM).
Alternatively, the Tomcat service will show up as Bootstrap
when running jps
.
For more information about REM, see the Rhino Element Manager (REM) Guide.
SNMP service monitor
The SNMP service monitor process is responsible for raising SNMP alarms when a disk partition gets too full.
The SNMP service monitor alarms are compatible with Rhino alarms and can be accessed in the same way. Refer to Accessing SNMP Statistics and Notifications for more information about this.
Alarms are sent to SNMP targets as configured through the configuration YAML files.
The following partitions are monitored:
-
the root partition (
/
) -
the log partition (
/var/log
)
There are two thresholds for disk monitoring, expressed as a percentage of the total partition size. When disk usage exceeds:
-
the lower threshold, a warning (MINOR severity) alarm will be raised.
-
the upper threshold, a MAJOR severity alarm will be raised, and (except for the root partition) files will be automatically cleaned up where possible.
Once disk space has returned to a non-alarmable level, the SNMP service monitor will clear the associated alarm on the next check. By default, it checks disk usage once per day. Running the command sudo systemctl reload disk-monitor
will force an immediate check of the disk space, for example, if an alarm was raised and you have since cleaned up the appropriate partition and want to clear the alarm.
Configuring the SNMP service monitor
The default monitoring settings should be appropriate for the vast majority of deployments.
Should your Metaswitch Customer Care Representative advise you to reconfigure the disk monitor, you can do so by editing the file /etc/disk_monitor.yaml
(you will need to use sudo
when editing this file due to its permissions):
global:
check_interval_seconds: 86400
log:
lower_threshold: 80
max_files_to_delete: 10
upper_threshold: 90
root:
lower_threshold: 90
upper_threshold: 95
snmp:
enabled: true
notification_type: trap
targets:
- address: 192.168.50.50
port: 162
version: 2c
The file is in YAML format, and specifies the alarm thresholds for each disk partition (as a percentage), the interval between checks in seconds, and the SNMP targets.
-
Supported SNMP versions are
2c
and3
. -
Supported notification types are
trap
andnotify
. -
Supported values for the upper and lower thresholds are:
Partition |
Lower threshold range |
Upper threshold range |
Minimum difference between thresholds |
|
50% to 80% |
60% to 90% |
10% |
|
50% to 90% |
60% to 99% |
5% |
-
check_interval_seconds
must be in the range 60 to 86400 seconds inclusive. It is recommended to keep the interval as long as possible to minimise performance impact.
After editing the file, you can apply the configuration by running sudo systemctl reload disk-monitor
.
Verify that the service has accepted the configuration by running sudo systemctl status disk-monitor
. If it shows an error, run journalctl -u disk-monitor
for more detailed information. Correct the errors in the configuration and apply it again.
Partitions
The nodes contain three partitions:
-
/boot
, with a size of 100MB. This contains the kernel and bootloader. -
/var/log
, with a size of 7000MB. This is where the OS and Rhino store their logfiles. The Rhino logs are within thetas
subdirectory, and within that each cluster has its own directory. -
/
, which uses up the rest of the disk. This is the root filesystem.
rem-vm-pool.yang
module rem-vm-pool {
yang-version 1.1;
namespace "http://metaswitch.com/yang/tas-vm-build/rem-vm-pool";
prefix "rem-vm-pool";
import vm-types {
prefix "vmt";
revision-date 2019-11-29;
}
import extensions {
prefix "yangdoc";
revision-date 2020-12-02;
}
organization "Metaswitch Networks";
contact "rvt-schemas@metaswitch.com";
description "Rhino Element Manager (REM) virtual machine pool configuration schema.";
revision 2020-06-01 {
description
"Initial revision";
reference
"Metaswitch Deployment Definition Guide";
}
grouping rem-virtual-machine-pool {
leaf deployment-id {
type vmt:deployment-id-type;
mandatory true;
description "The deployment identifier. Used to form a unique VM identifier within the
VM host.";
}
leaf site-id {
type vmt:site-id-type;
mandatory true;
description "Site ID for the site that this VM pool is a part of.";
}
leaf node-type-suffix {
type vmt:node-type-suffix-type;
default "";
description "Suffix to add to the node type when deriving the group identifier. Should
normally be left blank.";
}
list rem-auth {
key "username";
min-elements 1;
uses vmt:rem-auth-grouping;
description "List of REM users and their plain text passwords.";
yangdoc:change-impact "converges";
}
list virtual-machines {
key "vm-id";
leaf vm-id {
type string;
mandatory true;
description "The unique virtual machine identifier.";
}
description "Configured virtual machines.";
}
leaf rem-debug-logging-enabled {
type boolean;
default false;
description "Enable extensive logging for verification and issue diagnosis during
acceptance testing. Must not be enabled in production.";
}
description "Rhino Element Manager (REM) virtual machine pool.";
}
}
snmp-configuration.yang
module snmp-configuration {
yang-version 1.1;
namespace "http://metaswitch.com/yang/tas-vm-build/snmp-configuration";
prefix "snmp";
import ietf-inet-types {
prefix "ietf-inet";
}
import vm-types {
prefix "vmt";
revision-date 2019-11-29;
}
organization "Metaswitch Networks";
contact "rvt-schemas@metaswitch.com";
description "SNMP configuration schema.";
revision 2019-11-29 {
description
"Initial revision";
reference
"Metaswitch Deployment Definition Guide";
}
grouping snmp-configuration-grouping {
leaf v1-enabled {
type boolean;
default false;
description "Enables the use of SNMPv1 if set to 'true'. Note that support for SNMPv1
is deprecated and SNMP v2c should be used instead. Use of v1 is limited
to Rhino only and may cause some Rhino statistics to fail to appear
correctly or not at all. Set to 'false' to disable SNMPv1.";
}
leaf v2c-enabled {
type boolean;
default true;
description "Enables the use of SNMPv2c if set to 'true'.
Set to 'false' to disable SNMPv2c.";
}
leaf v3-enabled {
type boolean;
default false;
description "Enables the use of SNMPv3 if set to 'true'.
