Completing the Initial Setup and Configuration from the Service CLI

If necessary, you can perform the Compute Cloud@Customer Isolated initial setup and configuration from the Service CLI. However, using the GUI is the preferred method.

Warning

Only administrators with proper certification from Oracle are allowed to perform these operations. Limited access to administration functions (Service Enclave) is provided to members of the C3IsolatedGroup authorization group.

This entire procedure is best performed as one workflow. It's broken down into sections to improve navigation and clarity.

Preparing the OCI Home Tenancy

An edge cloud system with a link to OCI cannot be initialized until its home OCI tenancy has been configured to accept the connection. Before performing the initial setup and configuration procedure, ensure that these prerequisites are met:

  • Customer account with access to an OCI tenancy.

  • Infrastructure resource configured in the OCI tenancy.

Note the IDs of the OCI home tenancy and the infrastructure resource. Both are required parameters to set the system operating mode.

Setting the System Operating Mode

Connect to the Compute Cloud@Customer Isolated for the first time to create a primary administration account, unlock the system, and set the parameters that determine the operating mode. Compute Cloud@Customer Isolated is linked to OCI and operates in disconnected mode with local IAM.

  1. Log in to the workstation you connected to the infrastructure, and sign in to the Compute Cloud@Customer Isolated management node cluster for initial configuration.

    The management cluster has a predefined virtual IP: 100.96.2.32. When prompted for a password, press Enter.

    # ssh 100.96.2.32 -l "" -p 30006
    Password authentication
    Password:
  2. Confirm initial user sign-in, where System Config State = Config User.

    PCA-ADMIN> show pcaSystem
    Data:
      Id = o780c522-fkl5-43b1-8g30-eea90263f2e9
      Type = PcaSystem
      System Config State = Config User
  3. Create the primary administrative account for the infrastructure.

    1. Provide a username and password.

      Note

      Passwords must contain a minimum of 12 characters with at least one of each: uppercase character, lowercase character, digit, and any punctuation character – except for double quote ('"') characters, which are not allowed.

      PCA-ADMIN> createadminaccount name=admin password=password confirmpassword=password
      Status: Success
      JobId: 302a6h99-fh7y-41sd-8i30-ea28581dcw9e
    2. Enter the exit command to log out of the CLI.

  4. Unlock the system.

    1. Open a terminal window and log in to one of the management nodes using the primary administrative account.

      Note

      Management nodes are named pcamn01, pcamn02 and pcamn03 by default.

      $ ssh admin@pcamn01 -p 30006
      Password authentication
      Password:
      PCA-ADMIN>
    2. Enter the systemStateunlock command.

      PCA-ADMIN> systemStateunlock
    3. Verify the system is unlocked and ready for configuration.

      PCA-ADMIN> show pcaSystem
      Data:
        Id = 5709f72b-c439-4c3a-8959-758df94eff25
        Type = PcaSystem
        System Config State = Config System Params
        system state locked = false
    4. Enter the exit command to log out of the CLI.

  5. Use the primary administrative account to sign back in.

    # ssh admin@100.96.2.32 -p 30006
    Password authentication
    Password:
    PCA-ADMIN>
  6. Configure the operating mode and related system parameters.

    1. Compute Cloud@Customer Isolated must be linked to OCI.

      Ensure that you have the correct values for the required linkToOCI command parameters:

      • OCI Tenancy ID

      • OCI Infrastructure ID

      • Region

    2. Run the linkToOCI command to configure the connection between the system and the OCI infrastructure resource in the home tenancy.

      Pay special attention to the connection mode (connected) and IAM data source (iamDataSource) parameters.

      Syntax:

      PCA-ADMIN> linkToOCI 
      ociTenancyId=<home-tenancy-id> 
      ociInfrastructureId=<infrastructure-id>
      region=<oci-region>
      connected=False
      iamDataSource=LOCAL

      Example:

      PCA-ADMIN> linkToOCI ociTenancyId=ocid1.tenancy....<unique_ID> \
      ociInfrastructureId=ocid1.cccinfrastructure....<unique_ID> region=us-ashburn-1 \
      connected=False iamDataSource=LOCAL

      These operating mode parameters will be persisted:

      System Mode = Linked
      Connected State = false
      IAM Data Source = local
    3. In case you need to change a parameter, you can delete the OCI link using the unlinkFromOCI command, and repeat the previous step. This is no longer possible after you set the system parameters in the next step.

  7. Configure the system parameters and verify all configuration entries.

    1. Set a system name and domain name.

      PCA-ADMIN> setDay0SystemParameters systemName=pca01 domainName=us.example.com
      Status: Success
      JobId: 2e5c08cc-3fe3-4631-ab86-8c60e30468ad
    2. Verify the configuration.

      PCA-ADMIN> show pcasystem
      Data:
        Id = o780c522-fkl5-43b1-8g30-eea90263f2e9
        Type = PcaSystem
        Product Type = PCA
        System Mode = Linked
        Connected State = false
        System Config State = Wait for Networking Service
      [...]
        System Name = pca01
        Domain Name = us.example.com
        OCI Tenancy Id = ocid1.tenancy....<unique_ID>
        OCI Infrastructure Id = ocid1.cccinfrastructure....<unique_ID>
        Availability Domain = AD-1
        Realm = oc1
        Region = us-ashburn-1
  8. Keep the CLI connection open. Proceed to the next section of this initial setup procedure.
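
Because the OCI link can no longer be deleted once the system parameters are set, the following added example (not Oracle's code) parses saved CLI output in the Key = Value form shown above and compares it with the operating mode and IDs you intended. It assumes the persisted-parameter lines and the show pcaSystem output were saved from the session; the capture text, the OCID strings, and the function names are constructed for illustration.

```python
# Added example: SAMPLE_CAPTURE and the OCIDs in it are constructed values.

# Values this procedure says are persisted by linkToOCI for an isolated system.
EXPECTED_MODE = {"System Mode": "Linked", "Connected State": "false",
                 "IAM Data Source": "local"}

SAMPLE_CAPTURE = """\
System Mode = Linked
Connected State = false
IAM Data Source = local
PCA-ADMIN> show pcasystem
Data:
  Type = PcaSystem
  OCI Tenancy Id = ocid1.tenancy.oc1..exampletenancy
  OCI Infrastructure Id = ocid1.cccinfrastructure.oc1..exampleinfra
  Region = us-ashburn-1
"""

def parse_cli_data(capture):
    """Collect 'Key = Value' output lines; a later line overrides an earlier one."""
    fields = {}
    for line in capture.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:  # command lines use key=value without spaces and are skipped
            fields[key.strip()] = value.strip()
    return fields

def check_operating_mode(capture, tenancy_id, infrastructure_id, region):
    """Return a list of problems; an empty list means the capture matches."""
    fields = parse_cli_data(capture)
    problems = []
    # Mode values are compared case-insensitively: the command takes
    # False/LOCAL, while the output on this page shows false/local.
    for key, want in EXPECTED_MODE.items():
        got = fields.get(key)
        if got is None or got.casefold() != want.casefold():
            problems.append(f"{key}: expected {want}, got {got}")
    # Identifiers must equal the IDs noted from the OCI home tenancy.
    wanted_ids = {"OCI Tenancy Id": tenancy_id,
                  "OCI Infrastructure Id": infrastructure_id, "Region": region}
    for key, want in wanted_ids.items():
        if fields.get(key) != want:
            problems.append(f"{key}: expected {want}, got {fields.get(key)}")
    return problems

if __name__ == "__main__":
    print(check_operating_mode(SAMPLE_CAPTURE, "ocid1.tenancy.oc1..exampletenancy",
                               "ocid1.cccinfrastructure.oc1..exampleinfra", "us-ashburn-1"))
```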

Configuring the System Network

When the operating mode and base system parameters are locked in, you must configure the system network. Refer to the information you gathered in the Initial System Installation Checklist to complete the system configuration. It's helpful to enter all this information in a text file.

Important

Enter the IP addresses for the uplinks exactly as they appear in the network configuration spreadsheet you filled out in preparation. The order of entry is important, especially when multiple IPs are added in the same field, because they map to specific spine and data center switches in the uplink topology.

  1. Configure the network parameters according to the selected routing design for the logical connection between Compute Cloud@Customer Isolated and the data center network.

    The options are (A) static routing or (B) dynamic routing. The required parameters are different depending on the routing design you selected.

    Note

    Uplink ports are always configured as port channels, even when the uplink port count is 1. Each port channel is configured in LACP mode with the LACP rate set to fast.

    Attention

    If you elected to segregate administrative infrastructure access from the data traffic, include the admin network parameters in the system network configuration command. This applies to both static and dynamic routing, which are shown in the steps that follow.

    When the Admin Network is enabled, some services will be accessed through the Admin Management VIP instead of the Management VIP. Any address record for those services should reference the Admin Network IP instead of the standard Network IP. The list of services is:

    • 'admin'

    • 'adminconsole'

    • 'prometheus-gw'

    • 'prometheus'

    • 'grafana'

    • 'api'

    • 'alertmanager'

    • 'rps'

  2. For dynamic routing, ignore this step and proceed to the next step.

    If you selected Option A: Static Routing, enter the following parameters on a single line.

    PCA-ADMIN> setDay0StaticRoutingParameters 
    uplinkPortCount=2 
    uplinkPortSpeed=40
    uplinkMtu=9216
    
    mgmtVipHostname=name  
    mgmtVip=10.nn.nn.22 
    ntpIps=10.nn.nn.1,10.nn.nn.105,nn.nn.17.1 
    spine1Ip=10.nn.nn.18 
    spine2Ip=10.nn.nn.19 
    spineVip=10.nn.nn.20 
    uplinkNetmask=255.255.255.248  
    uplinkGateway=10.nn.nn.1   
    uplinkVlan=678  
    uplinkRouterGroup=116 
    objectStorageIp=10.nn.nn.241
    mgmt01Ip=10.nn.nn.7 
    mgmt02Ip=10.nn.nn.8 
    mgmt03Ip=10.nn.nn.9 
    mgmt01Hostname=mn1 
    mgmt02Hostname=mn2 
    mgmt03Hostname=mn3 
    dnsIp1=10.1nn.nn.200 
    dnsIp2=206.nn.nn.1 
    dnsIp3=206.nn.nn.2
    
    Note

    After static routing parameters are configured, monitor the process using the show networkConfig command. When the process is complete, the Network Config Lifecycle State is Creating rather than Active. The Network Config Lifecycle State isn't Active until the lockDay0NetworkParameters command is issued.

    Example: square topology with static routing

    This example shows a square topology with ECMP static routing.

    setDay0StaticRoutingParameters 
    uplinkPortCount=1 uplinkPortSpeed=100 
    uplinkMtu=9216 
    
    uplinkNetmask=255.255.255.252 
    peer1Ip=10.nn.nn.34 
    peer2Ip=10.nn.nn.38 
    uplinkTopology=square 
    mgmtVipHostname=pca1vip 
    mgmtVip=10.nn.nn.43 
    ntpIps=10.nn.nn.105 
    spine1Ip=10.nn.nn.33 
    spine2Ip=10.nn.nn.37 
    objectStorageIp=10.nn.nn.49 
    mgmt01Ip=10.nn.nn.44 
    mgmt02Ip=10.nn.nn.45 
    mgmt03Ip=10.nn.nn.46 
    mgmt01Hostname=pca1mn1
    mgmt02Hostname=pca1mn2 
    mgmt03Hostname=pca1mn3 
    dnsIp1=206.nn.nn.1 
    dnsIp2=206.nn.nn.2

    Example: mesh topology with static routing

    This example shows a mesh topology with ECMP static routing.

    setDay0StaticRoutingParameters 
    uplinkPortCount=4 uplinkPortSpeed=100 
    uplinkMtu=9216 
    
    uplinkNetmask=255.255.255.254,255.255.255.254
    peer1Ip=10.nn.nn.96,10.nn.nn.98 
    peer2Ip=10.nn.nn.100,10.nn.nn.102 
    uplinkTopology=mesh 
    mgmtVipHostname=pca2vip 
    mgmtVip=10.nn.nn.107 
    ntpIps=10.nn.nn.105 
    spine1Ip=10.nn.nn.97,10.nn.nn.103 
    spine2Ip=10.nn.nn.101,10.nn.nn.99 
    objectStorageIp=10.nn.nn.113 
    mgmt01Ip=10.nn.nn.108 
    mgmt02Ip=10.nn.nn.109 
    mgmt03Ip=10.nn.nn.110 
    mgmt01Hostname=pca2mn1 
    mgmt02Hostname=pca2mn2 
    mgmt03Hostname=pca2mn3 
    dnsIp1=206.nn.nn.1 
    dnsIp2=206.nn.nn.2
  3. If you configured static routing, ignore this step and proceed to the next step.

    If you selected Option B: Dynamic Routing, enter the following parameters on a single line.

    PCA-ADMIN> setDay0DynamicRoutingParameters 
    uplinkPortSpeed=100 
    uplinkPortCount=2
    uplinkMtu=9216 
    
    spine1Ip=10.nn.nn.17 
    spine2Ip=10.nn.nn.21 
    uplinkNetmask=255.255.255.252 
    mgmtVipHostname=example-vip 
    mgmtVip=10.nn.nn.8 
    ntpIps=10.nn.nn.1 
    peer1Asn=50000 
    peer1Ip=10.nn.nn.18 
    peer2Asn=50000
    peer2Ip=10.nn.nn.22 
    objectStorageIp=10.nn.nn.1 
    mgmt01Ip=10.nn.nn.nn 
    mgmt02Ip=10.nn.nn.nn 
    mgmt03Ip=10.nn.nn.nn 
    dnsIp1=10.1nn.nn.200
    bgpTopology=topology-type 
    BGPAuthentication=true 
    BGPAuthenticationPassword=<bgp-password> 
    adminBGPAuthentication=true 
    adminBGPAuthenticationPassword=<admin-bgp-password>

    Note

    BGP authentication isn't enabled if you don't specify a password. Because BGP often involves separate administrative domains, password coordination is necessary between those responsible for both ends of the BGP links.

    The adminBGPAuthenticationPassword value must be established and changed on both ends of the BGP links at the same time. This might require careful coordination between different administrators. If one BGP authentication password is changed and the other isn't, the link fails.

    To verify success in BGP operation, run the command show bgp sessions.

    Example: mesh topology with dynamic routing and admin network

    The following example shows a dynamic mesh topology configuration using BGP authentication on the uplinks, where a separate administration network is set up:

    setDay0DynamicRoutingParameters  
    uplinkPortSpeed=40 uplinkPortCount=4
    uplinkMtu=9216 
    
    spine1Ip=10.nn.nn.29,10.nn.nn.35 
    spine2Ip=10.nn.nn.33,10.nn.nn.31 
    uplinkNetmask=255.255.255.252,255.255.255.252 
    mgmtVipHostname=example_vip 
    mgmtVip=10.nn.nn.46 
    ntpIps=10.nn.nn.1,10.nn.nn.2 
    peer1Asn=50000 
    peer1Ip=10.nn.nn.30,10.nn.nn.32 
    peer2Asn=50000 
    peer2Ip=10.nn.nn.34,10.nn.nn.36 
    objectStorageIp=10.nn.nn.72 mgmt01Ip=10.nn.nn.44 
    mgmt02Ip=10.nn.nn.45 
    mgmt03Ip=10.nn.nn.46 
    dnsIp1=10.1nn.nn.200
    bgpTopology=mesh
    BGPAuthentication=true
    BGPAuthenticationPassword=bgp-password
    adminBGPAuthentication=true
    adminBGPAuthenticationPassword=admin-bgp-password
  4. Configure the management node IP addresses and host names. Add at least one and up to three DNS servers. The dnsIp1 field is required. Enter the command parameters on a single line.

    PCA-ADMIN> edit NetworkConfig \
    mgmt01Ip=10.nn.nn.9 \
    mgmt02Ip=10.nn.nn.10 \
    mgmt03Ip=10.nn.nn.11 \
    mgmt01Hostname=apac01-mn1 \
    mgmt02Hostname=apac01-mn2 \
    mgmt03Hostname=apac01-mn3 \
    dnsIp1=206.nn.nn.1 \
    dnsIp2=206.nn.nn.2 \
    dnsIp3=10.nn.nn.197
  5. Enter the data center IP addresses that the appliance can assign to resources as public IPs. Enter the data as a comma separated list on a single line.

    edit NetworkConfig publicIps=10.nn.nn.2/31,10.nn.nn.4/30,10.nn.nn.8/29, \
    10.nn.nn.16/28,10.nn.nn.32/27,10.nn.nn.64/26,10.nn.nn.128/26,10.nn.nn.192/27, \
    10.nn.nn.224/28,10.nn.nn.240/29,10.nn.nn.248/30,10.nn.nn.252/31,10.nn.nn.254/32
  6. Keep the CLI connection open. Proceed to the next section of this initial setup procedure.
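
Because the routing parameters are collected in a text file and then entered on a single line, the following added example (not part of the Oracle procedure) checks such a file against the constraints stated above and joins it into one line, masking BGP passwords for logs or tickets. The file layout (one key=value per line), the function names, and the rule that the per-uplink lists have equal length (inferred from the examples above) are assumptions; the sample addresses are constructed.

```python
# Added example: names are this page's parameters; sample values are constructed.
# Fields whose comma-separated entries map, in order, to specific switches.
ORDERED_LISTS = ("spine1Ip", "spine2Ip", "peer1Ip", "peer2Ip", "uplinkNetmask")
AUTH_PAIRS = (("BGPAuthentication", "BGPAuthenticationPassword"),
              ("adminBGPAuthentication", "adminBGPAuthenticationPassword"))

SAMPLE_FILE = """\
# dynamic routing, mesh topology (documentation address ranges)
spine1Ip=192.0.2.1,192.0.2.13
spine2Ip=192.0.2.9,192.0.2.5
uplinkNetmask=255.255.255.252
peer1Ip=192.0.2.2,192.0.2.6
peer2Ip=192.0.2.10,192.0.2.14
dnsIp1=198.51.100.53
BGPAuthentication=true
BGPAuthenticationPassword=
"""

def load_params(text):
    """Parse one key=value per line; blank lines and # comments are skipped."""
    params = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def preflight(params):
    """Return findings for the constraints this procedure states."""
    findings = []
    if not params.get("dnsIp1"):
        findings.append("dnsIp1 is required")
    for flag, secret in AUTH_PAIRS:
        if params.get(flag, "").lower() == "true" and not params.get(secret):
            findings.append(f"{flag}=true but {secret} is empty")
    # Assumption drawn from the examples on this page: list lengths agree.
    counts = {k: len(params[k].split(",")) for k in ORDERED_LISTS if k in params}
    if len(set(counts.values())) > 1:
        findings.append(f"uplink list lengths differ: {counts}")
    return findings

def one_line(command, params, redact=False):
    """Join parameters into a single line; redact=True masks BGP passwords."""
    parts = [f"{k}={'********' if redact and k.endswith('Password') else v}"
             for k, v in params.items()]
    return " ".join([command] + parts)

if __name__ == "__main__":
    print(preflight(load_params(SAMPLE_FILE)))
```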
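
For the public IP step above, this added example (not Oracle's code) builds the comma-separated publicIps value from a first and last address, which reproduces the block pattern shown in that command, and checks a list for malformed or overlapping entries. Treating the management VIP and object storage IP as addresses that must stay outside the pool is a sanity check assumed here, not a rule stated in this procedure; all addresses are constructed.

```python
import ipaddress
from itertools import combinations

def public_ip_blocks(first, last):
    """CIDR blocks that cover first..last inclusive and nothing outside it."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]

def check_pool(public_ips, reserved):
    """Validate a publicIps value; return a list of problems (empty if clean).

    reserved maps a parameter name to an address assumed to belong outside
    the pool (an added sanity check, not a rule from the procedure).
    """
    problems, nets = [], []
    for item in public_ips.split(","):
        try:
            # Strict parsing rejects entries with host bits set, e.g. .3/31.
            nets.append(ipaddress.ip_network(item.strip()))
        except ValueError as err:
            problems.append(f"{item}: {err}")
    for a, b in combinations(nets, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    for name, addr in reserved.items():
        for net in nets:
            if ipaddress.ip_address(addr) in net:
                problems.append(f"{name}={addr} is inside {net}")
    return problems

# Constructed sample: offer .2 through .254 of a documentation /24 as public IPs.
POOL = ",".join(public_ip_blocks("198.51.100.2", "198.51.100.254"))
RESERVED = {"mgmtVip": "198.51.100.1", "objectStorageIp": "198.51.100.40"}

if __name__ == "__main__":
    print("edit NetworkConfig publicIps=" + POOL)
    print(check_pool(POOL, RESERVED))
```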

Verifying and Applying the Network Configuration

All network configuration parameters have been entered. However, you must still verify and apply the configuration.

  1. Verify the network parameters are configured. You can monitor the process using the show NetworkConfig command. When the process is complete, the Network Config Lifecycle State changes to ACTIVE.

    Note

    After static routing parameters are configured, the Network Config Lifecycle State is Creating rather than Active. The Network Config Lifecycle State isn't Active until the lockDay0NetworkParameters command is issued in the next step.

    PCA-ADMIN> show networkConfig
    Data:
        Uplink Port Speed = 40
        Uplink Port Count = 2
    [...]
        Uplink Router Group = 116
        Network Config Lifecycle State = ACTIVE

    When this process is complete, the System Config State changes from Wait for Networking Service to Test for Network Params.

    PCA-ADMIN> show pcasystem
    Data:
      Id = 1e79d401-4a4a-44d2-9e60-57ec223b5418
      Type = PcaSystem
      System Config State = Test for Network Params
    [...]
  2. Apply the configuration by locking the network parameters.

    PCA-ADMIN> lockDay0NetworkParameters

    System network configuration is now complete.