EFA Requirements

Review this topic for requirements for host names, NTP, user privileges, DNS configuration, passwordless SSH, and IP addresses.

General requirements

Host names:
- Host names must be unique and consist of numeric characters and lowercase alphabetic characters. Do not use uppercase alphabetic characters.
- Hyphens are the only special characters allowed. No other special characters are allowed by Kubernetes for cluster formation or by the K3s service.
NTP: The server on which EFA is installed must use the same NTP or be synchronized to the correct time and timezone. Having the correct time and timezone ensures the following:
- Self-signed certificates have valid start and expiration times.
- EFA logs have the correct time stamp.
- The K3s service starts without errors.
You can edit /etc/systemd/timesyncd.conf to select NTP servers in the [Time] section of the configuration file. The NTP= option takes a space-separated list of host names or IP addresses. NTP suggests selecting as many servers as is feasible, but at least 3. Select from the pool of publicly available servers or your company's internal NTP servers. For example:
```
[Time]
NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
```
Note
If you are not using the provided EFA OVA or TPVM, consult with your system administrator for configuring NTP.
You can use the following commands to access timesyncd.conf and to synchronize your changes.
```
# sudo vim /etc/systemd/timesyncd.conf
# sudo service systemd-timesyncd restart
# systemctl status systemd-timesyncd
# sudo timedatectl set-timezone <your_time_zone>
```
NTP: All devices that EFA manages must use NTP to ensure easy audit trails and logging from EFA.
NTP: The EFA installer allows a maximum drift of 10 seconds across nodes. If the difference is more than 10 seconds, the installer prompts you to synchronize clocks.
User privileges: The user who installs EFA must be a root user or have sudoers privileges to ensure components are installed correctly. Installation fails if this requirement is not met.
DNS: DNS configuration on the nodes must be valid or the /etc/resolv.conf file must be empty to ensure that the DNS resolution of Kubernetes functions correctly.
- Ensure that nslookup returns the correct host name based on the IP address. For example, nslookup node1.
- Ensure that the DNS servers listed in the /etc/resolv.conf file can resolve to the addresses of all the nodes. For example, dig <node_hostname> +short should return the correct IP addresses assigned to the hosts.
Note
If you are not using the provided EFA OVA or TPVM, consult with your system administrator for configuring NTP.
TPVM: With the 4.0.x releases of TPVM, you can configure DNS, NTP, and LDAP as part of deploying TPVM. For more information, see "Guest OS for TPVM" in the Extreme SLX-OS Management Configuration Guide.
Netplan: Refer to Netplan configuration examples for network configuration using Netplan.

High-availability requirements

OS: All nodes in the high-availability cluster must have the same version of the operating system. For more information about supported operating systems, see Supported Platforms and Deployment Models for Fabric Manager.
Host names: High-availability host names must be unique.
IP addresses:
- High-availability deployments require an extra IP address: virtual IP, cluster IP, or host IP. Ensure that this extra address is an unallocated IP address in the same subnet as the nodes that will form the cluster.
- All nodes in the cluster must have an IP address in the same subnet as the virtual IP address.
SSH: (For SLX-OS 20.2.3 and later with TPVM version 4.2.2 and later) Before installing EFA, configure SSH passwordless access between TPVM users. You can use the SLX command line and the following commands.
- To configure a trusted peer: device# tpvm config trusted-peer add <peer-tpvm-ip> sudo-user <tpvm-sudo-user> password <sudo-userpassword>.
- To display trusted peer information: device# show tpvm config trusted-peer.
- To remove a trusted peer: device# tpvm config trusted-peer remove <peer-tpvm-ip> sudo-user <tpvm-sudo-user> password <sudo-userpassword>.
Note
This SSH configuration applies only for the root user. There is no option for other users.
The script is a sample of paswordless SSH configuration between two nodes (either TPVM or server).

