EFA Requirements
Review this topic for requirements for host names, NTP, user privileges, DNS configuration, passwordless SSH, and IP addresses.
General requirements
- Host names:
- Host names must be unique and consist of numeric characters and lowercase alphabetic characters. Do not use uppercase alphabetic characters.
- Hyphens are the only special characters allowed. No other special characters are allowed by Kubernetes for cluster formation or by the K3s service.
- NTP: The server on which EFA is installed must use the same NTP servers as the other nodes, or otherwise be synchronized to the correct time and time zone. Having the correct time and time zone ensures the following:
  - Self-signed certificates have valid start and expiration times.
  - EFA logs have the correct time stamp.
  - The K3s service starts without errors.
  You can edit /etc/systemd/timesyncd.conf to select NTP servers in the [Time] section of the configuration file. The NTP= option takes a space-separated list of host names or IP addresses. NTP best practice is to configure as many servers as is feasible, but at least 3. Select from the pool of publicly available servers or your company's internal NTP servers. For example:
  [Time]
  NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
  Note
  If you are not using the provided EFA OVA or TPVM, consult with your system administrator for configuring NTP. You can use the following commands to access timesyncd.conf and to apply your changes:
  # sudo vim /etc/systemd/timesyncd.conf
  # sudo service systemd-timesyncd restart
  # systemctl status systemd-timesyncd
  # sudo timedatectl set-timezone <your_time_zone>
- NTP: All devices that EFA manages must use NTP to ensure easy audit trails and logging from EFA.
- NTP: The EFA installer allows a maximum drift of 10 seconds across nodes. If the difference is more than 10 seconds, the installer prompts you to synchronize clocks.
- User privileges: The user who installs EFA must be the root user or have sudoers privileges to ensure components are installed correctly. Installation fails if this requirement is not met.
- DNS: DNS configuration on the nodes must be valid, or the /etc/resolv.conf file must be empty, to ensure that the DNS resolution of Kubernetes functions correctly.
  - Ensure that nslookup returns the correct host name for each node's IP address and the correct IP address for each host name. For example, nslookup node1.
  - Ensure that the DNS servers listed in the /etc/resolv.conf file can resolve the addresses of all the nodes. For example, dig <node_hostname> +short should return the correct IP addresses assigned to the hosts.
- TPVM: With the 4.0.x releases of TPVM, you can configure DNS, NTP, and LDAP as part of deploying TPVM. For more information, see "Guest OS for TPVM" in the Extreme SLX-OS Management Configuration Guide.
- Netplan: Refer to Netplan configuration examples for network configuration using Netplan.
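The host-name, clock-drift and DNS requirements above can be checked before the installer is run. The following preflight script is an added example written for this page; it is not part of EFA or its installer. It assumes the rules exactly as stated above (lowercase alphanumerics and hyphens in host names, a 10-second drift limit across nodes, and forward and reverse DNS agreeing with each node's address) and, for the live clock check, that passwordless SSH to the nodes already works. The resolver and clock inputs can also be supplied directly so the checks run offline; function names such as run_preflight and check_dns are this example's own.

```python
"""Preflight checks for the EFA general requirements: host names, clock drift, DNS.

Added example for this page, not part of EFA. The resolver and clock inputs are
injectable so the checks can run offline against constructed answers.
"""
import re
import socket
import subprocess
from typing import Callable, Iterable, List, Mapping, Optional, Set

MAX_DRIFT_SECONDS = 10  # limit the EFA installer enforces across nodes (from the page)

# Lowercase letters, digits and hyphens only; a hyphen may not start or end the name.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def check_hostnames(names: Iterable[str]) -> List[str]:
    """Return one message per violation: disallowed characters or a duplicate name."""
    problems: List[str] = []
    seen: Set[str] = set()
    for name in names:
        if not HOSTNAME_RE.match(name):
            problems.append(f"{name!r}: only lowercase letters, digits and hyphens are allowed")
        if name in seen:
            problems.append(f"{name!r}: host name is not unique")
        seen.add(name)
    return problems


def clock_drift(epochs: Mapping[str, float]) -> float:
    """Largest difference between any two node clocks (seconds since the epoch)."""
    values = list(epochs.values())
    return max(values) - min(values) if values else 0.0


def check_clock_drift(epochs: Mapping[str, float], limit: float = MAX_DRIFT_SECONDS) -> Optional[str]:
    """None if all nodes are within the limit, otherwise a message to act on."""
    drift = clock_drift(epochs)
    if drift > limit:
        return f"clock drift of {drift:.1f}s exceeds the {limit}s installer limit; synchronize NTP first"
    return None


def collect_epochs(hosts: Iterable[str]) -> Mapping[str, float]:
    """Read each host's clock over SSH (assumes passwordless SSH as user@host or host)."""
    result = {}
    for host in hosts:
        out = subprocess.run(["ssh", host, "date", "+%s"], capture_output=True, text=True, check=True)
        result[host] = float(out.stdout.strip())
    return result


def resolve_forward(name: str) -> Set[str]:
    """Addresses the system resolver returns for a name (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def resolve_reverse(ip: str) -> Optional[str]:
    """Host name the system resolver returns for an address, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_dns(nodes: Mapping[str, str],
              forward: Callable[[str], Optional[Set[str]]] = resolve_forward,
              reverse: Callable[[str], Optional[str]] = resolve_reverse) -> List[str]:
    """nodes maps host name -> expected IP. Both lookup directions must agree with it."""
    problems: List[str] = []
    for name, ip in nodes.items():
        addrs = forward(name) or set()
        if ip not in addrs:
            problems.append(f"forward lookup of {name} returned {sorted(addrs)}, expected {ip}")
        rname = reverse(ip)
        # Compare the first label so 'node1' matches a PTR answer of 'node1.example.com'.
        if rname is None or rname.split(".")[0] != name.split(".")[0]:
            problems.append(f"reverse lookup of {ip} returned {rname!r}, expected {name}")
    return problems


def run_preflight(nodes: Mapping[str, str]) -> List[str]:
    """Run every check against live nodes; an empty list means all requirements are met."""
    problems = check_hostnames(nodes.keys())
    drift = check_clock_drift(collect_epochs(nodes.values()))
    if drift:
        problems.append(drift)
    return problems + check_dns(nodes)
```

Call run_preflight with a mapping of host name to address, for example run_preflight({"node1": "10.20.30.11", "node2": "10.20.30.12"}) (constructed values); fix every reported problem before starting the installer, since it will stop on the same drift and resolution failures.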
High-availability requirements
- OS: All nodes in the high-availability cluster must have the same version of the operating system. For more information about supported operating systems, see Supported Platforms and Deployment Models for Fabric Manager.
- Host names: High-availability host names must be unique.
- IP addresses:
- High-availability deployments require an extra IP address: virtual IP, cluster IP, or host IP. Ensure that this extra address is an unallocated IP address in the same subnet as the nodes that will form the cluster.
- All nodes in the cluster must have an IP address in the same subnet as the virtual IP address.
- SSH: (For SLX-OS 20.2.3 and later with TPVM version 4.2.2 and later) Before installing EFA, configure passwordless SSH access between TPVM users. You can use the SLX command line and the following commands. Note that the sudo user's password is passed in clear text as a command argument.
  - To configure a trusted peer:
    device# tpvm config trusted-peer add <peer-tpvm-ip> sudo-user <tpvm-sudo-user> password <sudo-userpassword>
  - To display trusted peer information:
    device# show tpvm config trusted-peer
  - To remove a trusted peer:
    device# tpvm config trusted-peer remove <peer-tpvm-ip> sudo-user <tpvm-sudo-user> password <sudo-userpassword>
  Note
  This SSH configuration applies only to the root user. There is no option for other users. The script below is a sample passwordless SSH configuration between two nodes (either TPVMs or servers).
- SSH: (For SLX-OS releases earlier than 20.2.3) Before installing EFA, configure passwordless SSH between the nodes that will form the cluster. The following is an example of configuring passwordless SSH from a remote host for two TPVMs.
  In the example, the script takes two parameters, the IP addresses of the TPVMs (or of the servers, for server-based deployments). The example assumes that the remote host already has an RSA key pair and that its public key is available in ~/.ssh/id_rsa.pub.
  Note
  Modify this script to suit your requirements. It sets StrictHostKeyChecking=no, which accepts whatever host key each TPVM presents on first contact; in production, verify the TPVM host keys out of band or pre-populate known_hosts before running it. The script configures root-to-root access in both directions; remove the lines for a direction you do not need.
  #!/bin/bash
  # Usage: ./setup_ssh.sh <TPVM1_IP> <TPVM2_IP>
  # Run from a remote host that already holds an RSA key pair in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.
  TPVM1_IP="$1"
  TPVM2_IP="$2"
  TPVM_USER="extreme"
  # Skips host-key verification on first contact (see the note above). Left unquoted below on purpose
  # so it expands to two words.
  SSH_OPTION="-o StrictHostKeyChecking=no"

  echo "Setting up passwordless ssh login from this host to TPVMs..."
  MY_PUB_KEY=$(cat ~/.ssh/id_rsa.pub)
  ssh $SSH_OPTION "$TPVM_USER@$TPVM1_IP" "bash -c \"echo $MY_PUB_KEY >> /home/$TPVM_USER/.ssh/authorized_keys\""
  ssh $SSH_OPTION "$TPVM_USER@$TPVM2_IP" "bash -c \"echo $MY_PUB_KEY >> /home/$TPVM_USER/.ssh/authorized_keys\""

  echo "Generating ssh keypairs for root on TPVMs..."
  # mkdir -p makes sure root's .ssh directory exists; <<< y answers the overwrite prompt if a key is already present.
  ssh $SSH_OPTION "$TPVM_USER@$TPVM1_IP" "bash -c \"sudo mkdir -p /root/.ssh && sudo ssh-keygen -b 4096 -t rsa -q -N '' -f /root/.ssh/id_rsa <<< y >/dev/null\""
  ssh $SSH_OPTION "$TPVM_USER@$TPVM2_IP" "bash -c \"sudo mkdir -p /root/.ssh && sudo ssh-keygen -b 4096 -t rsa -q -N '' -f /root/.ssh/id_rsa <<< y >/dev/null\""

  echo "Setting up passwordless ssh login between TPVMs..."
  TPVM1_ROOT_PUB_KEY=$(ssh $SSH_OPTION "$TPVM_USER@$TPVM1_IP" "bash -c \"sudo cat /root/.ssh/id_rsa.pub\"")
  TPVM2_ROOT_PUB_KEY=$(ssh $SSH_OPTION "$TPVM_USER@$TPVM2_IP" "bash -c \"sudo cat /root/.ssh/id_rsa.pub\"")

  echo "Exchanging ssh public keys for root between TPVMs..."
  # Each TPVM's root authorized_keys receives the other TPVM's root public key.
  ssh $SSH_OPTION "$TPVM_USER@$TPVM1_IP" "bash -c \"sudo sh -c 'echo $TPVM2_ROOT_PUB_KEY >> /root/.ssh/authorized_keys'\""
  ssh $SSH_OPTION "$TPVM_USER@$TPVM2_IP" "bash -c \"sudo sh -c 'echo $TPVM1_ROOT_PUB_KEY >> /root/.ssh/authorized_keys'\""

  echo "Adding TPVM IPs for root between TPVMs as known hosts to skip first time login prompts..."
  # Each TPVM's root known_hosts receives the other TPVM's host key (hashed with -H).
  ssh $SSH_OPTION "$TPVM_USER@$TPVM1_IP" "bash -c \"sudo sh -c 'ssh-keyscan -H $TPVM2_IP >> /root/.ssh/known_hosts' 2>/dev/null\""
  ssh $SSH_OPTION "$TPVM_USER@$TPVM2_IP" "bash -c \"sudo sh -c 'ssh-keyscan -H $TPVM1_IP >> /root/.ssh/known_hosts' 2>/dev/null\""
  echo "Completed passwordless ssh login between TPVMs."
- IP address:
  - Do not use the following IPv4 or IPv6 address subnets, which are either reserved for K3s or not supported:
    - 10.42.0.0/16 subnet (the K3s default cluster CIDR for pods)
    - 10.43.0.0/16 subnet (the K3s default service CIDR)
    - 169.254.0.0/16 subnet
    - fd42::/48 subnet
    - fd43::/112 subnet
  - Do not use IPv4-mapped IPv6 addresses.
    Format: 0:0:0:0:0:FFFF:w.x.y.z or ::FFFF:w.x.y.z
    Example: ::ffff:10.10.10.10 or ::ffff:0a0a:0a0a
  - Do not use IPv6 link-local addresses.
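To check candidate addresses against the restrictions above before deployment, the following is an added example written for this page; it is not part of EFA or its installer and relies only on the standard-library ipaddress module. address_problems applies the subnet, IPv4-mapped and link-local rules exactly as listed; ha_problems additionally checks the high-availability rule that the extra (virtual) IP address is unallocated and in the same subnet as all nodes, which requires the node addresses to be supplied with their prefix length (for example 10.20.30.11/24, a constructed value). Function names are this example's own.

```python
"""Validate EFA node and virtual IP addresses against the page's address rules.

Added example for this page, not part of EFA.
"""
import ipaddress
from typing import Iterable, List

# Subnets the page lists as reserved for K3s or unsupported.
RESERVED_SUBNETS = [ipaddress.ip_network(n) for n in (
    "10.42.0.0/16", "10.43.0.0/16", "169.254.0.0/16", "fd42::/48", "fd43::/112",
)]


def address_problems(text: str) -> List[str]:
    """Return a message for every rule a single address violates (empty list = OK)."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return [f"{text!r} is not a valid IPv4 or IPv6 address"]
    problems: List[str] = []
    for net in RESERVED_SUBNETS:
        if addr.version == net.version and addr in net:
            problems.append(f"{addr} is inside {net}, which is reserved for K3s or unsupported")
    if addr.version == 6:
        # ::ffff:w.x.y.z and its hex spelling (::ffff:0a0a:0a0a) both parse as mapped addresses.
        if addr.ipv4_mapped is not None:
            problems.append(f"{addr} is an IPv4-mapped IPv6 address (maps to {addr.ipv4_mapped})")
        if addr.is_link_local:
            problems.append(f"{addr} is an IPv6 link-local address")
    return problems


def ha_problems(vip_text: str, node_ifaces: Iterable[str]) -> List[str]:
    """Check the HA virtual IP against the node interfaces given as CIDR strings."""
    try:
        vip = ipaddress.ip_address(vip_text)
        ifaces = [ipaddress.ip_interface(i) for i in node_ifaces]
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    problems = address_problems(vip_text)
    for iface in ifaces:
        problems += address_problems(str(iface.ip))
    networks = {iface.network for iface in ifaces}
    if len(networks) != 1:
        problems.append(f"nodes span several subnets: {sorted(map(str, networks))}")
        return problems
    net = networks.pop()
    if vip.version != net.version or vip not in net:
        problems.append(f"virtual IP {vip} is not in the node subnet {net}")
    if any(vip == iface.ip for iface in ifaces):
        problems.append(f"virtual IP {vip} is already allocated to a node")
    return problems
```

Run ha_problems once per planned cluster, for example ha_problems("10.20.30.100", ["10.20.30.11/24", "10.20.30.12/24"]) (constructed values); an empty list means the virtual IP and every node address satisfy the rules above. The script cannot tell whether the virtual IP is in use by some other device on the subnet, so still confirm that with your IP address management records.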