Set to 'false' to disable SNMPv3.";
}
leaf trap_type {
when "../v2c-enabled = 'true'";
type enumeration {
enum trap {
description "Generate TRAP type notifications.";
}
enum inform {
description "Generate INFORM type notifications.";
}
}
default trap;
description "Configure the notification type to use when SNMPv2c is enabled.";
}
leaf community {
when "../v2c-enabled = 'true'";
type string;
default "clearwater";
description "The SNMPv2c community name.";
}
container v3-authentication {
when "../v3-enabled = 'true'";
leaf username {
type string;
mandatory true;
description "The SNMPv3 user name.";
}
leaf authentication-protocol {
type enumeration {
enum SHA {
description "SHA";
}
enum MD5 {
description "MD5 message digest.";
}
}
default SHA;
description "The authentication mechanism to use.";
}
leaf authentication-key {
type vmt:secret {
length "8 .. max";
}
mandatory true;
description "The authentication key.";
}
leaf privacy-protocol {
type enumeration {
enum DES {
description "Data Encryption Standard (DES)";
}
enum 3DES {
description "Triple Data Encryption Standard (3DES).";
}
enum AES128 {
description "128 bit Advanced Encryption Standard (AES).";
}
enum AES192 {
description "192 bit Advanced Encryption Standard (AES).";
}
enum AES256 {
description "256 bit Advanced Encryption Standard (AES).";
}
}
default AES128;
description "The privacy mechanism to use.";
}
leaf privacy-key {
type vmt:secret {
length "8 .. max";
}
mandatory true;
description "The privacy key.";
}
description "SNMPv3 authentication configuration. Only used when 'v3-enabled' is set
to 'true'.";
}
container agent-details {
when "../v2c-enabled = 'true' or ../v3-enabled= 'true'";
// agent name is the VM ID
// description is the human-readable node description from the metadata
leaf location {
type string;
mandatory true;
description "The physical location of the SNMP agent.";
}
leaf contact {
type string;
mandatory true;
description "The contact email address for this SNMP agent.";
}
description "The configurable SNMP agent details. The VM ID is used as the agent's
name, and the human readable node description from the metadata is used
as the description.";
}
container notifications {
leaf system-notifications-enabled {
when "../../v2c-enabled = 'true' or ../../v3-enabled = 'true'";
type boolean;
mandatory true;
description "Specifies whether or not system SNMP v2c/3 notifications are enabled.
System notifications are: high memory and CPU usage warnings,
and system boot notifications.
If you use MetaView Server to monitor
your platform, then it is recommended to set this to 'false'.";
}
must "system-notifications-enabled = 'false'
or (count(targets[send-system-notifications = 'true']) > 0)" {
error-message "You must specify whether to enable system notifications.
If enabled, you must also specify "
+ "at least one system notification target.";
}
leaf rhino-notifications-enabled {
when "../../v2c-enabled = 'true' or ../../v3-enabled = 'true'";
type boolean;
mandatory true;
description "Specifies whether or not Rhino SNMP v2c/3 notifications are enabled.
Applicable only when there is a Rhino node in your deployment
and SNMPv2c and/or SNMPv3 are enabled.";
}
must "rhino-notifications-enabled = 'false'
or count(targets[send-rhino-notifications = 'true']) > 0" {
error-message "You must specify whether to enable Rhino notifications.
If enabled, you must also specify "
+ "at least one Rhino notification target.";
}
leaf sgc-notifications-enabled {
when "../../v2c-enabled = 'true' or ../../v3-enabled = 'true'";
type boolean;
mandatory true;
description "Specifies whether or not OCSS7 SGC SNMP v2c/3 notifications are
enabled.
Applicable only when there is an SMO or an SGC node in your deployment
and SNMPv2c and/or SNMPv3 are enabled.";
}
must "sgc-notifications-enabled = 'false'
or count(targets[send-sgc-notifications = 'true']) > 0" {
error-message "You must specify whether to enable SGC notifications.
If enabled, you must also specify "
+ "at least one SGC notification target.";
}
list targets {
key "version host port";
leaf version {
type enumeration {
enum v1 {
description "SNMPv1";
}
enum v2c {
description "SNMPv2c";
}
enum v3 {
description "SNMPv3";
}
}
description "The SNMP notification version to use for this target.";
}
leaf host {
type ietf-inet:host;
description "The target host.";
}
leaf port {
type ietf-inet:port-number;
// 'port' is a key and YANG ignores the default value of any keys, hence we
// cannot set a default '162' here.
description "The target port, normally 162.";
}
leaf send-rhino-notifications {
when "../../rhino-notifications-enabled = 'true'";
type boolean;
default true;
description "Specifies whether or not to send Rhino SNMP v2c/3 notifications
to this target.
Can only be specified if ../rhino-notifications-enabled is true.";
}
leaf send-system-notifications {
when "../../system-notifications-enabled = 'true'";
type boolean;
default true;
description "Specifies whether or not to send system SNMP v2c/3 notifications
to this target.
Can only be specified if ../system-notifications-enabled is true.";
}
leaf send-sgc-notifications {
when "../../sgc-notifications-enabled = 'true'";
type boolean;
default true;
description "Specifies whether or not to send SGC SNMP v2c/3 notifications
to this target.
Can only be specified if ../sgc-notifications-enabled is true.";
}
description "The list of SNMP notification targets.
Note that you can specify targets even if not using Rhino or system
notifications - the targets are also used for the disk and
service monitor alerts.";
}
list categories {
when "../rhino-notifications-enabled = 'true'";
key "category";
leaf category {
type enumeration {
enum alarm-notification {
description "Alarm related notifications.";
}
enum log-notification {
description "Log related notifications.";
}
enum log-rollover-notification {
description "Log rollover notifications.";
}
enum resource-adaptor-entity-state-change-notification {
description "Resource adaptor entity state change notifications.";
}
enum service-state-change-notification {
description "Service state change notifications.";
}
enum slee-state-change-notification {
description "SLEE state change notifications.";
}
enum trace-notification {
description "Trace notifications.";
}
enum usage-notification {
description "Usage notifications.";
}
}
description "Notification category.
If you are using MetaView Server, only the `alarm-notification`
category of Rhino SNMP notifications is supported.
Therefore, all other notification categories should be disabled.";
}
leaf enabled {
type boolean;
mandatory true;
description "Set to 'true' to enable this category. Set to 'false' to disable.";
}
description "Rhino notification categories to enable or disable.";
}
description "Notification configuration.";
}
container sgc {
leaf v2c-port {
when "../../v2c-enabled = 'true'";
type ietf-inet:port-number;
default 11100;
description "The port to bind to for v2c SNMP requests.";
}
leaf v3-port {
when "../../v3-enabled = 'true'";
type ietf-inet:port-number;
default 11101;
description "The port to bind to for v3 SNMP requests.";
}
description "SGC-specific SNMP configuration.";
}
description "SNMP configuration.";
}
}
routing-configuration.yang
module routing-configuration {
yang-version 1.1;
namespace "http://metaswitch.com/yang/tas-vm-build/routing-configuration";
prefix "routing";
import ietf-inet-types {
prefix "ietf-inet";
}
import traffic-type-configuration {
prefix "traffic-type";
revision-date 2022-04-11;
}
organization "Metaswitch Networks";
contact "rvt-schemas@metaswitch.com";
description "Routing configuration schema.";
revision 2019-11-29 {
description
"Initial revision";
reference
"Metaswitch Deployment Definition Guide";
}
grouping routing-configuration-grouping {
list routing-rules {
key "name";
unique "target";
leaf name {
type string;
mandatory true;
description "The name of the routing rule.";
}
leaf target {
type union {
type ietf-inet:ip-address;
type ietf-inet:ip-prefix;
}
mandatory true;
description "The target for the routing rule.
