Merge "doc: Fix manual installation neutron resource"

2018-03-06 09:28:37 +00:00 · 2018-03-06 09:28:37 +00:00 · f928eeab83
parent 7061f4abac faa913565b
commit f928eeab83
2 changed files with 61 additions and 4 deletions
--- a/doc/source/installation/manual.rst
+++ b/doc/source/installation/manual.rst
@ -15,10 +15,9 @@ Install ``kuryr-k8s-controller`` in a virtualenv::


 In neutron or in horizon create subnet for pods, subnet for services and a
-security-group for pods. You may use existing if you like.
-
-.. todo::
-    Add reference neutron cli commands
+security-group for pods. You may use existing if you like. In case that you
+decide to create new networks and subnets with the cli, you can follow the
+services guide, specifically its :ref:`k8s_default_configuration` section.

 Create ``/etc/kuryr/kuryr.conf``::

--- a/doc/source/installation/services.rst
+++ b/doc/source/installation/services.rst
@ -99,6 +99,8 @@ would help avoiding extra hops if the amphorae were scheduled in the worker
 nodes, but how much significant that is, depends on your latency and throughput
 requirements.

+.. _k8s_default_configuration:
+
 Default configuration
 ~~~~~~~~~~~~~~~~~~~~~

@ -681,3 +683,59 @@ Kubernetes service to be accessible to Pods.
    | updated_at                | 2017-08-10T16:46:55                  |
    +---------------------------+--------------------------------------+

+.. _services_troubleshooting:
+
+Troubleshooting
+---------------
+
+* **Pods can talk to each other with IPv6 but they can't talk to services.**
+
+  This means that most likely you forgot to create a security group or rule
+  for the pods to be accessible by the service CIDR. You can find an example
+  here::
+
+    $ openstack security group create service_pod_access
+    +-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
+    | Field           | Value                                                                                                                                                 |
+    +-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
+    | created_at      | 2017-08-16T10:01:45Z                                                                                                                                  |
+    | description     | service_pod_access                                                                                                                                   |
+    | id              | f0b6f0bd-40f7-4ab6-a77b-3cf9f7cc28ac                                                                                                                  |
+    | name            | service_pod_access                                                                                                                                    |
+    | project_id      | 90baf12877ba49a786419b2cacc2c954                                                                                                                      |
+    | revision_number | 2                                                                                                                                                     |
+    | rules           | created_at='2017-08-16T10:01:45Z', direction='egress', ethertype='IPv4', id='bd759b4f-c0f5-4cff-a30a-3cd8544d2822', updated_at='2017-08-16T10:01:45Z' |
+    |                 | created_at='2017-08-16T10:01:45Z', direction='egress', ethertype='IPv6', id='c89c3f3e-a326-4902-ba26-5315e2d95320', updated_at='2017-08-16T10:01:45Z' |
+    | updated_at      | 2017-08-16T10:01:45Z                                                                                                                                  |
+    +-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
+
+    $ openstack security group rule create --remote-ip 10.2.0.0/16 \
+         --ethertype IPv4 f0b6f0bd-40f7-4ab6-a77b-3cf9f7cc28ac
+    +-------------------+--------------------------------------+
+    | Field             | Value                                |
+    +-------------------+--------------------------------------+
+    | created_at        | 2017-08-16T10:04:57Z                 |
+    | description       |                                      |
+    | direction         | ingress                              |
+    | ether_type        | IPv4                                 |
+    | id                | cface77f-666f-4a4c-8a15-a9c6953acf08 |
+    | name              | None                                 |
+    | port_range_max    | None                                 |
+    | port_range_min    | None                                 |
+    | project_id        | 90baf12877ba49a786419b2cacc2c954     |
+    | protocol          | tcp                                  |
+    | remote_group_id   | None                                 |
+    | remote_ip_prefix  | 10.2.0.0/16                          |
+    | revision_number   | 0                                    |
+    | security_group_id | f0b6f0bd-40f7-4ab6-a77b-3cf9f7cc28ac |
+    | updated_at        | 2017-08-16T10:04:57Z                 |
+    +-------------------+--------------------------------------+
+
+  Then remember to add the new security groups to the comma-separated
+  *pod_security_groups* setting in the section *[neutron_defaults]* of
+  /etc/kuryr/kuryr.conf. After making the kuryr.conf edits, you need to
+  restart the kuryr controller for the changes to take effect.
+
+  If you want your current pods to get this change applied, the most
+  comfortable way to do that is to delete them and let the Kubernetes
+  Deployment create them automatically for you.