Configuring the network on the master node

You can configure the network on the x86 or Linux on Z server to ensure that the master node is connected with other cluster nodes on the IBM Z or LinuxONE system.

This procedure is intended for users with the cloud administrator role.

Before you begin

Procedure

On the x86 or Linux on Z server, complete the following steps as a root user.

  1. Configure the master node to persist the network configuration. Note that if you want to configure multiple aliases to one network interface controller (NIC) on the master node, see IP-Aliasing.

    • For Ubuntu 16.04:

      • If the master node is connected to an ethernet-type connection, use the following procedure.

        a. Add the following interface and network information into the /etc/network/interfaces file.

        # Static IP
        auto eth0
        iface eth0 inet static
          address 192.168.0.251
          netmask 255.255.255.0
          gateway 192.168.0.1
          dns-nameservers 8.8.8.8 8.8.4.4
        # Static route
        up route add -net 192.168.10.0/24 gw 192.168.10.1 dev eth0
        

        b. Restart the networking service to apply the changes.

          sudo /etc/init.d/networking restart
        

        c. If the IP address is not updated after running the restart command, reboot the master node.

      • If the master node is connected with the trunk port of the switch, use the following procedure.

        a. Add the following interface and network information into the /etc/network/interfaces file.

        # Static IP
        auto ens224.1121
        iface ens224.1121 inet static
          address 192.168.0.251
          netmask 255.255.255.0
          gateway 192.168.0.1
          dns-nameservers 8.8.8.8 8.8.4.4
        # Static route
        up route add -net 192.168.10.0/24 gw 192.168.10.1 dev ens224
        

        b. Restart the networking service to apply the changes.

          sudo /etc/init.d/networking restart
        

        c. If the IP address is not updated after running the restart command, reboot the master node.

    • For Ubuntu 18.04:

      • If the master node is connected to an ethernet-type connection, use the following procedure.

        a. Create a Mycluster.yaml file under the /etc/netplan directory, and add the following interface and network information.

        network:
          version: 2
          ethernets:
            ens224:
              addresses: [192.168.0.251/24]
              gateway4: 192.168.0.1
              nameservers:
                search: [ibm.com]
                addresses: [8.8.8.8, 1.1.1.1]
              # For the L3 network
              routes:
                - to: 192.168.20.0/24
                  via: 192.168.10.1
        

        b. Apply the changes by using the network management tool.

        sudo netplan apply
        

        c. If the IP address is not updated after running the netplan command, reboot the master node.

      • If the master node is connected with the trunk port of the switch, use the following procedure.

        a. Create a Mycluster.yaml file under the /etc/netplan directory, and add the following interface and network information.

        network:
          version: 2
          ethernets:
            ens224:
              addresses: [192.168.0.251/24]
              gateway4: 192.168.0.1
              nameservers:
                search: [ibm.com]
                addresses: [8.8.8.8, 1.1.1.1]
              # For the L3 network
              routes:
                - to: 192.168.20.0/24
                  via: 192.168.10.1
          vlans:
            vlan.1121:
              id: 1121
              link: ens224
              addresses: [192.168.0.10/24]
            vlan.1122:
              id: 1122
              link: ens224
              addresses: [192.168.0.20/24]
        

        b. Apply the changes by using the network management tool.

        sudo netplan apply
        

        c. If the IP address is not updated after running the netplan command, reboot the master node.

    • For Red Hat:

      • If the master node is connected to an ethernet-type connection, add the IP address of the master node as follows.

        a. Create a file ifcfg-eth0 in the /etc/sysconfig/network-scripts/ directory, where eth0 is the device name.

         vi /etc/sysconfig/network-scripts/ifcfg-eth0
        

        b. Add the following content into the ifcfg-eth0 file.

         TYPE="Ethernet"
         BOOTPROTO="none"
         DEVICE="eth0"
         ONBOOT="yes"
         IPADDR="192.168.0.251"
         PREFIX="24"
        

        c. Restart the network service on the master node by using the systemctl restart network command.

      • If the master node is connected with the trunk port of the switch, create the VLAN interface that is connected to the trunk port of the switch.

        a. Create a file ifcfg-ens224.1121 under the /etc/sysconfig/network-scripts/ directory, where ens224 is the device name and the VLAN ID is 1121.

         vi /etc/sysconfig/network-scripts/ifcfg-ens224.1121
        

        b. Add the following content into the ifcfg-ens224.1121 file.

         DEVICE=ens224.1121
         BOOTPROTO=none
         ONBOOT=yes
         IPADDR=192.168.0.251
         PREFIX=24
         VLAN=yes
        

        c. Restart the network service on the master node by using the systemctl restart network command.

      • For a layer 3 network (where more than one subnet is available), you need to add the routing rule for the other subnets.

        a. Create a file route-eth0 under the /etc/sysconfig/network-scripts/ directory, where eth0 is the device name.

        vi /etc/sysconfig/network-scripts/route-eth0
        

        b. Add the following content into the route-eth0 file.

        GATEWAY0=10.162.161.0
        NETMASK0=255.255.255.0
        ADDRESS0=10.152.151.0
        

        c. Restart the network service on the master node by using the systemctl restart network command.

    • For SUSE Linux:

      • If the master node is connected to an ethernet-type connection, add the IP address of the master node as follows.

        a. Disable the default network management service NetworkManager by using the following commands:

        systemctl stop NetworkManager
        systemctl disable NetworkManager
        

        b. Create a file ifcfg-eth0 in the /etc/sysconfig/network directory, where eth0 is the device name.

         vi /etc/sysconfig/network/ifcfg-eth0
        

        c. Add the following content into the ifcfg-eth0 file.

         BOOTPROTO='static'
         IPADDR='192.168.0.251'
         NETMASK='255.255.255.0'
         STARTMODE='auto'
         ONBOOT='yes'
        

        d. Enable and start the Wicked network management service by using the following commands.

         systemctl enable wicked
         systemctl start wicked
        
      • If the master node is connected with the trunk port of the switch, create the VLAN interface that is connected to the trunk port of the switch.

        a. Create a file ifcfg-vlan1121 under the /etc/sysconfig/network/ directory, where the VLAN ID is 1121.

         vi /etc/sysconfig/network/ifcfg-vlan1121
        

        b. Add the following content into the ifcfg-vlan1121 file.

         BOOTPROTO='static'
         IPADDR='192.168.0.251'
         NETMASK='255.255.255.0'
         STARTMODE='auto'
         ONBOOT='yes'
         VLAN='yes'
         ETHERDEVICE='eth0'
        

        c. Create a file ifroute-eth0 under the /etc/sysconfig/network/ directory with the following routing information.

        DESTINATION GATEWAY NETMASK INTERFACE
        192.168.20.0/24 0.0.0.0 - eth0
        default 192.168.0.1
        

        d. Restart the network service on the master node by using the systemctl start wicked command.

  2. Configure IPSec to ensure that the data traffic within the network is encrypted. IPSec can operate in two different modes: transport or tunnel. The transport mode is sufficient for encryption of the provided IP traffic. To configure IPSec, you must ensure that the strongswan daemon is installed. See strongSwan for more details.

    a. Install the strongswan daemon on your x86 or Linux on Z server. The version of strongswan must be 5.6.2 or later.

    • For Ubuntu 16.04, you have to replace the bundled strongswan binary with version 5.6.2 or later.
      sudo apt-get remove strongswan
      sudo apt-get purge strongswan
      sudo apt-get autoremove
      apt-get -y install build-essential libunbound-dev libldns-dev libgmp3-dev
      # Check the tarball against the signature published with it before building
      wget https://download.strongswan.org/strongswan-5.6.2.tar.bz2
      tar xjvf strongswan-5.6.2.tar.bz2
      cd strongswan-5.6.2/
      ./configure --prefix=/usr --sysconfdir=/etc
      make
      make install
      ipsec version
      ipsec start
      
    • For Ubuntu 18.04:
      apt-get install strongswan
      
    • For Red Hat on x86:
      yum install http://ftp.nluug.nl/pub/os/Linux/distr/fedora-epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm
      yum install strongswan
      
    • For Red Hat on IBM Z, you have to download the strongswan source package and build the binary on the IBM Z system. For information on how to build the strongswan package, see strongSwan Installation Documentation.
      yum install gmp-devel
      # Check the tarball against the signature published with it before building
      wget https://download.strongswan.org/strongswan-5.6.2.tar.bz2
      tar xjvf strongswan-5.6.2.tar.bz2
      cd strongswan-5.6.2/
      ./configure --prefix=/usr --sysconfdir=/etc
      make
      make install
      ipsec version
      ipsec start
      
      Note: You might experience network connectivity problems because of a known issue, "Using /32 groups in ipsec causing leaks", when the master node runs on IBM Z with Red Hat 7.5 or 7.6 and strongswan v5.6.2. To work around the problem, create a cron job that runs the ipsec restart command every 30 minutes on the master node.
    • For SUSE Linux:
      # Check the tarball against the signature published with it before building
      wget https://download.strongswan.org/strongswan-5.6.2.tar.bz2
      tar xjvf strongswan-5.6.2.tar.bz2
      cd strongswan-5.6.2/
      ./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-openssl
      make
      make install
      ipsec version
      ipsec start
      

    b. Copy the following two files into the /etc (on Ubuntu and SUSE Linux) or /etc/strongswan (on Red Hat) directory. These two files are generated in the config/<ClusterName> directory after the Secure Service Container for IBM Cloud Private CLI tool is installed.

    • config/<ClusterName>/ipsec.conf, this file contains the network topology of the cluster.
    • config/<ClusterName>/ipsec.secret, this file contains a randomly generated Pre-Shared-Key (PSK) that will be used as an authorization token to the IPSec network.

    c. Start the strongswan daemon to apply the changes.

    service strongswan restart
    

    Note: You might have to run the command again for some Linux distributions if you reboot the x86 or Linux on Z server.

  3. Test the internal and external connection to each cluster node on the IBM Z or LinuxONE system by using the ping command. For example:

    ping 192.168.0.252
    ping 192.168.0.253
    ping 192.168.0.254
    ping 172.16.0.4
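
A successful ping shows reachability only, so the following added example (not part of the original procedure or of IBM's tooling) checks the outcome of steps 2 and 3: that the copied PSK file is not readable by group or others, and that each cluster node has a transport-mode ESP security association in both directions. It assumes the connections use ESP on the Linux kernel IPsec stack, so that `ip xfrm state` (iproute2) lists them; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): checks after steps 2 and 3.

# Return 0 only if $1 is a regular file (not a symlink) with no group/other
# permission bits, as a file holding the IPSec PSK should be.
psk_file_ok() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print every peer that lacks a transport-mode ESP SA in either direction.
# $1 = master node IP, $2 = text of `ip xfrm state`, remaining args = peer IPs.
peers_without_sa() {
    local_ip=$1; xfrm=$2; shift 2
    for peer in "$@"; do
        printf '%s\n' "$xfrm" | awk -v l="$local_ip" -v p="$peer" '
            $1 == "src" && $3 == "dst" { s = $2; d = $4; next }
            $1 == "proto" && $2 == "esp" && /mode transport/ {
                if (s == l && d == p) outb = 1
                if (s == p && d == l) inb = 1
            }
            END { exit !(outb && inb) }' || printf '%s\n' "$peer"
    done
}

# Constructed sample of `ip xfrm state` output (key lines omitted):
# .252 has SAs both ways, .253 outbound only, .254 none.
SAMPLE_XFRM='src 192.168.0.251 dst 192.168.0.252
    proto esp spi 0xc0000001 reqid 1 mode transport
src 192.168.0.252 dst 192.168.0.251
    proto esp spi 0xc0000002 reqid 1 mode transport
src 192.168.0.251 dst 192.168.0.253
    proto esp spi 0xc0000003 reqid 2 mode transport'

# On a live master node, pass "$(ip xfrm state)" as the second argument and
# call psk_file_ok on the copied PSK file (for example /etc/ipsec.secret).
echo "Peers without a full ESP SA pair:"
peers_without_sa 192.168.0.251 "$SAMPLE_XFRM" \
    192.168.0.252 192.168.0.253 192.168.0.254
```

Any address printed by `peers_without_sa` is a node whose traffic is not covered by an established SA pair at the time of the check.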
    

Next

Follow the instructions in the Installing IBM Cloud Private topic to deploy the IBM Cloud Private on your cluster nodes.