Can be either an IP address or a block of IP addresses.";
}
leaf interface {
type traffic-type:traffic-type;
mandatory true;
description "The interface to use to connect to the specified endpoint.
This must be one of the allowed traffic types,
corresponding to the interface carrying the traffic type.";
}
leaf gateway {
type ietf-inet:ip-address;
mandatory true;
description "The IP address of the gateway to route through.";
}
leaf-list node-types {
type enumeration {
enum shcm {
description "Apply this routing rule to the shcm nodes.";
}
enum mag {
description "Apply this routing rule to the mag nodes.";
}
enum mmt-gsm {
description "Apply this routing rule to the mmt-gsm nodes.";
}
enum mmt-cdma {
description "Apply this routing rule to the mmt-cdma nodes.";
}
enum smo {
description "Apply this routing rule to the smo nodes.";
}
enum tsn {
description "Apply this routing rule to the tsn nodes.";
}
enum max {
description "Apply this routing rule to the max nodes.";
}
enum rem {
description "Apply this routing rule to the rem nodes.";
}
enum sgc {
description "Apply this routing rule to the sgc nodes.";
}
enum custom {
description "Apply this routing rule to the custom nodes.";
}
}
description "The node-types this routing rule applies to.";
}
description "The list of routing rules.";
}
description "Routing configuration";
}
}
system-configuration.yang
module system-configuration {
yang-version 1.1;
namespace "http://metaswitch.com/yang/tas-vm-build/system-configuration";
prefix "system";
organization "Metaswitch Networks";
contact "rvt-schemas@metaswitch.com";
description "OS-level parameters configuration schema.";
revision 2019-11-29 {
description
"Initial revision";
reference
"Metaswitch Deployment Definition Guide";
}
grouping system-configuration-grouping {
container networking {
container core {
leaf receive-buffer-size-default {
type uint32 {
range "65536 .. 16777216";
}
units "bytes";
default 512000;
description "Default socket receive buffer size.";
}
leaf receive-buffer-size-max {
type uint32 {
range "65536 .. 16777216";
}
units "bytes";
default 2048000;
description "Maximum socket receive buffer size.";
}
leaf send-buffer-size-default {
type uint32 {
range "65536 .. 16777216";
}
units "bytes";
default 512000;
description "Default socket send buffer size.";
}
leaf send-buffer-size-max {
type uint32 {
range "65536 .. 16777216";
}
units "bytes";
default 2048000;
description "Maximum socket send buffer size.";
}
description "Core network settings.";
}
container sctp {
leaf rto-min {
type uint32 {
range "10 .. 5000";
}
units "milliseconds";
default 50;
description "Round trip estimate minimum. "
+ "Used in SCTP's exponential backoff algorithm for retransmissions.";
}
leaf rto-initial {
type uint32 {
range "10 .. 5000";
}
units "milliseconds";
default 300;
description "Round trip estimate initial value. "
+ "Used in SCTP's exponential backoff algorithm for retransmissions.";
}
leaf rto-max {
type uint32 {
range "10 .. 5000";
}
units "milliseconds";
default 1000;
description "Round trip estimate maximum. "
+ "Used in SCTP's exponential backoff algorithm for retransmissions.";
}
leaf sack-timeout {
type uint32 {
range "50 .. 5000";
}
units "milliseconds";
default 100;
description "Timeout within which the endpoint expects to receive "
+ "a SACK message.";
}
leaf hb-interval {
type uint32 {
range "50 .. 30000";
}
units "milliseconds";
default 1000;
description "Heartbeat interval. The longer the interval, "
+ "the longer it can take to detect that communication with a peer "
+ "has been lost.";
}
leaf path-max-retransmissions {
type uint32 {
range "1 .. 20";
}
default 5;
description "Maximum number of retransmissions on one path before "
+ "communication via that path is considered to be lost.";
}
leaf association-max-retransmissions {
type uint32 {
range "1 .. 20";
}
default 10;
description "Maximum number of retransmissions to one peer before "
+ "communication with that peer is considered to be lost.";
}
description "SCTP-related settings.";
}
description "Network-related settings.";
}
description "OS-level parameters. It is advised to leave all settings at their defaults.";
}
}
traffic-type-configuration.yang
module traffic-type-configuration {
yang-version 1.1;
namespace "http://metaswitch.com/yang/tas-vm-build/traffic-type-configuration";
prefix "traffic-type";
organization "Metaswitch Networks";
contact "rvt-schemas@metaswitch.com";
description "Traffic type configuration schema.";
revision 2022-04-11 {
description "Initial revision";
reference "Metaswitch Deployment Definition Guide";
}
typedef signaling-traffic-type {
type enumeration {
enum internal {
description "Internal signaling traffic.";
}
enum diameter {
description "Diameter signaling traffic.";
}
enum ss7 {
description "SS7 signaling traffic.";
}
enum sip {
description "SIP signaling traffic.";
}
enum http {
description "HTTP signaling traffic.";
}
enum custom-signaling {
description "Applies to custom VMs only.
Custom signaling traffic.";
}
enum custom-signaling2 {
description "Applies to custom VMs only.