SSH: (For SLX-OS releases earlier than 20.2.3) Before installing EFA, configure passwordless SSH between the nodes that will form the cluster. The following is an example of configuring passwordless SSH from a remote host for two TPVMs.

In the example, the script takes in two parameters, which are the IP addresses of the TPVMs or the servers for server-based deployments. The example assumes the availability of the public key from the remote host and the RSA keypair.

Note

Modify this script to suit your requirements.

#!/bin/bash
TPVM1_IP="$1"
TPVM2_IP="$2"
TPVM_USER="extreme"
SSH_OPTION="-o StrictHostKeyChecking=no"

echo "Setting up passwordless ssh login from this host to TPVMs..."

MY_PUB_KEY=`cat ~/.ssh/id_rsa.pub`

ssh $SSH_OPTION $TPVM_USER@$TPVM1_IP "bash -c \"echo $MY_PUB_KEY >> 
/home/$TPVM_USER/.ssh/authorized_keys\""

ssh $SSH_OPTION $TPVM_USER@$TPVM2_IP "bash -c \"echo $MY_PUB_KEY >> 
/home/$TPVM_USER/.ssh/authorized_keys\""

echo "Generating ssh keypairs for root on TPVMs..."

ssh $SSH_OPTION $TPVM_USER@$TPVM1_IP "bash -c \"sudo ssh-keygen -b 4096 -t rsa -q 
-N '' -f /root/.ssh/id_rsa <<< y >/dev/null\""

# This could have been a mkdir -p /root/.ssh so that root's .ssh dir is present.

ssh $SSH_OPTION $TPVM_USER@$TPVM2_IP "bash -c \"sudo ssh-keygen -b 4096 -t rsa -q 
-N '' -f /root/.ssh/id_rsa <<< y >/dev/null\""

echo "Setting up passwordless ssh login between TPVMs..."

TPVM1_ROOT_PUB_KEY=`ssh $SSH_OPTION $TPVM_USER@$TPVM1_IP "bash -c \"sudo 
cat /root/.ssh/id_rsa.pub\""`

#TPVM2_ROOT_PUB_KEY=`ssh $SSH_OPTION $TPVM_USER@$TPVM2_IP "bash -c \"sudo 
cat /root/.ssh/id_rsa.pub\""`

echo "Exchanging ssh public keys for root between TPVMs..."

#ssh $SSH_OPTION $TPVM_USER@$TPVM1_IP "bash -c \"sudo sh -c 'echo 
$TPVM2_ROOT_PUB_KEY >> /root/.ssh/authorized_keys'\""

ssh $SSH_OPTION $TPVM_USER@$TPVM2_IP "bash -c \"sudo sh -c 'echo 
$TPVM1_ROOT_PUB_KEY >> /root/.ssh/authorized_keys'\""

echo "Adding TPVM IPs for root between TPVMs as known hosts to skip first time login prompts..."

#ssh $SSH_OPTION $TPVM_USER@$TPVM1_IP "bash -c \"sudo sh -c 'ssh-keyscan -H 
$TPVM2_IP >> /root/.ssh/known_hosts' 2>/dev/null\""

ssh $SSH_OPTION $TPVM_USER@$TPVM2_IP "bash -c \"sudo sh -c 'ssh-keyscan -H 
$TPVM1_IP >> /root/.ssh/known_hosts' 2>/dev/null\""

echo "Completed passwordless ssh login between TPVMs."

IP Address:
1. Do not use the following IPv4 or IPv6 address subnets which are either reserved for K3s or not supported:
  1. 10.42.0.0/16 subnet
  2. 10.43.0.0/16 subnet
  3. 169.254.0.0/16 subnet
  4. fd42::/48 subnet
  5. fd43::/112 subnet
2. Do not use IPv4 mapped IPv6 addresses.
  Format: 0:0:0:0:0:FFFF:w.x.y.z or ::FFFF:w.x.y.z
  
  Example: ::ffff:10.10.10.10or ::ffff:0a0a:0a0a
3. Do Not use IPv6 Link Local addresses.