Deploying Processor
Public Cloud Deployment
You can add a processor node with policy engine to an existing application VPC or create a new VPC.
Note
Deploying several processors in the same VPC allows you to improve application availability and share the load among the processor nodes.
Create VPC
To create a new VPC for application deployment, run the command with the cloud and region names (in this example azr and westus) as arguments:
(myfab2) bwctl> create vpc azr westus
You should see output similar to:
[2019-09-25 17:51:51.688] Creating VPC: azr2-vpc-myfab2...
...
[2019-09-25 17:52:50.803] VPCs ['azr2-vpc-myfab2'] created successfully
Create Processor Node
Next, to create a processor, run the command with the target VPC name as an argument:
(myfab2) bwctl> create processor azr2-vpc-myfab2
You should see output similar to:
[2019-09-25 17:53:22.613] Creating new processor 'azr2-p01-myfab2'...
...
[2019-09-25 17:57:27.735] ['azr2-p01-myfab2'] created successfully
[2019-09-25 17:57:27.763] Generating SSH config...
To configure the processor, you will use the FQDN of the orchestrator southbound interface (SBI).
The FQDN of the orchestrator SBI was auto-generated in the previous step and in this example has the following structure:
controller-myfab2.myorg2.poc.bayware.io
Note
The FQDN of orchestrator SBI is always defined in the following manner: controller-<fabric>.<company>.<DNS hosted zone>
To configure the processor, run the command with the FQDN of the orchestrator SBI (in this example controller-myfab2.myorg2.poc.bayware.io) as an argument:
(myfab2) bwctl> configure processor azr2-p01-myfab2 --orchestrator-fqdn controller-myfab2.myorg2.poc.bayware.io
You should see output similar to:
[2019-09-25 17:58:58.573] Generate ansible inventory...
...
[2019-09-25 18:00:18.506] Processors ['azr2-p01-myfab2'] configured successfully
To start the processor, run the command:
(myfab2) bwctl> start processor azr2-p01-myfab2
You should see output similar to:
[2019-09-25 18:00:44.719] Processors to be started: ['azr2-p01-myfab2']
...
[2019-09-25 18:00:47.537] Processors ['azr2-p01-myfab2'] started successfully
Private Datacenter Deployment
You can install the policy engine on a Linux machine in your private data center. The policy engine has been fully integrated and tested with the following operating systems:
- Ubuntu 18.04 LTS,
- RHEL 8 (available starting with the fabric family version 1.4).
You need root access to the Linux machine (hereafter called the processor node) in order to install the policy engine.
Ubuntu
Add Repository
First, switch to root level access by running this command:
]$ sudo su -
To add the Bayware repository key to the processor node, run this command:
]# wget -qO - https://s3-us-west-1.amazonaws.com/bayware-repo/public/ubuntu/Bayware-public.key | sudo apt-key add -
Now, add the Bayware repository to the processor node by running this command:
]# echo "deb https://s3-us-west-1.amazonaws.com/bayware-repo/public/1.2/ubuntu bionic main" > /etc/apt/sources.list.d/bayware-s3-pub.list
Update the package cache on the processor node by running this command:
]# apt update
Install Engine
To install the policy engine on the processor node, run this command:
]# apt install -y ib-engine
Note
The policy engine package depends on: strongswan (>=5), openvswitch-common (>=2.9), openvswitch-switch (>=2.9). All dependencies are installed automatically if not found on the processor node.
Configure Engine
The policy engine requires the following configuration to operate:
- paths to root CA certificate, processor certificate, processor private key;
- FQDN of orchestrator southbound API;
- processor location name (optional).
By default, the policy engine works with the certificates and the private key located at ~/opt/bayware/certs/
To view folder content, run this command:
]# ll /opt/bayware/certs/
If you have the certificates and the key already installed on the processor node, you should see output similar to this:
total 32
drwxr-xr-x 2 root root 4096 Oct 4 23:54 ./
drwxr-xr-x 4 root root 4096 Oct 4 23:56 ../
-rw-r--r-- 1 root root 1956 Oct 4 23:54 ca.crt
-rw-r--r-- 1 root root 1696 Oct 4 23:54 node.crt
-rw-r--r-- 1 root root 1005 Oct 4 23:54 node.csr
-r-------- 1 ubuntu root 1675 Oct 4 23:54 node.key
-r-------- 1 ubuntu root 1704 Oct 4 23:54 node.p8
-r-------- 1 ubuntu root 3371 Oct 4 23:54 node.pem
Note
You can find the requirements for the processor node certificate in a separate guide under the section Certificate Requirements.
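The listing above shows the private key material (node.key, node.p8, node.pem) accessible to its owner only. The check below is an added example, not part of the original guide or of Bayware's tooling; the function name audit_certs and the choice of ca.crt, node.crt and node.key as the required set are assumptions.

```bash
# Added example (not Bayware code): audit the certificate directory before
# running ib-configure. File names are taken from the listing above; that the
# engine needs exactly ca.crt, node.crt and node.key is an assumption.

# audit_certs DIR: print one finding per line; return 1 if there is any.
audit_certs() {
    dir=$1
    rc=0
    # Root CA certificate, processor certificate and private key must exist.
    for f in ca.crt node.crt node.key; do
        [ -s "$dir/$f" ] || { echo "MISSING $f"; rc=1; }
    done
    # Private key material: no access for group or others (chars 5-10 of the
    # mode string, as printed by ll in the listing above, must all be '-').
    for f in node.key node.p8 node.pem; do
        [ -e "$dir/$f" ] || continue
        mode=$(ls -ld "$dir/$f" | cut -c1-10)
        case $mode in
            ????------) ;;
            *) echo "EXPOSED $f $mode"; rc=1 ;;
        esac
    done
    # Directory must not be group- or world-writable, so an unprivileged user
    # cannot replace the trust anchor ca.crt or the node certificate.
    mode=$(ls -ld "$dir" | cut -c1-10)
    case $mode in
        ?????w*|????????w*) echo "WRITABLE $dir $mode"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample directory: same files as the listing, but node.pem is
# left world-readable to show a finding.
demo=$(mktemp -d)
for f in ca.crt node.crt node.key node.p8 node.pem; do
    echo sample > "$demo/$f"
done
chmod 644 "$demo/ca.crt" "$demo/node.crt" "$demo/node.pem"
chmod 400 "$demo/node.key" "$demo/node.p8"
audit_certs "$demo" || echo "resolve the findings before starting ib-engine"
rm -rf "$demo"
```

On the processor node, call it as audit_certs /opt/bayware/certs once the certificates and key are installed.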
If you want to change the path to the certificates and the key, use options offered by the policy engine configuration script. To find the available options, run this command:
]# /opt/bayware/ib-engine/bin/ib-configure -h
To configure orchestrator and location names, run the command with the FQDN of the orchestrator southbound API and the location name as its arguments. Use the option -s if you want to set up IPsec configuration for this engine:
]# /opt/bayware/ib-engine/bin/ib-configure -s -c <FQDN of Orchestrator SBI> -l <location>
You should see this output:
engine configuration completed successfully
Note
All configuration settings can be changed directly in the config file located at ~/opt/conf/sys.config
Start Engine
To have the policy engine start automatically when the processor node boots, run this command:
]# systemctl enable ib-engine
To start the policy engine, run this command:
]# systemctl start ib-engine
RHEL
In progress…