Second custom signaling traffic.";
}
}
description "The name of the signaling traffic type.";
}
typedef multihoming-signaling-traffic-type {
type enumeration {
enum diameter-multihoming {
description "Second Diameter signaling traffic.";
}
enum ss7-multihoming {
description "Second SS7 signaling traffic.";
}
}
description "The name of the multihoming signaling traffic type.";
}
typedef traffic-type {
type union {
type signaling-traffic-type;
type multihoming-signaling-traffic-type;
type enumeration {
enum management {
description "Management traffic.";
}
enum cluster {
description "Cluster traffic.";
}
enum access {
description "Access traffic.";
}
}
}
description "The name of the traffic type.";
}
}
vm-types.yang
module vm-types {
yang-version 1.1;
namespace "http://metaswitch.com/yang/tas-vm-build/vm-types";
prefix "vm-types";
import ietf-inet-types {
prefix "ietf-inet";
}
import extensions {
prefix "yangdoc";
revision-date 2020-12-02;
}
organization "Metaswitch Networks";
contact "rvt-schemas@metaswitch.com";
description "Types used by the various virtual machine schemas.";
revision 2019-11-29 {
description
"Initial revision";
reference
"Metaswitch Deployment Definition Guide";
}
typedef rhino-node-id-type {
type uint16 {
range "1 .. 32767";
}
description "The Rhino node identifier type.";
}
typedef sgc-cluster-name-type {
type string;
description "The SGC cluster name type.";
}
typedef deployment-id-type {
type string {
pattern "[a-zA-Z0-9-]{1,20}";
}
description "Deployment identifier type. May only contain upper and lower case letters 'a'
through 'z', the digits '0' through '9' and hyphens. Must be between 1 and
20 characters in length, inclusive.";
}
typedef site-id-type {
type string {
pattern "DC[0-9]+";
}
description "Site identifier type. Must be the letters DC followed by one or more
digits 0-9.";
}
typedef node-type-suffix-type {
type string {
pattern "[a-zA-Z0-9]*";
}
description "Node type suffix type. May only contain upper and lower case letters 'a'
through 'z' and the digits '0' through '9'. May be empty.";
}
typedef trace-level-type {
type enumeration {
enum off {
description "The 'off' trace level.";
}
enum severe {
description "The 'severe' trace level.";
}
enum warning {
description "The 'warning level.";
}
enum info {
description "The 'info' trace level.";
}
enum config {
description "The 'config' trace level.";
}
enum fine {
description "The 'fine' trace level.";
}
enum finer {
description "The 'finer' trace level.";
}
enum finest {
description "The 'finest' trace level.";
}
}
description "The Rhino trace level type";
}
typedef sip-uri-type {
type string {
pattern 'sip:.*';
}
description "The SIP URI type.";
}
typedef tel-uri-type {
type string {
pattern 'tel:\+?[-*#.()A-F0-9]+';
}
description "The Tel URI type.";
}
typedef sip-or-tel-uri-type {
type union {
type sip-uri-type;
type tel-uri-type;
}
description "A type allowing either a SIP URI or a Tel URI.";
}
typedef number-string {
type string {
pattern "[0-9]+";
}
description "A type that permits a non-negative integer value.";
}
typedef phone-number-type {
type string {
pattern '\+?[*0-9]+';
}
description "A type that represents a phone number.";
}
typedef sccp-address-type {
type string {
pattern "(.*,)*type=(A|C)7.*";
pattern "(.*,)*ri=(gt|pcssn).*";
pattern "(.*,)*ssn=[0-2]?[0-9]?[0-9].*";
pattern ".*=.*(,.*=.*)*";
}
description "A type representing an SCCP address in string form.
The basic form of an SCCP address is:
`type=<variant>,ri=<address type>,<parameter>=<value>,...`
where `<variant>` is `A7` for ANSI-variant SCCP or `C7` for ITU-variant SCCP,
and `<address type>` is one of `gt` or `pcssn`
(for an address specified by Global Title (GT),
or Point Code (PC) and Subsystem Number (SSN), respectively).
The `<parameter>` options are:
- Point code: `pc=<point code in network-cluster-member (ANSI)
or integer (ITU) format>`
- Subsystem number: `ssn=<subsystem number 0-255>`
- Global title address digits: `digits=<address digits, one or more 0-9>`
- Nature of address: `nature=<nature>` where `<nature>` is
`unknown`, `international`, `national`, or `subscriber`
- Numbering plan: `numbering=<numbering>` where `<numbering>` is
`unknown`, `isdn`, `generic`, `data`, `telex`, `maritime-mobile`,
`land-mobile`, `isdn-mobile`, or `private`
- Global title translation type: `tt=<integer 0-255>`
- National indicator: `national=<true or false>`.
`parameter` names are separated from their values by an equals sign,
and all `<parameter>=<value>` pairs are separated by commas.
Do not include any whitespace anywhere in the address.
Only the `ssn` and `national` parameters are mandatory; the others are optional,
depending on the details of the address - see below.
Note carefully the following:
- For ANSI addresses, ALWAYS specify `national=true`,
unless using ITU-format addresses in an ANSI-variant network.
- For ITU addresses, ALWAYS specify `national=false`.
- All SCCP addresses across the deployment's configuration
must use the same variant (`A7` or `C7`).
- Be sure to update the SGC's SCCP variant in `sgc-config.yaml`
to match the variant of the addresses.
---
For PC/SSN addresses (with `ri=pcssn`), you need to specify
the point code and SSN.
For GT addresses (with `ri=gt`), you must specify the global title digits
and SSN in addition to the fields listed below (choose one option).
There are two options for ANSI GT addresses:
- translation type only
- numbering plan and translation type.
There are four options for ITU GT addresses:
- nature of address only
- translation type only
- numbering plan and translation type
- nature of address with either or both of numbering plan and translation type.
---
Some valid ANSI address examples are:
- `type=A7,ri=pcssn,pc=0-0-5,ssn=147,national=true`
- `type=A7,ri=gt,ssn=146,tt=8,digits=12012223333,national=true`
Some valid ITU address examples are:
- `type=C7,ri=pcssn,pc=1434,ssn=147,national=false`
- `type=C7,ri=gt,ssn=146,nature=INTERNATIONAL,numbering=ISDN,tt=0,
digits=123456,national=false`
- `type=C7,ri=gt,ssn=148,numbering=ISDN,tt=0,digits=0778899,national=false`";
}
typedef ss7-point-code-type {
type string {
pattern "(([0-2]?[0-9]?[0-9]-){2}[0-2]?[0-9]?[0-9])|"
+ "([0-1]?[0-9]{1,4})";
}
description "A type representing an SS7 point code.
When ANSI variant is in use, specify this in network-cluster-member format,
such as 1-2-3, where each element is between 0 and 255.
When ITU variant is in use, specify this as an integer between 0 and 16383.
Note that for ITU you will need to quote the integer,
as this field takes a string rather than an integer.";
}
typedef ss7-address-string-type {
type string {
pattern "(.*,)*address=.*";
pattern ".*=.*(,.*=.*)*";
}
description "The SS7 address string type.";
}
typedef sip-status-code {
type uint16 {
range "100..699";
}
description "SIP response status code type.";
}
typedef secret {
type string;
description "A secret, which will be automatically encrypted using the secrets-private-key
configured in the Site Definition File (SDF).";
}
grouping cassandra-contact-point-interfaces {
leaf management.ipv4 {
type ietf-inet:ipv4-address-no-zone;
mandatory true;
description "The IPv4 address of the management interface.";
}
leaf signaling.ipv4 {
type ietf-inet:ipv4-address-no-zone;
mandatory true;
description "The IPv4 address of the signaling interface.";
}
description "Base network interfaces: management and signaling";
}
grouping day-of-week-grouping {
leaf day-of-week {
type enumeration {
enum Monday {
description "Every Monday.";
}
enum Tuesday {
description "Every Tuesday.";
}
enum Wednesday {
description "Every Wednesday.";
}
enum Thursday {
description "Every Thursday.";
}
enum Friday {
description "Every Friday.";
}
enum Saturday {
description "Every Saturday.";
}
enum Sunday {
description "Every Sunday.";
}
}
description "The day of the week on which to run the scheduled task.";
}
description "Grouping for the day of the week.";
}
grouping day-of-month-grouping {
leaf day-of-month {
type uint8 {
range "1..28";
}
description "The day of the month (from the 1st to the 28th)
on which to run the scheduled task.";
}
description "Grouping for the day of the month.";
}
grouping frequency-grouping {
choice frequency {
case daily {
// empty
}
case weekly {
uses day-of-week-grouping;
}
case monthly {
uses day-of-month-grouping;
}
description "Frequency options for running a scheduled task.
Note: running a scheduled task in the single-entry
format is deprecated.";
}
uses time-of-day-grouping;
description "Grouping for frequency options for running a scheduled task.
Note: This field is deprecated. Use the options in
frequency-list-grouping instead.";
}
grouping frequency-list-grouping {
choice frequency-list {
case weekly {
list weekly {
key "day-of-week";
uses day-of-week-grouping;
uses time-of-day-grouping;
description "A list of schedules that specifies the days of the week
and times of day to run the scheduled task";
}
}
case monthly {
list monthly {
key "day-of-month";
uses day-of-month-grouping;
uses time-of-day-grouping;
description "A list of schedules that specifies the days of the month
and times of day to run the scheduled task";
}
}
description "Frequency options for running a scheduled task.";
}
description "Grouping for frequency options for a task scheduled multiple times.";
}
grouping time-of-day-grouping {
leaf time-of-day {
type string {
pattern "([0-1][0-9]|2[0-3]):[0-5][0-9]";
}
mandatory true;
description "The time of day (24hr clock in the system's timezone)
at which to run the scheduled task.";
}
description "Grouping for specifying the time of day.";
}
grouping scheduled-task {
choice scheduling-rule {
case single-schedule {
uses frequency-grouping;
}
case multiple-schedule {
uses frequency-list-grouping;
}
description "Whether the scheduled task runs once or multiple times per interval.";
}
description "Grouping for determining whether the scheduled task runs once
or multiple times per interval.
Note: Scheduling a task once per interval is deprecated.
Use the options in frequency-list-grouping instead
to schedule a task multiple times per interval.";
}
grouping rvt-vm-grouping {
uses rhino-vm-grouping;
container scheduled-sbb-cleanups {
presence "This container is optional, but has mandatory descendants.";
uses scheduled-task;
description "Cleanup leftover SBBs and activities on specified schedules.
If omitted, SBB cleanups will be scheduled for every day at 02:00.";
}
description "Parameters for a Rhino VoLTE TAS (RVT) VM.";
}
grouping rhino-vm-grouping {
leaf rhino-node-id {
type rhino-node-id-type;
mandatory true;
description "The Rhino node identifier.";
}
container scheduled-rhino-restarts {
presence "This container is optional, but has mandatory descendants.";
uses scheduled-task;
description "Restart Rhino on a specified schedule, for maintenance purposes.
If omitted, no Rhino restarts will be enabled.
Note: Please ensure there are no Rhino restarts within one hour of a
scheduled Cassandra repair.";
}
description "Parameters for a VM that runs Rhino.";
}
grouping rhino-auth-grouping {
leaf username {
type string {
length "3..16";
pattern "[a-zA-Z0-9]+";
}
description "The user's username.
Must consist of between 3 and 16 alphanumeric characters.";
}
leaf password {
type secret {
length "8..max";
pattern "[a-zA-Z0-9_@!$%^/.=-]+";
}
description "The user's password. Will be automatically encrypted at deployment using
the deployment's 'secret-private-key'.";
}
leaf role {
type enumeration {
enum admin {
description "Administrator role. Can make changes to Rhino configuration.";
}
enum view {
description "Read-only role. Cannot make changes to Rhino configuration.";
}
}
default view;
description "The user's role.";
}
description "Configuration for one Rhino user.";
}
grouping rem-auth-grouping {
leaf username {
type string {
length "3..16";
pattern "[a-zA-Z0-9]+";
}
description "The user's username.
Must consist of between 3 and 16 alphanumeric characters.";
}
leaf real-name {
type string;
description "The user's real name.";
}
leaf password {
type secret {
length "8..max";
pattern "[a-zA-Z0-9_@!$%^/.=-]+";
}
description "The user's password. Will be automatically encrypted at deployment using
the deployment's 'secret-private-key'.";
}
leaf role {
type enumeration {
enum em-admin {
description "Administrator role. Can make changes to REM configuration.
Also has access to the HSS Subscriber Provisioning REST API.";
}
enum em-user {
description "Read-only role. Cannot make changes to REM configuration.
Note: Rhino write permissions are controlled by the Rhino
credentials used to connect to Rhino, NOT the REM credentials.";
}
}
default em-user;
description "The user's role.";
}
description "Configuration for one REM user.";
}
grouping diameter-multiple-realm-configuration-grouping {
uses diameter-common-configuration-grouping;
choice realm-choice {
case single-realm {
leaf destination-realm {
type ietf-inet:domain-name;
mandatory true;
description "The Diameter destination realm.";
}
}
case multiple-realms {
list destination-realms {
key "destination-realm";
min-elements 1;
leaf destination-realm {
type ietf-inet:domain-name;
mandatory true;
description "The destination realm.";
}
leaf charging-function-address {
type string;
description "The value that must appear in a P-Charging-Function-Addresses
header in order to select this destination realm. If omitted,
this will be the same as the destination-realm value.";
}
leaf-list peers {
type string;
min-elements 1;
description "List of Diameter peers for the realm.";
}
description "List of Diameter destination realms.";
}
}
description "Whether to use a single realm or multiple realms.";
}
description "Diameter configuration supporting multiple realms.";
}
grouping diameter-configuration-grouping {
uses diameter-common-configuration-grouping;
leaf destination-realm {
type ietf-inet:domain-name;
mandatory true;
description "The Diameter destination realm.";
}
description "Diameter configuration using a single realm.";
}
grouping diameter-common-configuration-grouping {
leaf origin-realm {
type ietf-inet:domain-name;
mandatory true;
description "The Diameter origin realm.";
yangdoc:change-impact "restart";
}
list destination-peers {
key "destination-hostname";
min-elements 1;
leaf protocol-transport {
type enumeration {
enum aaa {
description "The Authentication, Authorization and Accounting (AAA)
protocol over tcp";
}
enum aaas {
description "The Authentication, Authorization and Accounting with Secure
Transport (AAAS) protocol over tcp.
IMPORTANT: this protocol is currently not supported.";
}
enum sctp {
description "The Authentication, Authorization and Accounting (AAA)
protocol over Stream Control Transmission Protocol
(SCTP) transport. Will automatically be configured
multi-homed if multiple signaling interfaces are
provisioned.";
}
}
default aaa;
description "The combined Diameter protocol and transport.";
}
leaf destination-hostname {
type ietf-inet:domain-name;
mandatory true;
description "The destination hostname.";
}
leaf port {
type ietf-inet:port-number;
default 3868;
description "The destination port number.";
}
leaf metric {
type uint32;
default 1;
description "The metric to use for this peer.
Peers with lower metrics take priority over peers
with higher metrics. If all peers have the same metric,
traffic is round-robin load balanced over all peers.";
}
description "Diameter destination peer(s).";
}
description "Diameter configuration.";
}
typedef announcement-id-type {
type leafref {
path "/sentinel-volte/mmtel/announcement/announcements/id";
}
description "The announcement-id type, limits use to be one of the configured SIP
announcement IDs from
'/sentinel-volte/mmtel/announcement/announcements/id'.";
}
grouping feature-announcement {
container announcement {
presence "Enables announcements";
leaf announcement-id {
type announcement-id-type;
mandatory true;
description "The announcement to be played.";
}
description "Should an announcement be played";
}
description "Configuration for announcements.";
}
}
Example configuration YAML files
Example for rem-vmpool-config.yaml
# This file describes the pool of Virtual Machines that comprise a REM cluster
deployment-config:rem-virtual-machine-pool:
# needs to match the deployment_id vapp parameter
deployment-id: example
# needs to match the site_id vapp parameter
site-id: DC1
# Define one or more REM users and give their passwords in plain-text.
# Passwords will be encrypted by 'rvtconfig upload-config' before this file is uploaded to CDS.
rem-auth:
- username: remreadonly
real-name: REM read only user
password: xxxxxxxx
virtual-machines:
- vm-id: example-rem-1
# DO NOT ENABLE IN PRODUCTION
# Enable extensive logging for verification and issue diagnosis during acceptance testing
rem-debug-logging-enabled: false
Example for snmp-config.yaml
deployment-config:snmp:
# Enable SNMP v1 (not recommended)
v1-enabled: false
# Enable SNMP v2c
v2c-enabled: true
# Enable SNMP v3
v3-enabled: false
# SNMP Community. Required for SNMP v2c
community: clearwater
# SNMP agent details
agent-details:
location: Unknown location
contact: support.contact@invalid.com
# SNMP Notifications
notifications:
# Enable Rhino SNMP Notifications
rhino-notifications-enabled: true
# Enable System SNMP Notifications
system-notifications-enabled: true
# Enable SGC SNMP Notifications
sgc-notifications-enabled: true
# SNMP notification targets. Normally this is the address of your MVS
targets:
- version: v2c
host: 127.0.0.1
port: 162
# Enable different SNMP notification categories
categories:
- category: alarm-notification
enabled: true
- category: log-notification
enabled: false
- category: log-rollover-notification
enabled: false
- category: resource-adaptor-entity-state-change-notification
enabled: false
- category: service-state-change-notification
enabled: false
- category: slee-state-change-notification
enabled: false
- category: trace-notification
enabled: false
- category: usage-notification
enabled: false
Example for routing-config.yaml
# This file is optional. If you do not use any custom routing rules,
# you can omit this file from the configuration bundle uploaded to CDS.
deployment-config:routing:
routing-rules: []
# To create routing rules, populate the routing-rules list as shown in the example below.
# routing-rules:
# - name: Example
#
## The target for the routing rule.
## Can be either an IP address or a block of addresses (e.g. 10.0.0.0/8).
# target: 8.8.8.8
#
## The interface to use.
## Can be one of 'management', 'diameter', 'ss7', 'sip', 'internal', 'access', 'cluster',
## 'diameter-multihoming' or 'ss7_multihoming'.
# interface: management
#
## The IP address of the gateway to route through.
# gateway: 0.0.0.0
#
# The node types this routing rule applies to.
# If ommitted, this routing rule will be attempt to apply itself to all node types.
# node-types:
# - tsn
# - mag
#
# - name: Example2
## ...
Example for system-config.yaml
# This file contains OS-level settings.
# This file is optional. Unless your Metaswitch Customer Care Representative
# has recommended that you override some settings within this file,
# omit this file from the configuration bundle uploaded to CDS.
deployment-config:system:
networking: {}
# To populate settings, remove the "{}" and fill in the appropriate keys and values.
# For example:
#
# deployment-config:system:
# networking:
# sctp:
# hb-interval: 1000
Connecting to MetaView Server
If you have deployed MetaView Server, Metaswitch’s network management and monitoring solution, you can use MetaView Explorer to monitor alarms on your VMs.
These instructions have been tested on version 9.5.40 of MetaView Server; for other versions the procedure could differ. In that case, refer to the MetaView Server documentation for more details.
Setting up your VMs to forward alarms to MetaView Server
To set up your VMs to forward alarms to MetaView Server, configure the following settings in snmp-config.yaml
. An example can be found in the example snmp-config.yaml page.
Field | Value |
---|---|
|
|
|
|
|
|
|
|
Then, perform the configuration to upload the configuration.
Adding your VMs to MetaView Server
-
Set up a deployment (if one does not already exist). From the
Object tree and Views
, right-click onAll managed components
and selectAdd Rhino deployment
. Give the deployment a name and clickapply
. -
Right-click on your deployment and select
add Rhino Cluster
. This needs to be done once per node type. We recommend that you name your cluster after the node type. -
For every node in your deployment, right-click on the Rhino cluster created in the previous step for this node type and select
add Rhino node
. Enter the management IP address for the node, and the SNMP community configured insnmp-config.yaml
. If the node has been set up correctly, it will show a green tick. If it shows a red cross, click on the bell next toAlarm state → Attention Required
to see the problem.
VM recovery
VM recovery overview
After the initial deployment of the VMs, some VMs might malfunction due to various reasons. For example, a service fault or a system failure might cause a VM to malfunction. Depending on different situations, Rhino VM automation allows you to recover malfunctioning VM nodes without affecting other nodes in the same VM group.
High level recovery options
The following table summarizes typical VM issues and the recovery operation you can use to resolve each issue.
VM issues | Recovery operation to resolve the issues |
---|---|
Transient VM issues. |
Reboot the affected VMs, in sequence, checking for VM convergence before moving on to the next node. |
A VM malfunctions, but the |
Use the During the healing process, the system performs decommission operations, such as notifying the MDM server of the VM status, before replacing the VM. |
A VM cannot be recovered with the |
Use the During the replacement process, the system doesn’t perform any decommission operations. Instead, it deletes the VM directly and then replaces it with a new one. |
All VMs in a group don’t work. |
Redeploy the VM group, by using the Backout procedure for the current platform. |
All VMs that have been deployed don’t work. |
Perform a full redeployment of the VMs, by using the Backout procedure for each group of VMs, then deploying again. |
Recovery operations in the table are ordered from quickest and least impactful to slowest and most invasive. To minimize system impact, always use a quicker and less impactful operation to recover a VM.
The csar heal
and csar recovery
operations are the main focus of this section.
Notes on scope of recovery
VM outages are unpredictable, and VM recovery requires a human engineer(s) in the loop to:
-
notice a fault
-
diagnose which VM(s) needs recovering
-
choose which operation to use
-
execute the right procedure.
These pages focus on how to diagnose which VM(s) needs recovery and how to perform that recovery. Initial fault detection and alerting is as a separate concern; nothing in this documentation about recovery replaces the need for service monitoring. |
The rvtconfig report-group-status
command can help you decide which VM to recover and which operation to use.
VMs are replaced rather than healed in place
Both the heal and redeploy recovery operations replace the VM, rather than recovering it "in place". As such, any state on the VM that needs to be retained (such as logs) must be collected before recovery.
No configuration during recovery
Don’t apply configuration changes until the recovery operations are completed.
No upgrades during recovery
Don’t upgrade VMs until the recovery operations are completed.
This includes recovering to another version, which is not supported, with the exception of the "upgrade before upload-config" case below. A VM can only be recovered back to the version it was already running. A recovery operation cannot be used to skip over upgrade steps, for example. Before upgrading or rolling back a VM, allow any recovery operations (heal or redeploy) to complete successfully.
The reverse does not apply: VMs that malfunction part way through an upgrade or rollback can indeed be recovered using heal or redeploy. |
Recovering from mistaken upgrade before upload-config
There is one case in which it is permissible to heal a VM to a different version, when the mistaken steps have occurred:
-
The VMs were already deployed on an earlier downlevel version, and
-
An upgrade attempt was made through
csar update
before uploading the uplevel configuration, and -
The
csar update
command timed out due to lack of configuration, and -
A roll back is wanted.
In this case, you can use the csar heal
command to roll back the partially updated VM back to the downlevel version.
Planning for the procedure
Background knowledge
This procedure assumes that:
-
you have have access to the SIMPL VM that was used to deploy the VM(s)
-
you have detected a fault on one or more VM(s) in the group, which need replacing
Reserve maintenance period
Do these procedures in a maintenance period where possible, but you can do them outside of a maintenance period if the affected VMs are causing immediate or imminent loss of service.
VM recovery time varies by node type. As a general guide, it should take approximately 15 minutes.
Tools and access
You must have access to the SIMPL VM, and the SIMPL VM must have the right permissions for your VM platform.
This page references an external document: the SIMPL VM Documentation. Ensure you have a copy available before proceeding.
Set up for VM recovery
Disable scheduled tasks
Scheduled Rhino restarts, Cassandra repairs, and SBB/activity cleanups should be disabled before running recovery operations. Run the rvtconfig enter-maintenance-window
command to do this.
Gather group status
The recovery steps to follow are highly dependent on the status of each VM and the VM group as a whole. Prior to choosing which steps to follow, run the rvtconfig report-group-status
command, and save the output to a local file.
Collect diagnostics from all of the VMs
The diagnostics from all the VMs should be collected to help a later analysis of the fault that caused the need to recovery VMs. Gathering diagnostics from the VMs to be recovered is of higher priority than from the non-recovering VMs. This is because as diagnostics can be gathered from the healthy VMs after the recovery steps, whereas the VMs to be recovered will be destroyed along with all their logs. To gather diagnostics, follow instructions from RVT Diagnostics Gatherer. After generating the diagnostics, transfer it from the VMs to a local machine.
Ensure that non-recovering VMs are responsive
Before recovering VM(s), use the output of the report-group-status
command above to ensure that the other nodes, which are not the target of the recovery operation, are responsive and healthy.
This includes the ability for each of the other VMs to see the CDS and MDM services, and the initconf process must be running, and should be converged:
[ OK ] initconf is active (running) and converged
[ OK ] CDS connection successful
[ OK ] MDM connection successful
For TSN nodes, both Cassandra services (disk-based and RAM-disk) should be listed as being in the UN
(up/normal) state on all the non-recovering nodes.
Recovery of REM VMs
Plan recovery approach
Recover the leader first when leader is malfunctioning
When recovering multiple nodes, check whether any of the nodes to be recovered are reported as being the leader based on the output of the rvtconfig report-group-status
command. If any of the nodes to be recovered are the current leader, recover the leader node first. This helps to speed up the handover of group leadership, so that the recovery will complete faster.
Choose between csar heal over csar redeploy
In general, use the csar heal
operation where possible instead of csar redeploy
. The csar heal
operation requires that the initconf process is active on the VM, and that the VM can reach both the CDS and MDM services, as reported by rvtconfig report-group-status
. If any of those pre-requisites are not met for csar heal
, use csar redeploy
instead.
When report-group-status
reports that a single node cannot connect to CDS or MDM, it should be considered a VM specific fault. In that case, use csar redeploy
instead of csar heal
. But a widespread failure of all the VMs in the group to connect to CDS or MDM suggest a need to investigate the health of the CDS and MDM services themselves, or the connectivity to them.
When recovering multiple VMs, you don’t have to consistently use either csar redeploy
or csar heal
commands for all nodes. Choose the appropriate command for each VM according to the guidance on this page instead.
Recovering one node
Healing one node
VMs should be healed one at a time, reassessing the group status using the rvtconfig report-group-status
command after each heal operation, as detailed below.
See the 'Healing a VM' section of the SIMPL VM Documentation for details on the csar heal
command.
The command should be run as follows:
csar heal --vm <VM name> --sdf <path to SDF>
Make sure that you pass the SDF pertaining to the correct version, being the same version that the recovering VM is already on, especially during an upgrade. |
Redeploying one node
VMs should be redeployed one at a time, reassessing the group status using the rvtconfig report-group-status
command after each heal operation, as detailed below. Exceptions to this rules are noted on this page.
See the 'Healing a VM' section of the SIMPL VM Documentation for details on the csar redeploy
command.
The command should be run as follows:
csar redeploy --vm <VM name> --sdf <path to SDF>
Make sure that you pass the SDF pertaining to the correct version, being the same version that the recovering VM is already on, especially during an upgrade. |
Re-check status after recovering each node
To ensure a node has been successfully recovered, check the status of the VM in the report generated by rvtconfig report-group-status
.
The csar heal command waits until heal is complete before indicating success, or times out in the awaiting_manual_intervention case (see below). The csar redeploy command does not wait until recovery is complete before returning. |
On accidental heal or redeploy to the wrong version
If the output of report-group-status
indicates an unintended recovery to the wrong version, follow the procedure in Troubleshooting accidental VM recovery to recover.
Post VM recovery steps
Enable scheduled tasks
You should now enable the scheduled tasks that were disabled before the recovery operations. Run the rvtconfig leave-maintenance-window
command to signal that the maintenance window has now concluded. Refer to the rvtconfig page for more details.
Troubleshooting accidental VM recovery
Accidental heal to wrong version
If the csar heal
command is accidentally run with the wrong target SDF version, it will perform steps which are closely equivalent to a csar update
to the new version, in other words an unplanned rolling upgrade.
In the case where the new total number of versions is 2, follow the usual rollback procedure described in this document to recover by rolling back the unplanned "upgrade", rolling back to the original version. This applies for example when all the other nodes are all on the same software version, or mid upgrade/rollback, when accidentally moving to other version.
If however, the group was already mid upgrade/rollback, and the node was healed to some third, different version, then this situation is not recoverable, and the group must be deleted and deployed again, using the procedure for deleting a VM group. See the Backout procedure within this guide for detailed steps on backing out the group.
The current versions can be queried using the rvtconfig report-group-status
command.
Accidental redeploy to wrong version
If the csar redeploy
command is accidentally run with the wrong target SDF version, the VM will detect this case, and refuse to converge. This will be detectable via the output of the rvtconfig report-group-status
command The initconf.log
file on the machine will indicate this case, failing fast by design.
To recover from this case, use csar redeploy
to redeploy back to the original version, using the normal csar redeploy
procedure detailed on the previous pages.
Troubleshooting node installation
REM not running after installation
Check that bootstrap and configuration were successful:
[sentinel@rem1 ~]$ grep 'Bootstrap complete' ~/bootstrap/bootstrap.log 2019-10-28 13:53:54,226 INFO bootstrap.main Bootstrap complete [sentinel@rem1 ~]$
If the bootstrap.log
does not contain that string, examine the log for any exceptions or errors.
[sentinel@rem1 ~]$ report-initconf status status=vm_converged [sentinel@rem1 ~]$
If the status is different, examine the output from report-initconf
for any problems. If that is not sufficient, examine the ~/initconf/initconf.log
file for any exceptions or errors.
Further information can also be found from the REM logs in /var/log/tas
and its subdirectories.
Cannot connect to REM
Connect to REM using a web browser. The connection should be over HTTPS to port 8443 of the management interface, and to the /rem/
page. For example: https://192.168.10.10:8443/rem/
If you connect using a hostname rather than the IP address, be sure that the hostname refers only to a single server in DNS.
If connections to REM fail despite use of the correct hostname/IP and port, try the following:
-
Check the REM service status on the node you are trying to connect to with
sudo systemctl status rhino-element-manager
. It should be listed asactive (running)
. -
Check that
jps
lists aBootstrap
process (this is the Apache Tomcat process). -
Check that
netstat -ant6
shows two listening sockets, one on the loopback address127.0.0.1
, port 8005, and the other on the management address, port 8443:tcp6 0 0 127.0.0.1:8005 :::* LISTEN tcp6 0 0 192.168.10.10:8443 :::* LISTEN
If any of the above checks fail, try restarting REM with sudo systemctl restart rhino-element-manager
. You can also check for errors in the log files in the /var/log/tas/apache-tomcat
directory.
Cannot log in to REM
When connecting to REM, you should use one of the accounts set up in the rem-vmpool-config.yaml file. The default username/password documented in the REM product documentation is not available on the REM node.
When trying to connect to Rhino, REM asks for credentials
When trying to connect to a Rhino instance, you need to enter the credentials REM can use to connect to Rhino. The Rhino username and password are configured in the VM pool YAML file for the Rhino nodes being monitored.
The mapping from REM users to Rhino users is deployment-specific (for example, you may wish to allocate a separate Rhino user to each REM user, so it is clear in Rhino audit logs which user made a certain change to Rhino configuration). As such, the VM software is unable to set up these credentials automatically.
It is recommended to use the "Save credentials" option so that you only need to specify the Rhino credentials once (per user, per instance).
Known REM product issues
For known REM issues, refer to the Known issues in REM section in the REM documentation.
RVT Diagnostics Gatherer
rvt-gather_diags
The rvt-gather_diags
script collects diagnostic information. Run rvt-gather_diags [--force] [--force-confirmed]
on the VM command line.
Option | Description |
---|---|
|
option will prompt user to allow execution under high cpu load. |
|
option will not prompt user to run under high cpu load. |
Diagnostics dumps are written to /var/rvt-diags-monitor/dumps
as a gzipped tarball. The dump name is of the form {timestamp}.{hostname}.tar.gz
. This can be extracted by running the command tar -zxf {tarball-name}
.
The script automatically deletes old dumps so that the total size of all dumps doesn’t exceed 1GB. However, it will not delete the dump just taken, even if that dump exceeds the 1GB threshold.
Diagnostics collected
A diagnostic dump contains the following information:
General
-
Everything in
/var/log
and/var/run
-
This includes the raw journal files.
-
-
NTP status in
ntpq.txt
-
snmp status from
snmpwalk
insnmpstats.txt
Platform information
-
lshw.txt
- Output of thelshw
command -
cpuinfo.txt
- Processor details -
meminfo.txt
- Memory details -
os.txt
- Operating System information
Networking information
-
ifconfig.txt
- Interface settings -
routes.txt
- IP routing tables -
netstat.txt
- Currently allocated sockets, as reported bynetstat
-
/etc/hosts
and/etc/resolv.conf
Resource usage
-
df-kh.txt
- Disk usage as reported bydf -kh
-
sar.{datestamp}.txt
- The historical system resource usage as reported -
fdisk-l.txt
- Output offdisk -l
-
ps_axo.txt
- Output ofps axo
TAS-VM-Build information
-
bootstrap.log
-
initconf.log
-
The configured YAML files
-
disk_monitor.log
-
msw-release
- Details of the node type and version -
cds_deployment_data.txt
- Developer-level configuration information from the CDS -
Text files that hold the output of journalctl run for a allowlist set of both system and TAS specific services.
Glossary
The following acronyms and abbreviations are used throughout this documentation.
CDS |
Configuration Data Store Database used to store configuration data for the VMs. |
CSAR |
Cloud Service ARchive File type used by the SIMPL VM. |
Deployment ID |
Uniquely identifies a deployment, which can consist of many sites, each with many groups of VMs |
MDM |
Metaswitch Deployment Manager Virtual appliance compatible with many Metaswitch products, that co-ordinates deployment, scale and healing of product nodes, and provides DNS and NTP services. |
MOP |
Method Of Procedure A set of instructions for a specific operation. |
OVA |
Open Virtual Appliance File type used by VMware vSphere and VMware vCloud. |
OVF |
Open Virtualization Format File type used by VMware vSphere and VMware vCloud. |
QCOW2 |
QEMU Copy on Write 2 File type used by OpenStack. |
QSG |
Quicksilver Secrets Gateway A secure database on the SIMPL VM for storing secrets. |
REM |
Rhino Element Manager |
RVT |
Rhino VoLTE TAS |
SAS |
Service Assurance Server |
SDF |
Solution Definition File Describes the deployment, for consumption by the SIMPL VM. |
SIMPL VM |
ServiceIQ Management Platform VM This VM has tools for deploying and upgrading a deployment. |
Site ID |
Uniquely identifies one site within the deployment, normally a geographic site (e.g. one data center) |
SLEE |
Service Logic Execution Environment An environment that is used for developing and deploying network services in telecommunications (JSLEE Guide). For more information on how to manage the SLEE, see SLEE Management. |
TAS |
Telecom Application Server |
VM |
Virtual Machine |
YAML |
Yet Another Markup Language Data serialisation language used in the Rhino VM Automation solution for writing configuration files. |
YANG |
Yet Another Next Generation Schemas used for verifying YAML files. |